Michael Sentonas, Vice President and Chief Technology Officer, Asia Pacific, McAfee
McAfee Vice President and Chief Technology Officer, Asia Pacific, Michael Sentonas is responsible for driving the integrated security architectures and platforms that have propelled McAfee into a leadership position in digital security, with a focus on the Asia Pacific region. With a background in sales and engineering, he has been able to drive innovation and optimise product direction and development in the company. He has over fifteen years' experience in the IT industry, focusing on internet security solutions with past roles including software development, security consulting and management. In an email interview with eGov, he talks about the major security challenges to government business and McAfee's involvement in the government sector.
What would be some of the most critical security threats the Indian government faces?
Governments globally face threats to key assets. These threats can range from hacktivism and attacks on critical infrastructure through state-sponsored cyber sabotage to intellectual property theft. Increased penetration of mobile devices means more mobile government workers and increased potential for data leakage and for malware penetrating into the network if security policies and technical mechanisms are insufficient. Second, as the Unique Identity (UID) project rolls out, ensuring utmost protection for the IDs and data associated with each record would be critical. The Indian government is already planning a comprehensive security strategy to protect this project. Third, outsourcing protections will be critical – and this revolves around legislative policy or laws which the government should be instituting – since so much of the Indian economy relies upon outsourcing.
What are your views on security of public information in India, particularly with respect to the UID programme?
Currently, security adoption across government enterprises is largely restricted to perimeter security and malware protection. However, the UID is one programme which takes stringent steps to preserve and maintain critical citizen data. It has been structured in a way so as to prevent any sort of data leakage, as it deals with confidential individual information. The privacy of the individual is respected and this will be one of the major reasons for the success of the project.
What is McAfee’s play in the government sector? Could you share with us some of your major initiatives in this sector?
There is an immense opportunity in the e-Governance space for technology and related companies in India. Industry reports estimate it to be in the region of $6-10 billion over the next 2-3 years. At McAfee, we are very bullish about the Government vertical globally and this strategy translates into the Indian context as well. We have a separate team globally as well as in India that has been institutionalised for managing government projects, bearing testimony to our concentrated focus on this sector. The initiation of large projects such as the UID project, r-APDRP (restructured-Accelerated Power Development and Reforms Programme) etc., and the international phenomenon of terrorism moving into the cyber domain imply that IT security will continue to grow in importance for the Indian government. We are working together with a number of Indian government agencies and ministries through our channel partners to help develop coordinated strategies to tackle the lacunae in India’s defences.
McAfee: McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. McAfee products empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security.
What is McAfee’s advice to protect critical infrastructure from cyber attacks?
In April 2011, McAfee and the Center for Strategic and International Studies (CSIS) came out with findings from the Critical Infrastructures report that reflects the cost and impact of cyberattacks on critical infrastructure such as power grids, oil, gas and water. The survey of 200 IT security executives from critical electricity infrastructure enterprises in 14 countries found that 40 percent of executives believed that their industry’s vulnerability had increased. Nearly 30 percent believed their company was not prepared for a cyberattack and more than 40 percent expect a major cyberattack within the next year.
In a country such as India, much of the critical infrastructure is with Public Sector Undertakings and hence owned by the government. Because of their inherent economic importance, such assets make strong targets for political sabotage, data infiltration and extortion.
Managing security issues is certainly a challenge for the government in India because there are manpower as well as cost-related challenges to deal with. A key consideration for governments across the globe is the extent to which to rely upon outsourced vs. in-house cyber security talent.
There is also a worldwide belief that regulation will somehow solve network security related concerns. Compliance never equates to security so an over-focus on regulation diminishes the importance of other important security controls. Therefore spending budget wisely to ensure the government achieves the right level of security means balancing compliance with security and the right level of in-house talent to do so.
What would be the key components of a comprehensive security plan for protecting the country’s critical infrastructure?
A highly sophisticated network security posture is needed to guard critical establishments from premeditated attacks. We recommend adhering to a 5-step risk-based checklist to create a strong network control which will minimize such attacks:
• Key network areas – IT, Operations and New Smart Grid Projects – should be overseen by a single security authority responsible for interconnectedness and synergies necessary across all three as compared to a silo-based approach. It is advisable to have a single security authority so as to enable holistic protection of the assets.
• A strong data governance plan that classifies data as per its value needs to be developed. Post this, a relevant plan to safeguard vital data (at rest on the network, in transit within/to/from the network, and in peripherals and mobile devices) can be executed.
• Cyber attacks can also be instigated through a weak vendor network, as a result of which hackers can gain direct access to the critical infrastructure. Vendors should be selected carefully and made to validate their security standards. When vendors notify new patches or other urgent actions over a possible threat, the recommended mitigation steps must be assigned high priority.
• Daily vulnerability assessment to understand potential weaknesses especially when new devices/applications are added to the network is also needed. It is also important to maintain regular checks when the control system becomes IP-enabled.
• There has been an increasing trend in the deployment of ‘whitelisting’, a technology which blocks all unauthorized executables or applications and obviates the need for regular updates which require downtime on the network. It is also suitable for devices which are purpose-built – such as control systems; or those that run only limited applications – such as servers.