Security is a key concern area for India's telcos, especially as outsourcing to partners is such an important part of their strategies.
Bharti Airtel Ltd. has been taking a number of steps to ensure the safety of its infrastructure and subscriber data.
The company's Global Chief Information Security Officer, Felix Mohan, spoke to Light Reading India about the company's moves to ensure the security of its infrastructure and data.
Light Reading India: Outsourcing is an integral part of Bharti Airtel's strategy. How difficult is it to ensure security once the data is controlled by an outside partner?
Felix Mohan: Telecom comes under critical infrastructure and we need to ensure the security at all levels. We follow a two-pronged approach to ensure security. There is a contractual part and then there are regular audits. We have a separate policy for this called Bharti Third Party Security Policy. This has around 130 controls that we enforce on our outsourced partner. Secondly, we conduct internal as well as external audits to confirm whether the policy is enforced properly or not.
Third is what we call the contractual controls. In all the contracts that we sign we clearly lay down all the continuity and security and regulatory/compliance requirements. Then there is something called the governance mechanism where, if any issues come up, we escalate them within our company as well as in their company so that those things are either eliminated or are taken care of.
Light Reading India: Is Bharti Airtel contemplating moving towards the cloud? What are the security issues associated with this?
Felix Mohan: We are moving towards the private cloud. There are tests... We need to decide whether some functions will move towards cloud... It might take a year or two.
Light Reading India: As the chief security officer of a major telco, what is your biggest challenge today?
Felix Mohan: Every day we face about 4,000 cases of new virus attacks and at least 15,000 to 20,000 attacks from existing viruses. Airtel also faces around 4,000 attacks on our gateways, 300 attacks on our websites. We stop about 2.1 million spam mails every day.
However, my biggest challenge today is knowing that we have been breached. Being a critical infrastructure we are a target of four different groups: terrorists; normal hackers; nation states; and Advanced Persistent Threats (APTs). APTs are basically low and slow attacks which the traditional security devices fail to detect. They can pick our data without us realizing. The issue is how do we detect that and how do we prevent ourselves from it. Once you get to know that you are attacked, you have to find out every machine which has been affected, which is almost impossible.
That is why people are today talking about living in a compromised state. The only way to deal with this is to develop a system by which you know you are compromised, but [which] should still enable [you] to continue with your operations. No Indian company has [admitted] that they have been attacked.
Light Reading India: What is the security spend of Bharti Airtel?
Felix Mohan: In India, traditionally a telco spends 3 to 5 percent of its IT budget on security. It is the same for us.
Light Reading India: What are the measures you have taken internally to ensure that your security is not compromised?
Felix Mohan: Security threats have spiraled in the past four-to-five years and they have moved from attacking infrastructure to attacking people. More than 80 percent of the attacks are through social engineering mechanisms that exploit the trust that human beings have in one another [including] targeted attacks using social media.
We have an extremely robust infrastructure to ensure security. We follow a defence and depth strategy. If hackers pass through one layer, they come across another layer. Second strategy relates to zoning: entire infrastructure has been zoned into areas. We have various zones [such as the] user zone, production zone, test and development zone, business associate zone, business development partner zone. The controls are different for different zones and people manning them are also different.
Since the threats are moving towards data we also went from infrastructure security to data-centric security, which is not only at the hardware and software level but also at business layer. To do the same we introduced Data Loss Prevention (DLP), which is seamlessly integrated with Digital Rights Management (DRM). Besides, we also have log management and enterprise encryption platform.
Gagandeep Kaur, Editor, Light Reading India