Addressing Data Security Concerns in India
Data security is now an aspect of India's digital movement that warrants attention and action
Digital India is evolving in a big way, backed by growth in information technology infrastructure, mobile and Internet penetration, and government initiatives. While the young demographic of the country has accelerated the adoption of the digital way of life, the current environment has pushed even the most reluctant user to take to the digital space for nearly all their transactions. Corporates also have a majority of their workforce operating from home now. This increased digital activity has exposed people and business to cyberattacks and data threats like never before. As COVID-19 distracts our attention, malicious cyber attackers see this as an opportunity to exploit any gaps in our data security measures to get what they desire. Data security is now an aspect of India’s digital movement that warrants attention and action.
The pulse of security concerns in India
As the regulatory ecosystem tries to match pace with digitization, the awareness among individuals about data security is significantly high. This is evident from the findings of the recently published 2020 Unisys Security Index, India. The survey revealed the top four security concerns among Indians were related to data security. This includes identity theft, hacking and viruses, bankcard fraud and online shopping. In fact, 83 per cent of the surveyed population stated that identity theft was their topmost security concern, making it the biggest security concern in India. India also recorded the highest level of concern about the security of shopping online, with 82 per cent of Indians concerned about this issue. An equal percentage of respondents is worried about hacking and viruses and bankcard fraud. These findings reflect concerns around the state of data security in the country—a call to action for all stakeholders. While data security in principle is not limited to the digital world alone, most of the large-scale data thefts happen in the digital world, thereby warranting greater attention.
Need for robust data security
The accelerated pace of digitization which is expected to continue post COVID-19 as well, and the widespread concerns around data security point to a need for robust data security measures in the country. Three stakeholders have a key role to play here—individuals, corporates and the government. Individuals need to be more cyber aware and take necessary precautions to secure their personal and financial data, as they engage in the digital realm. Organizations that deal with customer data—be it retailers, hospitals or other institutions—have a responsibility to secure the data they collated. They must also be aware of the security risks posed by remote working models and take appropriate measures to secure their data and assets. Last, but not the least, as a proponent of digital India, the government of the country needs to work towards creating an ecosystem where data security thrives. They can do so through interventions in the regulatory framework of the country that promote a data secure India. A cybersecurity strategy and policy that is in tune with the evolving cyberthreat environment is a must and our government has taken cognizance of the same.
Redundancy of traditional approaches to data security
Let us look at some of the common approaches to data security. Most organizations still approach data security from a compliance perspective. An annual or half yearly security audit, more with a view to ensuring compliance with regulatory mandates and other industry standards is the norm. What is really needed is a thorough risk analysis that considers threat intelligence and the evolving threat landscape in order to work out the likelihood of an attack and its impact, followed by commensurate action to prevent it. The ability to understand cyber risks, quantify them and articulate the same in the language of business, so that senior leaders can prioritize becomes vital, considering the limited information security budgets organization have.
Next comes the approach taken to prevent a cyber-attack. There is one common thread to all the recent cyberattacks—the attacker has penetrated the perimeter defenses. This shows that the traditional, perimeter security-based approach is failing. The fluidity of today’s threat landscape, disappearing network boundaries and enormous number of connections inside and outside the enterprises increases the attack surface considerably. Also, once a network is breached, the attacks spread laterally very fast with nothing to curb this movement of the attack vector. It is clear that traditional perimeter security-based approaches do not suffice in the sophisticated threat landscape of today. What organizations need is an approach based on logical segmentation of workloads.
Last, but not the least, data breaches are now considered a matter of ‘when’ and not ‘if’. Organizations need to assume that they will be breached at some point in time and work towards building cyber resilience into their plan of action. Investments in this space will define how quickly they are able to bounce back post an attack.
Zero Trust model, micro-segmentation and more
Given the redundancy of perimeter security-based approaches, organizations now need an approach that can overcome the limitations of it. Zero Trust is a viable alternative and is quickly becoming the de facto security posture for organizations around the world. Zero Trust is a network security model, based on the guiding principle of ‘never trust, always verify’. The framework dictates that you cannot trust anything inside or outside your perimeters. It assumes that the perimeter is dead and we can no longer operate on the idea of establishing a perimeter and expecting a lower level of security inside the perimeter as everything inside is trusted. This assumption has unfortunately been proven true in multiple attacks as attackers simply enter the perimeter through trusted connections using tactics such as phishing attacks. A Zero Trust model only allows authenticated and authorized users and devices to access applications and data.
One of the ways of implementing Zero Trust is micro-segmentation. Micro-segmentation logically isolates workloads in virtual environments by enforcing granular segmentation policies. This facilitates role-based access, making sure that all stakeholders-internal or external, only have access to the data and segments they need to perform their tasks. Because micro-segmentation can assign security policy at the workload level, the security can persist no matter how or where the workload is moved. Micro-segmentation, coupled with network monitoring and dynamic isolation also ensures that any breach is not allowed to spread laterally and is contained within that particular segment alone, preventing a breach from growing into a full-blown data theft. Technologies like artificial intelligence, machine learning and biometrics further enhance the effectiveness of a zero-trust based cybersecurity approach. Together, these approaches result in a strong data security posture, that can address the threat landscape of today.
The importance of data security in digital India cannot be overstated. The need of the hour is an ecosystem where individuals, organizations and the government work hand in hand towards building a data secure nation. Technology plays a key role here and models like Zero Trust and micro-segmentation are what will help build a data secure tomorrow.