Securing e-Governance, digitally
As India adopts e-Governance with a vengeance, the need for digital security measures to protect vital data has come to the fore, says Faiz Askari.
In catering to the next level of security solutions for an IT environment, the industry has recognised a relatively more secure way—digital security.
Digital security in India
Nagendra Venkaswamy, Managing Director, India & SAARC, Juniper Networks says, “If we look at the e-Governance projects and the networks that are being rolled out for these, digital security seems to be paramount. In an e-Governance project, a substantial amount of documentation is being done like maintenance of land records, police records and so on. Each department functions independently and has its own set of transactions to undertake. Hence having security measures in each department is critical so that only authorised people get into the network and access the information.”
"If we look at the e-Gov projects and the networks that are being rolled out, digital security seems to be paramount"
– Nagendra Venkaswamy
Managing Director, India & SAARC, Juniper Networks
However, in the enterprise space digital security is required for access of information by employees, partners and customers. Depending on the nature of information that needs to be shared, authentication is provided to enter the network and gain access.
Tanmoy Chakrabarty, Vice-president & Head, Global Government Industry Group, TCS explains, “The importance is high among industry and government, but the awareness is low. An understanding of the digital security technology and the need for its implementation is required for a safer and more secure IT environment in the country. Digital security solutions fit into the security requirements of IT projects of the government. Securing public data and ensuring security of the government Web sites are some applications where digital security solutions have been proven.”
Patrik Runald, Senior Security Specialist, F-Secure Security Response Lab says, “It’s moving along quite well, but in India where broadband penetration is growing at a rapid pace, it’s essential that the users are continuously reminded about security. The ‘bad guys’ on the Internet are always looking for new victims to send their malicious code and indulge in phishing. As users who have recently gone online are not as likely to be security-aware as their more experienced counterparts, they’re more vulnerable.”
According to Frost & Sullivan, digital security spend in India has been slow but steadily growing at 3.4 percent YOY. In FY 2005, overall digital security market was around $4.5 million. It is expected to grow at a faster pace in the coming years because of mandates from government organisations such as Director General of Foreign Trade (DGFT), Customs and Central Excise.
Dr T R Madan Mohan, Director, ICT Practice, Frost & Sullivan informs, “With increased adoption of BS7799, CoBiT, ISO 17799 certification processes, security is moving beyond firewalls and anti-virus to digital content. Several companies have invested in digital certificates for safe messaging, workflow documentation, certificate authentication (such as contracts, educational certificates, credit rating), vendor orders, and employee certificates (experience certificates and so on).”
"e-Governance is about improving service to citizens and making the system more responsive"
– Dr T R Madan Mohan,, Director, ICT Practice ,, Frost & Sullivan
Security and governance
Venkaswamy of Juniper says, “With the government finally adopting e-Governance, security has become a key issue that needs to be addressed. Like any other project, an e-Governance project also runs on a network, but the major difference is that in an e-Gov project considerable amount of critical information could be involved. Hence the need for securing such information. Technologies like PKIs (Public Key Infrastructure) and digital signatures are being adopted.”
Chakrabarty of TCS says, “The digital security solution is well known for its adaptiveness and acceptability in e-Governance projects worldwide. But in the Indian e-Gov scenario, the security aspects are not being taken as seriously. They are rather neglected. The decision-makers in the government prefer to compromise when it comes to high-end technology implementation. I think the officials themselves should take the initiative to understand the technology, examine its usability in their domain and implement it. Looking at the way e-Gov is moving in India, digital security has to be a critical factor.”
Runald of F Secure concurs that digital security is catching on in the government sector. He says, “It’s crucial for all aspects—from securing transactions to building trust. The users should have trust in the security systems, if not they will never use the e-Gov services.”
Mohan of Frost & Sullivan states, “e-Governance is about improving service to citizens and making the system more responsive. The government is the largest dispenser of certificates such as birth and death registration, motor vehicle licence, land records, and BPL cards all of which have legal and legislative nuances.”
Mohan explains, “Several state governments are discovering the value of digitisation of certification as that makes it easy to ship out and manage. Consider the e-Visa certificates which are being issued by several governments across the world in place of physical visa. Digitisation cuts down the lead-time (the average time reduced is six days), improves citizen service and enables better management of international visitors.”
He adds, “The government is aware of misuse of these records for personal gains and have adopted several initiatives such as deploying digital security, which is the best option available for securing this data.”
S Angiah, Business Development Manager, Adobe Systems India elaborates, “India is trying to catch up with the developed nations with regard to growth but there are issues like corruption and lack of infrastructure, which are hampering its plans. e-Gov could play an important role in getting rid of these problems. From October 18, 2000, transactions on the Internet have got legal validity in India, as the Information Technology Act 2000, has come into effect. This has ushered the country in an era of digital signatures. It allows people, at least on paper to conduct business with the government remotely, no matter where they are.”
Angiah adds, “Digital security is critical in e-Governance to safeguard the confidentiality of transactions and information on the network. Government documents and other important material have to be protected from unauthorised users in case of e-Governance projects. Hence, security is critical for their successful implementation.”
Some of the key areas where digital security applications are most required are defence, stock exchange, Ministry of Finance, Income Tax, administration (police etc), and land records.
The emerging technologies for e-Gov projects include PKI, digital signatures, biometrics and Secure Sockets Layer (SSL).
Runald of F-Secure says, “It is true that digital signatures will be dominating security infrastructure but the technology needs proper implementation. The trend is catching up in India. Digital signatures can be useful as long as they’re based on authentication, preferably through a smart card or some other physical device combined with a personal pin.”
Mohan of Frost & Sullivan believes, “an FIR is a key document in the judicial enquiry process and so are the land records. Technologies such as SSL, PKI, biometric maps are crucial for the success of e-Governance projects.”
Chakrabarty of TCS says, “PKIs and digital signatures are emerging trends. The MCA 21 (a project by the Ministry of Company Affairs) project is the first example in implementation of digital signatures at a higher level.”
Digital certification
In a span of about a year since the first digital certificate was launched, digital certificates gradually made their way into every possible business scenario. India’s leading software services firm Infosys uses digital certificates from SafeScrypt to sign and encrypt the top management’s e-mail.
Angiah of Adobe adds, “Even the government, usually reticent about adopting new technologies is jumping on the bandwagon by adopting digital certificates. For instance, the DGFT recently took a revolutionary step by mandating that all DGFT transactions would have digital signatures. As all EXIM notifications and public notices would be transmitted with digital signatures, the exporting community which applies for import/export licences will now be able to interact directly with DGFT on a secure electronic platform. That will facilitate paperless verification and processing. Similarly, educational institutions like the DoEACC (Department of Education for Accredited Computer Courses) and IGNOU (Indira Gandhi National Open University) are using digital signatures for students to register online.”
He informs, “When digital certificates were first launched few industry analysts were optimistic about adoption, as India traditionally has been slow in adopting new technologies. But the above instances of adoption in diverse sectors prove that digital certificates are slowly but surely picking up in India.”
Apart from above, other security-related technologies are biometric recognition, content scrambling and steganography (digital watermarking).
Implementation
Mohan of Frost & Sullivan says, “Digital security products are required wherever ‘authenticity,’ ‘validity,’ and ‘legal rights’ of digital content have to be protected from repudiation. All digital content (applications) that need protection from tampering, vandalism, decay and accident need digital security.”
“The role of digital security is vital in every application which collects or stores data, interacts with an outsider, carries some confidential information and other applications. The best example of having most of such qualities and requirements are various e-Gov projects. Digital security can have a competitive edge when it comes to such requirements,” adds Chakrabarty of TCS.
Runald of F Secure says, “Security is needed everywhere, especially in applications or solutions that involve transactions that are online such as banking, shopping, gambling and gaming. All these services/applications handle money transactions whether it is through transferring money through the online bank or buying more credits on the online gaming site. Either way, they’re interesting targets for criminals. It may be either through phishing scams, trying to fool the users to give away financial and personal information or it may be through Distributed Denial of Service attacks against the online site itself in a blackmail attempt. Either way, online transactions and their users are at a higher risk of getting targeted by digital attacks.”
Future path
For today’s enterprises and government organisations, security is not about restricting access to business critical resources and applications. Strategic value is achieved by addressing some of the critical challenges like improving competitiveness, reducing operational risks and allowing ubiquitous access to various services without compromising on security or performance.
“The future for digital certificates looks bright because of mandates from government bodies such as customs. In fact, SafeScrypt, a Satyam subsidiary, witnessed significant increase in its revenue because of DGFT mandate on certificates. Advanced technologies such as biometric watermarking are mostly in an experimental stage in India; mass deployments are only expected to happen in 2008,” says Mohan of Frost & Sullivan.
He adds, “Traditionally security was viewed as protecting critical assets and resources from the outside world. This is no longer the case. Networks are no longer segmented on the basis of trust. You have to view this as a single untrusted network and then deploy appropriate checks and controls based on what resource/application is being accessed, when, from where and by whom. With the increasing adoption of the Internet for business use, connectivity is available anywhere. The challenge is to use this medium securely and allow access to all business users including vendors, suppliers and business partners.”
Also, today, organisations have to follow stringent statutory requirements and network security is important to meet these guidelines.
Runald of F Secure says, “India is definitely one of the key targets for online criminals, digital security is key for the growth of broadband usage. If not, the trust in Internet among the new users will fade and they may even avoid getting online at all. All ISPs and mobile operators are aware of the security problems though and are taking measures to make it better.”
Chakrabarty concludes, “State governments are in fact getting aggressive towards implementing digital signatures and other digital security applications.”