Looking back at this year: it was one fine morning in March, I was on my regular commute to work, and my phone beeped. There was a news notification that read "Facebook in a Data Scandal". I clicked the link to find out what the chaos was about. Cambridge Analytica had harvested the personal data of millions of people's Facebook profiles without their consent and used it for political purposes. This became a major driver of the call for tighter regulation of how tech companies use data, and it is against that backdrop that the EU General Data Protection Regulation ("GDPR") came onto the scene. GDPR came into effect on May 25, 2018, and Indian companies and the MNCs operating here are still assessing the impact it will have on their businesses. Many argue that compliance is exorbitant, and the high administrative fines for non-compliance with GDPR provisions are the driving force behind these concerns, since they can lead to loss of business in India; but there is no doubt that GDPR is here and is going to change industries' perspective on data usage. This is the era of the internet, where everyone feeds on data; a set of rules that assures people that their data is being protected is an absolute necessity. Recently, I got an opportunity to sit with Sanjay Katkar, Joint Managing Director and Chief Technology Officer, Quick Heal Technologies; Shrenik Bhayani, General Manager, Kaspersky Lab (South Asia); Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet; Sean Sullivan, Security Advisor at F-Secure; Rakesh Viswanathan, Regional Director, India & SAARC at Cyberbit; and Gagandeep Singh, Head of Practice, Risk Advisory, APAC and Japan, Aujas, and thus began the journey to explore the depths of this "requisite to safeguard", the buzzword that DATA is.
What is the Data Protection Framework of India?
The draft bill for Data Protection Framework is undoubtedly a step forward towards ensuring data privacy in India. The country has more than 500 million active Internet users at present, a number that will only increase as digitization makes greater inroads into various tier-3/4 and semi-urban geographies on the back of government initiatives such as Digital India. This necessitates a strong set of policies and laws for data privacy and protection to ensure the safety of Internet users, as well as to assuage their anxieties about who has access to their information and how they use it. Such a move will also give a definite direction to a rapidly-growing tech industry, while also significantly boosting the impact of initiatives like Digital India in the long term.
In recent times India saw a draft Data Protection Bill being proposed, which started a major debate between companies and those who were in favour of the draft. The main focus of the bill was to localize data and to have companies store only the data they require. Storing only the required amount of data can definitely curb the huge risk of data breach cases; however, data localization can limit user security and harm the growth and competitiveness of Indian industry.
The GDPR framework is inspiring several governments to introduce data protection legislation or to upgrade existing data protection laws. The GDPR is fast becoming a benchmark for other data protection frameworks, and the India Data Protection Bill is one that looks to the GDPR for inspiration. The Bill suggests steps for safeguarding personal information, defines the obligations of data processors as well as the rights of individuals, and proposes penalties for violation. If we look at the current threat landscape, there is an urgent need to regulate and protect data at every stage. This is what the Data Protection Bill aims to achieve. In today's digital world, data must be protected as it moves across systems, applications, devices, and the multi-cloud. This means that security needs to be able to seamlessly extend to the farthest reaches of the network, and even to those elements that may not be in the network yet. It must also be found at every point of data interaction, not just at the perimeter or to secure north-south traffic. This represents a fundamental change in how security must be approached. It is no longer just about the placement of security in different parts of the network. It goes far beyond that.
For now, F-Secure would not like to comment on this until the final version is rolled out; only then would it be the right time to share expertise on its implementation successes.
Regulations like GDPR have made it imperative that India has its own legal framework on data protection and privacy. GDPR has an impact on services sectors like banking, IT and healthcare, as companies must be GDPR compliant while handling data provided by an EU client. The India Data Protection Bill can be considered adequately rigorous and on par with GDPR. This will help form a regulatory regime and promote India-EU trade; going forward, this framework will help data exchange between countries and promote e-commerce, as we will now have the required protections and regulations to safeguard data once it enters our country.
There are opinions both for and against the content and context of the bill; however, the majority support the steps taken for data protection, which is definitely the need of the hour and very much required. Hence I would say that it is on a rough road to success but will succeed eventually. From the perspective of an effective privacy framework, all the rights mentioned are important. Prior to GDPR, they existed in privacy-related frameworks in some form or the other. The right to be forgotten and portability may be the only new entrants and hence the ones causing the most flutter. Organizations will have to look at separating data into personal, sensitive personal and critical personal data within their application environments, so as to control the scope and cost of retaining a copy in India. There is also the question of being able to work only with those countries with equal or better privacy laws. Critical personal data would most likely constitute data that can be used for active or passive surveillance, for example real-time data about a person such as geographical location, financial transactions, and the email and calls of people with security clearances and sensitive positions. Defining this data may also be difficult, as the range of use cases varies, so we should expect some lack of clarity to remain and look to enforcement authorities and courts to establish precedent.
Data Localization and its Implications
Data localization as mentioned in the new Data Protection framework could have long-lasting implications for the tech industry. Such a move will also have certain short-term disadvantages, such as the rising cost of storing data or of cloud usage. Furthermore, tech giants like Amazon AWS, Microsoft, and Google will have to build data centers within the country to serve the Indian corporate sector's cloud requirements. This will very likely increase their costs, which will be passed on to clients. Another disadvantage of data localization could be a possible disruption in services for a certain period, since the infrastructure in India is not yet equipped to set up large server farms and cloud facilities. This might lead to a reduction in the quality of services offered by Indian companies in the future, as compared to the present, when their data centers are located outside the country. However, data localization will offer certain advantages as well. Localizing data centers will allow government authorities to gain easier access to data for conducting more efficient investigations. This will be very helpful in the context of national security and will also ensure a more controlled flow of data across the country's borders.
The most positive aspect of the implementation of this draft is that the country will have a law in place for online security. With India moving towards digitalization, we hear of companies being targets of data breaches every other day. In the light of data protection, it is very important for a country to have a strict law in place. The control that the new law gives people over their information is more or less needed when it comes to being careful ourselves about what information we are ready to share with the world. The data localization step, however, takes away the freedom to draw on cybersecurity expertise from other countries, and the exchange of information on the threat landscape also becomes limited.
Facebook and Google Plus recently suffered major security breaches, and there is a high possibility that users' information such as login IDs and passwords could be misused by the unknown hackers. However, the risk is not restricted to users' social media accounts; it could affect business and web services such as payment services, travel booking and food ordering, online shopping and so forth. This is because today most businesses and e-commerce companies let users sign in with their social media account IDs and follow a single sign-on (SSO) process. In such situations, hackers could easily access those business and web services that rely on SSO. Overall, the data protection and localization frameworks will enforce best practices and bring about a strong user-rights-respecting regime. However, data localization does not mean the data is secure. Even if data is stored in India, encryption keys may still remain out of reach of national agencies who want to access the data. The increased cost of storing data locally and setting up large data centre operations in India could be passed on to customers by credit card companies and financial institutions.
Data localization is not a guarantee of security or privacy. The location of data will not affect whether or not it is properly used. Additionally, location requirements add complexity and cost, creating additional burdens in securing data. Location requirements would likely make it difficult for smaller companies to do business in India, decreasing competition and increasing the chance of monocultures.
Data localization, on one hand, can promote the growth of the data centre and cloud industry in India, spurring more investment in building new infrastructure. India is one of a select few countries moving towards a comprehensive data protection regime. But data is the new oil, and cross-border data flows have contributed nearly $3 trillion to the global economy. India has been a global hub for processing data, and mandating a strict data localization regime could be perceived as a restrictive trade barrier and could push the world into becoming silos or data islands. Finally, mandating localization is not a solution for data protection; that requires the implementation of a security framework that can protect data at every point in the network.
This is a fairly large requirement with substantial implications, especially for multinational companies, companies using cloud services and cloud service providers themselves. Organizations and tech companies using or providing these solutions will have to invest to scale up to support storage of records in India. I think the idea is not to restrict outbound data flow but rather for the fiduciary to be within the jurisdiction. As far as additional security is concerned, I do not think it deters malicious actors in any significant way, at least not technologically speaking. However, the good thing for us as cybersecurity professionals, a.k.a. the back offices of the world, is that such data requirements make copy retention much easier for us.
Data Protection Framework – The Maiden Notion
The industry is looking forward, albeit cautiously, to the Data Protection Framework. While it will no doubt be beneficial in the long run, many Indian corporations expect it will increase their burden of compliance, since infrastructure, audits, and various other resources and expert services will be required to comply with the data protection rules. This can potentially drive up the overall operating costs for companies.
With the new Data Protection Framework, organizations need to provide a seamless experience to their users while meeting compliance standards and securing their network from data breaches. Companies will also look to leverage new tools, such as connected devices and applications, that will collect more consumer data than ever. To avoid the fines and penalties that accompany non-compliance, customers need security controls that ensure they meet these standards. Fortinet offers customers an integrated, architectural approach to cybersecurity that will take them beyond simply being compliant with various regulations; that is what we bring to the table. By publicly going above and beyond, they can build a deeper level of trust with consumers. This not only ensures business will not be lost over security concerns; the approach can also be a competitive advantage in winning new business. By building a proactive, architectural approach to cybersecurity, enterprises can earn their consumers' trust while mitigating the security challenges they face. An integrated cybersecurity approach gathers security controls across IoT devices, local and branch networks, and even multi-cloud environments. Each layer of protection collects and communicates threat intelligence regarding global and local cyber events, enabling the entire security system to deliver an automated and coordinated response to every incident in real time. Offering cybersecurity of this caliber, Fortinet has a unique opportunity to zero in on the specific needs and goals of its customers, both short-term and long-term, providing them with the opportunity to securely and confidently achieve their business goals and go beyond compliance.
India's framework reportedly borrows heavily from the EU's GDPR. If the framework is similar, companies should be able to apply it without too much undue burden.
With the new Data Protection Framework, organizations need to protect data with skilled security professionals protecting their Network Operations Center. Hefty portions of company budgets are often set aside to train the employees responsible for keeping corporate assets secure, but there is a problem: cybersecurity talent is hard to come by. Aware of this reality, organizations often hire fresh-out-of-school cybersecurity analysts who have yet to encounter real crisis situations and have not fully developed the skills needed to perform optimally in the face of a dangerous cyberattack. Hands-on experience makes all the difference. With simulation training, analysts learn to interact and come together as a team. A safe, hands-on environment gives all participants a chance to learn to work together smoothly and coordinate activity in an efficient manner.
Though there are mixed reactions from the industry, at the outset I believe it is a step to be welcomed. This is not a simple issue where the first draft will be perfect; it will take its course to maturity, and hence the reactions, feedback and inputs from the industry and experts are very important for us to reach the top of this very steep slope. Much of the feedback and many of the concerns also claim that the Indian bill on privacy is a copy of GDPR, and hence it is receiving criticism. I do not see it as an issue, for the following reasons:
- The end objective, in essence, is similar.
- EU has been maturing their data protection directive for a long time i.e. almost 25 years. The most recent directive received a lot of attention only because it created a big impact.
- We all know that India is often looked as a back office for the world and hence anything new that we add to the legal framework shall be in consideration of that.
For the above reasons, I don't see how starting from scratch and reinventing the wheel would have been a better choice; however, I agree that it cannot be exactly the same as GDPR. We need to ensure it is modified and adapted to the Indian context and relevance. There are a few aspects which sound unrealistic or impractical, a good example being the penalties involved. Though I am not a legal expert, I can still say that penalties must be enforceable, or they lose their purpose, as they would once you see a few examples where a penalty was levied but could not be collected.
It is a very positive step taken by the Indian Government to put a data protection law in place in India so that Indians are safe online. The cybersecurity industry can support this framework in many ways, and together the government and the industry can work to make this a stronger and stricter framework for data protection and security.
Is Growing Internet Base a Growing Concern?
The reality is that no organization can patch vulnerabilities fast enough. Rather, they must become strategic and focus on the ones that matter, using threat intelligence. With exploits examined from the lens of prevalence and volume of related exploit detections, only 5.7% of known vulnerabilities were exploited in the wild, according to our research. If the vast majority of vulnerabilities won't be exploited, organizations should consider taking a much more proactive and strategic approach to vulnerability remediation. This requires advanced threat intelligence that is shared at speed and scale across all of the security elements, and sandboxing that provides layered, integrated intelligence. This approach shrinks the necessary windows of detection and provides the automated remediation required for the multi-vector exploits of today. The Cyber Threat Alliance, a group of security companies that shares advanced threat information, was created for this reason. Effective cybersecurity also requires diligence in patching. With data on which vulnerabilities are currently being exploited, IT security teams can be strategic with their time and harden, hide, isolate or secure vulnerable systems and devices. If they are too old to patch, replace them. Network segmentation, and micro-segmentation, is a must as well. These steps ensure that any damage caused by a breach remains localized. In addition to this passive form of segmentation, deploy macro-segmentation for dynamic and adaptive defense against the never-ending onslaught of new, intelligent attacks. Cybercriminals are relentless, making use of and adapting the latest technology to ply their trade. IT security teams can beat them at their own game by using the information and recommendations outlined above.
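The remediation logic described above (patch what is actually being exploited first, replace what is too old to patch, isolate what has no fix yet, and let the rest ride the normal cycle) is easy to state and easy to get wrong in a spreadsheet. The following is an added example, not code from the article or from any of the vendors quoted: it takes a constructed scanner inventory and a constructed "exploited in the wild" feed and turns them into a ranked action list. The vulnerability identifiers (`VULN-000x`), host names and the feed contents are placeholders, not real CVEs or real intelligence.

```python
"""Added example: triage a vulnerability inventory against exploited-in-the-wild
intelligence. IDs, assets and the intel feed are constructed placeholders."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # hypothetical identifier, not a real CVE
    patch_available: bool   # vendor has shipped a fix
    end_of_life: bool       # platform no longer receives fixes at all
    internet_exposed: bool  # reachable from outside the network


# Constructed scanner output (not real data).
FINDINGS: List[Finding] = [
    Finding("web-01",    "VULN-0001", patch_available=True,  end_of_life=False, internet_exposed=True),
    Finding("db-02",     "VULN-0002", patch_available=True,  end_of_life=False, internet_exposed=False),
    Finding("legacy-03", "VULN-0003", patch_available=False, end_of_life=True,  internet_exposed=True),
    Finding("kiosk-04",  "VULN-0004", patch_available=False, end_of_life=False, internet_exposed=False),
    Finding("web-01",    "VULN-0005", patch_available=True,  end_of_life=False, internet_exposed=True),
]

# Constructed intelligence feed: IDs observed being exploited by real attackers.
EXPLOITED_IN_THE_WILD: Set[str] = {"VULN-0001", "VULN-0003", "VULN-0004"}


def triage(finding: Finding, exploited: Set[str]) -> str:
    """Map one finding to one of the actions the text names."""
    if finding.vuln_id not in exploited:
        # Not seen in the wild: still fix it, but on the regular maintenance cadence.
        return "schedule"
    if finding.end_of_life:
        # Exploited and the vendor will never fix it: replace the system.
        return "replace"
    if finding.patch_available:
        # Exploited and a fix exists: this is the work that matters today.
        return "patch-now"
    # Exploited, supported, but no fix yet: segment it and cut its exposure.
    return "isolate"


def prioritize(findings: Iterable[Finding], exploited: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (asset, vuln_id, action) tuples, most urgent first.

    Sort key: exploited-in-the-wild first, then internet-exposed first, so the
    top of the list is what an attacker can reach today with a working exploit.
    sorted() is stable, so ties keep scanner order.
    """
    ranked = sorted(findings, key=lambda f: (f.vuln_id in exploited, f.internet_exposed), reverse=True)
    return [(f.asset, f.vuln_id, triage(f, exploited)) for f in ranked]


def exploited_share(findings: Iterable[Finding], exploited: Set[str]) -> float:
    """Fraction of distinct vulnerability IDs in the inventory that appear in the feed.
    This is the per-organization analogue of the 5.7% figure quoted above."""
    ids = {f.vuln_id for f in findings}
    return len(ids & exploited) / len(ids) if ids else 0.0


if __name__ == "__main__":
    for asset, vuln, action in prioritize(FINDINGS, EXPLOITED_IN_THE_WILD):
        print(f"{action:10} {asset:10} {vuln}")
    print(f"exploited share: {exploited_share(FINDINGS, EXPLOITED_IN_THE_WILD):.0%}")
```

The point of the ordering is that a finding with a high severity score but no observed exploitation (VULN-0005 on the exposed web host) lands below an exploited one on an internal kiosk; severity alone would have put it first. In a real deployment the feed would be something like a vendor's exploited-in-the-wild list refreshed daily, and `end_of_life` and `internet_exposed` would come from the CMDB and the firewall rule base rather than from hand-entered flags.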
A good data protection framework should facilitate data portability. However, 500 million people make for a large and diverse user-base. Making personal data portable could prove to be a real challenge, at least in the short run. But, the process needs to start somewhere.
With over 500 million internet users and a growing number of connected devices, India has a huge potential and need for Endpoint Detection and Response (EDR) solutions. EDR is a solution for detecting attacks that aim to penetrate the organization through its endpoints, e.g. workstations or servers, and is designed to detect advanced and highly evasive attacks by using more advanced detection approaches that include AI, machine learning and behavioral analysis. EDR leverages an agent installed on the endpoint. The agent continuously records the activity on that endpoint, stores the data on a server, and analyzes the data using AI-based approaches. EDR is designed to be the last line of defense, detecting the attacks that bypassed all other lines of conventional security, including firewalls, email security, antivirus and more.
I see the following challenges:
- The rate of adoption has been phenomenal and will continue to grow exponentially, as the use cases are no longer limited. This revolution, like any other, has a price to be paid, and that is what users are knowingly or unknowingly paying with their privacy. The majority of internet users are not tech savvy and hence are hardly aware of how their data could be used.
- The users have already started to face the heat of it with the failure of protecting the data thus collected. The public has always freely shared their personal data in the past, however this has been in the form of hard copies, the hidden advantage of which is clearly visible now.
- Most people are unaware that data protection has always been in place, what has changed is the ownership of the data. The earlier directives focused on the importance of data to the organization, while the latest directives assign ownership to the end user. Conveying this on a design level is a challenge.
- Awareness and education for internet users needs to be simplified into non-technical terms to ensure it is assimilated well by non-tech-savvy users. It may be added to course curriculums or delivered through specific campaigns. It is not enough for users to protect themselves from data breaches; they must also be able to fight them legally if they occur.
- Provisions in the law that could enable the data user to fight against the fiduciaries for any operation that has not been authorized, whether it is the collection, usage, storage, sharing or archival of data. It is for these reasons that the data protection framework has been introduced, but it needs to be more specific and detailed compared to the broad directives for privacy existing under the IT act already.
- Enablement and funds for law enforcement agencies including PPP models, so as to ensure the right mix of skills for the requirements.
Some of the major challenges could include a potential increase in the cost of products and services for consumers, since businesses will have to deal with higher compliance costs on their end. Unfortunately, there are no short-term solutions to this transition. The only thing for companies to do is to systematically adapt the framework to ensure compliance with the data protection policy rules, once implemented. Data protection has become a serious issue across the globe, and governments are taking all the necessary steps to protect their citizens’ personal information. Companies could face heavy penalties or restrictions from the authorities if the policies are violated in any way, and that’s a risk no one wants to take. There is no other way around this.
The biggest challenge that we see in India today is lack of awareness. With telecom networks rolling out 4G and 5G, many Indians now have a powerful internet connection that they did not have before. However, a majority of these people, who are fairly new to the internet, are completely unaware of online predators and online threats. As India moves towards digitalization, the government needs to educate its citizens about cyber threats, strengthen infrastructure, include cybersecurity in the education system, and so on. The Government, in all its power, has started on these steps, and we look forward to a more aware and cyber-secure India.
Data Protection Regulation – Regulate, Enhance the Security of Companies, Entities, etc.?
Internet users in the country are feeling less safe sharing their data with any company with each passing day, be it telecom, e-commerce, or even government departments. Given such rampant mistrust, there is absolutely no doubt that data protection laws, if implemented properly, will not only have a positive impact on all internet users in the country but will also revolutionize the Indian technology industry in unprecedented ways.
It would bring a new perspective to the prevalent approach to security and enhance the existing framework. Most data privacy controls are applied retrospectively, and given the number of systems and processes involved, the protection mechanisms are usually limited to encryption and anonymization, which are often patchy. In many cases it is not possible to implement these controls without a significant performance penalty or remediation cost. A privacy-by-design mindset will significantly improve privacy with minimal cost implications. It essentially consists of planning for privacy in the development and acquisition life cycle: capturing the minimum required personal information; using encryption, masking and anonymisation techniques; deciding on retention of data; assessing whether records and history logs can be used to reconstruct personal data (name, IP address); reviewing data used for analytics; deciding on the location of data; identifying the third parties involved and reviewing their privacy programs; reviewing all the manual and automated processes in use; and so on. Privacy by design also helps to ensure that innovation and disruptive technologies in various fields mature safely, at least from a data privacy perspective. Well begun is half done: implementing the new regulation is an opportunity for companies to review their security postures and to cover the gaps.
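Two of the items above, masking or anonymising identifiers before retention and checking whether retained logs can still reconstruct personal data, are the ones most often done wrong, typically by hashing an IP address and calling it anonymised. The following is an added example written for this page, not code from the article or from Aujas or any other quoted vendor: a log filter that replaces e-mail addresses and IPv4 addresses with keyed (HMAC) pseudonyms before the line is stored, a reconstruction check to run on the output, and a small demonstration of why an unkeyed hash of an IP is reversible. The log lines and `PSEUDONYM_KEY` are constructed; in production the key would come from a key manager and be rotated per retention period. Free-text names are deliberately not handled here, since a regex cannot find them reliably; they need field-level handling at the point of capture.

```python
"""Added example: privacy-by-design log pseudonymisation with HMAC, plus a
reconstruction check. Sample log and key are constructed, not real."""
import hashlib
import hmac
import re

# Constructed access log (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = """\
2018-10-12T09:14:02Z 203.0.113.45 GET /account user=ananya.rao@example.com status=200
2018-10-12T09:14:05Z 203.0.113.45 POST /orders user=ananya.rao@example.com status=201
2018-10-12T09:15:11Z 198.51.100.7 GET /login user=sanjay.k@example.org status=401
"""

# Hypothetical secret for the example only; fetch from a KMS/HSM in practice.
PSEUDONYM_KEY = b"rotate-me-every-retention-period"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def pseudonym(value: str, key: bytes, label: str) -> str:
    """Keyed, deterministic token. Same input -> same token while `key` is live,
    so per-client counts and joins still work for analytics; without the key
    the mapping cannot be recomputed or brute-forced from the token."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{label}:{digest}"


def pseudonymize_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace every e-mail and IPv4 address in one log line with a token."""
    line = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key, "user"), line)
    line = IPV4_RE.sub(lambda m: pseudonym(m.group(0), key, "ip"), line)
    return line


def pseudonymize_log(text: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Apply pseudonymize_line to every line; this is what gets retained."""
    return "".join(pseudonymize_line(line, key) + "\n" for line in text.splitlines())


def contains_personal_data(text: str) -> bool:
    """Reconstruction check: can this record still yield an e-mail or IP address?
    Run it on the filter output before storage and alert if it ever returns True."""
    return bool(IPV4_RE.search(text) or EMAIL_RE.search(text))


def sha256_hex(value: str) -> str:
    """Unkeyed SHA-256, the 'anonymisation' people reach for by mistake."""
    return hashlib.sha256(value.encode()).hexdigest()


def unkeyed_hash_is_reversible(token_hex: str, prefix: str = "203.0.113.") -> str:
    """Why a plain hash of an IP is not anonymisation: the input space is tiny
    (2^32 for IPv4), so guess-and-hash recovers the address. Shown over one /24."""
    for host in range(256):
        candidate = f"{prefix}{host}"
        if sha256_hex(candidate) == token_hex:
            return candidate
    return ""


if __name__ == "__main__":
    out = pseudonymize_log(SAMPLE_LOG)
    print(out)
    print("still contains personal data:", contains_personal_data(out))
    print("unkeyed hash recovered:", unkeyed_hash_is_reversible(sha256_hex("203.0.113.45")))
```

The design choice worth noting is HMAC rather than a bare hash: with a bare hash, anyone holding the retained logs can rebuild the IP-to-token table in seconds, so the data is still personal data in everything but appearance. With HMAC, the tokens stay linkable to each other (useful for rate-limiting and abuse analytics) but unlinkable to a person unless the key is also held, and rotating the key at the end of each retention period severs the link without touching the stored records.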
To put it simply, there aren't enough skilled analysts to fill the deluge of security positions that are opening at a pace much faster than new professionals are entering the field. Simulation training will allow new professionals to gain valuable security experience so India can quickly create an army of cyber defenders who possess the skills, grit and passion needed to keep the country's organizations safe from today's cyber threats and support the Data Protection Bill. Simulating security events in a manner that's as close to real life as possible helps SOC analysts make smarter, more informed decisions, regardless of whether they have been on the job for ten minutes or ten years. There's no substitute for experience, but we can't afford to wait for new analysts to accumulate years of on-the-job experience before they become effective cyber defenders. Everyone sitting in the SOC needs to be 100% ready for the big one to hit. Simulation training will help in proper preparation for real crises, in which teams can practice applying skills in a hyper-realistic, controlled environment, building their ability to react better with each iteration.
It depends on the enforcement mechanisms. The decision to invest in security is related to a company’s appetite for risk. In the EU, GDPR fines are potentially very significant and companies currently see big risks in failing to comply with GDPR requirements.
Growing cyber risk has led to the India Data Protection Bill mandating specific security requirements to protect consumer data and to strengthen cybersecurity. However, many organizations are doing only the bare minimum required to achieve compliance, with little consideration of the potential advantages that going above and beyond might provide. The truth is, organizations that go beyond compliance to offer robust data-security controls deliver greater value to consumers and build their level of trust, resulting in a distinct competitive edge. High-profile and high-impact breaches have caught the attention of companies and consumers alike. As a result, users are looking at organizations that store and analyze their personal data with increased scrutiny, and holding them accountable for security slip-ups that result in breaches. Regulations are a step in the right direction; however, organizations must think beyond compliance by taking a proactive approach to security. Only then will they be able to effectively protect consumer data and earn customers' long-term trust.