The next interview in this month’s series about Data Privacy is an interaction with Narasimha Murthy Pappu, the VP engineering and technology at Cartesian Consulting, a global analytics services firm specialising in customer, marketing and business analytics.
Murthy shares his thoughts on data security issues faced by India, security measures for data safety and best practices that companies can take to ensure zero misuse of data.
Analytics India Magazine: What are some of the data security issues faced by India? Is there a dire need of data privacy laws in the country?
Narasimha Murthy Pappu: Every citizen of the country expects that there are enough laws and mechanisms in place that enable her or him to feel safe in all aspects. For the most part, we have robust laws in place to accomplish the same. I believe that data needs to be treated like any other asset. If ownership of the asset is established, I believe that current laws including the IT Act 2000 can be readily applied to resolve disputes. However, I do believe that there are certain scenarios which are unique because of the inherent nature of data and we definitely need laws to address those nuances. The bigger issue is making the citizens of the country aware of their rights with regard to data privacy and the importance of protecting their data. This, I believe, is a more immediate need.
One exception is when the Government is a user of the data. This is an area where we do not have enough clarity and hence definitely needs laws for the same.
AIM: Why do you think people are more willing to give up their information on, say, social media websites, than for a government initiative like Aadhaar?
NMP: Firstly, the social media websites spend an enormous amount of effort, time and money in communicating the steps they are taking towards data protection. Secondly, most of the information shared on social media is not monetary in nature and in general people are comfortable sharing non-monetary data. There is a base level of mistrust in the Government at multiple levels. There is a concern about the capability of the government to safeguard the data. This emerges from the various reports of alleged leakage. Also, there are not sufficient laws in the country that a citizen feels protect them when the government is at fault. This is not necessarily true with private parties. Hence people are typically circumspect when the government is involved when it comes to data.
AIM: How can India provide adequate protection for electronically transferred data?
NMP: One of the first things India can do is to mandate the use of appropriate encryption for electronically transferred data at OSI Layer 7.
AIM: How will change in data privacy bring an impact on data collection and data aggregation?
NMP: The costs associated with all aspects of data usage, that is, collecting, processing and consuming, will increase in the short term. Organisations will need to invest in encryption technologies across the entire data value chain. The good news is that all these technologies exist and are scalable. The impact on data aggregation will be far less.
AIM: Many companies consider data as a commodity as well. Is that ethical?
NMP: Treating data as a commodity is ethical if the consent of the owner of the data is taken. The tricky part is to establish ownership of information derived from data. This is currently a grey area. As mentioned above, we need appropriate laws to address this.
AIM: What are the lessons learnt from the FB data leak? Where should IT leaders focus their security efforts?
NMP: One of the first things every IT organisation should do immediately is an audit of their processes, technologies and the roles of personnel across the data value chain. Second, if not already done, start implementing encryption for all PII data at rest as well as in motion.
AIM: What are some of the best practices that companies can take to ensure that there is no misuse of data or any other kind of data breach?
NMP: First and foremost, companies need to ensure that they have a data classification policy and procedures in place. Second, if not already done, they need to start implementing encryption for all PII data at rest as well as in motion.
AIM: What are the steps taken by Cartesian Consulting to ensure data protection of its clients and users? What are the various tools and measures used?
NMP: The following are some of the steps that we take to ensure protection of the data:
- All our data at rest is stored at a data center.
- Access to servers is restricted to authorised users only.
- Systems are put in place to restrict movement of data to and from servers.
- Servers can be accessed only from known endpoints using a VPN.
- Encryption is used for all critical data.
- There is no direct access to the data stores. All access is through approved tools.
- We implement security policies where even the administrators do not have access to the data within the schema.
- All traffic to and from the internet is checked at the following two levels for misuse:
  - A firewall at each of the offices restricts access to types of content and sites on the internet.
  - Checkpoint cloud security secures every laptop/desktop from virus threats, bots, IPS and malware even when the laptop/desktop is connected to a public internet connection.
- Physical access to servers is restricted to authorized users only.
- No public IP is assigned to any server, and we have created a DMZ where required.
AIM: What are some of the challenges while dealing with large amounts of data?
NMP: The main challenge of dealing with large data sets is manually classifying each of the data elements based on criticality. Once this is done, automation and technology ensure that we take the necessary steps to protect the data.
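The pattern Murthy describes, a manual classification policy for each data element (see the best-practices answer above) that automation then enforces, can be illustrated with a small added example; this is illustrative code written for this page, not Cartesian Consulting's tooling. The classification map, the handling rules and the sample record are constructed, and PII is pseudonymised with a keyed HMAC rather than encrypted so the block runs with the Python standard library only.

```python
import hashlib
import hmac

# Constructed classification policy: the output of the manual step in which each
# data element (here, a column name) is assigned a criticality class.
CLASSIFICATION = {
    "customer_id": "internal",
    "email": "pii",
    "phone": "pii",
    "card_last4": "restricted",
    "order_total": "internal",
    "campaign": "public",
}

# Constructed handling rule per class: what automation does to a field before a
# record leaves the data store (for example, for an analytics export).
HANDLING = {
    "public": "pass",
    "internal": "pass",
    "pii": "pseudonymise",   # replace with a stable keyed token
    "restricted": "drop",    # never leaves the store
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable across records (so joins still work),
    but not reversible without the key held by the data-protection team."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def apply_policy(record: dict, key: bytes) -> dict:
    """Apply the classification-driven handling rules to one record.

    An element that has not been classified is the failure mode to guard
    against: it is refused rather than passed through by default.
    """
    out = {}
    for field, value in record.items():
        cls = CLASSIFICATION.get(field)
        if cls is None:
            raise ValueError(f"unclassified data element {field!r}: classify it before use")
        action = HANDLING[cls]
        if action == "pass":
            out[field] = value
        elif action == "pseudonymise":
            out[field] = pseudonymise(str(value), key)
        # action == "drop": the restricted element is omitted from the output
    return out
```

Run against a new data set, the same function refuses any column that was not classified, which is what makes the manual classification step a prerequisite rather than an afterthought.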