“It is not a question if you are going to be hacked, but when.” When this statement comes in relation to India’s Aadhaar unique identity system, the largest digital identity database in the world, we better listen. “When we talk about critical information infrastructure it is always about hardware and software, when it is actually only about the data,” says Cheri McGuire, vice-president, global government affairs & cybersecurity policy, Symantec Corporation.
“The important thing to remember is that it does not matter which platform or device, as in the end it is about the data. It is really about how the data is protected. You are not getting rid of endpoint protection, you still need those, but the emphasis in on those protecting the core,” explains McGuire.
Watch video (App users click here for video)
She says a broad toolkit will be needed from encryption, multi-factor authentication and data loss prevention technologies that give you visibility across your networks to protect data at this scale. McGuire is impressed that the implementation of Aadhaar is happening very quickly, and thinks some of the lessons learnt by India will help other countries who are looking to implement similar identity management infrastructure.
On whether it is a good idea to have a single number at the core of a lot of services, she says it ultimately depends on culturally what is acceptable. “I do think there are some concerns when you tie everything to a single number as it does open you up a bit more. You have to look more closely at how you intent to protect the unique ID database and ensure that all those personal IDs are encrypted both at rest and transit, and to access things you should be using multi-factor authentication.” Plus she highlights that you need to have modern security software, as “five year old security software only gives you protection from threats that are five years old”.
McGuire says it is important to understand the psychology behind the cyber criminals and the threat landscape. She says the game has changed with nation state, organised crimes groups and hacktivists also becoming a threat along with everyday criminals. “Those different types of threat actors have access to much different types of technology and resources. The kinds of threats emanating from them will be at scale.”
She also warns about the insider threat, especially in the context of what has happened in the US with Edward Snowden. “That is where data loss prevention technology is important to be able to segment controls over who has access to what data, keep logs, tag data to see to if something is moving around. The old just-don’t-put-a-pen-drive-in does not work anymore as everything is wireless these days,” she says, underlining how it is also important to train people to be vigilant.
Plus, governments are dealing with numerous technologies that can sometimes create additional vulnerabilities, which she says is becoming more complex with the advent of BYOD, IoT, wireless interconnectivity.