Cheri McGuire of Symantec on cyber security best practices and the need to protect sensitive Aadhaar data
By: Nandagopal Rajan | October 26, 2015 12:11 AM
It is not a question if you are going to be hacked, but when.
When this statement comes in relation to India’s Aadhaar unique identity system, the largest digital identity database in the world, we better listen. “When we talk about critical information infrastructure it is always about hardware and software, when it is actually only about the data,” says Cheri McGuire, vice-president, Global Government Affairs & Cybersecurity Policy, Symantec, who has seen how countries implement similar systems around the world and helped them protect that data.
“The important thing to remember is that it does not matter which platform or device, as in the end it is about the data. It is really about how the data is protected. You are not getting rid of endpoint protection, you still need those, but the emphasis in on those protecting the core,” explains McGuire who leads global security giant Symantec’s public policy agenda and government engagement strategy that includes cybersecurity, critical infrastructure protection (CIP), and privacy.
She says a broad toolkit will be needed from encryption, multi-factor authentication and data loss prevention technologies that give you visibility across your networks to protect data at this scale. McGuire is impressed that the implementation of Aadhaar is happening very quickly, and thinks some of the lessons learnt by India will help other countries who are looking to implement similar identity management infrastructure.
On whether it is a good idea to have a single number at the core of a lot of services, McGuire says it ultimately depends on culturally what is acceptable. “I do think there are some concerns when you tie everything to a single number as it does open you up a bit more. You have to look more closely at how you intend to protect the unique ID database and ensure that all those personal IDs are encrypted both at rest and transit, and to access things you should be using multi-factor authentication.” Plus she highlights that you need to have modern security software, as “five year old security software only gives you protection from threats that are five years old”.
McGuire says it is important to understand the psychology behind the cyber criminals and the threat landscape. She says the game has changed with nation state, organised crimes groups and hacktivists also becoming a threat along with everyday criminals.
The Symantec official also warns about the insider threat, especially in the context of what has happened in the US with Edward Snowden. “That is where data loss prevention technology is important to be able to segment controls over who has access to what data, keep logs, tag data to see to if something is moving around. The old just-don’t-put-a-pen-drive-in does not work anymore as everything is wireless these days,” she says, underlining how it is also important to train people to be vigilant. Plus, governments are dealing with numerous technologies that can sometimes create additional vulnerabilities, which she says is becoming more complex with the advent of BYOD, IoT, wireless inter-connectivity.
Symantec alone secures a billion IoT devices across the world. “We have a lot of experience in IoT, but also some concerns. There are great devices and applications coming out, but we believe there is a small window available now to ensure security and privacy are built in before it becomes ubiquitous like the Internet. We know the Internet was not built with security in mind and we have an opportunity to change that with IoT.” She adds: “We don’t want to slow innovation, but we also believe the security technology should be engineered into those devices and you are not trying to bolt it on later. It is proven that building technology at the front end is not just easier but also more effective.”
On the smart cities front, McGuire says it is a positive sign that nations are not just blindly going into instituting these “great new things without being mindful of security and privacy”. Symantec believes there must be a global standard so that there is a level playing field for all players.
First Published on October 26, 2015 12:11 am