By digging out intimate moments of close to 100 Hollywood celebrities, hackers have shown the dangers confronting India’s efforts to digitise personal data for electronic governance
R Swaminathan | October 1, 2014
The au naturel pictures of Jennifer Lawrence and Kate Upton floating freely in cyberspace have serious national security implications for India. Hackers dug out what was considered by close to 100 celebrities as their private, intimate and completely secure moments and put it all out in the digital domain for everyone to see. In doing so they ensured that cybersecurity experts could no longer ignore the elephant in the room about cloud storage and services.
A certain unacknowledged sense of disquiet about cloud storage and services has always been a constant backdrop in the discussions dealing with security of data. Cloud is here to stay. In fact, it is increasingly adopted by corporate houses, government institutions, online retailing companies and financial service companies for reasons that range from substantial savings in capital expenditure to a drastic reduction in time-to-launch and time-to-market scenarios.
Cloud also has special significance for electronic and digital governance. The US government, for instance, has saved close to $4 million till now since it shifted from Lotus Notes to Google’s cloud-based email services. The savings primarily come from cuts in hardware, licensing and maintenance costs. Cloud services bring down the average cost of ownership of a digital property drastically. Gartner estimates that any organisation dealing with digital data or information technology services spends close to two-thirds of its annual budget in daily operations (read maintenance, security, monitoring of traffic, managing downtimes and analysing server logs).
The consultancy firm, in a comprehensive study across 500 major digital organisations, found that replacing traditional server farms with virtual ones (cloud) brought up to 50 percent operational and infrastructural efficiency for companies and institutions. The utility and business logic of cloud computing, storage and services cannot be overstated, or underestimated for that matter. What has always been the unspoken Achilles heel of digital society and economy, more so now that it is underpinned predominantly by a cloud framework, has been the security of data.
India’s ambitious electronic and mobile governance initiatives as well as its plans to develop 100 smart cities are going to be based on a foundation of technology, software and data, much of which will be stored, processed and retrieved on cloud. The country is already in the process of investing ₹11 lakh crore for its e-governance initiatives, a massive budget that is comparable to the GDP of Finland and Chile. The plan to develop 100 smart cities is officially expected to cost slightly over ₹7,000 crore. Realistically, however, developing each city is expected to cost at least ₹1,000 crore, which makes the overall spend touch a substantial ₹1,00,000 crore.
Both plans require a substantial investment of public and private funds. They also need a fundamental reorientation of the way India has been dealing with data till now. Identifying, capturing, storing, retrieving and then creating a networked intelligence and knowledge framework out of various data points requires an overarching layer of business and governance analytics tools that can only be rolled out on a cloud ecosystem. In short, both public and private data will be put up on virtual servers similar to those that hackers were able to break into so easily to access intimate celebrity photographs and videos. It is in this context that India has to deal with data security within the cloud environment, not just as an aspect of cybersecurity but as an independent issue requiring a different mindset, thought process and operational plan.
The first aspect of creating an autonomous policy framework is to establish a clear conceptualisation of a cloud as a model rather than just a service: one that enables on-demand ‘network access to a shared pool of configurable computing resources’ with zero downtime, minimal uptime and service provider requirements. By configuring cloud as a model, autonomous policy frameworks for cloud subsystems of Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) can be established.
Such a clear-cut definition and associated policy formulations are currently absent or, at best, ill-defined. It would be good for Indian policy makers to seriously look at the American National Institute of Standards and Technology (NIST) deployment model. It consists of a private cloud, where the infrastructure is completely and exclusively used by a single organisation, a public cloud, for open use by general public, a hybrid cloud, which is often used as a gated resource network by public-private partnership services, and a community cloud, which, as the name indicates, is used exclusively by a group sharing specific interests.
Such a deployment model creates a transparent arena of virtualisation, which is a necessary component of a cloud ecosystem, allowing for risks associated with virtual machines and data to be identifiable and manageable. For instance, the hypervisor software that manages communications between a physical server’s memory, CPU and virtual machines allowing for quick provisioning and decommissioning of a virtual computing environment is also a critical vulnerability that allows hackers to gain access to sensitive data. A clearly specified deployment model allows for a realistic risk assessment and management environment to be formulated.
The second aspect is to identify information security standards, protocols, procedures, processes and guidelines that take into account the specific deployment model and the subsequent service models emerging from it. Currently, standards and protocols on information security and data security do not specifically deal with the cloud ecosystem and the unique challenges of confidentiality, integrity and availability of data that they throw up. With India entering a more advanced phase of electronic and mobile governance, service and delivery frameworks are increasingly becoming specific.
A good example of this process is the way Pradhan Mantri Jan Dhan Yojana (PMJDY) is creating a more focused financial inclusion model based on the RuPay debit card as opposed to the more broad-based inclusion models created by the Aadhaar system. Both are, however, fundamentally dependent on the cloud ecosystem, even though each one’s security requirements are completely different. It is here that Indian policy makers would do well to understand the global security systems and standards that have evolved over the past several years. These standards cater to different forms of financial data security, IT service delivery and control environment.
Indian e-governance platforms, especially those dealing with financial and business transaction services, can take a leaf out of the book of Google, which became ISO 27001 certified in May 2012. Such a certification allows for an independent third-party audit, which, in turn, makes security protocols and systems robust, allowing them to identify and manage new threats. In this context the American Federal Information Security Management Act (FISMA) of 2002 and the Federal Risk and Authorisation Management Programme (FedRAMP) should be of special interest for Indian policy makers.
The third aspect is to rapidly strengthen specialised digital forensics capacity within India. Data security for the cloud ecosystem can never be foolproof. Cybercrimes of various degrees will always be committed. While most of the cyber raiders, and hackers, might stop at DoS attacks and overloading of servers with continuous bot requests, there are increasing instances of more sophisticated attacks. Amazon’s wireless retail site saw a cross-site scripting attack in April 2010 that allowed hackers to access customer credentials. Similarly, but more worryingly, the data breach at Target in 2012 resulted in over 100 million people losing their personal and credit card information. India is completely unprepared to deal with cyberattacks of this scale and policy makers must look to create a specialised cadre of digital forensic experts.
The digital forensics university in Gujarat is a good beginning. Such institutions, however, need to be quickly set up in all states, and the expertise generated should percolate down to district and block levels. The private sector must start to proactively share their expertise, and experts, with government institutions.
India will become a digital society. It is also deploying all the right pieces and infrastructure for a digital economy. The foundation for both, without any doubt, will be the cloud ecosystem. That ecosystem, however, needs to be protected through a robust policy and legal framework that acknowledges the emerging concerns and realities of data security and privacy.
Swaminathan is senior fellow of Observer Research Foundation (ORF), fellow of National Internet Exchange of India (NIXI), and contributing editor of Governance Now.
This article was first published in the October 1-15, 2014 print issue.