The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.
All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.
Disclaimer
The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.
For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.
As COVID-19 continued to spread, Governments announced lockdowns in response, and companies had to allow employees to work from home. As there was a drastic increase in workforces joining company networks from home, attackers likely ramped up their efforts to take advantage of the inadequate or loose security posture of the WFH environment. The rush to move to work from home environment left security loopholes and made businesses vulnerable. Employees using home network and public internet services to access their official resources added another set of security challenge.
Security leaders from different industry verticals and DSCI came together in this challenging time for sharing experiences, learning, and best practices. In the series of several calls since the lockdown was announced, CISOs discussed their challenges, shared solutions and techniques they adopted, reflected on immediate problems, debated ideas, and put together strategies for addressing the long-term issues. In a couple of calls, CISOs also interacted with government authorities responsible for national cybersecurity.
This paper is an attempt to compile the discussion and deliberations for the benefit of the security community. It also serves an account of how the security fraternity, behind the wall, handled the unimaginable and unprecedented pandemic disaster.
1. Enabling WFH: Connectivity Options
The figure below depicts the options experimented for connecting the work environment to the corporate environment.
Fig. 1: Connecting home environment with Enterprise
While IPsec VPN is a popular option, many more options have evolved for remote or teleworking. SSL-VPN is the preferred option for providing access to applications. Due to cloud providers, Virtual Desktop Infrastructure (VDI) has evolved as an option as it allows connecting to corporate networks from any machine. As many corporate applications are moving to the cloud, provisioning access to the cloud application played a very significant role in handling the pandemic situation.
Advanced options like Software (or Blockchain) Defined Perimeter reduces dependencies on VPN, which is called out for the complexity of configuration and latency.
Fig 2: Various options adopted across the sector
Transition to the work from home environment was a daunting challenge, as the timespan was very short, and scale of operation was unprecedented where companies had to adopt various means and techniques.
2. Compilation of Issues and Challenges
The virtual meetings hosted by DSCI were quite intriguing and engaging. The CISOs from different industry verticals not only shared their experience of managing the unprecedented BCP and security situation but also deliberated on various strategies to manage the challenges. The figure below compiles them.
Fig. 3: Challenges to manage resiliency
3. Remote Working Enabling Infrastructure (VPN)
Virtual Private Network is the primary means that enabled moving to the work from home environment in the shortest possible time. CISOs discussed the nuances of the technology option. The following figure captures the experience, best practices, and insights associated with IPsec and SSL VPN technologies.
Fig. 4: Insights associated with IPsec and SSL VPN technologies
4. Public Policy enabling Work-From-Home (WFH)
CISOs across the industry verticals appreciated timely response and updates to the Government’s policy to enable WFH. Since the lockdown began, NASSCOM and DSCI worked closely to push the Government on following two fronts:
Relaxation guidelines, issued by Department of Telecommunication (DoT), towards terms and conditions for Other Service Provider (OSP) to facilitate WFH
Issuance of ePass for employees working in sectors providing essential services
DoT issued guidelines for OSP to facilitate remote working on March 13, 2020, and later revised the guidelines on April 15, 2020. Both the versions covered four main aspects – requirement for the security deposit, use of static/dynamic IP, need for prior permission, and a penalty for non-compliance. Below table summarizes the key points:
Fig 5: Initial iteration of DoT guidelines
Clearly, the guidelines issued in April were further relaxed by the DoT. Another issue that was commonly discussed by our CISO community was the case of movement (or office commute) of workforce employed by organizations providing essential services, for instance employees supporting data center operations of a bank during curfew.
State government across many states – Delhi, Odisha, Telangana, Tamil Nadu, Kerala, Karnataka etc. have issued guidelines to procure ePass for their employees. NASSCOM has been helping in issuing advisories and spreading the awareness on the topic for easy reference.
5. Business Resiliency in Global Scale Pandemic
Recovery from the Pandemic is far from over, but the silver lining in this whole scenario is that our industry leaders are collaborating across the sectors to understand how businesses can be made resilient to this Zero-day attack on human lives. Naturally, this requires organizations apply unprecedented thinking for continuity planning.
Organizations need to think holistically when it comes to developing business resilience strategy for post-pandemic world. The possible pandemic scenarios from now on are depicted in the figure below, along with their impact on resiliency planning.
Fig. 7: BCP plan
Since the lockdown began in March, DSCI and CISOs from various sectors (BFSI, IT/ITeS, Oil & Gas, Healthcare etc.) came together to discuss and find solutions to the business and operational challenges that came along with COVID-19.
Scenario 1: In this scenario, the virus is rapidly and effectively contained, as per original plans and the lockdown ends as planned by the Government. Under this scenario, workforce may be expected to return to the office, at least partially. However, operational excellence will take center stage in planning of workplace setup and operational elements under the ‘new normal’.
Plan to bring back workforce will be a critical element. As discussed in our paper titled “Resuming work from office under new normal”, the very step will be to do people classification, either on the basis of administrative attributes such as vicinity to the office, availability of the private vehicle for office commute, or on the basis of business role attributes such as criticality of the project delivery, sensitivity of the data being handled and access to the specific areas such as lab for testing etc.
Since the lockdown began in March, DSCI and CISOs from various sectors (BFSI, IT/ITeS, Oil & Gas, Healthcare etc.) came together to discuss and find solutions to the business and operational challenges that came along with COVID-19.
Scenario 2: This scenario will push businesses to go under lockdown again after certain time in future, but many businesses will be better prepared, given the prior experience. However, in order to transition back to the lockdown situation, would need attention towards segregation of certain capabilities that might be needed to scale up, while others that would be needed to scale down.
The BCP plan would require organizations to prepare the infrastructure (procuring the computing devices, end products, VPN, cloud infrastructure etc.) for new normal.
Scenario 3: There is yet another possibility that the pandemic escalates even before the lockdown is over. This would essentially require organizations to continue work from home. The scenario would require organizations to limit the workforce to commute to the most essential services only. Organizations might fear chaos and challenges around productivity loss, and hence BCP must take such aspects into account.
6. Resuming work from office under new-normal
Resuming back to the workplace is a challenging task. The inputs from Kalpesh Shah, CISO, CIPLA helped to put up a 6-phase approach for it as depicted in the figure below.
Fig. 8: Resume to work
Aware & Apt: Once the workforce planning is complete, as discussed in the previous section, CISO and his/her team must undertake efforts to develop user awareness. To be impactful and relevant, the awareness must be tuned to the specific needs of the teams.
Prepare & Push: Organizations need to develop controls to ensure infrastructure readiness, deployment of hardening standards and baseline security.
Scan & Sanitize: Scanning machines before they get connected back to the office network, check for new vulnerability disclosure in the past 7-8 weeks; check if plug-ins are available and have clear understanding of quarantining the machines becomes the next priority
Allow & Admit: Provisioning access to the network and allow employees’ laptop and desktop back on the corporate network is the next step. Understanding the distribution of employees in the office premise, as well as those at home would be critical for this. Accordingly, access to the network zones should be provisioned.
Track & Trace: Organization need to step up monitoring network behavior. They need to re-configure rules based on use-cases and indicators of compromise observed and developed over the last few weeks. There is fair amount of ‘noise’ in the network, and hence monitoring needs to be finetuned.
Comply & Conclude: One thing that came out very clearly was zero tolerance to non-compliance. Specific efforts should be invested to bring the compliance posture back.
One of the members of the CISO community, Manikant Singh, CISO DMI Finance, shared his inputs on the possible controls that would be important. The controls depicted in the figure are derived from the inputs.
Fig. 9: Control list – resuming back to workplace
7. Managing Security
One of the global IT service providers became victim to the Maze ransomware attack. Even though this isn’t a typical case of attack due to WFH scenario, this incident suggests that hackers will not miss out any window of opportunity to attack the organizations. Ever since organizations have adopted at-scale work from home, hackers have been finding ways of attacking employees and organization through phishing and ransomware attacks.
The very initial step for any organization is to do the cyber-maturity assessment to understand the current status of the cybersecurity preparedness. This combined with risk appetite of the organization, CISOs will be able to have better understanding of the risk profile the organizations fits into.
Further, there are 4 aspects of managing security:
Fig. 10: Ways to manage security holistically
Network Security: Depending on the risk profile, companies can adopt following practices for network security, targeted at infrastructure to enable remote access:
Fig. 11: Network security – basic requirements
Companies, which have higher risk profile and have appetite for investing more in security adopt following practices:
Fig. 12: Network security – basic requirements
Data Privacy: There have been multiple debates around data privacy being ignored in the wake of COVID-19. However, our CISO discussions doesn’t point us in that direction. Surely, they have many other priority areas that have cropped up, data privacy still is on CISO’s priority list.
Organizations should adopt following practices for securing the data:
Encryption of channel connecting remote machines
Monitoring of traffic and connections
Secure protocols to accessing enterprise assets and data
Organizations, which have higher risk profile and have appetite for investing more in security adopt following practices
Data classification
Data leak prevention
Information Rights Management
User behaviour monitoring
Forensic investigation
Email encryption
Information Sharing: It has been observed over time that hackers keep getting better in coming up with the sophisticated techniques of carrying out breaches, it is important that information about changing threat vectors and landscape is shared within and across the sectors.
Though, the organizations and Government across the globe have been sharing information for many years now, for example creation of sector specific ISAC, there is a need to improve and increase the information sharing.
According to one of the Government officials who joined our CISO conversations there is a need of co-operation between organizations and Government, that is the information needs to flow both ways – fromGovernment to organizations and from organizations to the Government, so that everyone in the ecosystem remains updated about the changing threat landscape and understands best practices and advisories that are being issued in response to the threats.
Only through information sharing, we can improve collaboration to enhance situational awareness in the organizations across different verticals.
Continuous Monitoring: Pandemic situation has changed the way and the scale at which we are interacting with technology. Hence for IT admins of any organizations, the network traffic that is out there for monitoring has increased many folds. This increase in the scale has led to another problem for our deployed monitoring tools – separating false positives and false negatives. There is a need to separate out ‘noise’. CISOs agreed that organizations need to put in effort to reduce the noise and set-up monitoring activities.
8. Video Conference Security and Security Capabilities of Collaboration tools
As offices around the globe have advised employees to work from home, video conferencing have replaced physical meeting rooms. Recent increase in cyberattacks through collaboration tool such as Zoom has highlighted the need to follow stronger cybersecurity controls.
As an outcome of our conversations with CISOs, DSCI believes that collaboration tools must be assessed on 4 attributes – Security controls, Privacy, compliance with international standards and integration.
Fig. 13: Features in collaborative tools
Technical Controls: Some of the controls that must be in collaborative tools are as follows:
Multifactor authentication, SAML-based single sign-on
Single sign-on
End to end encryption – for media (e.g. using Secure RTP), and for network communication (e.g. using OAUTH, TLS, Secure RTP)
Advanced protection program, which includes – Threat protection policies, real-time report to monitor ATP performance, automated investigation and response capabilities etc.
Backup encryption, etc.
Privacy: The tools must be compliant with some of the leading privacy frameworks such as GDPR, EU-US and Swiss privacy shield, Children’s Online Privacy Protection Act (COPPA), the Federal Education Rights and Privacy Act (FERPA), the California Consumer Privacy Act (CCPA), and other applicable laws etc.
Compliance with Security Standards: These standards include ISO 27001, 27018, SOC2, TRUSTe, HIPAA, etc. The compliance provides the trust factor to the users that cybersecurity is being followed
Integration: If collaborative tools can integrate with other leading applications, the chances of air gap in security decreases.
Besides these features, there are some best practices that must be followed while handling video conferencing tools. Some of the practices are:
Don’t click on video conference links shared by unknown individuals
Don’t make meetings public, unless it is necessary
All meetings should require password and should have features such as waiting room to control the admittance of guests
Don’t re-use or re-share the passwords and meeting tokens
9. Legal and Compliance
Legal and compliance is a very important component, especially in the current situation. Holistically covering this component will require to look closely into 4 interfaces, as shown in figure 14.
Fig. 14: Interfaces to understand Legal and compliance
Organization-Employee interaction
One of the key aspects to understand is that due to sudden lockdown, the entire ecosystem of organization-employee interaction has shifted from guarded and secured corporate setup to employee’s home. This has resulted in potential legal risk, especially when it comes to non-disclosure agreements. According to many CISOs we interacted with, they brought up mandatory requirement for employees to sign advanced level teleworker NDA. Organizations are worried about sensitive data leakage at this stage, and NDA can help to assure that due care has been taken by employees for the data.
There is also an issue of licensing compliance within this dimension – organizations need to ensure that employees are processing (or consuming) the data on licensed versions of the software, including Microsoft product suite and other specific tools and applications.
Organization-Client relationship
Clients want to ascertain that organizations adhere to the SLA agreement. SLA agreements cover two aspects – performance and security & privacy. The sudden shift from office to home has brought in cultural change aspect along with it and many CISOs and clients fear that they would impact the productivity and performance. However, as interactions with CISOs progressed over the seven weeks, it was very apparent that CISOs across the sector can either maintain or increase the productivity.
Another aspect to be considered is the legal sign-off from the client for work-product, milestone achievement, planning, vendor onboarding and various other aspects of day-to-day project management.
Conducting important meetings such as board meetings over virtual platform is another important aspect in this relationship. Though it can be made mandatory to sign declarations (just like in the case of physical meetings) before any important meetings, but security and privacy aspects in virtual tools worry companies.
Organization-Regulation compliance
This relationship can be studied through two lenses – Data privacy expectation and cyber incident reporting.
For data privacy, organization should ensure that all data controls are in place so that employees can work on sensitive data, without any data leakage. Such controls also become part of any organization’s compliance program.
If any organization is breached, it is comparatively simpler to report the incident and act swiftly post the incident has occurred. However, if the personal laptop of an employee is breached, it becomes very difficult for organization to act swiftly and report such incidents to regulators. Hence this raises the legal and compliance concern for organizations.
Organization-Government obligations
Government (via CERT-In, DoT, NCIIPC and sectorial ministries etc.) is actively working on issuing advisories on technology usage, including collaboration tools, in work from home scenario, pushing wide-use of contact tracing app and sharing information on threats to Indian organizations.
This implies that organizations must be on a look out for frequent updates to the new advisories, so that new and updated protocols are being adhered by the employees.
10. COVID 19 New Normal: Security Architectural Paradigm
The COVID-19 pandemic outbreak, the transition towards remote working, and likely continual of it for a longer duration brings a new paradigm of cybersecurity. Although security engineering is moving far more beyond the enterprise perimeter, gradually moving to the cloud and putting its reliance on platformized capabilities, COVID-19 accelerated the process. During the series of discussions, the CISOs underlined the use cases that have become important during the pandemic. The following figure summarizes them.
Fig 15: Security use-cases
The WFH paradigm challenges the existing security, which is focused on the perimeter and centralized defence, where all traffic is filtered through the gateway security solutions. It would not be practical in the new paradigm nor would it be feasible from the security perspective. There is a need to overhaul security design, imbibe innovative ideas, and approach it with fresh minds.
The figure illustrates the architectural ideas that would be dominating the new security paradigm. Some pieces have been under experimentation, development and deployment. However, the COVID-19 pandemic pressed the accelerator for more innovation, development technologies and adoption.
That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.
The current context of global Coronavirus pandemic or more relatively known as COVID-19, has forced Governments, businesses and other institutes globally to take necessary precautions, and impart health guidelines and advisories such as social…
As the world is grappling with the Coronavirus Pandemic, it has led to massive lockdown in most parts of the world. While the COVID-19 scare has upended lives and led to major health concerns, it has also pushed organizations to adopt a full-scale…
Due to the global pandemic of COVID-19, the home has become the new office!Work from home (WFH) has become the need of the hour and the utmost priority is to keep the workforce safe and ensure productivity. In light of these conditions,…
