Building the government-to-citizen (G2C) value chain with cloud-first-security-first approach, ET CIO
India is transforming towards a digital, diverse, secure and inclusive economy and cloud computing is helping the country in bridging the digital divide, step by step. Digital India Mission has transformed the delivery of government services to millions across the country. Now, this pioneering campaign is entering its next phase, to ensure the anytime, anywhere access to citizen services that an increasingly tech-savvy population expects. To rise to the challenge, government enterprises will need a fresh approach to digitization. Therefore, to create of a nationwide digital infrastructure, allied with new tools and technologies – AI, Big Data and the Internet of Things [IoT] which will galvanize various sectors to improve the well-being of every Indian will require Government of India to build and sustain a robust digital architecture. This is where the cloud infrastructure takes the center stage that forms the core of services delivered to citizens of India through multiple applications.
These services are segregated into two major categories:
Services directly consumed by citizens like health records for citizens, benefits for BPL families, applying passport, Schemes for farmers.
Services consumed by different Government departments like procurement through portal for govt departments, weather forecasting.
With cloud playing a major role in the digital journey of government enterprises, it becomes eminent that cyber security and data privacy plays an extremely critical role in ensuring that the customer data is safe from breaches.
With multiple integrations and technologies on a cloud platform and rising sophisticated cloud threats hackers can exploit vulnerability due to misconfiguration, weak or unauthorized access, malicious insider to compromise security controls, establish foothold and move laterally to exfiltrate sensitive data. Often, we have seen that the vulnerabilities in the application or infrastructure are exploited to gain access to customer data. This affects the confidentiality, integrity and availability (CIA) of citizens personally identifiable information (PII) or sensitive information of various projects under the State and Central ministries.
To overcome these challenges, the government will need to start by assessing and uplifting the digital posture of each concerned department, further enabling an interconnected ecosystem of government, private, and peering parties, and offering seamless and secure last mile for Government to Citizen (G2C) services and support. All this while keeping the citizen’s data and identity safe.
Adopting a digital platform is prudent with a Cloud-Internet-Security-First approach – an integrated, scalable and resilient digital core that brings together the best of infrastructure, application, technology stacks and systems integration in a holistic manner to facilitate cohesive operations while meeting the various regulations and compliances and maintaining all security parameters across data privacy, residency, sovereignty and more.
A cloud first strategy will help government departments to build a centralized IT infrastructure which can optimise operations and reduce maintenance costs and downtime. It also helps build and deploy applications in a scalable manner using containers and microservices enabling government to launch new or enhanced citizen services in future. Therefore, it is extremely important that the design, deployment, and compliance of any cloud infrastructure hosting Government applications, should be of highest priority and certified by a competent authority.
The Cloud service provider should ensure that they offer a Sovereign Cloud Platform that provides an integrated hybrid-ready cloud platform, with the flexibility and control government wants along with the assurance of staying compliant with ever evolving regional and regulatory guidelines at all times. To safeguard the national interest, it’s important that foreign authorities have no access over the data and government organizations can physically visit data centers for auditing their assets to ensure the vulnerabilities are accounted for and rectified.
A dedicated Government Community Cloud (GCC) that is secure, efficient and outcome-oriented, is a composable way to drive digitization where a dedicated, federated and secured cloud infrastructure has been created especially for government agencies. Hence, ensuring that government’s extremely sensitive and valuable data is safeguarded – with both user data and control meta-data deployed, monitored, and managed 100% in country and governed by the law of land. This is further complemented by an open API lead approach to accommodate different internal and external agencies for swift and secured digital interconnections.
With ease of access through smartphones, tablets and laptops, the traffic to citizen-services workloads will only increase, resulting in greater need to setup mechanism to counter cyber-attacks and other security threats. Making existence of a trustworthy cyber security infrastructure following the principles of security by design is a precondition for all e-governance initiatives/ Therefore, adoption of a security first strategy is essential to reduce and manage cyber risk. Cyber threats are getting more prevalent, and the scale and severity of attacks are getting more intense. The hyper connected digital environments have expanded the attack surfaces and vulnerabilities. A single security breach may lead to data loss, disruption of day-to-day operations and impact the credibility of the system.
The following best practices are recommended for cyber security that State and Central Governments should adopt to deliver services securely while leveraging cloud technology benefits.
With rising internal attacks from malicious insiders or compromised credentials, escalate security with SSO, MFA and privilege identity management to stop abuse from privileges, and attacks on admin accounts.
With politically motivated advanced persistent groups (APT groups) targeting Indian government run services and infrastructure with distributed denial of services attacks, appropriate security controls to prevent DDoS attacks and ensure uninterrupted delivery of critical services must be deployed.
With fragmentation of cloud endpoints securing this diverse landscape will require multiple endpoint security controls including antivirus or malware protection, host-based intrusion prevention system (HIPS) and file integrity monitoring (FIM) that continuously monitors and verifies the integrity of files and configurations on servers, detecting any unauthorized changes or modifications to protect against tampering, data breaches, and unauthorized access.
To safeguard applications, governments can enforce application level micro-segmentation for cloud, SaaS and web applications. It can also govern cloud usage across different devices and help meet regulatory compliance and data privacy mandates.
Furthermore, governments can partner with cyber security service providers that can work as an extension of their SOC teams to integrate managed detection and response/SIEM solution to quickly detect threats across the cloud estate, and automatically respond to them swiftly. The cyber detection and response services that leverage MITRE ATT&CK framework cyber threat intelligence and threat advisory can provide recommendations on preventing on-going attacks.
Uncover security gaps with vulnerability assessments that help identify misconfigurations, application-level code, configuration and design errors, REST API vulnerabilities, including secure code review and DAST to measure potential risks scores and prioritize security for higher risk assets. This further helps in adhering to regulatory compliance requirements.
The future of e-governance starts from how well streamlined, integrated and automated the government processes are, and how conveniently can they be used by citizens. Digital India will ride on the reach and access to citizen services and information – anywhere, anytime by the Indian citizens.
Tata Communications is on a mission to empower governments and enterprises build a resilient and self-reliant India by protecting the country’s critical infrastructure and systems that Indians rely on every day with smarter and secure solutions.
The author is the Global Head of Cloud and Managed Hosting Services, Tata Communications
Disclaimer: The views expressed are solely of the author and ETCISO.com does not necessarily subscribe to it. ETCISO.com shall not be responsible for any damage caused to any person/organization directly or indirectly.