TCS RESEARCH

Manage Enterprise Risk and Compliance

Sitaram Chamarty, Head – Security Research
Sachin Lodha, Head – Data Privacy Research

Security is a core concern in all areas of IT, as important as, if not more than, the notion of quality itself. The technology is expected to give an assurance that the solutions provided are resistant to being exploited or attacked by malicious entities. The concept of security has an enormous number of facets, many of which are inter-linked. For example, application security and network/infrastructure security are also connected with user education. Human factors are also very important, because security and convenience are often in opposition. The e-security group develops the kind of end-to-end security solutions that our customers want.

In addition to security, privacy has also become an important issue lately, driven largely by two factors. Firstly, globalisation and increased automation cause a reduction of the human element in financial or other transactions. This allows anyone with the correct information to masquerade as anyone else, making fraud, especially online fraud, easier. Secondly, though many companies present a single face to the customer, it has become very common for multiple independent entities to be working together behind the scenes, which means information is being shared with an increasing number of smaller entities rather than restricted to one large entity, increasing exposure.

Areas

 The group is currently active in the following problem domains:

  • Digital Watermarking Technology (DWM) is useful for piracy tracking and for detecting pirated video files. It is not easy to restrict what a user can do with digital media unless all the hardware and software have been supplied by the content owner and cannot be tampered with, even if the end-user notionally “owns” the hardware. Since this is not always true, the focus has shifted from prevention to detection, and this is where DWM comes in.
  • Enterprise Digital Rights Management, on the other hand, can protect document content, because the hardware and software are owned, installed, and operated by the enterprise. As a result, it is possible, using cryptography, access controls, and secure viewers, to restrict what a user can do with company-owned documents under his charge. This is what the eDRM project is charged with realising.
  • Java Web Application Hardening is a somewhat ambitious attempt to make security holes caused by common programming errors a thing of the past. Very few people know all the ins and outs of writing secure software, but this project attempts to distil some of that knowledge into a system that guides the developer writing code. It does this using static code analysis, security patterns and program transformation, and the net effect is to allow developers to easily scan their code for security violations and fix them from right within their IDE.
  • Privacy Tools: As a part of our research in data privacy, we are formally studying the trade-off between the utility of sharing data between co-operating entities, and the potential lack of privacy or violations of privacy laws. We would like to find a comfortable position between the extremes of fully disclosed and completely withheld data. This has a lot of relevance for TCS given that we often work with client data either onsite or off-shore. Ideally we would want to keep our experience certainty promise (and, therefore, we need high utility data to work with anywhere) and also help our clients remain competitive (which may mean more off-shoring) while maintaining their goodwill (no privacy breaches). We envision data privacy management in an enterprise to comprise three important facets governed by the Risk and Compliance understanding.
Case Study