This article first appeared in DNA India on January 11th, 2018.
The recent spate of news regarding the ease with which Aadhaar numbers and associated information could be obtained turned my mind towards the security of software systems in general. While the scale of the problem facing the folks working on Aadhaar is humongous, all software systems, and more so those in the B2B space, need to pay careful attention to data security.
In the past, data security for on-premise systems was relatively simpler, with the principal point of intrusion being the network interface into the organisation. A good perimeter defence was therefore able to thwart most attackers from gaining access to data. With the advent of cloud-based systems, however, the opportunities for data breaches have multiplied. Attackers are able to exploit vulnerabilities all along the data value chain: from the moment data passes through the organisation's internal network, through the so-called demilitarised zone (DMZ), across the public internet and into the cloud provider's environment.
While cloud providers like Amazon Web Services (AWS), IBM Softlayer and Microsoft Azure take security very seriously and ship network firewalls (security groups) that deny inbound traffic by default, individual users have the ability to undo that protection through their own actions. For instance, a user who opens ports indiscriminately on his or her server, or who allows the whole internet (0.0.0.0/0) to reach an administrative or database port, exposes multiple points of attack to potential hackers.
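The "opened indiscriminately" case above is easy to catch mechanically. The following is an added example, not code from the original article or from any cloud provider: it audits a constructed, simplified list of inbound firewall rules (the field names `id`, `protocol`, `from_port`, `to_port` and `source` are assumptions standing in for what AWS security groups or Azure NSGs actually expose) and flags any rule that lets the entire internet reach a sensitive port. A weak rule set and a hardened one are included so the check can be run on both.

```python
"""Audit inbound cloud firewall rules for world-open exposure.

Added example, not part of the original article. Rule format and the two
sample rule sets are constructed for illustration.
"""
import ipaddress

# Services that should never be reachable from the whole internet.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
    1433: "MSSQL", 6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch",
}
# Services that are legitimately public on a web-facing host.
PUBLIC_OK = {80, 443}


def is_world_open(cidr):
    """True if the source range is the entire IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(rule):
    """Normalise 'all protocols' rules to the full port range."""
    if rule["protocol"] in ("all", "-1"):
        return 0, 65535
    return rule["from_port"], rule["to_port"]


def audit_rules(rules):
    """Return (severity, rule_id, message) findings for world-open rules.

    Rules whose source is a specific CIDR are accepted as scoped and skipped;
    this check is only about exposure to 0.0.0.0/0 and ::/0.
    """
    findings = []
    for r in rules:
        src = r["source"]
        if not is_world_open(src):
            continue
        lo, hi = port_range(r)
        if (lo, hi) == (0, 65535):
            findings.append(("critical", r["id"], f"all ports open to {src}"))
            continue
        hit = False
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(("high", r["id"], f"{name} ({port}) open to {src}"))
                hit = True
        # Anything world-open that is neither sensitive nor plain web traffic
        # still deserves a look (admin consoles, debug endpoints, etc.).
        if not hit and not (lo == hi and lo in PUBLIC_OK):
            findings.append(("medium", r["id"], f"non-web ports {lo}-{hi} open to {src}"))
    return findings


# Constructed sample: a server whose owner opened ports indiscriminately.
WEAK_RULES = [
    {"id": "sg-web-1", "protocol": "tcp", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
    {"id": "sg-web-2", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-ssh", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},
    {"id": "sg-db", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "source": "0.0.0.0/0"},
    {"id": "sg-admin", "protocol": "tcp", "from_port": 8443, "to_port": 8443, "source": "0.0.0.0/0"},
    {"id": "sg-all", "protocol": "all", "from_port": 0, "to_port": 65535, "source": "::/0"},
]

# Constructed hardened equivalent: web stays public, SSH is limited to a
# management range, the database only accepts the application subnet.
HARDENED_RULES = [
    {"id": "sg-web-1", "protocol": "tcp", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},
    {"id": "sg-web-2", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-ssh", "protocol": "tcp", "from_port": 22, "to_port": 22, "source": "203.0.113.0/24"},
    {"id": "sg-db", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "source": "10.0.1.0/24"},
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {label} ==")
        for severity, rule_id, msg in audit_rules(rules) or [("ok", "-", "no world-open findings")]:
            print(f"{severity:8} {rule_id:10} {msg}")
```

Run against the weak set it reports SSH and MySQL as high, the admin port as medium and the catch-all IPv6 rule as critical; the hardened set produces no findings. In practice you would feed it the output of the provider's API (for AWS, `describe-security-groups`) rather than a hand-written list, and run it on a schedule rather than once, which is the point the next paragraph makes.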
The movement away from on-premise to cloud-based solutions has become a flood, with even banks, notoriously the most stringent about data security, starting to get comfortable with moving many services to the cloud. The HR function has typically been just as conservative in its approach to the security of employee-related information, yet it too has started placing its trust in cloud-based solutions, and the HR tech space is now filled with cloud-based products spanning the entire employee lifecycle. Hence, it behooves organisations providing HR tech solutions to ensure that employee data on their servers is safe and that stringent security measures are put in place. Solution providers need to get independent security firms to audit their organisations for security loopholes and to ensure those audit findings (both major and minor) are fixed promptly.
Moreover, this ought not to be a one-time fix. Data security, like national security, can only be maintained by continuous supervision or, as Mad-Eye Moody said in the Harry Potter series, "constant vigilance"! The recent episode of the processor vulnerabilities known as Meltdown and Spectre (Meltdown affecting Intel chips, Spectre also affecting AMD and ARM designs) tells us that while HR tech start-ups can come up with innovative solutions, at some point in time they will need to switch from developing features to ensuring that their software maintains the highest standards of security, including patching the platforms underneath it. This entails a complete change of mindset for start-ups, which are typically in a developmental mode and thus may push security concerns down their priority list. Anything less is doomed to result in failure for the company and its clients!