Telecom infrastructure faces daunting risks, TATA CSO says
As CSO for one of the world's largest telecom companies, Adam Rice knows just how easy it is to bring civilization to its knees. Here's what his company is trying to do about it.
By Bill Brenner , Senior Editor
January 28, 2011 — CSO —
WASHINGTON, D.C. -- On Nov. 26, 2008, when terrorists launched multiple coordinated attacks across Mumbai, India's largest city, the bad guys at one point walked right past what would have been a choice target -- one of the major cable centers for TATA Communications.
Adam Rice, CSO for the global telecom giant, knows his organization dodged a bullet that day. In fact, people took refuge from the attacks in that building.
The reality is that TATA faces similar risks all over the globe, and for Rice, managing the risks are a big task. And he knows that at the end of the day, there's only so much they can do to avert catastrophe.
"If you want to do real damage to the global economy -- to civilization, for that matter -- the cables are a big target. It would be impossible to prevent every type of attack, and our security and risk management program takes that into account," said Rice, who compares TATA to "the AT&T of India." Though based in Mumbai, the company has offices in such places as London, Singapore, New Jersey and Quebec.
The company also has the distinction of being one of those who showed up on WikiLeaks.
During an interview at the Washington D.C. Hilton, site of this year's ShmooCon security conference, Rice went over the procedures TATA has in place to minimize risk and keep a major piece of the global infrastructure functioning.
He describes it as a heavy mix of both physical security measures (heavy, reinforced doors, posted guards, barriers around buildings) and IT security (VPNs, vigorous patch management, two-factor authentication, change and configuration control).
TATA relies on a variety of security vendors to protect its critical assets. To help with regular risk assessments and vulnerability scanning, for example, the company uses Nessus, Qualys and Core Impact.
Rice also identifies RedSeal Systems as a major piece of his security program. The San Mateo, Calif.-based vendor describes itself on the company website as "a leading developer of security assurance software for medium to large organizations. RedSeal software enables organizations to continuously, comprehensively and automatically assess and strengthen their cyber-defenses before they are attacked. In addition to in-depth understanding of overall security posture, RedSeal delivers continuous compliance with regulations such as PCI, FISMA, and SOX, and actionable steps for risk remediation."