As CSO for one of the world's largest telecom companies, Adam Rice knows just how easy it is to bring civilization to its knees. Here's what his company is trying to do about it.

WASHINGTON, D.C. — On Nov. 26, 2008, when terrorists launched multiple coordinated attacks across Mumbai, India’s largest city, the bad guys at one point walked right past what would have been a choice target — one of the major cable centers for TATA Communications.

Adam Rice, CSO for the global telecom giant, knows his organization dodged a bullet that day. In fact, people took refuge from the attacks in that building.

The reality is that TATA faces similar risks all over the globe, and for Rice, managing the risks is a big task. And he knows that at the end of the day, there’s only so much they can do to avert catastrophe.

“If you want to do real damage to the global economy — to civilization, for that matter — the cables are a big target. It would be impossible to prevent every type of attack, and our security and risk management program takes that into account,” said Rice, who compares TATA to “the AT&T of India.” Though based in Mumbai, the company has offices in such places as London, Singapore, New Jersey and Quebec. The company also has the distinction of being one of those who showed up on WikiLeaks.

Also see “The 25 most dangerous cities for offshore outsourcing”

During an interview at the Washington D.C.
Hilton, site of this year’s ShmooCon security conference, Rice went over the procedures TATA has in place to minimize risk and keep a major piece of the global infrastructure functioning.

He describes it as a heavy mix of both physical security measures (heavy, reinforced doors, posted guards, barriers around buildings) and IT security (VPNs, vigorous patch management, two-factor authentication, change and configuration control).

For examples of the kind of physical security measures Rice refers to, see “Protecting Joe’s office.”

TATA relies on a variety of security vendors to protect its critical assets. To help with regular risk assessments and vulnerability scanning, for example, the company uses Nessus, Qualys and Core Impact.

Rice also identifies RedSeal Systems as a major piece of his security program. The San Mateo, Calif.-based vendor describes itself on the company website as “a leading developer of security assurance software for medium to large organizations. RedSeal software enables organizations to continuously, comprehensively and automatically assess and strengthen their cyber-defenses before they are attacked. In addition to in-depth understanding of overall security posture, RedSeal delivers continuous compliance with regulations such as PCI, FISMA, and SOX, and actionable steps for risk remediation.”

Rice has used the vendor for two years, and he’s happy with the results.

“Finding every potential configuration problem and vulnerability on our network is simply too big a job for human efforts alone,” he said. “RedSeal took that whole process out of the equation and automated everything.
When we deployed, we found a laundry list of patch and configuration issues and were able to fix them quickly.”

The various technologies go a long way in helping TATA minimize risk.

But Rice is a realist.

He knows the bad guys only have to slip through all those layers once to do a lot of damage. What’s a company to do in the face of that knowledge?

Among other things, Rice said, have an emergency response plan in place. And simply make the targets as difficult to penetrate as you possibly can. The rest comes down to moments of luck — like when a band of terrorists walks right past your building without seeming to realize its importance.