Showing posts with label Privacy.

Tuesday, November 18, 2025

Navigating India's Data Landscape: Essential Compliance Requirements under the DPDP Act

The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a pivotal shift in how digital personal data is managed in India, establishing a framework that simultaneously recognizes the individual's right to protect their personal data and the necessity for processing such data for lawful purposes.

For any organization—defined broadly to include individuals, companies, firms, and the State—that determines the purpose and means of processing personal data (a "Data Fiduciary" or DF) [6(i), 9(s)], compliance with the DPDP Act requires strict adherence to several core principles and newly defined rules.

Compliance with the DPDP Act is like designing a secure building: it requires strong foundational principles (Consent and Notice), robust security systems (Data Safeguards and Breach Protocol), specific safety features for vulnerable occupants (Child Data rules), specialized certifications for large structures (SDF obligations), and a clear plan for demolition (Data Erasure). Organizations must begin planning now, as the core operational rules governing notice, security, child data, and retention come into force eighteen months after the publication date of the DPDP Rules in November 2025.  

Here are the most important compliance aspects that Data Fiduciaries must address:

1. The Foundation: Valid Consent and Transparent Notice


The core of lawful data processing rests on either obtaining valid consent from the Data Principal (DP—the individual to whom the data relates) or establishing a "certain legitimate use" [14(1)].

  • Requirements for Valid Consent: Consent must be free, specific, informed, unconditional, and unambiguous with a clear affirmative action. It must be limited only to the personal data necessary for the specified purpose.
  • Mandatory Notice: Every request for consent must be accompanied or preceded by a notice [14(b), 15(1)]. This notice must clearly inform the Data Principal of [15(i), 214(b)]:
    • The personal data and the specific purpose(s) for which it will be processed [214(b)(i), 215(ii)].
    • The manner in which the Data Principal can exercise their rights (e.g., correction, erasure, withdrawal) [15(ii)].
    • The process for making a complaint to the Data Protection Board of India (Board) [15(iii), 216(iii)].
  • Right to Withdraw: The Data Principal has the right to withdraw consent at any time, and the ease of doing so must be comparable to the ease with which consent was given [21(4), 215(i)]. If consent is withdrawn, the DF must cease processing the data (and cause its Data Processors to cease processing) within a reasonable time [22(6)].
  • Role of Consent Managers: Data Principals may utilize a Consent Manager (CM) to give, manage, review, or withdraw their consent [24(7)]. DFs must be prepared to interact with these registered entities [24(9)]. CMs have specific obligations, including acting in a fiduciary capacity to the DP and maintaining a net worth of at least two crore rupees.

While DFs may choose to manage consents themselves, a Data Principal may instead choose a registered Consent Manager, in which case the DF must have interfaces built to the interoperable Consent Management platforms. There is still some ambiguity in this area, which should get clarified eventually.

2. Enhanced Data Security and Breach Protocol


Data Fiduciaries must implement robust security measures to safeguard personal data [33(5)].

  • Security Measures: DFs must implement appropriate technical and organizational measures [33(4)]. These safeguards must include techniques like encryption, obfuscation, masking, or the use of virtual tokens [222(1)(a)], along with controlled access to computer resources [223(b)] and measures for continued processing in case of compromise, such as data backups [224(d)].
  • Breach Notification: In the event of a personal data breach (unauthorized processing, disclosure, loss of access, etc., that compromises confidentiality, integrity, or availability) [10(t)], the DF must provide intimation to the Board and each affected Data Principal [33(6)].
  • 72-Hour Deadline: The intimation to the Board must be made without delay, and detailed information regarding the nature, extent, timing, and likely impact of the breach must be provided within seventy-two hours of becoming aware of the breach (or a longer period if allowed by the Board) [227(2)].
  • Mandatory Log Retention: DFs must retain personal data, associated traffic data, and other logs related to processing for a minimum period of one year from the date of such processing, unless otherwise required by law.

3. Special Compliance for Vulnerable Groups and Large Entities


The DPDP Act imposes stringent requirements for handling data related to children and mandates extra compliance for large data processors.

A. Processing Children's Data

  • Verifiable Consent: DFs must obtain the verifiable consent of the parent before processing any personal data of a child (an individual under 18 years) [5(f), 37(1), 233(1)]. DFs must use due diligence to verify that the individual identifying herself as the parent is an identifiable adult [233(1)].
  • Restrictions: DFs are expressly forbidden from undertaking:
    • Processing personal data that is likely to cause any detrimental effect on a child’s well-being [38(2)].
    • Tracking or behavioral monitoring of children [38(3)].
    • Targeted advertising directed at children [38(3)].
  • Exemptions: Certain exceptions exist, for example, for healthcare professionals, educational institutions, and child care centers, where processing (including tracking/monitoring) is restricted to the extent necessary for the safety or health services of the child. Processing for creating a user account limited to email communication is also exempted, provided it is restricted to the necessary extent.

B. Obligations of Significant Data Fiduciaries (SDFs)

The Central Government notifies certain DFs as SDFs based on factors like the volume/sensitivity of data, risk to DPs, and risk to the security/sovereignty of India. SDFs must adhere to:

  • Mandatory Appointments: Appoint a Data Protection Officer (DPO) who must be based in India and responsible to the Board of Directors [40(2)(a), 41(ii), 41(iii)]. They must also appoint an independent data auditor [41(b)].
  • Periodic Assessments: Undertake a Data Protection Impact Assessment (DPIA) and an audit at least once every twelve months [41(c)(i), 247].
  • Technical Verification: Observe due diligence to verify that technical measures, including algorithmic software adopted for data handling, are not likely to pose a risk to the rights of Data Principals.
  • Data Localization Measures: Undertake measures to ensure that personal data specified by the Central Government, along with associated traffic data, is not transferred outside the territory of India.

4. Data Lifecycle Management: Retention and Erasure


DFs must actively manage the data they hold.

  • Erasure Duty: DFs must erase personal data (and cause their Data Processors to erase it) unless retention is necessary for compliance with any law [34(7)]. This duty applies when the DP withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served [34(7)(a)].
  • Deemed Erasure Period: For certain high-volume entities (e.g., e-commerce, online gaming, and social media intermediaries having millions of registered users), the specified purpose is deemed no longer served if the DP has not approached the DF or exercised their rights for a set time period (e.g., three years).
  • Notification of Erasure: For DFs subject to these time periods, they must inform the Data Principal at least forty-eight hours before the data is erased, giving the DP a chance to log in or initiate contact.
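To make the retention and erasure rules above concrete, here is an added Python example (it is not code from the post or from the Act or Rules). The three-year inactivity period and the forty-eight-hour notice are the figures quoted above; the record fields, the sample principals and the 365-day year are constructed assumptions. It decides, for each stored record, whether the fiduciary must retain, notify, wait out the notice period, cancel a notice because the principal came back, or erase.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Periods quoted in the post; the Rules fix the exact figures per class of Data Fiduciary.
DEEMED_INACTIVITY = timedelta(days=3 * 365)      # "three years" (365-day years: a simplification)
ERASURE_NOTICE_PERIOD = timedelta(hours=48)      # "at least forty-eight hours" before erasure

# Constructed reference clock used by the sample data below.
REFERENCE_NOW = datetime(2025, 11, 20, 9, 0, tzinfo=timezone.utc)


@dataclass
class PersonalDataRecord:
    """Constructed record shape: one row per Data Principal held by the fiduciary."""
    principal_id: str
    last_activity: datetime                       # last login, contact or exercise of a right
    consent_withdrawn_at: Optional[datetime] = None
    erasure_notice_sent_at: Optional[datetime] = None
    legal_hold: bool = False                      # retention required by another law


def lifecycle_action(rec: PersonalDataRecord, now: datetime) -> str:
    """Decide what the fiduciary must do with this record at time `now`."""
    if rec.legal_hold:
        return "RETAIN_LEGAL"                     # erasure duty yields to a legal obligation
    if rec.consent_withdrawn_at is not None:
        return "ERASE"                            # withdrawal: cease processing and erase
    if rec.erasure_notice_sent_at is not None and rec.last_activity > rec.erasure_notice_sent_at:
        return "CANCEL_NOTICE"                    # principal came back after the warning
    if now - rec.last_activity < DEEMED_INACTIVITY:
        return "RETAIN"                           # purpose still presumed to be served
    if rec.erasure_notice_sent_at is None:
        return "NOTIFY"                           # deemed expiry: warn before erasing
    if now - rec.erasure_notice_sent_at >= ERASURE_NOTICE_PERIOD:
        return "ERASE"                            # notice period elapsed without contact
    return "AWAIT_NOTICE_PERIOD"


def run_cycle(records: List[PersonalDataRecord], now: datetime) -> Dict[str, List[str]]:
    """One scheduler pass: group principals by action and apply the bookkeeping side effects."""
    plan: Dict[str, List[str]] = {}
    for rec in records:
        action = lifecycle_action(rec, now)
        plan.setdefault(action, []).append(rec.principal_id)
        if action == "NOTIFY":
            rec.erasure_notice_sent_at = now      # the 48-hour clock starts here
        elif action == "CANCEL_NOTICE":
            rec.erasure_notice_sent_at = None
    return plan


def sample_records(now: datetime) -> List[PersonalDataRecord]:
    """Constructed sample principals, one per branch of the decision above."""
    old = now - timedelta(days=4 * 365)           # well past the deemed-inactivity period
    return [
        PersonalDataRecord("dp-001", now - timedelta(days=50)),
        PersonalDataRecord("dp-002", old),
        PersonalDataRecord("dp-003", old, erasure_notice_sent_at=now - timedelta(days=3)),
        PersonalDataRecord("dp-004", now - timedelta(days=1),
                           erasure_notice_sent_at=now - timedelta(days=3)),
        PersonalDataRecord("dp-005", now - timedelta(days=10),
                           consent_withdrawn_at=now - timedelta(days=1)),
        PersonalDataRecord("dp-006", old, legal_hold=True),
        PersonalDataRecord("dp-007", old, erasure_notice_sent_at=now - timedelta(hours=21)),
    ]


if __name__ == "__main__":
    for action, ids in sorted(run_cycle(sample_records(REFERENCE_NOW), REFERENCE_NOW).items()):
        print(f"{action:<20} {', '.join(ids)}")
```

Running the scheduler on a schedule (daily is enough given the periods involved) and keeping the returned plan as a processing log gives the fiduciary the record of notices and erasures it needs when a principal or the Board asks what happened to the data. The withdrawal branch is deliberately placed before the inactivity check: a withdrawal triggers erasure regardless of how recently the principal was active.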

5. Grievance Redressal and Enforcement


DFs must provide readily available means for DPs to resolve grievances [46(1)].

  • Redressal System: DFs must prominently publish details of their grievance redressal system on their website or app.
  • Response Time: DFs and Consent Managers must respond to grievances within a reasonable period not exceeding ninety days.
  • Enforcement: The Data Principal must exhaust the DF's internal grievance redressal opportunity before approaching the Data Protection Board of India [47(3)]. The Board, which functions as an independent, digital office, has the power to inquire into breaches and impose heavy penalties [68, 82(1)].

6. The Cost of Non-Compliance


Breaches of the DPDP Act carry severe monetary penalties outlined in the Schedule. For instance:
Breach of provision                                                       Maximum monetary penalty
------------------------------------------------------------------------  ------------------------
Failure to observe reasonable security safeguards                         Up to ₹250 crore
Failure to give timely notice of a personal data breach                   Up to ₹200 crore
Failure to observe additional obligations related to children             Up to ₹200 crore
Breach of duties by Data Principal (e.g., registering a false grievance)  Up to ₹10,000

Sunday, November 9, 2025

Cross-Border Compliance: Navigating Multi-Jurisdictional Risk with AI

When business knows no borders, companies expanding globally face a hidden labyrinth: cross-border compliance. The digital age has turned global expansion from an aspiration into a necessity. Yet, for companies operating across multiple countries, this opportunity comes wrapped in a Gordian knot of cross-border compliance. The sheer volume, complexity, and rapid change of multi-jurisdictional regulations—from GDPR and CCPA on data privacy to complex Anti-Money Laundering (AML) and financial reporting rules—pose an existential risk. What seems like a local detail in one jurisdiction may spiral into a costly mistake elsewhere. Yet the stakes are high; noncompliance can bring heavy fines, reputational damage, and operational disruption in markets you’re trying to serve.

To succeed internationally, organizations must treat compliance not as a checkbox but as a strategic foundation. That means weaving together global standards, national laws, and local customs into a unified compliance program. It demands agility: the ability to adjust as laws evolve or new jurisdictions come online. Navigating multi-jurisdictional risk is a significant challenge due to the volume, diversity, and rapid evolution of global regulations. Traditional, manual compliance systems are simply overwhelmed. Artificial intelligence (AI) is transforming this landscape by providing a more efficient, accurate, and proactive approach to cross-border compliance.


The Unrelenting Challenge of Multi-Jurisdictional Risk


Operating globally means juggling a constantly evolving set of disparate rules. The core challenges faced by compliance teams include:
  • Diverse and Evolving Regulations: Every country has its own unique legal and regulatory framework, which often conflicts with others. A practice legal in one market may be prohibited in the next. This landscape presents both significant challenges and opportunities for businesses.
  • Regulatory Change Management: Global regulations are increasing by an estimated 15% annually. This involves monitoring updates, evaluating their impact on policies and operations, and then modifying internal procedures to meet the new requirements. It is crucial for mitigating risk, avoiding penalties, and maintaining operational integrity. Manually tracking, interpreting, and implementing these changes in real-time is nearly impossible.
  • Data Sovereignty and Privacy: Operating across multiple jurisdictions presents significant risks concerning data sovereignty and privacy, primarily due to complex, varied, and sometimes conflicting legal frameworks. Laws like the EU's GDPR and similar mandates globally create complex requirements for where data is stored, processed, and transferred. Navigating these differences requires a strategic approach to compliance to avoid severe penalties and reputational damage.
  • Operational Inefficiencies: Multi-jurisdiction risk leads to significant operational inefficiencies due to conflicting, overlapping, and complex regulatory environments that require organizations to implement bespoke processes and systems for each region in which they operate. Manual compliance processes are time-consuming, prone to human error, and struggle to keep pace with the volume and complexity of global transactions, leading to potential fines and reputational damage.
  • Financial Crime Surveillance: Monitoring cross-border transactions for sophisticated money laundering or sanctions evasion requires processing massive datasets—a task too slow and error-prone for human teams alone. Financial institutions must constantly monitor and assess the risk profiles of various countries, especially those identified by bodies like the Financial Action Task Force (FATF) as having strategic deficiencies in their AML/CFT regimes.


How AI Helps in Navigation and Risk Management


AI helps with cross-border compliance by automating risk management through real-time monitoring, analyzing vast datasets to detect fraud, and keeping up with constantly changing regulations. It navigates complex rules by using natural language processing (NLP) to interpret regulatory texts and automating tasks like document verification for KYC/KYB processes. By providing continuous, automated risk assessments and streamlining compliance workflows, AI reduces human error, improves efficiency, and ensures ongoing adherence to global requirements.

AI, specifically through technologies like Machine Learning (ML) and Natural Language Processing (NLP), is the critical tool for cutting compliance costs by up to 50% while drastically improving accuracy and speed. AI and machine learning (ML) solutions, often referred to as RegTech, are streamlining compliance by automating tasks, enhancing data analysis, and providing real-time insights.

1. Automated Regulatory Intelligence (RegTech)


The foundational challenge of knowing the law is solved by NLP-powered systems.
  • Continuous Monitoring and Mapping: AI algorithms scan thousands of global regulatory sources, government websites, and legal documents daily. NLP can instantly interpret the intent of new legislation, categorize the updates by jurisdiction and relevance, and automatically map new requirements to a company's existing internal policies and controls.
  • Real-Time Policy Generation: When a new regulation is detected (e.g., a change to a KYC requirement in Brazil), the AI can not only flag it but can also draft the necessary changes to the company's internal Standard Operating Procedures (SOPs) for review, cutting implementation time from weeks to hours.

2. Enhanced Cross-Border Transaction Monitoring


AI is essential for fighting financial crime, which often exploits the seams between different legal systems.
  • Anomaly Detection: ML models establish a "baseline" of normal cross-border transaction behavior. They can process transactional data 300 times faster than manual systems, instantly flagging subtle deviations that indicate potential fraud, money laundering, or sanctions breaches.
  • Reduced False Positives: Traditional rule-based systems generate an excessive number of false alerts, forcing compliance teams to waste time chasing irrelevant leads. AI's continuous learning models can cut false positives by up to 50% while increasing the detection of genuine threats.

3. Streamlined Multi-Jurisdictional Reporting


Compliance reporting is a major manual drain. AI automates the data collection, conversion, and submission process.
  • Unified Data Aggregation: AI systems integrate with disparate internal systems (CRM, ERP, Transaction Logs) to collect and standardize data from various regions.
  • Automated Formatting and Conversion: The system applies jurisdiction-specific formatting and automatically handles complex tasks like currency conversion using live exchange rates, ensuring reports meet the exact standards of local regulators. This capability drastically improves audit readiness.

4. Enhanced Data Governance and Transfer Management


AI helps organizations manage data across different regions by classifying sensitive information, monitoring cross-border transfers, and ensuring compliance with data localization laws. Techniques like federated learning and homomorphic encryption can facilitate global AI collaboration without transferring raw data across borders, preserving privacy.

5. Predictive Analytics


By analyzing historical data and patterns, AI can forecast potential compliance risks, allowing organizations to implement preemptive measures and build more resilient compliance programs.


Best Practices for AI-Driven Compliance Success


Implementing an AI-driven compliance framework requires a strategic approach:
  • Prioritize Data Governance: AI is only as good as the data it’s trained on. Establish a strong, centralized data governance framework to ensure data quality, consistency, and compliance with data localization rules across all jurisdictions.
  • Focus on Explainable AI (XAI): Regulators will not accept a "black box." Compliance teams must use Explainable AI (XAI) features that provide transparency into how the AI arrived at a decision (e.g., why a transaction was flagged). This is crucial for audit trails and regulatory dialogue.
  • Integrate, Don't Isolate: The AI RegTech solution must integrate seamlessly with your existing Enterprise Resource Planning (ERP), CRM, and legacy systems. Isolated systems create new data silos and compliance gaps.
  • Continuous Training: The AI model and your human teams require continuous updates. As regulations evolve, the AI must be retrained, and your staff needs ongoing education to understand how to leverage the AI's insights for strategic decision-making.


Conclusion: Compliance as a Competitive Edge


Cross-border compliance is not merely a cost center; it is a critical component of global business sustainability. In an era where regulatory complexity accelerates, Artificial Intelligence offers multinational enterprises a clear path to control risk, reduce costs, and operate with confidence.

By leveraging AI's power to monitor, interpret, and act on multi-jurisdictional mandates in real-time, companies can move beyond mere adherence to compliance and transform it into a strategic competitive advantage, building trust and clearing the path for responsible global growth.

Thursday, September 25, 2025

Data Fitness in the Age of Emerging Privacy Regulations

In today’s digital economy, organizations are awash in data—customer profiles, behavioral insights, operational telemetry, and more. Yet, as privacy regulations proliferate globally—from the EU’s General Data Protection Regulation (GDPR) to India’s Digital Personal Data Protection (DPDP) Act and California's Privacy Rights Act (CPRA)—the question is no longer “how much data do we have?” but “how fit is our data to meet regulatory, ethical, and strategic demands?”

Enter the concept of Data Fitness: a multidimensional measure of how well data aligns with privacy principles, business objectives, and operational resilience. Much like physical fitness, data fitness is not a one-time achievement but a continuous discipline. Data fitness is not just about having high-quality data, but also about ensuring that data is managed in a way that is compliant, secure, and aligned with business objectives.

Defining Data Fitness: Beyond Quality and Governance

While traditional data governance focuses on accuracy, completeness, and consistency, data fitness introduces a broader lens. Data fitness is the degree to which an organization's data is fit for a specific purpose while also being managed in a compliant, secure, and ethical manner. It goes beyond traditional data quality metrics like accuracy and completeness to encompass a broader set of principles critical for navigating the modern regulatory environment. These principles include:

  • Timeliness: Data must be available when users need it.
  • Completeness: The data must include all the necessary information for its intended use.
  • Accuracy: Data must be correct and reflect the true state of affairs.
  • Consistency: Data should be defined and calculated the same way across all systems and departments.
  • Compliance: The data must be managed in accordance with all relevant legal and regulatory requirements.

The Regulatory Shift: Why Data Fitness Matters Now

Emerging privacy laws are no longer satisfied with checkbox compliance. They demand demonstrable accountability, transparency, and user empowerment. Key trends include:

  • Shift from reactive to proactive compliance: Regulators expect organizations to anticipate privacy risks, not just respond to breaches.
  • Rise of data subject rights: Portability, erasure, and access rights require organizations to locate, extract, and act on data swiftly.
  • Vendor and supply chain scrutiny: Controllers are now responsible for the fitness of data handled by processors and sub-processors.
  • Algorithmic accountability: AI and automated decision-making systems must explain how personal data influences outcomes.

Challenges to Data Fitness in a Regulated World

The emerging privacy regulations have also introduced a new layer of complexity to data management. They shift the focus from simply collecting and monetizing data to a more responsible and transparent approach, which calls for a sweeping review and redesign of all applications and processes that handle data. Organizations now face several key challenges:

  • Explicit Consent and User Rights: Regulations like GDPR and the DPDP Act require companies to obtain explicit, informed consent from individuals before collecting their personal data. This means implied consent is no longer valid. Businesses also have to provide clear mechanisms for individuals to exercise their rights, such as the right to access, rectify, or delete their data.
  • Data Minimization: The principle of data minimization dictates that companies should only collect and retain the minimum amount of personal data necessary for a specific purpose. This challenges the traditional "collect everything" mentality and forces organizations to reassess their data collection practices.
  • Data Retention: The days of storing customer data forever are over. New regulations often specify that personal data can only be retained for as long as it's needed for the purpose for which it was collected. This requires companies to implement robust data lifecycle management and automated deletion policies.
  • Increased Accountability: The onus is on the company to prove compliance. This means maintaining detailed records of all data processing activities, including how consent was obtained, for what purpose data is being used, and with whom it's being shared. Penalties for non-compliance can be severe, with fines reaching millions of dollars.

In this landscape, data fitness becomes a strategic enabler—not just for compliance, but for trust, agility, and innovation.

Building a Data Fitness Program: Strategic Steps

To operationalize data fitness, organizations should consider a phased approach:

  1. Data Inventory and Classification
    You can't protect what you don't know you have. Creating a detailed inventory of all personal data collected, where it's stored, and how it flows through the organization is the foundational step for any compliance effort. Map personal data across systems, flows, and vendors. Classify by sensitivity, purpose, and regulatory impact.
  2. Privacy-by-Design Integration
    Instead of treating privacy as an afterthought, embed it into the design and development of all new systems, products, and services. This includes building in mechanisms for consent management, data minimization, and secure data handling from the very beginning. Embed privacy controls into data collection, processing, and analytics workflows. Use techniques like pseudonymization and differential privacy.
  3. Fitness Metrics and Dashboards
    To measure compliance it is essential to have the appropriate metrics defined and implemented as part of the data collection and processing program. Some such KPIs could be “percentage of data with valid consent,” “time to fulfill DSAR,” or “data minimization score.”
  4. Cross-Functional Data Governance Framework
    This framework should define clear roles and responsibilities for data ownership, stewardship, and security. A cross-functional data governance council, with representation from legal, IT, and business teams, can ensure that data policies are aligned with both business goals and regulatory requirements. Align legal, IT, security, and business teams under a unified data stewardship model. Appoint data fitness champions.
  5. Leverage Privacy-Enhancing Technologies (PETs)
    Tools such as data anonymization, pseudonymization, and differential privacy can help organizations use data for analytics and insights while minimizing privacy risks. For example, by using synthetic data, companies can train AI models without ever touching real personal information.
  6. Foster a Culture of Data Privacy
    Data privacy isn't just an IT or legal issue; it's a shared responsibility. Organizations must educate and train all employees on the importance of data protection and the specific policies they need to follow. A strong privacy culture can be a competitive advantage, building customer trust and loyalty.
  7. Continuous Monitoring and Audits
    Use automated tools to detect stale, orphaned, or non-compliant data. Conduct periodic fitness assessments.
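As an added illustration of steps 1 to 3 (this is example code, not code from the post), the Python below builds a small constructed data inventory, pseudonymizes identifiers with a keyed HMAC so that records stay joinable across systems without exposing the raw value, and computes the three KPIs named in step 3. The inventory entries, the request log, the 30-day DSAR service level and the demo key are all assumptions made for the example.

```python
import hashlib
import hmac
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DSAR_SLA = timedelta(days=30)   # assumed service level for subject requests (placeholder)
REFERENCE_NOW = datetime(2025, 10, 1)   # constructed reference clock for the sample data


@dataclass
class InventoryEntry:
    """One field of personal data as it would appear in the step-1 inventory (constructed)."""
    system: str
    field_name: str
    sensitivity: str            # identifier | contact | behavioral | financial
    purpose: Optional[str]      # None = collected with no documented purpose
    consent_valid: bool         # consent on record covers this purpose


@dataclass
class DsarRequest:
    received: datetime
    fulfilled: Optional[datetime] = None


def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Keyed HMAC-SHA256 pseudonym (step 2). Deterministic for one key, so records stay
    joinable across systems, yet not reversible without the key, which is kept outside
    the analytics store. Normalising case and whitespace keeps tokens stable across sources."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:length]


def consent_coverage(inventory: List[InventoryEntry]) -> float:
    """KPI: percentage of inventoried fields backed by valid consent."""
    return round(100.0 * sum(e.consent_valid for e in inventory) / len(inventory), 1)


def minimization_score(inventory: List[InventoryEntry]) -> float:
    """KPI: percentage of fields with a documented purpose (undocumented = minimization gap)."""
    return round(100.0 * sum(e.purpose is not None for e in inventory) / len(inventory), 1)


def dsar_median_hours(requests: List[DsarRequest]) -> float:
    """KPI: median time to fulfil closed subject requests, in hours."""
    hours = [(r.fulfilled - r.received).total_seconds() / 3600 for r in requests if r.fulfilled]
    return statistics.median(hours)


def dsar_overdue(requests: List[DsarRequest], now: datetime) -> int:
    """Open requests that have already breached the assumed SLA."""
    return sum(1 for r in requests if r.fulfilled is None and now - r.received > DSAR_SLA)


def fitness_dashboard(inventory: List[InventoryEntry], requests: List[DsarRequest],
                      now: datetime) -> Dict[str, float]:
    """The step-3 dashboard as a plain dict, ready to be pushed to any reporting tool."""
    return {
        "consent_coverage_pct": consent_coverage(inventory),
        "minimization_score_pct": minimization_score(inventory),
        "dsar_median_hours": dsar_median_hours(requests),
        "dsar_overdue": dsar_overdue(requests, now),
    }


# Constructed sample inventory: eight fields across four systems.
SAMPLE_INVENTORY = [
    InventoryEntry("crm", "email", "contact", "account_service", True),
    InventoryEntry("crm", "phone", "contact", "account_service", True),
    InventoryEntry("crm", "full_name", "identifier", "account_service", True),
    InventoryEntry("analytics", "page_views", "behavioral", "product_analytics", True),
    InventoryEntry("analytics", "device_fingerprint", "behavioral", None, False),
    InventoryEntry("billing", "pan_number", "financial", "tax_compliance", True),
    InventoryEntry("marketing", "birth_date", "identifier", "birthday_offer", False),
    InventoryEntry("marketing", "email", "contact", "newsletter", True),
]

# Constructed request log: three closed requests and one that is still open.
SAMPLE_REQUESTS = [
    DsarRequest(datetime(2025, 9, 1), datetime(2025, 9, 3)),
    DsarRequest(datetime(2025, 9, 5), datetime(2025, 9, 10)),
    DsarRequest(datetime(2025, 9, 20), datetime(2025, 9, 21)),
    DsarRequest(datetime(2025, 8, 20)),
]

if __name__ == "__main__":
    key = b"demo-key-held-by-privacy-office"   # constructed; use a managed secret in practice
    print(pseudonymize("Alice@Example.com", key), pseudonymize(" alice@example.com ", key))
    for name, value in fitness_dashboard(SAMPLE_INVENTORY, SAMPLE_REQUESTS, REFERENCE_NOW).items():
        print(f"{name:<24} {value}")
```

Two points the numbers make visible: the undocumented `device_fingerprint` field drags down both the consent and the minimization KPI at once, which is exactly the "collect everything" residue step 1 is meant to surface, and the one overdue request shows why the DSAR metric needs an open-request view and not only a median over closed ones. Rotating the HMAC key produces a fresh set of pseudonyms, which is a cheap way to break linkability between analysis periods when that is desired.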

Data Fitness and Cybersecurity: A Symbiotic Relationship

Data fitness is not just a privacy concern—it’s a cybersecurity imperative. Poorly governed data increases attack surface, complicates incident response, and undermines resilience. Conversely, fit data:

  • Reduces breach impact through minimization
  • Enables faster containment via traceability
  • Supports defensible disclosures and breach notifications

For CISOs and privacy leaders, data fitness offers a shared language to align risk, compliance, and business value.

Conclusion: From Compliance to Competitive Advantage

In the era of emerging privacy regulations, data fitness is not a luxury—it’s a necessity. Organizations that invest in it will not only avoid penalties but also unlock strategic benefits: customer trust, operational efficiency, and ethical innovation. It's no longer just about leveraging data for profit; it's about being a responsible steward of personal information. By embracing the concept of data fitness, organizations can move beyond a reactive, compliance-focused mindset to one that sees data as a strategic asset managed with integrity and purpose.

It is time for all organizations that handle personal data, irrespective of their sizes to seriously consider engaging Privacy professionals to ensure Data Fitness. As privacy becomes a boardroom issue, data fitness is the workout regime that keeps your data—and your reputation—in shape.

Sunday, December 25, 2016

The Mobile Phone Is Your Private Property

This morning, when I was on my morning walk, a person came out of a construction site and requested me to lend my phone to make a phone call. I was not comfortable lending my phone, primarily for three reasons: first, he was a stranger to me; second, he seemed to be working at the construction site and should have sought help from those around him at his workplace, as they would be more comfortable helping him; third, my mobile is my private identity, and I would not want a stranger to use it to impersonate me. I did not lend my phone on that occasion.

How about you? Would you mind lending your phone for such requests? I understand, the answer will be "it depends." Thanks to the "Selfie" feature, seeking help from a stranger to take a snap on the mobile phone is not required any more. Anyway, I thought it would be useful to list out the concerns, so that one can decide how safe it is to part with one's smart phone. These apply to stolen / lost mobile phones as well.

Your Phone Contains Sensitive Information


You have your email configured on your mobile and, typically, it does not expect you to log in every time you use your mail app. So lending a phone may allow the stranger to gain access to your emails, and depending on the duration it remains with such a stranger, the impact of such a compromise could be larger. Similarly, your social media accounts do not expect any additional authentication. It is needless to say what a smart or malicious stranger could do with access to your social media accounts. Exposing all the intimate details of our lives because of a lost, stolen or hacked phone is a serious issue.

Banking / Payment Applications


"There is an App for everything". Yes, every bank and investment advisor is rolling out their own App with pre-stored credentials for the mobile-savvy customer. Mobile users find it convenient to use such an App without having to log in every time. However, how many such Apps you should install on your mobile phone is an issue to be discussed in a separate blog. For the purpose of this blog, let us consider the prevailing App culture. Driven by the digital economy, there are umpteen Payment / eWallet Apps out in the store. User convenience always wins over security requirements, and as such most such Apps don't require a login to initiate a payment. This is a potential risk one should be aware of and be careful about.


Personal & Corporate Information


If you are working for an organization, it is most likely that you have set up your corporate email account on your smart phone as well, and there you go: you are putting your organization's data / information at risk. Your organization would have a BYOD policy and procedure stating what precautions you should take with the corporate data that you use or access using your smart phone. If you are a senior-level executive, it is likely that you will have access to your organizational applications configured on your mobile. This extends to compromise of your own or your organization's cloud storage, if any is configured on the phone.

Illegitimate Calls / Messages

In addition to your device, your mobile phone number (SIM) is very much linked to your identity. As such, any calls or messages that such a stranger sends using your phone will be logged against your identity, and you are responsible and answerable for any consequences that may arise out of such calls or messages. Even if the activity is legitimate, the other person might call or message you back in future, with or without any specific intent.

AVAST conducted research in February 2016, and according to them, their researchers were able to recover the following files from the 20 phones that were sold:

  • More than 1,200 photos
  • More than 200 photos with adult content
  • 149 photos of children
  • More than 300 emails and text messages
  • More than 260 Google searches, including 170 searches for adult content
  • Two previous owners’ identities
  • Three invoices
  • One working contract
  • One adult video

Given the ever-evolving capabilities of smart phones, the devices are increasingly becoming one's identity and as such should be handled with care and caution; otherwise one has to face the consequences that may arise from such a compromise.

Sunday, March 20, 2016

Big Data for Governance - Implications for Policy, Practice and Research

A recent IDC forecast shows that the Big Data technology and services market will grow at a 26.4% compound annual growth rate to $41.5 billion through 2018, or about six times the growth rate of the overall information technology market. Additionally, by 2020 IDC believes that line of business buyers will help drive analytics beyond its historical sweet spot of relational (performance management) to the double-digit growth rates of real-time intelligence and exploration/discovery of the unstructured worlds.

This predicted growth is expected to have a significant impact on all organizations, be they small, medium or large, including exchanges, banks, brokers, insurers, data vendors and technology and services suppliers. This also extends beyond the organization, with the increasing focus on rules and regulations designed to protect a firm's employees, customers and shareholders as well as the economic wellbeing of the state in which the organization resides. This pervasive use and commercialization of big data analytical technologies is likely to have far-reaching implications for meeting regulatory obligations and governance-related activities.

Certain disruptive technologies such as complex event processing (CEP) engines, machine learning, and predictive analytics using emerging big-data technologies such as Hadoop, in-memory, or NoSQL illustrate a trend in how firms are approaching technology selection to meet regulatory compliance requirements. A distinguishing factor between big data analytics and regular analytics is the performative nature of Big Data and how it goes beyond merely representing the world but actively shapes it.


Analytics and Performativity


Regulators are staying on top of the big data tools and technologies and are leveraging the tools and technologies to search through the vast amount of organizational data both structured and unstructured to prove a negative. This forces the organizations to use the latest and most effective forms of analytics and thus avoid regulatory sanctions and stay compliant.  Analytical outputs may provide a basis for strategic decision making by regulators, who may refine and adapt regulatory obligations accordingly and then require firms to use related forms of analytics to test for compliance. Compliance analytics are not simply reporting on practices but also shaping them through accelerated decision making changing strategic planning from a long term top down exercise to a bottom up reflexive exercise. Due to the 'automation bias' or the underlying privileged nature of the visualization algorithms, compliance analytics may not be neutral in the data and information they provide and the responses they elicit.

Technologies which implement surveillance and monitoring capabilities may also create self-disciplined behaviours through a pervasive suspicion that individuals are being currently observed or may have to account for their actions in the future. The complexity and heterogeneity of underlying data and related analytics provides a further layer of technical complexity to banking matters and so adds further opacity to understanding controls, behaviours and misdeeds. 

Design decisions are embedded within technologies shaped by underlying analytics and further underpinned by data. Thus, changes to part of the systems may cause a cascading effect on the outcome. Data accuracy may also act to unduly influence outcomes. This underscores the need to understand big data analytics at the level of micro practice and from the bottom up.


Information Control and Privacy


The collection and storage of Big Data, raises concerns over privacy. In some cases, the uses of Big Data can run afoul of existing privacy laws. In all cases, organizations risk backlash from customers and others who object to how their personal data is collected and used. This can present a challenge for organizations seeking to tap into Big Data’s extraordinary potential, especially in industries with rigorous privacy laws such as financial services and healthcare. Some wonder if these laws, which were not developed with Big Data in mind, sufficiently address both privacy concerns and the need to access large quantities of data to reach the full potential of the new technologies.

The challenges to privacy arise because technologies collect so much data and analyze them so efficiently that it is possible to learn far more than most people had predicted or can predict. These challenges are compounded by limitations of the traditional technologies used to protect privacy. The degree of awareness and control can determine information privacy concerns; however, the degree may depend on personal privacy risk tolerance. In order to be perceived as ethical, an organization must ensure that individuals are aware that their data is being collected and that they have control over how their data is used. As data privacy regulations impose increasing levels of administration and sanctions, we expect policy makers at the global level to be placed under increased pressure to mitigate regulatory conflicts and multijurisdictional tensions between data privacy and financial services regulations.

Technologies such as social media or cloud computing facilitate data sharing across borders, yet legislative frameworks are moving in the opposite direction towards greater controls designed to prevent movement of data under the banner of protecting privacy. This creates a tension which could be somewhat mediated through policy makers’ deeper understanding of data and analytics at a more micro level and thereby appreciate how technical architectures and analytics are entangled with laws and regulations. 

The imminent introduction of data protection laws will further require organizations to account for how they manage information, requiring much more responsibility from data controllers. Firms are likely to be required to understand the privacy impact of new projects and correspondingly assess and document perceived levels of intrusiveness. 


Implementing an Information Governance Strategy


The believability of analytical results when there is limited visibility into the trustworthiness of the data sources is one of the foremost concerns that an end user will have. A common challenge associated with the adoption of any new technology is walking the fine line between speculative application development, assessing pilot projects as successful, and transitioning those successful pilots into the mainstream. The enormous speeds and amounts of data processed with Big Data technologies can cause the slightest discrepancy between expectation and performance to exacerbate quality issues. This may be further compounded by metadata complications when conceiving of definitions for unstructured and semi-structured data.

This necessitates that organizations work towards developing an enterprise-wide information governance strategy with related policies. The governance strategy shall encompass the continued development and maturation of processes and tools for data quality assurance, data standardization, and data cleansing. The management of metadata and its preservation, so that it can be evidenced to regulators and courts, should also be considered when formulating strategies and tactics. The policies should be high-level enough to be relevant across the organization while allowing each function to interpret them according to its own circumstances.

Outside of regulations expressly for Big Data, lifecycle management concerns for Big Data are fairly similar to those for conventional data. One of the biggest differences, of course, is in providing needed resources for data storage considering the rate at which the data grows. Different departments will have various lengths of time in which they will need access to data, which factors into how long data is kept. Lifecycle principles are inherently related to data quality issues as well, since such data is only truly accurate once it has been cleaned and tested for quality. As with conventional data, lifecycle management for Big Data is also industry specific and must adhere to external regulations as such.

Security issues must be part of an Information Governance strategy, which will require current awareness of regulatory and legal data security obligations so that a data security approach can be developed based on repeatable and defensible best practices.

Saturday, August 15, 2015

The Promise and Peril of IoT

The Internet of Things can be defined as below:
The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable them to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.

As we can see today, many of the things that we use in our daily lives are becoming smarter, as they have embedded sensors and related electronics and algorithms, so that they collect data in real time and convert it into useful information. The most common smart things that we see now range from tracking devices, cars, refrigerators, security cameras and ovens to even dustbins. The healthcare industry is leading in adopting IoT devices, and we have devices worn under the skin that, on the positive side, help address many health concerns.


The IoT ecosystem primarily has three parts: the device itself, with the necessary sensors to collect data; the network that the devices use to share the data with the back end systems; and the back end system, which, apart from applying various analytical and algorithmic processes to the collected data, also manages the devices, for example by rolling out updates, patches, etc. Certain devices may not have the ability to connect to the internet, in which case the devices reach the back end through intermediate broker devices, like smart phones.

IoT is here to Stay

More and more IoT devices are coming out and will soon be everywhere, and experts predict that the number can grow to 50 billion by the year 2020. The IoT will undoubtedly be beneficial, but not without perils. The pervasive interconnectedness of IoT devices will also help businesses better understand customer behavior and adopt appropriate business and marketing strategies targeting specific customers. While businesses like healthcare service providers may make the most out of this IoT push, it poses many concerns, ranging from data security to the life safety of those who either directly or indirectly use such devices.

As the benefits seem to outweigh the drawbacks, it is very likely that IoT is here to stay and the concerns have to be addressed as it matures in the coming years. Let us examine the Promises that IoT era is about to bring in and also the Perils that come along.


The Promise

Healthcare

As mentioned earlier, healthcare providers are among the earliest to adopt the IoT. The wider deployment of electronic medical records (EMRs) and of telemedicine technology, which relies heavily on the kind of remote data collection that IoT provides, is expected to fuel the growth of IoT. With IoT, patients can submit their vitals from home without having to personally visit their physician, and thus experience enhanced and timely care, which could be life saving many times. This also helps healthcare providers innovate further and come up with preventive care plans. Typical IoT devices that we see now are fitness trackers, smart watches and other wearable devices like smart shoes.

Automobile

Next to healthcare, automobile makers have shown the greatest interest in leveraging the IoT, and thus cars are becoming smart with capabilities like driverless operation, parking assist, switching on the A/C remotely, etc. IoT, if it has not already, will enrich the in-car experience of the driver and passengers. The applications include enhanced in-car infotainment, improved safety controls and improved remote maintenance. For example, car tyres are getting smarter, with the ability to report tyre pressure in real time and even to automatically inflate or deflate the tyre on the go. The cars rolling out today already have some level of smartness built in, giving an enhanced safety and driving experience.

Manufacturing

The IoT brings revolutionary changes to society, economy, and technology, in such a manner that no one can simply ignore leveraging it for its benefits. Manufacturing companies are seriously working to leverage IoT to: gain enhanced visibility over the production process; link production to the business processes; and build responsive monitoring processes that improve the efficiency and quality of products and services. Application of IoT in the above areas will lead to significant benefits like securing and monitoring the movement of goods within and outside the factory, improving the quality of products, preventive maintenance and upkeep of plant and machinery, etc. When implemented correctly in every stage of the manufacturing process, IoT will be a significant benefit to everyone from employees on the manufacturing floor to the shippers and finally to the customer.

Retail

The retail industry would not want to be left out of this race to adopt the IoT, as it has the biggest potential to leverage it for better business results. Being in direct contact with end consumers, retailers can make use of in-store sensors, track smartphones throughout the store and record path-to-purchase data that can later be used to optimize store layouts. The checkout process can be made easier with smart shopping bags, so that the moment an item is dropped into the bag it is added to the order, making the billing process a lot easier. IoT is likely to be very useful in fraud prevention, such as theft of inventory. Early adopters will be positioned to more quickly deliver IoT-enabled capabilities that can increase revenue, reduce costs and drive a differentiated brand experience. The IoT will be a disruptive force in retail operations.

Other Benefits

The energy sector is adopting IoT with smart meters and grids to gather real-time data for remote monitoring of resource consumption, malfunctions, etc. Needless to say, IoT enables the building of smarter homes with smart connected home appliances and thermostats, giving users the ability to remotely monitor and manage them. IoT is also entering our homes in the form of the internet-connected lightbulb, thermostat, door lock, washing machine or oven that you can control from inside or outside your house. IoT has the power to transform our lives by offering the needed sensing, connectivity and intelligence to improve our wellbeing.

Having seen some of the promises, several of which are already real, let us now check out the dangers that come along.

The Perils
With IoT devices, consumers are often exposed to newer risks and concerns that these new generation devices and gadgets bring in. The concerns include their own safety, possible effects on networks used apart from the data protection and legal issues.

Another concern for businesses is the amount of data produced by all the IoT devices. The enormous data produced by various sensors must be transmitted over the networks, needing high-performance networks, and stored, calling for storage and related infrastructure. The volume of data managed by enterprises between 2015 and 2020 is expected to grow 50 times year-over-year. The concern is not just the volume, but also the quality and security of the data. Legal issues around data ownership, accountability and responsibility cannot be ruled out either.

Security & Privacy

IT professionals are no longer just protecting data, circuits, and transmissions, but need to focus on the relationships between "things", "service to things" and "things to people." Safety must be ensured along with availability, confidentiality and integrity. IoT devices might expose vulnerabilities, giving hackers an easy way into networks and databases of personal data. While manufacturers are responsible for the security of their products, organizations and end users are equally responsible for deploying and monitoring them within their networks.

The ways and means of securing IoT are unclear, as the industry is still evolving, with thousands of start-ups coming out with cheaper, basic connected devices designed without security and safety in mind. The concerns around security and privacy stem from basically three levels. The first is the device itself. The device containing sensors to gather data and to perform certain actions should have a mechanism to securely identify and authenticate the host system, so that it responds to authorized hosts only and not to any host. The second is the network used for sending and receiving data. Most IoT devices use wireless protocols like Bluetooth to reach an intermediate device for further connectivity with the internet. Securing these networks is very important as well to ensure data protection. The third is the back end, where the huge volume of gathered data is stored and turned into more meaningful information for further action.
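The first of the three levels above, the device authenticating the host before acting on a command, is the one that a constrained sensor can actually enforce on its own. As an added illustration (not code from the original post, and not prescribed by it), the block below sketches one common way to do it: a per-device pre-shared key and an HMAC challenge-response, so the device only executes commands from a host that proves knowledge of the key, and a captured response cannot be replayed. The `Device` and `Host` classes, the key provisioning, and the command names are all constructed for the example.

```python
import hashlib
import hmac
import os


class Device:
    """A constrained IoT device that executes a command only when the host
    proves knowledge of the device's pre-shared key.

    Assumption (constructed for this example): each device is provisioned at
    manufacture with its own 256-bit key, shared only with the back end.
    """

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key
        self._pending = set()      # nonces issued but not yet consumed
        self.executed = []         # commands that passed authentication

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; the host must bind its response to it."""
        nonce = os.urandom(16)
        self._pending.add(nonce)
        return nonce

    def _expected_tag(self, nonce: bytes, command: bytes) -> bytes:
        # Tag covers device id, nonce and command so that none can be swapped.
        return hmac.new(self._key, self.device_id.encode() + nonce + command,
                        hashlib.sha256).digest()

    def handle(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        """Return True and execute the command only if the response is valid."""
        # Unknown or already-used nonce: reject (this is the replay defence).
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        # Constant-time comparison avoids leaking the tag through timing.
        if not hmac.compare_digest(self._expected_tag(nonce, command), tag):
            return False
        self.executed.append(command)
        return True


class Host:
    """Back end (or broker) that answers a device challenge with its key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, device_id: str, nonce: bytes, command: bytes):
        tag = hmac.new(self._key, device_id.encode() + nonce + command,
                       hashlib.sha256).digest()
        return nonce, command, tag


def demo() -> dict:
    """Run four exchanges and report which ones the device accepted."""
    key = os.urandom(32)
    device = Device("sensor-0001", key)
    authorized = Host(key)
    rogue = Host(os.urandom(32))          # does not hold the device key
    results = {}

    # 1. Authorized host answers a fresh challenge: accepted.
    n1 = device.challenge()
    msg = authorized.respond("sensor-0001", n1, b"report_vitals")
    results["authorized"] = device.handle(*msg)

    # 2. The same captured message sent again: nonce already consumed.
    results["replay"] = device.handle(*msg)

    # 3. Host without the key answers a fresh challenge: bad tag.
    n2 = device.challenge()
    results["rogue"] = device.handle(*rogue.respond("sensor-0001", n2, b"set_interval"))

    # 4. Valid tag but the command was altered in transit: bad tag.
    n3 = device.challenge()
    _, _, tag = authorized.respond("sensor-0001", n3, b"report_vitals")
    results["tampered"] = device.handle(n3, b"set_interval", tag)

    results["executed"] = list(device.executed)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the nonce is generated by the device, not the host, so the device never has to keep a clock or a counter in sync with the back end; the cost is a small table of outstanding nonces, which a real device would expire after a short timeout.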

The Internet of Things can be a complex market with multiple nodes, and businesses should aim to simplify this process. There’s no better way to assure a customer of the simplicity and security, than communicating regularly. It might seem like a rudimentary thing to do, but the true test of a successful business is to ensure that there’s a process in place amidst all that clutter. 

Other Concerns

Today's connected cars contain a multitude of computers collecting data, from driving habits to location data to media or entertainment use. With connectivity, data collected by the vehicle's computers is sent to a manufacturer or third party, and data is received as well, in the form of command and control or as updates to the programs and algorithms. In addition to privacy concerns, these technologies potentially allow hackers to remotely access a vehicle's control systems and thus endanger human life.

The consumer behavior is being used to the advantage of the retailers. For example, your trousers might get horrified by your weight gain and in turn will have the TV showing contextual ads about new fad diets, the fridge selling you low-fat yogurt, etc.

By getting smarter, things get more expensive with a shorter life span. For instance, your mattress may not need replacing every couple of years, but a smart mattress with a sensor inside may need maintenance and replacement sooner than that. For cheaper connected devices like the kettle, toaster, waist belt, light switches and door knobs, expect replacement of these components to become a new, regular expense.

The current generation of kids are born with smart devices in hand and are extremely addicted to digital gadgets; the smartphone notifications keep them busy and away from in-person socialization, leading to complete digital burn-out.

Saturday, September 13, 2014

Principles of Information Governance

With the evolution of tools and technologies around big data, the variety and volume of customer information collected has increased many fold. This also requires the responsible use of such information by the organization. Many countries have promulgated legislations to regulate the use and protection of such information in every organization.

The set of multi-disciplinary structures, policies, processes and controls that are used to manage customer information, and thereby support the current and future regulatory, legal and operational requirements, makes up the Information Governance framework of the organization. Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. It is interesting to note that big data innovators recognize the importance of governance to the success of their projects.

The Principles identify the critical hallmarks of information governance and provide both a standard of conduct for governing information and metrics by which to judge that conduct. In doing so, they give assurance to the public and society at large that organizations of every kind are meeting their responsibilities with respect to the governance of information.

Transformational organizations looking to demonstrate the highest level of maturity in Information Governance design their governance framework based on the following key principles:


Accountability:

Accountability is key to the success of any program and, on the same lines, for Information Governance to be successful it shall have an accountable senior leader who oversees the governance practices and requires regular reporting for monitoring purposes. The organization should adopt policies and procedures to guide its workforce and agents and ensure its program can be audited and continually improved to support the organization's goals.

An information governance program should at the minimum:
  • Establish an information governance structure for program development and implementation
  • Designate a qualified accountable person to develop and implement the program
  • Document and approve policies and procedures to guide its implementation
  • Remediate identified issues
  • Enable auditing as a means of demonstrating the organization is meeting its obligations to both internal and external parties

A high maturity organization would demonstrate the following:
  • The organization’s senior management and its governing board place great emphasis on the importance of information governance. 
  • The records manager directs the records management program and reports to an individual in the senior level of management. 
  • The chief information governance officer and the records manager are essential members of the organization’s governing body. 
  • The organization’s initial goals related to accountability have been met, and it has an established process to ensure its goals for accountability are routinely reviewed and revised. 

Transparency

An organization’s processes and activities relating to information governance shall be documented in an open and verifiable manner. Documentation shall be available to the organization’s workforce and other appropriate interested parties within any legal or regulatory limitations, and consistent with the organization’s business needs. Transparency of the organization’s governance practices must extend to definitions of appropriate information uses and the processes for ensuring compliance with policies on appropriate information use.

An information governance program includes its information management and information control policies and procedures. To ensure the confidence of interested parties, records documenting the information governance program must themselves adhere to the fundamentals of information management.

At the highest maturity level, an organization should practice and demonstrate the following:
  • The organization’s senior management considers transparency as a key component of information governance. 
  • The software tools that are in place assist in transparency. 
  • Requestors, courts, and other legitimately interested parties are consistently satisfied with the transparency of the processes and the organization’s responses. 
  • The organization’s initial goals related to transparency have been met, and it has an established process to ensure its goals for transparency are routinely reviewed and revised. 

Integrity

An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability. Integrity of information, which is expected by patients, consumers, stakeholders, and other interested parties such as investors and regulatory agencies, is directly related to the organization’s ability to prove that information is authentic, timely, accurate, and complete. For the healthcare industry, these dimensions of integrity are essential to ensuring trust in information.

For safety, quality of care, and compliance with applicable voluntary, regulatory and legal requirements, integrity of information should include at least the following considerations:
  • Adherence to the organization’s policies and procedures
  • Appropriate workforce training on information management and governance
  • Reliability of information
  • Admissibility of records for litigation purposes
  • Acceptable audit trails
  • Reliability of systems that control information
Transformational organizations, which are at the highest maturity level should demonstrate the following abilities:
  • There is a formal, defined process for introducing new record-generating systems, capturing their metadata, and meeting other authenticity requirements, including chain of custody. 
  • Integrity controls of records and information are reliably and systematically audited. 
  • The organization’s initial goals related to integrity have been met, and it has an established process to ensure its goals for integrity are routinely reviewed and revised. 

Protection
An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.

Information protection takes multiple forms. First, each system must enable management of security access controls. Only members of the workforce and other authorized parties with the appropriate levels of access or security clearance may access information relevant to their roles or duties. Reliably protecting electronic and physical assets requires use of tools such as user authentication, key card access restrictions, and other relevant measures. This also requires that as the workforce and other authorized parties transition in status or job function, respective level of access is changed immediately to a level appropriate to the new role and duties.

The highly matured organizations would practice and demonstrate the following:
  • Executives and/or senior management and other governing bodies (e.g., board of directors) place great value in the protection of information. 
  • Audit information is regularly examined, and continuous improvement is undertaken. 
  • Inappropriate or inadvertent information disclosure or loss incidents are rare. 
  • The organization’s initial goals related to protection have been met, and it has an established process to ensure its goals for protection are routinely reviewed and revised. 

Compliance

An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization's policies. Every organization should:
  • Know what information should be entered into its records to demonstrate its activities are being conducted in a lawful manner.
  • Enter that information into its records in a manner consistent with laws and regulations.
  • Maintain its information in the manner and for the time prescribed by law or organizational policy.
  • Develop internal controls to monitor adherence to rules, regulations, and program requirements, thus assessing and ensuring compliance.

The following capabilities when demonstrated will mark the highest maturity level:
  • The importance of compliance and the role of records and information in it are clearly recognized at the senior management and governing body levels.
  • Auditing and continuous improvement processes are well-established and monitored by senior management. 
  • The roles and processes for information management and discovery are integrated, and those processes are well-developed and effective. 
  • The organization suffers few or no adverse consequences based on information governance and compliance failures. 
  • The organization’s initial goals related to compliance have been met, and it has an established process to ensure its goals for compliance are routinely reviewed and revised. 

Availability
An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

A successful and responsible organization must have the ability to identify, locate, and retrieve the information required to support its ongoing activities. This information may be used by:
  • The healthcare team, patients, and other caregivers
  • Authorized members of the workforce and others authorized consistent with regulations
  • Legal and compliance authorities for discovery and regulatory review purposes
  • Internal and external reviewers for purposes including but not limited to: payer audit, financial audit, case management, and quality assurance.
High maturity organizations practice and demonstrate the following:
  • The senior management and governing body provide support to continually upgrade the processes that affect records and information availability. 
  • There is an organized training and continuous improvement program across the organization. 
  • There is a measurable return on investment to the organization as a result of records and information availability. 
  • The organization’s initial goals related to availability have been met, and it has an established process to ensure its goals for availability are routinely reviewed and revised. 

Retention
An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

As part of its retention program, an organization must develop an information retention schedule, which specifies what information must be retained and for what length of time. Retention decisions are based on the type of information, and the organization’s legal, regulatory, fiscal, operational, clinical, role/mission, and historical requirements. Information retention schedules should be reviewed periodically and revised regularly. Some internal changes in the organization such as mergers and acquisitions or lines of business changes, or types of records generated, as well as external events such as legal, regulatory, or fiscal changes, may require revisions.

High maturity organizations consider practising the following:
  • Retention is an important item at the senior management and governing body level.
  • Retention is looked at holistically and is applied to all information in an organization, not just to official records. 
  • Information is consistently retained for appropriate periods of time. 
  • The organization’s initial goals related to retention have been met, and it has an established process to ensure its goals for retention are routinely reviewed and revised. 

Disposition
An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.

Disposition includes not only destruction, but also any permanent change in custodianship of the information, such as when it is transferred to another party due to a merger with or acquisition of another hospital, clinic, or physician practice, or when an organization discontinues a practice, service, or other business. In many cases, the appropriate disposition is the destruction of information, in which case the organization should ensure the information is transported and destroyed in a secure and environmentally responsible manner. The organization should document or certify that the information has been destroyed completely and irreversibly when required.

The processes of a high maturity organization should address the following:
  • The disposition process covers all records and information in all media. 
  • Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories. 
  • Disposition processes are consistently applied and effective. 
  • Processes for disposition are regularly evaluated and improved. 
  • The organization’s initial goals related to disposition have been met, and it has an established process to ensure its goals for disposition are routinely reviewed and revised.

Sunday, April 27, 2014

WAF - Typical Detection & Protection Techniques

WAF - Web Application Firewalls are a new breed of information security technology that protects web sites and web applications from malicious attacks. As the name suggests, a WAF inspects HTTP and HTTPS traffic only; to inspect HTTPS it must sit where the traffic is in cleartext, either terminating TLS itself or behind the load balancer that does. WAF solutions have evolved over the last few years and can prevent attacks that network firewalls and intrusion detection systems cannot, because those operate on packets and flows rather than on application-layer semantics. The WAF offering typically comes in the form of a packaged appliance, i.e. purpose-built hardware with software running on it, plugged into the network. Different appliances offer different deployment capabilities, such as active (inline) / passive (monitoring) modes, support for High Availability, etc.

Different vendors have come up with various techniques to detect and protect web applications of the enterprise and thus the capabilities of the solution differ. However, at a minimum these devices offer the following detection and protection capabilities:


Detection Techniques

Normalization techniques

Early web applications were simple and consisted mostly of HTML content. Since then, various tools and frameworks have emerged that leverage HTTP to send and receive complex data, including large volumes of encoded binary data, and that extend the use of the HTTP methods. Attackers leverage the same encodings (URL encoding, double encoding, HTML entities, Unicode and full-width characters, null bytes, inline comments) to disguise payloads. A WAF therefore needs the ability to transform the input data into a normalized, canonical form before inspection, so that a malicious payload is recognized whatever encoding it arrived in; a WAF that matches signatures against the raw input is trivially bypassed.

Signature Based Detection

This technique involves a string or regular-expression match of the incoming traffic against a specific signature, thus detecting a potential attack. For this purpose a database of attack signatures must be maintained. Most popular WAF vendors maintain their own databases, whereas others subscribe to such databases. These databases need frequent updates to take into account the signatures used in recent attacks elsewhere. Signature matching is cheap and precise for known attacks but, by definition, does not catch novel or well-obfuscated ones, and over-broad patterns produce false positives on legitimate input.

Rule Based Detection 

Rule-based detection is similar to signature-based detection, but it allows more complex logic. For instance, even if a signature match is detected, the request can be subjected to further conditions: if the traffic comes from a trusted source it may still be allowed through, with or without alerts that trigger manual inspection. While the WAF is shipped with standard rules, these are configurable to meet the security needs of the customer. The standard rules may also be part of the signature / rule database maintained or subscribed to by the vendor.

APIs for Extensibility

Despite the standard signature and rule based detection techniques, the actual deployment scenario at the customer site may require customization of the detection logic. WAF vendors usually support this need by offering extensible APIs, plug-ins, or scripting. These extensibility options, if not appropriately secured, can be exploited by attackers too: a scripting hook sees every request and runs inside the device, so access to it should be tightly controlled and changes reviewed.
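Putting the three detection layers above together, here is an added Python example (not code from this post or from any WAF vendor) of a miniature detection pipeline: request parameters are normalized by bounded repeated decoding, matched against a small signature set, and a rule layer downgrades a match from a trusted network to an alert instead of a block. The signatures, the 10.0.0.0/8 "trusted" network and the sample requests are all constructed for the illustration.

```python
"""Miniature WAF detection pipeline: normalize -> signature match -> rule layer.
Added example; signatures, trusted networks and sample requests are constructed."""
import html
import ipaddress
import re
import unicodedata
import urllib.parse
from dataclasses import dataclass, field

MAX_DECODE_ROUNDS = 3   # bounded, so %2525%2525... chains cannot make us loop


def normalize(value: str) -> str:
    """Reduce an input to one canonical form before any signature is tried."""
    decoded = value
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = urllib.parse.unquote_plus(decoded)   # %xx escapes and '+'
        nxt = html.unescape(nxt)                    # &#x27; &lt; ... entities
        if nxt == decoded:                          # nothing left to decode
            break
        decoded = nxt
    decoded = unicodedata.normalize("NFKC", decoded)  # full-width letters -> ASCII
    decoded = decoded.replace("\x00", "")             # null-byte truncation tricks
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)      # SQL inline comments used as spacers
    decoded = re.sub(r"\s+", " ", decoded)            # tabs, newlines, %0a -> one space
    return decoded.lower()


# Signature database (constructed, deliberately small). Patterns are written
# against the *normalized* form, so they never need to know about encodings.
SIGNATURES = {
    "sqli-union":     re.compile(r"\bunion\b.{0,20}\bselect\b"),
    "sqli-tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+"),
    "rfi":            re.compile(r"\b(https?|ftp)://\S+\.(php|txt)\b"),
    "cmdi":           re.compile(r"[;&|`]\s*(cat|ls|wget|curl|nc|bash|sh)\b"),
    "path-traversal": re.compile(r"\.\./"),
}

# Rule layer input: matches from these networks are alerted, not blocked
# (assumption: internal vulnerability scanners live here).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Verdict:
    action: str                                  # "allow", "alert" or "block"
    matches: list = field(default_factory=list)  # (signature, parameter) pairs


def inspect(request: dict) -> Verdict:
    """request = {"src_ip": str, "params": {name: raw_value}}"""
    src = ipaddress.ip_address(request["src_ip"])
    hits = []
    for param, raw in request["params"].items():
        canonical = normalize(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(canonical):
                hits.append((name, param))
    if not hits:
        return Verdict("allow")
    # Rule: a signature hit is not the whole story; source context decides the action.
    if any(src in net for net in TRUSTED_NETS):
        return Verdict("alert", hits)
    return Verdict("block", hits)


# Constructed sample requests: double-encoded SQLi, RFI, an internal scanner, benign text.
SAMPLE_REQUESTS = [
    {"src_ip": "203.0.113.7", "params": {"id": "1%2527%2520UNION%2520SELECT%2520password%2520FROM%2520users"}},
    {"src_ip": "203.0.113.8", "params": {"page": "http://evil.example/shell.php"}},
    {"src_ip": "10.1.2.3", "params": {"q": "' OR 1=1 --"}},
    {"src_ip": "198.51.100.2", "params": {"q": "union station timetable"}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["src_ip"], inspect(req))
```

The first sample request is double URL-encoded (%2527 becomes %27 becomes a quote), which a single decoding pass would miss; the bounded loop decodes until the value stops changing, then the signature sees the plain UNION SELECT. The benign fourth request shows why the union signature also requires a nearby SELECT.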


Protection Techniques

Brute Force Attacks Mitigation

These attacks use automated scripts that attempt to log in to the web application with common usernames and passwords. They usually originate from a large number of sources, including compromised legitimate web servers and private home computers. Once a username and password are successfully guessed, the attackers or their scripts / tools use the gained credentials for the next stage of the attack. Where the username and password rules are strict, most guesses will fail, but the attempts still generate unduly high traffic, which drains resources and in turn affects the availability of the web application. WAFs mitigate this by counting login attempts (and failed responses) per source within a time window and throttling, challenging or blocking the source once a threshold is crossed.

Protection from Cookie Poisoning

Cookie poisoning attacks involve the modification of the contents of a cookie (data about the user stored in the web browser) in order to bypass security mechanisms. Using cookie poisoning, attackers can gain unauthorized information about another user and steal their identity. Cookie poisoning is in fact a parameter tampering attack where the parameters are stored in a cookie. In many cases cookie poisoning is more useful than other parameter tampering attacks because programmers store sensitive information in the supposedly invisible cookie. Most WAF solutions offer protection from cookie poisoning by signing and / or encrypting cookies, virtualizing them (the real values stay on the WAF and the client only receives an opaque reference), or a custom protection mechanism as the specific web application may demand.

Session Attacks Mitigation

The session store is an important component of a web application; it holds the parameters pertaining to the user and the specific session that are shared across the various actions within the application. The session data is thus a key component used to secure the web application. Attackers, on the other hand, try various techniques to hijack the session or tamper with the session parameters. While tampering with parameter values is similar to cookie poisoning, session hijacking is stealing the session identifier and issuing requests from a different source with the stolen identity. WAF solutions protect against session hijacking by signing and / or encrypting the session data and by linking the session identifier to the originating client, so that the same identifier presented from elsewhere is rejected.
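Cookie signing and binding a session to its originating client, as described in the two paragraphs above, can be shown in a few lines. This is an added Python example, not the post's or any product's code: the cookie value is an HMAC-SHA256-signed payload that also carries a fingerprint of the client (an assumed recipe of the source /24 plus the User-Agent), so both a tampered cookie and a stolen cookie presented from elsewhere are rejected. SERVER_KEY is generated at start-up purely for the illustration.

```python
"""Signed, client-bound cookies as a WAF or reverse proxy could enforce them.
Added example: key, fingerprint recipe and sample clients are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret, rotated out of band


def client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Identity of the originating client that a session is tied to.
    Using the /24 instead of the full address tolerates NAT pools that
    shift addresses mid-session; tighten it if your clients are static."""
    net = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()[:16]


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(payload: dict, client_ip: str, user_agent: str, key: bytes = SERVER_KEY) -> str:
    """Serialise payload + client fingerprint, then append an HMAC tag: <data>.<tag>."""
    body = dict(payload, fp=client_fingerprint(client_ip, user_agent))
    data = _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return f"{data}.{_b64(tag)}"


def verify_cookie(cookie: str, client_ip: str, user_agent: str, key: bytes = SERVER_KEY):
    """Return (payload, "ok") or (None, reason). The signature is checked before
    the payload is parsed, so untrusted bytes never reach json.loads."""
    try:
        data, tag_text = cookie.split(".", 1)
        tag = _unb64(tag_text)
    except ValueError:                       # includes binascii.Error
        return None, "malformed"
    expected = hmac.new(key, data.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "bad-signature"         # cookie poisoning / parameter tampering
    body = json.loads(_unb64(data))
    if body.pop("fp", None) != client_fingerprint(client_ip, user_agent):
        return None, "client-mismatch"       # hijacked session replayed from elsewhere
    return body, "ok"


def forge_role(cookie: str, role: str) -> str:
    """What an attacker does in cookie poisoning: edit the payload, keep the old tag."""
    data, tag_text = cookie.split(".", 1)
    body = json.loads(_unb64(data))
    body["role"] = role
    return _b64(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()) + "." + tag_text


if __name__ == "__main__":
    c = issue_cookie({"uid": 42, "role": "user"}, "198.51.100.10", "Mozilla/5.0")
    print(verify_cookie(c, "198.51.100.10", "Mozilla/5.0"))                       # payload, ok
    print(verify_cookie(forge_role(c, "admin"), "198.51.100.10", "Mozilla/5.0"))  # bad-signature
    print(verify_cookie(c, "203.0.113.5", "Mozilla/5.0"))                         # client-mismatch
```

Signing alone makes the cookie tamper-evident but not confidential: the payload is only base64-encoded, so anything sensitive in it still needs the encryption the post mentions. Binding to a /24 and User-Agent is a trade-off between catching hijacks and breaking legitimate users whose address changes; a WAF typically makes this tunable per application.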

Injection Attack Protection

An SQL injection attack is the insertion of SQL syntax via input data from the client to the application. A successful SQL injection attack can read sensitive data from the database, modify database data, or shut down the server. Similarly, operating system and platform commands injected through the application can give attackers access to data and escalate privileges on back-end servers. Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website and access anything the PHP program could: databases, password files, etc. Most WAF solutions, using the normalization technique and the signature and rule database, are able to deny requests carrying data, commands or instructions that could lead to any of these injection attacks. The WAF is a compensating control here; the real fix is in the application (parameterized queries, no shell invocation with user input, no include of user-supplied paths).

DDoS Protection

Distributed Denial of Service (DDoS) is a common technique used by attackers to impair the availability of a website or application by directing unusually large volumes of traffic against it. The result is that all computing resources are used up, eventually leaving the site unavailable. WAF solutions using the normalization techniques and the signature and rule databases can block malformed flood requests. Common techniques used by WAFs are a check on the content length and counting the number of requests or sessions from the same originating client within a given time period. Note that a WAF helps only against application-layer (HTTP) floods; a volumetric flood that saturates the network link has to be absorbed upstream, before the traffic reaches the appliance.
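The per-client counting that both the brute-force and the DDoS paragraphs describe comes down to sliding-window counters keyed by source. The following is an added Python example, not code from the post or from any appliance; the thresholds, the 300-second penalty and the replayed sample traffic are constructed. It models an inline WAF that sees the request (where it enforces the request rate and body-size limits) and the upstream response (where it learns that a login failed).

```python
"""Per-client rate accounting for credential guessing and HTTP-level floods.
Added example; thresholds and the sample traffic are constructed."""
import time
from collections import defaultdict, deque


class RateGuard:
    def __init__(self, login_failures=5, login_window=60.0,
                 req_limit=100, req_window=10.0,
                 max_body=1_000_000, block_for=300.0):
        self.login_failures, self.login_window = login_failures, login_window
        self.req_limit, self.req_window = req_limit, req_window
        self.max_body, self.block_for = max_body, block_for
        self._req = defaultdict(deque)    # ip -> timestamps of recent requests
        self._fail = defaultdict(deque)   # ip -> timestamps of failed logins
        self._blocked = {}                # ip -> time the block expires

    @staticmethod
    def _prune(dq: deque, now: float, window: float) -> None:
        """Drop timestamps that fell out of the sliding window."""
        while dq and dq[0] <= now - window:
            dq.popleft()

    def on_request(self, ip: str, path: str, content_length: int = 0, now: float = None) -> str:
        """Called before the request is forwarded. Returns "allow" or "block"."""
        now = time.time() if now is None else now
        if self._blocked.get(ip, 0.0) > now:
            return "block"                            # still serving a penalty
        if content_length > self.max_body:
            return "block"                            # oversized body: cheap flood vector
        q = self._req[ip]
        self._prune(q, now, self.req_window)
        q.append(now)
        if len(q) > self.req_limit:                   # too many requests in the window
            self._blocked[ip] = now + self.block_for
            return "block"
        return "allow"

    def on_response(self, ip: str, path: str, status: int, now: float = None) -> None:
        """Called with the upstream response; an inline WAF sees both directions."""
        now = time.time() if now is None else now
        if path == "/login" and status in (401, 403):
            f = self._fail[ip]
            self._prune(f, now, self.login_window)
            f.append(now)
            if len(f) >= self.login_failures:         # brute force: lock the source out
                self._blocked[ip] = now + self.block_for


def replay(guard: RateGuard, events: list) -> list:
    """events: (t, ip, path, body_len, status). Returns one verdict per event."""
    verdicts = []
    for t, ip, path, body_len, status in events:
        verdict = guard.on_request(ip, path, body_len, now=t)
        verdicts.append(verdict)
        if verdict == "allow":
            guard.on_response(ip, path, status, now=t)
    return verdicts


def sample_events() -> list:
    """Constructed traffic: 6 failed logins, a 120-request burst, one huge upload, one normal hit."""
    ev = [(float(i), "203.0.113.9", "/login", 64, 401) for i in range(6)]
    ev += [(100.0 + i * 0.05, "198.51.100.7", "/search", 0, 200) for i in range(120)]
    ev.append((300.0, "192.0.2.4", "/upload", 50_000_000, 200))
    ev.append((301.0, "192.0.2.5", "/", 0, 200))
    return ev


if __name__ == "__main__":
    v = replay(RateGuard(), sample_events())
    print("logins:", v[:6])                  # 5 x allow, then block
    print("flood :", v[6:106].count("allow"), "allowed,", v[106:126].count("block"), "blocked")
    print("upload:", v[126], " normal:", v[127])
```

Keying everything on the source address is the weakness the brute-force paragraph already hints at: a distributed attack spreads attempts over many sources and stays under each per-IP threshold, which is why real deployments also count per target account and escalate to challenges rather than outright blocks.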


Obviously, what is listed above are the most common detection and protection techniques that any WAF solution would offer. Vendors are constantly improving these techniques and adding more detection and protection features. This has to be a constant endeavor, as attackers on the other hand keep coming up with newer techniques to exploit various vulnerabilities.

Friday, January 3, 2014

Human Technology Interfaces - What The Future Has In Store

All of us would have read something or other about technology advancements that work with the human body. For example, Health IT companies are experimenting with embedding memory chips under the skin to store the individual's health records, so that when you walk into a clinic, the clinic gets to know your health history and can suggest the further course of action, all without a human front-office assistant. Similarly, with advances in brain interfaces and along the lines of the movie "Minority Report", the police and investigation authorities may move to crime-prevention mode, i.e. they will know the moment you think of committing a crime; with technologies like virtual presence and surrogates, this might be accomplished without any human casualties.

There are more such advancements and in this blog, my attempt is to present few scenarios that could be a possibility in the near future and the effects that this can have on various attributes of mankind.

Glass: With further advancement, Google Glass kind of gadgets could be miniaturized and worn like contact lenses. These lenses would interface with the things around you. For instance, the refrigerator will greet you with its current temperature, and you will know what is inside the various containers by looking at them (without opening them), along with details like quantity and how many days the item has been stored. With added gamification, one will enjoy performing various tasks at the kitchen table: while assisting you with tasks like chopping vegetables, these gadgets will also keep a score of how you perform, so that you enjoy doing them. Coupled with access to public and private data stores, they help in decision making, which can enhance one's Personal Intelligence (PI). Check out this video to get a glimpse of what I have tried to narrate here.

Brain Interface: Gadgets like Brain Link are already on the market and, coupled with related smartphone applications, offer beneficial gaming experiences like attention training, meditation, neuro-social gaming, and research and knowledge about the brain. Most of us would have watched the movies 'Surrogates', in which humans stay indoors while their surrogates go out to work, and 'Minority Report', in which the police and justice department get alerts the moment someone thinks of committing a crime. Quite a few science-fiction imaginings of the past have become reality now. Recent research accomplishments are evidence that even the fiction shown in these movies might become reality some day not very far away. For instance, researchers at Harvard have demonstrated a non-invasive brain-to-brain interface in which humans could control animals with their thoughts alone.

Given that continued advancements in brain interfaces will further these accomplishments and, coupled with various other inventions, the next generation of mankind may experience the following:


  • Personal Intelligence can be augmented by wearing or embedding devices and / or gadgets.
  • Though humans can have private thoughts, these will be subject to review or audit by government agencies and no wonder securing your thoughts would become absolutely essential.
  • Shopping will be virtual and all products can be virtually felt / experienced sitting at home and then can be ordered.
  • All 'things' would have interfaces to interact with human.
  • Blink or double blinks can be programmed to perform certain actions like taking a snapshot of what you have been seeing at that moment, etc.
  • Artificial or Virtual dreams will become reality and one can have choice of dreams and choice of character. Extending this, one would be able to watch a favorite movie as they sleep and cast themselves as a character in the movie.
  • With Body Area Networking and embedded nano chips across various critical body parts, self diagnosis with alerts might be a possibility.
  • Human disabilities can be worked around using robotic body parts and brain interface technology.
  • The hacking community would sharpen their skills and would explore opportunities of hacking human thoughts and human memory, which could be the biggest security and privacy threat to combat for the security experts.


Here are some more videos demonstrating the innovations that are taking place around human technology interfaces:

  • Ford takes SYNC to the next level through the use of configurable controls and the use of an electronic personal assistant, or "avatar," named Eva
  • Someday we'll be living on and under the oceans. This idea isn't far-fetched, and if it comes true then here's the answer to a new type of underwater transportation system.
  • Using a brain-computer interface technology pioneered by University of Minnesota biomedical engineering professor Bin He, several young people have learned to use their thoughts to steer a flying robot around a gym, making it turn, rise, dip, and even sail through a ring.
  • Cathy Hutchinson has been unable to move her own arms or legs for 15 years. But using the most advanced brain-machine interface ever developed, she can steer a robotic arm towards a bottle, pick it up, and drink her morning coffee.
  • At Barcelona University, scientists are working on a European Research Project to link a human brain to a robot using skin electrodes and video goggles so that the user feels they are actually in the android body wherever it is in the world.

Saturday, November 9, 2013

Webservice Security Standards

SOA adoption is on the rise and Webservices are predominantly used for its implementation. Webservice messages are sent across the network in an XML format defined by the W3C SOAP specification. Webservices have come a long way and have matured sufficiently to offer the required tenets, especially in the security domain. In this blog let us have a quick look at the available standards with respect to the security dimensions and at how the related security requirements are addressed.

Secure Messaging


  • WS-Security - This specification was originally developed by IBM, Microsoft and VeriSign, and OASIS (Organization for the Advancement of Structured Information Standards) continued the work on the standard. It addresses the integrity and confidentiality requirements of webservice messages. The specification describes signing and encrypting SOAP messages and attaching security tokens. Various signature formats and encryption algorithms are supported. The security tokens supported include: X.509 certificates, Kerberos tickets, User ID/Password credentials, SAML assertions and custom tokens. Because protection is applied to the message itself rather than to the connection, it survives SOAP intermediaries and can be selective, signing or encrypting only the sensitive parts of the Body. Due to the increased size of the SOAP messages and the cryptographic processing, this standard requires significantly more compute resources and network bandwidth.
  • SSL/TLS - SSL was developed by Netscape Communications Corporation in 1994 to secure transactions over the World Wide Web. Soon after, the Internet Engineering Task Force (IETF) began work on a standard protocol that provided the same functionality. They used SSL 3.0 as the basis for that work, which became the TLS protocol. In application design, TLS is layered on top of a transport protocol and encapsulates the application-specific protocols such as HTTP, FTP, SMTP, NNTP and XMPP. Historically it has been used primarily with reliable transport protocols such as the Transmission Control Protocol (TCP). This standard addresses the strong authentication, message privacy and integrity requirements, but only hop by hop: the protection ends at each TLS endpoint, so a SOAP intermediary (proxy, router, gateway) sees the message in clear, which is exactly the gap that WS-Security's message-level protection fills.
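
To make the WS-Security token mechanism concrete, here is an added Python example (not code from this post or from any SOAP stack) of the simplest token the specification's Username Token Profile defines, a UsernameToken with a PasswordDigest: the client builds the Envelope with the standard wsse/wsu namespaces, and the server verifies the digest, rejects cleartext passwords, enforces a freshness window on wsu:Created and remembers nonces to defeat replay. The user table, nonce size, five-minute window and the GetBalance body are assumptions made for the illustration.

```python
"""WS-Security UsernameToken (PasswordDigest) on both sides of a SOAP call.
Added example; the user table, nonce size and freshness window are assumptions."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_ENC = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile formula: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_request(username: str, password: str, body_xml: str, now: datetime = None) -> str:
    """Client side: wrap body_xml in an Envelope carrying a digest UsernameToken."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TS_FMT)
    nonce = secrets.token_bytes(16)            # fresh per message; the server remembers it
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    header = ET.SubElement(env, f"{{{NS['soap']}}}Header")
    sec = ET.SubElement(header, f"{{{NS['wsse']}}}Security")
    sec.set(f"{{{NS['soap']}}}mustUnderstand", "1")
    tok = ET.SubElement(sec, f"{{{NS['wsse']}}}UsernameToken")
    ET.SubElement(tok, f"{{{NS['wsse']}}}Username").text = username
    ET.SubElement(tok, f"{{{NS['wsse']}}}Password", Type=DIGEST_TYPE).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{NS['wsse']}}}Nonce", EncodingType=B64_ENC).text = \
        base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{NS['wsu']}}}Created").text = created
    ET.SubElement(env, f"{{{NS['soap']}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class TokenVerifier:
    """Server side. Needs the cleartext password (or an equivalent stored secret)
    because the digest is computed over it; stores seen nonces to defeat replay."""

    def __init__(self, users: dict, freshness: timedelta = timedelta(minutes=5)):
        self.users = users          # assumption: {username: password}
        self.freshness = freshness
        self.seen = set()           # (user, nonce) pairs accepted inside the window

    def verify(self, xml_text: str, now: datetime = None) -> tuple:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(xml_text)
        tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if tok is None:
            return False, "no-token"
        user = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if pw is None or pw.get("Type") != DIGEST_TYPE or not (nonce_b64 and created):
            return False, "digest-required"   # refuse cleartext PasswordText tokens
        secret = self.users.get(user)
        if secret is None:
            return False, "unknown-user"
        ts = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.freshness:
            return False, "stale"             # old tokens cannot be replayed later
        if (user, nonce_b64) in self.seen:
            return False, "replay"            # same nonce inside the window
        expected = password_digest(base64.b64decode(nonce_b64), created, secret)
        if not hmac.compare_digest(pw.text or "", expected):
            return False, "bad-digest"
        self.seen.add((user, nonce_b64))
        return True, "ok"


def demo() -> list:
    """Constructed exchange: a valid call, its replay, a stale copy, a wrong password, unknown user."""
    fixed = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    body = "<GetBalance xmlns='urn:example:bank'><Account>17</Account></GetBalance>"
    server = TokenVerifier({"alice": "correct horse battery staple"})
    good = build_request("alice", "correct horse battery staple", body, now=fixed)
    bad = build_request("alice", "wrong password", body, now=fixed)
    return [
        server.verify(good, now=fixed)[1],
        server.verify(good, now=fixed)[1],
        server.verify(good, now=fixed + timedelta(hours=1))[1],
        server.verify(bad, now=fixed)[1],
        server.verify(build_request("mallory", "x", body, now=fixed), now=fixed)[1],
    ]


if __name__ == "__main__":
    print(demo())   # ['ok', 'replay', 'stale', 'bad-digest', 'unknown-user']
```

Two practical points the code makes visible: the digest keeps the password off the wire but obliges the server to hold it (or an equivalent secret) in recoverable form, and the token authenticates only itself, not the Body. A message secured this way is still open to modification in transit unless it is also signed under WS-Security or carried over TLS.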

Resource Protection


  • XACML - eXtensible Access Control Markup Language defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate access requests. Version 3.0 of this standard has been published by OASIS in January 2013. The new features of the latest version of this standard include: Multiple Decision Profile, Delegation, Obligation Expressions, Advice Expressions and Policy Combination Algorithms.While there are many ways the base language can be extended, many environments will not need to do so. The standard language already supports a wide variety of data types, functions, and rules about combining the results of different policies. In addition to this, there are already standards groups working on extensions and profiles that will hook XACML into other standards like SAML and LDAP, which will increase the number of ways that XACML can be used.
  • XrML - Developed by ContentGuard, a subsidiary of Xerox, and supported by Microsoft, eXtensible Rights Markup Language provides a universal method for specifying rights and issuing conditions associated with the use and protection of content in a digital rights management system. XrML licenses can be attached to WS-Security in the form of tokens. XACML and XrML both deal with authorization. They share requirements from many of the same application domains, share the same concepts but use different terms, and both are based on XML Schema. Microsoft's Active Directory Rights Management Services (AD RMS) uses XrML in licenses, certificates, and templates to identify digital content and the rights and conditions that govern use of that content.
  • RBAC, ABAC - Role Based Access Control and Attribute Based Access Control are established access control models rather than XML token formats. The role or attribute claims that drive them are typically carried in security tokens (for example SAML assertions) attached via WS-Security and evaluated by a policy engine such as an XACML policy decision point. The use of RBAC or ABAC to manage user privileges (computer permissions) within a single system or application is widely accepted as a best practice.
  • EPAL - The Enterprise Privacy Authorization Language (EPAL) is an interoperability language for exchanging privacy policy in a structured format between applications and can be leveraged for addressing the privacy concerns with the SOAP messages. An EPAL policy categorizes the data an enterprise holds and the rules which govern the usage of data of each category. Since EPAL is designed to capture privacy policies in many areas of responsibility, the language cannot predefine the elements of a privacy policy. Therefore, EPAL provides a mechanism for defining the elements which are used to build the policy.

Negotiation of Contracts


  • ebXML - e-business XML is a modular suite of standards advanced by OASIS and UNCEFACT and approved as ISO 15000. While the ebXML standards seek to provide formal XML-enabled mechanisms that can be implemented directly, the ebXML architecture is focused on concepts and methodologies that can be more broadly applied to allow practitioners to better implement e-business solutions. ebXML provides companies with a standard method to exchange business messages, conduct trading relationships, communicate data in common terms and define and register business processes. A CPA (Collaboration Protocol Agreement) document is the intersection of two CPP documents, and describes the formal relationship between two parties.
  • SWSA - The SWSA(Semantic Web Services Architecture) interoperability architecture covers the support functions to be accomplished by Semantic Web agents (service providers, requestors, and middle agents). While not all operational environments will find it necessary to support all functions to the same degree, the distributed functions to be addressed by this architecture to include: Dynamic Service Discovery, Service Engagement (Negotiating & Contracting), Service Process Enactment & Management, Semantic Web Community Support Services, Semantic Web Service Lifecycle & Resource Management Services and Cross Cutting Issues.


Trust Management


  • WS-Trust - The goal of WS-Trust is to enable applications to construct trusted SOAP message exchanges. This trust is represented through the exchange and brokering of security tokens. This specification provides a protocol agnostic way to issue, renew, and validate these security tokens. The Web service security model defined in WS-Trust is based on a process in which a Web service can require that an incoming message prove a set of claims (e.g., name, key, permission, capability, etc.). If a message arrives without having the required proof of claims, the service SHOULD ignore or reject the message. A service can indicate its required claims and related information in its policy as described by WS-Policy and WS-PolicyAttachment specifications.
  • XKMS - XML Key Management Specification is a protocol developed by W3C which describes the distribution and registration of public keys. Services can access an XKMS compliant server in order to receive updated key information for encryption and authentication. The XML Key Management Specification (XKMS) allows for easy management of the security infrastructure, while the Security Assertion Markup Language (SAML) makes trust portable. SAML provides a mechanism for transferring assertions about authentication of entities between various cooperating entities without forcing them to lose ownership of the information.
  • SAML - Security Assertion Markup Language is a product of the OASIS Security Services Technical Committee intended for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application. SAML specifies three components: assertions, protocol, and binding. There are three assertion types: authentication, attribute, and authorization decision. An authentication assertion states that the user's identity was validated, and how; an attribute assertion contains specific information about the user; an authorization decision assertion states what the user is authorized to do. The protocol defines how SAML asks for and receives assertions. Bindings define how SAML message exchanges are mapped onto lower-level protocols, for instance SOAP, or HTTP redirect and POST for browser-based single sign-on. A relying party must verify the issuer's signature on an assertion and check its audience and validity period before trusting any of its statements.
  • WS-Federation - WS-Federation extends the WS-Security, WS-Trust and WS-SecurityPolicy by describing how the claim transformation model inherent in security token exchanges can enable richer trust relationships and advanced federation of services. A fundamental goal of WS-Federation is to simplify the development of federated services through cross-realm communication and management of Federation Services by re-using the WS-Trust Security Token Service model and protocol. A variety of Federation Services (e.g. Authentication, Authorization, Attribute and Pseudonym Services) can be developed as variations of the base Security Token Service. 

Security properties

  • WS-Policy, WS-SecurityPolicy - WS-Policy represents a set of specifications that describe the capabilities and constraints of the security policies on intermediaries and end points and how to associate policies with services and end points. Web Services Policy is a machine-readable language for representing these Web service capabilities and requirements as policies. Policy makes it possible for providers to represent such capabilities and requirements in a machine-readable form. A policy-aware client uses a policy to determine whether one of these policy alternatives (i.e. the conditions for an interaction) can be met in order to interact with the associated Web Service. Such clients may choose any of these policy alternatives and must choose exactly one of them for a successful Web service interaction. Clients may choose a different policy alternative for a subsequent interaction.
  • WS-ReliableMessaging, WS-Reliability - WS-ReliableMessaging was originally written by BEA Systems, Microsoft, IBM, and Tibco and later submitted to the OASIS Web Services Reliable Exchange (WS-RX) Technical Committee for adoption and approval. Prior to WS-ReliableMessaging, OASIS produced a competing standard, WS-Reliability, that was supported by a coalition of vendors. The protocol allows endpoints to meet the delivery assurances AtMostOnce, AtLeastOnce, ExactlyOnce and InOrder. Persistence considerations related to an endpoint's ability to satisfy the delivery assurances are the responsibility of the implementation and do not affect the wire protocol.