Managed security service for risk management: The Kotak Mahindra story

Kotak Mahindra Bank outsourced infosec management after the realization that information security is not its core expertise. How effective has this been?

Banks face two dilemmas — constantly evolving security threats and the fact that information security is not their core expertise. This leaves them with the option of outsourcing their security management functions. However, Indian banks are very apprehensive about outsourcing security. In this context, Kotak Mahindra Bank has been a forerunner of sorts. One of the leading Indian private sector banks, Kotak Mahindra Bank took a bold step when it decided to completely outsource its information security requirements in 2007.

Prior to 2007, Kotak Mahindra Bank managed its information security requirements through multiple security service providers and the internal team. This arrangement led to a lack of overall visibility. As security threats got more complex, the bank found it challenging to build and retain in-house security expertise.

To prepare itself for more comprehensive information security management, Kotak Mahindra Bank decided to outsource its security operations to Paladion, a managed security service provider. "Outsourcing security to the experts made sense from an expertise as well as cost perspective. While this ensures quick turnaround times and faster resolution, ownership and accountability are still with the bank," explains Sanjay Belsare, the vice president of IT for Kotak Mahindra Bank.

Security technologies under the MSS model
1. Multi-layer firewall architecture for the data center.
2. Intrusion Detection Systems.
3. Gateway level protection (email and Web) against malicious code using reputation filtering.
4. Email archival and patrolling systems.
5. Desktop management suite for remotely enforcing security compliance on desktops and servers.
6. IP VPN for the bank's wide area network.
7. Secured third party connectivity.
8. Secured wireless connectivity.
9. Protection of documents published on the Intranet.
10. Laptop encryption to protect against data compromise if it gets lost or stolen.

According to Belsare, two factors led to the selection of Paladion as a managed security service provider. Paladion already provided certain security management services to Kotak Mahindra Bank, so the bank was aware of the service provider's capabilities. However, Paladion's capability to deliver multiple information security services proved decisive.

The managed security service (MSS) model called for enhancements in the bank's information security policy. The bank rolled out an information security management system (ISMS) document based on the ISO 27001 standard and Reserve Bank of India (RBI) guidelines. This document helped Kotak Mahindra Bank adopt a more proactive and structured approach, as opposed to the earlier ad-hoc one.

The managed security service model
Instead of opting for standard offerings, Kotak Mahindra Bank discussed its specific business needs with the service provider. The bank made it clear that security technologies on their own are not sufficient unless they are operation-focused and result-oriented. The bank has focused on quantifying security through a structured service level agreement (SLA) that is visible to top management through dashboards. Belsare says that the SLAs are designed to be result- or outcome-based, so that they measure direct or indirect business benefits.

Kotak Mahindra Bank's entire managed security service model is based on three principles — holistic, continual and integrated. The bank places special emphasis on security monitoring and compliance. An audit schedule is also followed to review existing systems, with daily, weekly and monthly compliance reports. Every new initiative (application, process and third party outsourcing) goes through a security signoff process to ensure that the risks are mitigated and controlled at the initial stage.

The bank has a 24x7 security monitoring center to monitor security logs. It also monitors security devices, network devices, servers and databases.

Some of the MSS' prominent features are:

Risk engine: This is the repository of risks across delivery channels, business applications, underlying technology infrastructure, and business processes around IT. Assets (along with the business value of assets) are captured in the risk engine. The risk engine quantifies risks and enables prioritization for mitigation. The security intelligence service (part of MSS) tracks global threats. All these are inputs to the risk engine for comprehensive risk identification and mitigation.
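The risk engine described above combines three inputs: the asset inventory with each asset's business value, the findings from vulnerability assessments, and the threat-intelligence feed on which weaknesses are currently being exploited. The following is an added example of how such an engine can quantify and rank risks; it is not Kotak Mahindra Bank's or Paladion's code, the scoring formula (business value x severity x threat likelihood) and the banding thresholds are assumptions, and every asset name, finding and feed entry is constructed sample data. It also surfaces findings against assets that are missing from the inventory, since an incomplete asset register is itself a gap the risk engine should make visible.

```python
"""Toy risk engine: quantify and prioritise risks from an asset inventory,
vulnerability findings and a threat-intelligence feed.

Added illustration, not the bank's or the MSS provider's code. All names,
scores and feed entries below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    channel: str          # delivery channel or business process the asset serves
    business_value: int   # 1 (low) .. 5 (critical), set by the business owner


@dataclass(frozen=True)
class Finding:
    asset: str
    weakness: str         # weakness class reported by the assessment
    severity: int         # 1 .. 5, technical severity from the assessment


@dataclass(frozen=True)
class Risk:
    asset: str
    channel: str
    weakness: str
    score: float
    band: str


# Threat-intelligence feed: assumed likelihood multiplier (0.2 .. 1.0) for how
# actively each weakness class is being exploited right now (constructed).
THREAT_INTEL = {
    "phishing-lookalike-domain": 1.0,
    "sql-injection": 0.8,
    "unpatched-vpn-gateway": 0.9,
    "weak-tls-config": 0.3,
}
DEFAULT_LIKELIHOOD = 0.2   # no current intel: low, but never zero


def band_for(score: float) -> str:
    """Map a numeric score to the band shown on a management dashboard (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def score_risk(asset: Asset, finding: Finding) -> float:
    """Risk = business impact x technical severity x current threat likelihood."""
    likelihood = THREAT_INTEL.get(finding.weakness, DEFAULT_LIKELIHOOD)
    return round(asset.business_value * finding.severity * likelihood, 2)


def prioritise(assets, findings):
    """Return (risks ranked highest first, findings whose asset is not in the inventory)."""
    inventory = {a.name: a for a in assets}
    risks, unregistered = [], []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            unregistered.append(f)   # cannot be scored without a business value
            continue
        s = score_risk(asset, f)
        risks.append(Risk(asset.name, asset.channel, f.weakness, s, band_for(s)))
    risks.sort(key=lambda r: (-r.score, r.asset))
    return risks, unregistered


# Constructed sample inventory and assessment output.
ASSETS = [
    Asset("netbanking-web", "internet banking", 5),
    Asset("branch-vpn-gw", "branch WAN", 4),
    Asset("intranet-wiki", "internal", 2),
]
FINDINGS = [
    Finding("netbanking-web", "phishing-lookalike-domain", 3),
    Finding("netbanking-web", "weak-tls-config", 2),
    Finding("branch-vpn-gw", "unpatched-vpn-gateway", 4),
    Finding("intranet-wiki", "sql-injection", 4),
    Finding("hr-portal", "sql-injection", 5),   # asset missing from the inventory
]

if __name__ == "__main__":
    ranked, missing = prioritise(ASSETS, FINDINGS)
    for r in ranked:
        print(f"{r.band:6} {r.score:5.1f}  {r.asset} ({r.channel}): {r.weakness}")
    for f in missing:
        print(f"UNREGISTERED ASSET {f.asset}: {f.weakness} (severity {f.severity})")
```

The ordering is the point: the medium-severity phishing finding on the internet banking front end outranks the higher-severity SQL injection on the intranet wiki because business value and live threat activity both feed the score, which is how a risk engine turns an assessment report into a mitigation queue.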

IS steering committee: Kotak Mahindra Bank's top management has representation in the bank's periodic Information Security Committee (ISC) meetings. They are updated on the status of the MSS through various reports, and their directives on critical information security matters are tracked and implemented.

Management dashboards: These let the bank's management view the security status, and give information on covered risks, asset classification, pending vulnerability assessment observations and pending audit observations.

Earlier, user awareness and constant monitoring of security threats were major challenges. However, the MSS model has helped Kotak Mahindra Bank to handle these issues in a more effective manner. According to Belsare, the managed security service has significantly transformed the bank's security landscape. "Losses from phishing incidents and breaches of IT systems are almost nil. Phishing sites are brought down in less than four hours, while response times for security infrastructure attacks are less than 30 minutes on average," says Belsare. Data is not compromised in case of loss or theft of laptops.
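The outcome-based SLAs the article describes (phishing takedown within four hours, response to security infrastructure attacks within 30 minutes) only become a dashboard figure once someone measures each incident against its target. The following is an added example of that measurement, written for this page rather than taken from the bank or its service provider: the incident records and timestamps are constructed, the category names and the treatment of open tickets are assumptions, and the two targets are the figures quoted above. Open tickets that have already exceeded their target count as breaches so that a dashboard cannot look green just because nobody has closed the ticket yet.

```python
"""SLA compliance report for a managed security service dashboard.

Added illustration, not the bank's or the MSS provider's reporting code.
Incident records are constructed; targets are the figures quoted in the article.
"""
from datetime import datetime, timedelta

# SLA targets: time from detection to resolution (assumed category names).
SLA_TARGETS = {
    "phishing-takedown": timedelta(hours=4),
    "infra-attack-response": timedelta(minutes=30),
}

# Constructed incident records: (ticket, category, detected_at, resolved_at).
# resolved_at is None while the ticket is still open.
INCIDENTS = [
    ("INC-0001", "phishing-takedown", "2009-03-02T09:10:00", "2009-03-02T12:05:00"),  # 2h55, met
    ("INC-0002", "phishing-takedown", "2009-03-03T22:40:00", "2009-03-04T03:15:00"),  # 4h35, breach
    ("INC-0003", "infra-attack-response", "2009-03-05T01:02:00", "2009-03-05T01:20:00"),  # 18 min, met
    ("INC-0004", "infra-attack-response", "2009-03-06T14:00:00", "2009-03-06T14:45:00"),  # 45 min, breach
    ("INC-0005", "infra-attack-response", "2009-03-07T10:00:00", None),                   # still open
]


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def sla_report(incidents, now):
    """Per category: met / breached / pending counts, compliance %, and average resolution time.

    Closed tickets are compared with their target. Open tickets count as
    breached once they exceed the target, otherwise as pending (not yet decided).
    """
    report = {c: {"met": 0, "breached": 0, "pending": 0, "_minutes": []} for c in SLA_TARGETS}
    for ticket, category, detected, resolved in incidents:
        if category not in SLA_TARGETS:
            raise ValueError(f"{ticket}: no SLA target defined for category {category!r}")
        target = SLA_TARGETS[category]
        opened, closed = _parse(detected), _parse(resolved)
        row = report[category]
        if closed is None:
            if now - opened > target:
                row["breached"] += 1      # overdue while still open
            else:
                row["pending"] += 1
            continue
        taken = closed - opened
        row["_minutes"].append(taken.total_seconds() / 60)
        if taken <= target:
            row["met"] += 1
        else:
            row["breached"] += 1
    for row in report.values():
        decided = row["met"] + row["breached"]
        row["compliance_pct"] = round(100 * row["met"] / decided, 1) if decided else None
        minutes = row.pop("_minutes")
        row["avg_resolution_minutes"] = round(sum(minutes) / len(minutes), 1) if minutes else None
    return report


if __name__ == "__main__":
    snapshot = datetime.fromisoformat("2009-03-07T10:20:00")   # constructed report time
    for category, row in sla_report(INCIDENTS, snapshot).items():
        print(f"{category:24} met={row['met']} breached={row['breached']} pending={row['pending']} "
              f"compliance={row['compliance_pct']}% avg={row['avg_resolution_minutes']} min")
```

Running the same report an hour or two later shows the open infrastructure ticket flip from pending to breached, which is the behaviour a dashboard wired to an outcome-based SLA needs: the figure moves with elapsed time, not only with ticket closure.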

Kotak Mahindra Bank has experienced a significant increase in the number of online transactions across all channels, and a 100% surge in payment gateway transactions in 2008. The bank has also been successful in creating better security awareness among customers and employees. "We have experienced significant cost benefits, as we invest only in the services and not in resources or tools," says Belsare.
