Cleartrip's methodology for risk management: A detailed overview

Leading travel portal Cleartrip believes in identifying and addressing security risks at the initial stages. A look at its methodology for risk mitigation.

For leading Indian travel website Cleartrip, the business mantra is to make journeys simpler and more comfortable for its customers. The four-year-old online travel portal covers flight, train and hotel bookings. From this perspective, security risks (especially data loss) are a major concern for the e-commerce site. To this end, Cleartrip's methodology to manage risk involves taking care of security issues right at the initial stages of software design. Cleartrip develops its core software in-house as part of this methodology. This helps the portal manage a great deal of risk, because the standard tracking processes exploited by phishers are avoided by this approach.

The daily attack logs at Cleartrip are huge, but these risks are well contained, since the enterprise has two levels of firewalling. This methodology of risk management helps the portal manage risks effectively. While one firewall is at the top level, the second is at the network level. Whenever there is a hit at the network level, it always lands on the load balancers. These attacks don't reach the servers because there is no direct connectivity to the servers.

At the load balancer level, checks verify whether a hit is genuine. Only if the hit is genuine does it go to the servers. Further, the load balancer terminates the original connection and opens a new connection to forward the hit to the server. This way, two separate sessions are created under this methodology of risk management, and the servers are never exposed to the client's connection directly. Hence, the entire system is protected.

Additionally, according to Cleartrip, its enterprise systems are safe because there is no access from outside. "By the time you try to crack them, you should have triggered at least two alarms, resulting in a lot of password failures. Following this, the account gets locked automatically," says PKX Thomas, the chief operating officer of Cleartrip. As part of the company's methodology to manage risk, the first access control layer is lightweight directory access protocol (LDAP) authentication. Only if the user has passed LDAP authentication does he reach the login page.

In Cleartrip's case, users need not enter any details to access the page. They can search for the desired data. Only once they click on 'book' does the site request information about them.

How does Cleartrip prevent leaks due to internal access?
In spite of multiple levels of security, there is always the possibility of internal data leakage. For example, a developer with the company may have full knowledge of the data structures and the various controls, and could pull out some data.

As part of its methodology to manage enterprise risk, Cleartrip addresses this issue by scrambling production data. "Out of this scrambled data, new data is generated and used for testing purposes. This is the only time when the production data has some linkage with the testing data, and the enterprise has to be really careful so as to avoid any risk. By mistake, if production data is put in the test data while scrambling, then it's trouble time. But we have checks and balances to prevent that from happening," says Thomas.
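The scrambling step and the "checks and balances" that follow it, as an added illustration that is not Cleartrip's own code: sensitive fields are replaced with keyed one-way values so test data keeps its shape, and a verification pass refuses to release a test set in which any production value survives. The record layout, field names and sample records are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample production records (not real customer data).
PRODUCTION = [
    {"id": 101, "name": "Asha Rao", "email": "asha.rao@example.com",
     "phone": "+91-9876543210", "route": "BOM-DEL"},
    {"id": 102, "name": "Vikram Nair", "email": "vikram.n@example.com",
     "phone": "+91-9123456789", "route": "DEL-BLR"},
]

# Fields that must never reach the test environment in clear form (assumed list).
SENSITIVE_FIELDS = ("name", "email", "phone")

def scramble_value(key: bytes, field: str, value: str) -> str:
    """Keyed one-way replacement: the same input maps to the same output within
    a run, so joins between records still work, but the original is not recoverable."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"{field}_{digest}"

def scramble_records(records, key: bytes):
    """Copy every record, replacing only the sensitive fields."""
    out = []
    for rec in records:
        masked = dict(rec)
        for field in SENSITIVE_FIELDS:
            masked[field] = scramble_value(key, field, rec[field])
        out.append(masked)
    return out

def leaked_values(production, test_set):
    """The verification step: every sensitive production value that still
    appears verbatim anywhere in the generated test data."""
    prod_values = {rec[f] for rec in production for f in SENSITIVE_FIELDS}
    found = set()
    for rec in test_set:
        for value in rec.values():
            if isinstance(value, str) and value in prod_values:
                found.add(value)
    return found

def build_test_data(production, key: bytes):
    """Scramble, then refuse to hand over the test set if the check finds a leak."""
    test_set = scramble_records(production, key)
    leaks = leaked_values(production, test_set)
    if leaks:
        raise ValueError(f"production data leaked into test set: {sorted(leaks)}")
    return test_set

if __name__ == "__main__":
    run_key = secrets.token_bytes(32)  # per-run key, never stored alongside the test data
    for row in build_test_data(PRODUCTION, run_key):
        print(row)
```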

In addition, access to the system is granted depending on each employee and his requirements. Thomas explains: "For example, if a person manages the train booking system, he won't get access to the flight booking system. Similarly, call center executives do not have access to all the data."

Securing payment gateways
As part of its methodology for risk management, Cleartrip develops its payment gateways in-house. "We have used consolidators such as curve injection, as well as foreign consolidators for our international business," Thomas informs. "When a client sees the address bar and green bar coming on our site, he's aware that the site isn't fake and is very secure."

It is easier to attack banking sites and social networking sites because their first screen is a login screen. In such cases the risks are higher, because users cannot see any of the functionality before actually logging in. By contrast, in the case of Cleartrip, users don't have to log in to access the page. They can search for data, find the right flight (or train), select the hotel, and then click on 'book.' Only when 'book' is clicked is their information taken. Users therefore have to go through the 'search' functionality first. Phishers can't set up a three-page search flow exactly like the original one with a similar set of URLs, and therefore such attacks are nullified.

According to Cleartrip, phishers won't gain anything from such attacks. At most, they can harm a person by canceling his trip. But that won't result in a monetary loss, as the money will be deposited back in the person's bank account.

However, banks handle the PCI DSS and PA DSS certifications for Cleartrip. "We haven't got the certifications done from our side. The bank's consultant talks to us, and does the compliance test on a regular basis, so what actually happens is third-party verification," says Thomas.

Proprietary or open source software?
Cleartrip has used both proprietary and open source software. First it was using the Sage ACT CRM solution, and then it moved on to SugarCRM.

According to Thomas, there are pros and cons to both approaches. When the various aspects are evaluated as part of the methodology to manage risk, there are standard ways of cracking proprietary software. "But that doesn't mean open source is safer, because there are ways to crack this too. In our case, the systems are safe because there's no access to them from outside. However, the cost of maintaining security in proprietary software is very expensive, as compared to doing so in open source software," says Thomas.
