By Nitin Singhal, Managing Director, Sinch India
With ‘digital’ and ‘data’ being today’s buzzwords, India’s growth story is for everyone to see. Digitization has augmented lives in more ways than one, enabling brands to get closer to customers. In such a context, the discussion around data privacy becomes crucial.
Businesses and customers alike have started to benefit from scores of new and emerging technologies, such as tokenization, Web3 and AI, that pervade our lives like never before. As a result, all of us are part of one online community or another and are ushering in a new landscape that prioritizes such digital belongingness. People trust companies with their sensitive data when buying groceries, medicines or flight tickets, or even when getting their salaries credited. There is so much happening every day, and securing and protecting customers is a responsibility we cannot overlook.
Protecting APIs and Cloud Communications
Data protection is a driving principle built into a design from the beginning. A company can take all the time it needs to examine and re-examine its code and configuration before deploying, while following best practices and guidelines. Regular vulnerability scans, log analysis, anomaly detection, pattern deviation, firewall rule monitoring, system hardening policy, impossible logins: its security operations center is on top of everything. Whether through security awareness training or crisis management drills, such companies fiercely protect data in any form and resort to tabletop exercises and different types of gamification to do so.
Educating customers and employees about compliance and security risks
Having a CPaaS partner is imperative. Customers are looking to engage with businesses on their own terms; therefore, brands must find a way to avoid this crucial association with CPaaS providers. Consequently, one should check for the following:
Vendor’s maturity: CPaaS is a crowded space, and one hears pitches every now and then. When shortlisting a vendor, one should continually assess their maturity in the space, their tools, and the processes and protocols they follow to keep communication secure. IT teams may want to score CPaaS vendors after verifying their certifications to achieve the best for their business. Any laxity here may expose unprotected APIs to hackers, so due diligence is necessary.
Endpoint management: To protect the cloud network and customer data, endpoint management is a good practice. Similarly, VPN security must be noticed and must go on for smooth functioning. At the same time, CPaaS partners must recommend necessary changes to ensure that the proper standards are in place.
Now, let us look at the bright side as well. A great CPaaS solution to an existing communication infrastructure will strengthen security. Business users will be able to understand the flow of data without really needing to dig into many legacy systems. In the absence of a strong CPaaS though, the data flow may run the risk of loss.
CPaaS companies make every effort to educate customers on the plausible risks and data theft associated with API abuse, and that is the first step. Any personal data is protected under the company’s privacy policy and applicable laws. Data in transit is encrypted to prevent man-in-the-middle attacks. A robust authentication mechanism blocks unauthorized access. API endpoints are hosted behind a firewall, with appropriate security in place, including access tokens and rate limiting wherever required, to guard against denial-of-service or brute-force attacks. As a practice, CPaaS companies make API endpoints accessible to whitelisted public IPs, which adds another layer of protection against cyberattacks.
All applications that are exposed to customers must also undergo Vulnerability Assessment and Penetration Testing (VAPT) at least twice a year.
Security is an evolving sphere. Today one may have cracked it, but it may be equally important to prepare for newer security attacks. Cyber attackers are always on the lookout for API vulnerabilities or bugs in the logic with requests that masquerade as normal ones but may have enough data within to discern the flaws and exploit them.
Continuous monitoring of networks, data and systems for any suspicious activity or vulnerabilities becomes necessary at this time. Risks could become more sophisticated with attackers leveraging AI. Therefore, CPaaS players should stay abreast of the latest developments in security threats and vulnerabilities by following industry experts. Companies can also subscribe to security services, which regularly assess security posture and identify areas vulnerable to future threats.
For employees, companies should strictly implement a clear desk policy and data management policies that restrict any unwarranted dissemination and leakage of data. Players should also build a security culture at the workplace, which is possible only when one routinely educates employees about the risks of non-compliance and threats from phishing emails, malware, ransomware, spoofed websites, etc. Today, security is part of every organization’s DNA.
The role of the government in formulating policies
Ever since we’ve got a phone in hand, there has been a sea change in data collection. The fact that the draft Digital Personal Data Protection Bill has garnered attention is a step in the right direction. It will help stakeholders to put forth their concerns, and the final version of the law will be in the interest of Indian citizens.
It may be worthwhile to point out a few clauses that require clarity. These include a definition of sensitive personal data, rules for data transfer outside the country and sanctions for non-compliance.
The Bill does not provide enough transparency when it comes to how personal data is being used or stored. This can lead to a situation where individuals are unaware of how their data is being handled or secured. However, the draft Bill is a welcome move since it will help deal with non-compliance with a heavy hand.