Financial services organizations, banks, retailers, insurance providers, and payment application developers are seeing rapid changes in the way they do business. Attack vectors are growing in sophistication, and organizations are increasingly relying on hardware security modules (HSMs) to provide the highest possible security. To address this, CISO MAG recently hosted a closed-door virtual roundtable dubbed “Gearing for Greatness - The future of India’s BFSI ecosystem,” with Sachin Y Shende, General Manager, Reserve Bank of India, chairing the discussion.
The discussion covered several topics, including the changing dynamics in the hardware security module (HSM) industry, the merging of general-purpose and financial HSM technologies, and the emerging role of cloud key management and cloud financial HSMs, among several others. As General Manager of RBI, Shende was in charge of RBI’s Primary Data Centre (Tier IV DC) and implemented and managed mission-critical payment systems of national importance (i.e. NEFT, RTGS & SFMS) and various applications as well as critical IT infrastructure. He was instrumental in implementing the information Security Operation Centre (iSOC), a new approach for holistically managing cybersecurity. Shende continually revamped IT infrastructure for better availability and to meet the exponential growth of NEFT / RTGS transactions and played a marquee role in the establishment of RBI private cloud.
The speakers in the roundtable included Ramesh Lakshminarayanan, Group Head – Information Technology and CTO, HDFC Bank; Sankarson Banerjee, Chief Information Officer, RBL Bank; Deepak Sharma, President & Chief Digital Officer, Kotak Mahindra Bank Ltd; Supriya Datta, Senior VP Technology at NSE (National Stock Exchange of India); Manoj Shrivastava, Chief Information Security Officer, Future Generali India Insurance Company; Siba Narayan Panda, a Subject Matter Expert; and Adam Cason, Vice President, Global and Strategic Alliances, Futurex.
“HSMs have historically been mandated for applications such as financial acquiring, card issuance, and mobile payment security. In recent years, however, organizations have been using HSMs for even greater numbers of use cases, such as within Cheque Truncation Systems (CTS), Real Time Gross Settlement (RTGS) applications, and tokenization for retailers.”
– Sachin Y Shende, General Manager, Reserve Bank of India
Shende began the discussion on the adoption of HSMs and asked which of the two, cloud or on-premises, was more advisable. Sankarson Banerjee took the lead to explain how his organization has deployed both.
“We have both in place. I believe for short-term transactions, it is sensible to have it on cloud, as the encryption is also for a shorter duration. But for long-term projects, it is better that they are hosted on-premises.”
– Sankarson Banerjee, Chief Information Officer, RBL Bank
“Since 2004, HSMs have been active and were deployed for several key projects. But back in the day, cloud wasn’t available. In fact, for the next 5-10 years, cloud was just coming in. And that trend continues for several organizations. Even though the BFSI sector has transformed significantly, many companies have still not adopted HSM on cloud.”
– Siba Narayan Panda, a Subject Matter Expert
He also noted that several new players have entered the sector and have changed its landscape, but the older ones are continuing with their legacy platforms. According to him, it is paramount for every organization to have a robust security culture.
“NSE continues to deploy many functions on-premises, while areas like emails are ones with HSMs on the cloud.”
– Supriya Datta, Senior VP Technology at NSE (National Stock Exchange of India)
She also pressed for a hybrid approach. Supriya Datta is currently engaged with the National Stock Exchange (NSE) as Senior VP of Technology. Here, she executes the role of a CIO for the Exchange Index and Market Data Business line, Exchange Commodity segment, and NSE IFSC. Additionally, she leads innovation in blockchain at NSE and is responsible for identifying possible blockchain use cases together with the business, conducting feasibility and proof-of-concept work, and furthering production deployment.
Ramesh Lakshminarayanan spoke about evaluating cloud infrastructure. According to him, “You must have all the controls and tenancy even if it is hosted on the cloud.” He also advocated that HSM assessment needs some standardization.
– Ramesh Lakshminarayanan, Group Head – Information Technology and CTO, HDFC Bank
Adam Cason concurred with the idea and added that GP HSM and Payment HSM can be converged into a single infrastructure.
“I personally prefer the hybrid approach.” As Vice President, Global and Strategic Alliances at Futurex, Cason works with technology and channel partners worldwide to help them integrate Futurex’s FIPS 140-2 Level 3 and PCI HSM validated hardware security modules and key management solutions into their customers’ enterprise security architecture, in both on-premises and cloud environments.
– Adam Cason, Vice President, Global and Strategic Alliances, Futurex
“We have everything on-premises. The challenge that comes to my mind is the current key management solution.”
– Deepak Sharma, President & Chief Digital Officer, Kotak Mahindra Bank Ltd
According to him, even HSM-as-a-service has a lot of scope. Sharma heads Kotak Mahindra Bank’s digital initiatives where he drives digital transformation, business model innovation, and future-ready initiatives of the bank. He is responsible for efficiency, productivity, customer experience, and growth of the business through digital intervention across digital channels, lending, payments, investments, insurance, trade & forex for the Retail, SME, Private Wealth, and Institutional Banking segments.
Manoj Shrivastava continued, “There must be guidelines from the government on what should go on cloud and what should stay on-premises.”
– Manoj Shrivastava, Chief Information Security Officer, Future Generali India Insurance Company
According to him, security challenges even have psychological effects, and cyberattacks can affect the GDP and the economy. Shrivastava is an information and cybersecurity professional and has been in the Information Technology field for about two decades.
The roundtable also saw discussions on Crypto-as-a-Service – single HSM and key management infrastructure for multiple business applications, and also the impact of COVID-19 on the BFSI Sector.