Data security in Portals
Indian Airlines had an internal system for reservations and passenger services that was not available to the general public. But when they went online with their portal, they faced a few challenges. A K Rastogi, Ex Director IT, Indian Airlines, shares his experiences.
Saturday, October 01, 2005
A common problem most enterprises face when they decide to go 'online' and throw open previously internal facilities for public use is the sudden need to secure their networks and, quite critically, their data. As long as the network is available only to a select few who are connected to it over a well-known LAN, the problems are known in advance and easily controllable. There is only one mode between this network and the outside world. But when you expose a part of this network to the Web, a plethora of new problems surface, and dealing with those may not be as easy.

And this is what Indian Airlines faced when they went online with their passenger services portal. We found that our internal leased-line run network was not secure enough and we had to race to protect it. Their methodology in tackling this meant we had to classify our data, determine where it would reside and then plan firewall and IDS/IPS systems. We had to ensure that traffic from the Internet did not interfere with or harm the data within our network. Finally, we decided on a three-level strategy. At the first level, there were firewalls that filtered malicious traffic. Then the application itself would filter out and place access control. Finally, strong checks within the application logic would ensure proper disposal of requests and commands.
A K Rastogi
Ex Director IT, Indian Airlines
The protection offered by the system's OS was also roped in to bolster security. The biggest challenge we faced in the implementation part was in acquiring the relevant solutions from the vendor and then verifying whether they satisfied their needs. But a lot of security still works on trust and depends on the malicious user not knowing what data to take. Our policy simply involved user-level security and enforcing periodic password change. Different kinds of users are also required to have different kinds of passwords according to their access levels. For instance, system administrators, travel agents, passenger-users and internal users all require different types and levels of access, and the more sensitive a user's role is and the wider the pool and scope of the data he uses, the stronger the password for that user should be. Everything is logged and these logs are checked. If a threat is perceived, action is taken. However, there are still no written policies on data security within Indian Airlines. We are yet to come across a user trying to go beyond his authorized area.