Cyber Law has a vital role to play at the application level because of the critical nature of financial data transfer. Financial messages should have the following features:
- The receipt of the message at the intended destination (data transmission)
- The content of the message should be the same as the transmitted one (data integrity)
- Sender of information should be able to verify its receipt by the recipient (data acknowledgement)
- Recipient of the message could verify that the sender is indeed the person (data authenticity)
- Information in transit should not be observed, altered or extracted (data security)
- Any attempt to tamper with the data in transit will need to be revealed (data security)
- Non-repudiation (non repudiation of the data)
These features boil down essentially to authentication, authorisation, confidentiality, integrity and non-repudiation.
There should be an appropriate institutional arrangement for key management and authentication. This is normally done through Certification Agencies. For the banking and financial sector, the RBI should appoint a suitable agency/institution as the Certification Agency. There should also be an institutional arrangement for appropriate assessment of participants of the financial network in terms of their credit-worthiness, financial soundness, etc. These assessments will provide valuable input to the banking and financial sector.
Initially the Indian Financial Network (INFINET) will be a Closed User Group (CUG) network, but in due course this network will have to be connected to public networks like the Society for World-wide Interbank Financial Telecommunication (SWIFT) etc. It is essential to look at the possibility of having firewall implementations, and they need to meet the following criteria:
- All in and out traffic must pass through the firewall.
- The firewall should check and authorise the traffic.
- The firewall in itself should be immune to penetration.
Implementation of firewalls can be done using packet filtering routers, application and circuit level gateways and also network translation devices.
Stateful multilayer inspection gateways combine the advantages of the above and also give better performance, flexibility and security. This environment can handle all kinds of applications, namely, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Remote Procedure Call (RPC), Internet Control Message Protocol (ICMP) etc. New applications can be added easily and this environment is totally transparent to end users.
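The difference between a packet-filtering router and a stateful inspection gateway can be seen in a small model. This is an added example, not part of the original text; the addresses, ports and the single-rule policy are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    outbound: bool  # True if the packet is leaving the closed user group

# Constructed policy: inside hosts may open TCP sessions to port 443 outside.
ALLOWED_OUTBOUND = {("tcp", 443)}

def stateless_filter(p: Packet) -> bool:
    """Packet-filtering router: judges every packet on its header alone."""
    if p.outbound:
        return (p.proto, p.dport) in ALLOWED_OUTBOUND
    # Replies must be let back in, so anything arriving *from* port 443 passes.
    return (p.proto, p.sport) in ALLOWED_OUTBOUND

class StatefulFirewall:
    """Default-deny gateway: inbound traffic is authorised only for tracked sessions."""
    def __init__(self):
        # Each entry: (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def check(self, p: Packet) -> bool:
        if p.outbound:
            if (p.proto, p.dport) not in ALLOWED_OUTBOUND:
                return False
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound packet must mirror a session that an inside host opened.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions

def demo():
    out = Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", True)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", False)
    # Constructed inbound packet that belongs to no session opened from inside.
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.9", 3389, "tcp", False)
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in (out, reply, unsolicited)],
        "stateful": [fw.check(p) for p in (out, reply, unsolicited)],
    }

if __name__ == "__main__":
    print(demo())
```

The stateless rule set has to admit the third packet because its source port matches the reply rule, while the stateful gateway rejects it because no inside host opened that session.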
Firewalls are used to implement access control security as well as to provide for user authentication and to ensure data integrity by using encryption. It is important that the banks have their own security policy and then design security solutions accordingly. Regular reviews of Security Policies and their implementation are also important. Highly secured (e.g., funds related), secured and non-secured messages should be clearly demarcated in the security policy. Banks are, therefore, advised to have dedicated groups with enough competence and capability.
Since security is the prime concern for the banking and financial sector, continuous research should be carried out as is done in the Internet community. Institutions like IDRBT should have collaborative arrangements with national and international agencies for carrying out research in this field. Such Institutions could develop Tiger teams (hackers) and the banks can engage the team to test and determine the strength of the firewall implementation.