Nakabandi safeguards needed for Digital India

Published on: Mar 22, 2024 10:01 pm IST


With guerrilla tactics increasingly employed by hackers and cyber-prowlers, it is time for digital “nakabandi”, nakabandi being the tactical term for access control and area domination by law enforcement authorities. CERT-In, along with CSIRT-Fin, recently issued a whitepaper on Application Programming Interface (API) security. This should give a boost to digital nakabandi.

The Union government’s e-governance initiatives like the Open Government Data (OGD) platform have over 5 lakh resources, 12,000 catalogues and over 1 lakh APIs. (MINT)

APIs facilitate seamless data exchange between applications. In the dynamic digital sphere, APIs are integral to innovation. Particularly transformative in finance, they empower banks to enhance customer experience and create revenue streams. Though the API architecture has revolutionised development cycles, it has also increased vulnerabilities. Given that India is moving towards a largely digital economy, in which the API is the mainstay of the sharing mechanism, the whitepaper has to be swiftly executed.

The Union government’s e-governance initiatives like the Open Government Data (OGD) platform have over 5 lakh resources, 12,000 catalogues and over 1 lakh APIs. Then, there is the Policy on Open Application Programming Interfaces that sets out the government’s approach to the use of Open APIs to promote software interoperability for all e-governance applications. API Setu, launched in March 2020, aims to bring all the APIs from the Centre to a single place and make them available for consumption by government departments and industry.

The National Data and Analytics Platform (or NDAP) is NITI Aayog’s flagship initiative that hosts datasets from across India’s vast statistical infrastructure. The National Data Governance Policy, slated to be introduced, is seminal to the India Datasets Programme for non-personal data, ensuring safe access for research and innovation. It aims to have standard APIs and other technology standards for whole-of-government data management. At present, there is no model data-sharing toolkit to help chief data officers in managing risk associated with the sharing and release of data sets. As a result, many data cells are reluctant to share data sets.

Against such a backdrop, one goal is to ensure secure connections and protect the back-end systems, keeping the source code hidden from partners while linking various systems. Imagine APIs as digital keys granting access to your virtual doors; maintaining an API inventory is akin to having a record of your keys. Some norms for API security are: strong authentication mechanisms, such as token-based authentication with securely managed access tokens; secure management and storage of API keys; security assessments; and regularly updated response plans to efficiently address and mitigate the impact of potential API attacks.

As API attacks grow in complexity, traditional rules-based security falls short. As of now, a person can access an API any number of times from one IP or ID. Many data breaches therefore follow this route: data is aggregated through excessive exposure and then misused. The digital nakabandi hence must include implementing rate-limiting to distribute the allowed number of search requests evenly over time and tying request limits to user authentication. If the search involves sensitive or resource-intensive data, one might need to set lower request limits. Rate-limiting is also needed to restrict the number of requests from a single user or IP address to prevent attacks.
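The controls in the paragraph above can be sketched in code. This is an added example, not part of the original article or the CERT-In whitepaper: it uses a token bucket (one common way to spread requests evenly over time), and the limits, the `public`/`sensitive` data classes and all names are assumptions chosen for illustration.

```python
import time

# Assumed policy (constructed for this example): requests per minute by data class.
LIMITS_PER_MIN = {"public": 60, "sensitive": 6}
BURST = 2  # small bucket, so the quota is spread over time rather than spent at once

class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}  # (principal, data_class) -> (tokens, last_seen)

    def allow(self, user_id, ip, data_class):
        """Return (allowed, retry_after_seconds) for one request."""
        # Tie the limit to the authenticated identity; fall back to the IP only
        # for unauthenticated callers, so rotating IPs does not multiply quota.
        principal = f"user:{user_id}" if user_id else f"ip:{ip}"
        key = (principal, data_class)
        rate = LIMITS_PER_MIN[data_class] / 60.0  # tokens refilled per second
        now = self.clock()
        tokens, last = self.buckets.get(key, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * rate)  # even refill
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True, 0.0
        self.buckets[key] = (tokens, now)
        return False, (1 - tokens) / rate  # suitable for a Retry-After header

def simulate(requests):
    """Replay constructed (time, user_id, ip, data_class) tuples; return decisions."""
    t = [0.0]
    limiter = RateLimiter(clock=lambda: t[0])
    decisions = []
    for when, user, ip, data_class in requests:
        t[0] = when
        decisions.append(limiter.allow(user, ip, data_class)[0])
    return decisions

if __name__ == "__main__":
    # Constructed traffic: one account querying sensitive data from rotating IPs.
    sample = [(0, "u1", "192.0.2.1", "sensitive"), (1, "u1", "192.0.2.2", "sensitive"),
              (2, "u1", "192.0.2.3", "sensitive"), (11, "u1", "192.0.2.1", "sensitive")]
    print(simulate(sample))
```

The denied decisions are also a useful detection signal: a principal that repeatedly hits the sensitive-data limit is a candidate for the aggregation pattern the article describes.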

Organisations must turn to artificial intelligence (AI)-driven security, leveraging machine learning to analyse unique user behaviours. Analysing the typical search behaviour of one’s users, with AI-based models, is a must. Factors such as device, call timing, and authentication details are considered, enabling the system to differentiate normal patterns from anomalies.

Amandeep Singh Kapoor is DIG, ATS & SOG, Jaipur. The views expressed are personal.
