Anand Pande, Senior Vice President – CISO, GSTN.Bangalore: Even before the Indian central government officially announced the roll out of the new Goods and Services Tax (GST) on July 1, there have been a lot of apprehensions and fears around the ITinfrastructure and data security aspect of GST and its network among businesses, organisations and tax practitioners.
Well, these are obvious fears and quiet significant from IT and info security perspective. However, the GST Network’s IT infrastructure and security structure is well-designed and implemented in such a way that it is highly resilient and advance enough to mitigate evolving threats and risks, according to Anand Pande, Senior Vice President – CISO, GSTN.
GSTN – The IT backbone of GST
GSTN is the core IT backbone of GST supported by a strong, independent IT infrastructure with strategic control of the government. The GST IT strategy is divided into two parts, frontend and backend. The frontend has all the business processes and functions while the backend has systems, both from the states and centre, which are integrated with each other but only through API interface and not directly.
Likewise, there are two portals, a GST common site backed by GSTN IT systems and a state/centre portal supported by State/Centre Tax IT systems. Keeping in view threats linked with direct exposure to the internet and external threats, both these websites along with their database (taxpayer and tax authority data) and GST application is programmed in such a way they communicate indirectly via API interface.
Threats mitigating principles
According to Pande, GSTN has followed and embedded major threats mitigating principles that address both internal and external threats. These include potential data tampering attempts for commercial benefit by individuals or groups, industrial espionage, insider and external attacks to steal or tamper data, along with cyber attacks on GST system and unauthorized data and system access.
“The core GST system is not directly exposed to the internet. It has multi-layered security architecture built with some of the advanced technologies and products. The system access is role based through secured channels and any data transfer from the GST System to State or other systems is in encrypted format,” explained Pande during a security meet here.
Besides, all the collected information and system logs are monitored in real-time and periodic security testing and audits are conducted as well. The GSTN and IT systems are designed and built on a platform approach that uses a faceless Open API architecture and Open Standards as per DEITY guidelines, which makes it entirely vendor neutral.
“Information security is one of the major focused areas and it is embedded in GST System,” emphasized Pande.
In fact, from an application perspective, the Open Source software used in GST System is scrutinized and scanned thoroughly for malware detection and other security risks. Following the scrutiny, only the approved applications are used. A centralized repository of approved software has been created to maintain and review software applications periodically, ensuring that secure coding practices are followed throughout the software development life cycle.
The GST System and IT infrastructure are hosted in four datacentres with the DC/DR (main datacentres) and NDC/NDR (near datacentres) approach at separate locations. These datacentres function in an active-active mode to support load balancing and avoid single-point of failure and any data loss.
These tier- III type datacentres has a multi-level security mechanism, including building’s physical security fortified with CCTV monitoring round the clock, access control via a mix of biometric and badge access for approved users. Besides, the central monitoring system comes integrated with DOTL (door-too long buzzers) and environmental controls such as fire and rodent detectors, VESDA (very early smoke detection system) and WLD (water lead detection) systems.
In addition, security tools and technologies like ATP, firewall, routers, anti-virus and malware solutions and IPS (host and network based intrusion prevention system. Also, there’s DDoS (distributed denial of service) attack protection via a clean pipe (WAN link) from service providers and additional security appliance at GST System and the datacentres.
“We have a dedicated Security Operations Centre (SOC) based in Chennai to monitor all the information and incidents across IT systems, applications, devices and databases of GSTN on round the clock basis,” informed Pande.
“Also, we have a dedicated team that manages the Network Operations Centre (NOC) in Delhi and closely monitors all the key parameters such as performance, utilisation, availability, etc., of the IT infrastructure and network devices,” continued Pande.
Pande further stated that there’s also a Security Monitoring & Analytics Centre (SMAC) that is focused on threat management, forensics, analytics and the entire security landscape.
Since most parts of the GSTN, GST System, applications and IT infrastructure are programmed to function via API interface and not directly, even security measures are in place for securing those APIs.
Security testing and audit procedures
While these are some of the major security mechanism in place around GSTN and the entire IT infrastructure, from the governance and compliance perspective all the security testing and audit procedures are in accordance with ISO 27001/22301/20001 certifications along with IT – Act and Government of India guidelines.
“The entire security architecture is reviewed by independent security advisors. We have followed the IMS approach for the information security framework,” concluded Pande.
Certainly, based on what Pande has shared and discussed here, particularly on the information security aspect of GSTN and IT infrastructure, hopefully it should provide businesses and organisations with more confidence that the GSTN is well secured with a sophisticated information security mechanism to mitigate threats and risks.