Case Study: We do the necessary hardening before we use open source technologies: CTO, ING Vyasa Bank

When you want to check the security level of any technology, the standard approach is to look at its implementations in sensitive sectors like BFSI, telecom, etc. Most proprietary software propagators will be surprised (read: shocked) to know that open source technology is doing pretty well in these sectors too. ING Vyasa Bank, which is now Kotak Mahindra Bank, is one such example. Diksha P Gupta from Open Source For You spoke to Ashwin Khorana, CTO, ING Vyasa Bank, about his tryst with open source technology. And here’s what we got to know…

Q. What is your company all about and what role does technology play in the day-to-day operations of your company?

We were earlier known as ING Vyasa bank, but we have recently been acquired by Kotak. So we are now known as Kotak Mahindra Bank. Banking without technology is definitely not a possibility today. Technology is important to ensure that we remain continuously available in a manner where there is complete trust, from the people who are banking with the bank. So, technology is really mainstream for us. Technology and the products we offer go hand-in-hand. It’s not about being a department in the background, it’s about being a department in the forefront.

Q. Is open source technology a part of your gamut?

While we were ING Vyasa Bank, we used to be one of the big shots when it came to using open source technologies. In fact, the percentage of Linux boxes used in our organisation was very high. We believe in open source technologies and exploiting them. So we did not restrict ourselves to just the operating system, that is Linux. We went on to use MySQL databases for our internal efficiency systems. We also went on to implement a load balancer, which was an open source software. A load balancer mainly comes as an appliance from big companies. But before we jumped into buying the appliance, we used an open source software load balancer for about 18 months. Eventually, we had to go for the appliance, because it is something that is customer facing and needs to work continuously. Hence, the investment was required to be done, and we did that. We are also a user of Alfresco, which is, again, a community edition software that we are using for internal workloads. To top it all, our core banking solution runs on GTM database, which is a proprietary open source database from Fidelity Information Systems (FIS). Our journey started off from this core banking database and it gave us confidence that things are moving on in the desired direction with open source technology.

Q. BFSI is one sector where security is of prime importance and there are government regulations which are formulated to ensure security of customers’ data. Were there any inhibitions about security when you started with open source technology? How did you convince your management about using this technology?

Anything that you buy from the market, whether it is open source or licensed software, comes with ‘default settings’. If you don’t hide that, then whether it is an open source software or a licensed product, it is open to the community, and they can do things that they want to. So, the first thing we believe in is that whether we use a licensed product or an open source software, we have our hardening policy in place, which will ensure that whatever we deploy in our environment is secure. As a bank, we have something called operating system guidelines, for each component of technology that we use. We have to ensure that these guidelines are followed before we send the boxes for production, because there are a lot of activities that need to be carried out, before we say that the box is really ready for production. This practice ensures that the environment is secure. Whether it is about a database, an operating system or an appliance that we are trying to put in, we ensure that each product goes through this process of hardening and make sure that all the default settings are changed, and everything that needs to be secured, is secure. Now coming to the part as to how we need to convince our management. The open source databases we use are for internal efficiency. We have not yet exposed our external systems to databases that are open source. So, if I am doing internet banking, I run Oracle. If I need high availability, I still use Oracle. But, if both these things are not required, why do I need to invest in these technologies? So, we have clearly demarcated on how we will implement open source within the organisation.

Q. So, does that mean you don’t use open source technologies when it comes to some of the risky affairs?

Other than the operating systems, the rest we do not expose to the Linux systems. Other than the Red Hat Linux OS (Operating System), any of our external technology is not exposed to Linux.

Q. What is the reason for that? You don’t have confidence in Linux technologies?

No, it is not about the confidence or faith. It is more about the speed of support. For instance, if I am running Internet banking on Linux 24x7, where do I look for expertise in times of failure? That’s the challenge that comes our way. Moreover, there are not many people who have worked on those technologies. One of the key aspects that we look into is that the people we work with should be exposed to the technologies that we use. When we look at the risk matrix from the cost perspective, open source technologies give a benefit of 20 – 30 per cent. However, from the perspective of getting support, it becomes a little challenging. So that is why, wherever our need is critical, we haven’t dabbled in open source.

Q. Can you elaborate on how the support bit becomes unmanageable with open source technologies?

It is not about being difficult, it is about being challenging. Let’s say we have an identified set of people who have worked on a certain open source technology. Whereas, in the case of Oracle, any day, I will find more people who are exposed to this technology. So, the challenge is more on the resourcing part.

Q. So, I believe that open source technologies have the biggest advantage of having a community around them. However, having only the ‘community’ is its biggest disadvantage. Is this statement correct for a situation like yours?

Yes, pretty much. There is always a response time required when it comes to harnessing the community benefits. If I have luxury time in my hands, where I can wait for the response to come, this model is okay. Normally, one is able to find a solution, but the problem comes when one is unable to find a solution. The community in the open source world is extremely vibrant and there are people constantly working on the product, but it is not necessary that you get a response when you need it. It may take some time. So, for critical things where every minute counts, we would want to choose a solution which is available easily.

Q. When did you begin your tryst with open source technologies?

We began our journey on open source in 2009. We started looking at the Linux operating system for some of our users, whom we could push from a proprietary operating system. From the security perspective, Linux was pretty secure and from the patching perspective, it was pretty manageable. Also, from the performance perspective, it was superior. We compared it with the benchmark options that we used and we found that this is an apt option with respect to availability and need. At a point of time, about 60 per cent of our boxes were running on Linux, in our data centre. After that, we started to divulge into various other technologies, like the MySQL database, load balancer, Alfresco, et al.

We also use OpenOffice software in our branches. So, if I am setting up a branch, I would prefer a majority of people working on OpenOffice and only a couple of people working on Microsoft Office.

Q. So, you have started pushing open source technology at the user level as well?

Yes. Like I said, 70 per cent of our staff in ING Vyasa branches were using OpenOffice.

Q. Has this changed with Kotak’s acquisition?

We are still in the integration phase. Kotak works with Microsoft Office all the way. We have not yet started deploying Microsoft Office all the way in our branches. We are still deploying the same technologies, how we used to deploy.

Q. What were the struggles you had faced while you were deploying open source technologies in your environment?

From the user community, there is a lot of resistance that we came across. Some people tend to think that if they are given OpenOffice to work on, they are not important enough. So, we had to change that mindset. We had to explain to the users the benefits of the software, the cost it saves, and make them feel that they were contributing to the growth of the branch. Where things of central deployments were concerned, there were no challenges. You just have to ensure that there is enough support available if there is a glitch. In this case, the end user doesn’t even know that he is working on open source technologies, as he uses his Web page access to get into the system. For him, it doesn’t matter what technology has been deployed at the back end, as long as the performance is fine and he gets his work done. But as I said, there were several challenges we had to face while deploying open source technology at the desktop level. We also tried a pilot for deploying Linux on workstations but it didn’t work and we had to come out of it.