Do we need an ONDC for Cybersecurity?
A few decades ago, when bank ATMs were introduced, you could withdraw money only at your own bank’s ATMs. In 1997, the concept of shared ATMs was introduced in India, wherein you could withdraw money from any connected bank’s ATM. That was a big relief!
Similarly, from about 2006, India saw the rise of Mobile Wallets. Some of the big names included Oxigen, Paytm, Payzapp, PhonePe, PayUmoney, MobiKwik, Freecharge, JIO Money, Airtel Money, Ola Money etc. To use them, one had to add money into the wallet, and then pay for services or transfer to others using the money in the wallet. This eased the payment process to a great extent and made it faster, but there were challenges. Many vendors would support one wallet or the other, and the consumer had to have an account in that wallet to make a payment. Also, your unspent money was locked in the wallet, earning no interest. Then came the Unified Payments Interface (UPI) in 2016 and changed the game.
From NPCI’s website:
‘UPI is a system that powers multiple bank accounts into a single mobile application (of any participating bank), merging several banking features, seamless fund routing & merchant payments into one hood. It also caters to the “Peer to Peer” collect request which can be scheduled and paid as per requirement and convenience’.
UPI removed the friction and provided a single system where all payment processors could come together, allowing pull and push instant money transfers from virtually anywhere to anywhere. Money was deducted from and transferred into bank accounts directly, removing the need to keep it in wallets. Today, UPI has become ubiquitous all over India and possibly the default choice for making small payments. From a modest 21 banks in Apr 2016 to 338 banks in July 2022, UPI has come a long way. As of July 2022, UPI transactions account for a market share of 64% of payment transactions by volume and 50% by value, far surpassing all other modes of payment like credit cards, debit cards, online banking etc.
I think the wild success of UPI is primarily due to reducing consumer-side friction to a minimum. All one needs is any one of the payment apps supporting UPI, and payments can be requested from or made to anyone with a UPI ID. It needed an entity like NPCI to create the necessary underlying framework, allowing multiple stakeholders to connect to it and make payments easy.
Today, we are witnessing yet another digital revolution with the birth of ONDC; this time in the retail and local commerce space. ONDC carries the same promise of transformation in the ecommerce space that UPI delivered for e-payments.
Nowadays, when we shop online, we go to platforms such as Amazon, Flipkart, Myntra, Pepperfry etc. Although many of these platforms have a very wide range of products, we are still limited to the inventory that they display. What if a laptop is cheaper on one platform as compared to the other, or a piece of furniture has a different price point between two platforms? Price-conscious consumers have to check and compare between multiple platforms before making a final decision. What about those brick and mortar offline retail furniture shops? How would online prices compare to a similar item from a local shop? These are the modern user experience friction points in the ecommerce space.
ONDC seeks to create an open network, allowing buyers and sellers to plug into it, be digitally visible and transact, regardless of what platform or application they use. This is very similar in concept to UPI.
Imagine shopping for a pair of jeans and the search results include all the options from Amazon, Myntra, many other online platforms, Levi’s outlets, multi brand retail outlets, local clothing stores, all from a single place. That’s the vision of ONDC.
There are many areas that will still need to be resolved, though, such as delivery services, discounts, post-sale support such as returns, customer helpdesk, sharing of responsibilities etc. We’ll see how these are handled as the network matures.
Just like UPI sounded the death knell for mobile wallets, ONDC’s promise of shifting from a platform-centric approach to a network approach will perhaps force major changes to the predominantly platform-centric ecommerce businesses in India. The biggest beneficiary, as in the case of UPI, will be the consumers.
When I delved deeper into ONDC, I realized that the cybersecurity industry is very similar. The cyber security landscape is full of disparate, independent solutions.
As a result, organizations end up deploying multiple solutions, sometimes more than a hundred different ones.
This wide landscape puts the onus of making sense of this mess onto the Incident Response teams, who have to somehow get all these, mostly independent, solutions to work in cohesion.
Many times, this results in a problem of plenty, with overlapping capabilities across multiple tools, and it adversely affects the ability to correlate events and alerts from different tools/ solutions. This is perhaps the biggest pain point for defenders today. While each solution may be the best in isolation, the whole is less than the sum of its parts.
Perhaps the industry realized this, and over the last few years we have seen a conscious effort to offer more of a platform-based approach. Solutions like XDR, NDR, Cloud native services etc. offer relatively integrated solutions, though there’s still quite a way to go before realizing the full potential of tightly integrated platforms.
The success of platforms relies on deep integration between disparate solutions, whether from the same vendor or a third party. This integration layer relies primarily on APIs and thus is limited by the capabilities of the API, as exposed by its creator. Some APIs may expose the entire raw data, while others may be limited to just alerts. Then there is the challenge of making sense of the data pipeline as received from these APIs. Without a thorough understanding of the data, analytics will suffer, resulting in sub optimal outcomes for the consumer. It also means that the more tools/ platforms you have, the larger the investment in human capital to make sense of it all.
Thus, I opine that the cyber security industry is still trying to reach the efficiencies of platforms that ecommerce companies have mastered for many years. Even if those efficiencies were to be achieved, I am not sure whether every consumer will prefer the platform approach. Many consumers prefer a best-of-breed approach for every solution and/or want to manage the risk of a single point of failure. In a defense-in-depth scenario with multiple solutions, the risk of failure of one can be, at least temporarily, managed by the others. In a consolidated environment of platforms, that risk would be considerably higher.
Perhaps an approach similar to ONDC may work? Today, the cyber security landscape is full of independent solutions and platforms, meshed together through a complex web of APIs, resulting in sub optimal outcomes for consumers.
What if we had a network/solution like ONDC, where providers (log and data sources) and consumers (analytics layer solutions) could plug in and seamlessly get access to data, irrespective of where it resided? In an era of proprietary solutions and no common logging standards, it will not be easy. But if somehow it can be achieved, imagine the possibility of running analytics, automated or otherwise, over this entire diverse and normalized data set, providing rich insights to the cyber defenders.
This will require massive changes in our thought process and approach. Today, most solutions/ platforms want to be the full stack: collecting raw data, analyzing and correlating it, deriving insights, alerting and potentially undertaking response actions. Vendors have an incentive to bring in consumers and retain them as long as possible within their platforms/ solutions; just like an Amazon or Flipkart or Pepperfry etc.
One could argue that the premise of SIEM was very similar to that of ONDC. A typical SIEM supports hundreds of different input sources and undertakes normalization. That would be technically correct, but not all SIEMs support all inputs and the biggest challenge with SIEMs was that the analytic layer was left to the consumer, resulting in sub optimal outcomes.
Or take XDR, which includes an analytic layer, but because of its heavy dependence on a complete understanding of the input source, XDR solutions tend to collect their own telemetry or support extremely limited third-party integrations. These integrations are again limited by the capabilities of the third-party APIs used for them.
A post-ONDC cyber security world could be layered: one layer for data collection, another for analytics, another for reporting and yet another for response. Solutions developed in each layer would interact seamlessly with the others through the ONDC-like network. This would perhaps be a more consumer-centric approach, allowing flexible plug-and-play modules that are selected by the consumers as per their requirements.
While theoretically it sounds good, in practice it is not easy. Both UPI and ONDC required some form of central push from government-related entities to make them a reality. On their own, various platform owners would love to add more users to their platform at the expense of others, and this is perfectly legitimate. A neutral third party was required to get everyone on board with UPI and ONDC for the betterment of consumers.
I recently came across a good initiative in this field called the Open Cybersecurity Schema Framework (OCSF). This open source project aims to deliver an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. Their goal is to provide an open standard that can be adopted in any environment, application, or solution, while complementing existing security standards and processes. Maybe something like this gets popular and gets adopted by the cybersecurity industry.
Cybersecurity is a global industry without national boundaries. A neutral third party needs to exist first and create the network and structure, in order to empower vendors to improve collaboration. Maybe the industry will move in this direction; maybe not. Let’s see what the future holds.
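To make the normalization step such a network would need concrete, here is an added example (written for this post, not code from OCSF or any product): two constructed log lines from hypothetical producers are mapped onto a simplified common schema loosely modelled on OCSF’s authentication event, so that a consumer-side analytic can count failed logins per source IP across both producers without knowing either native format. The producer formats, the field names and the log lines are all assumptions.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input (not real product output): one JSON line from a
# hypothetical cloud identity provider and one syslog line from a hypothetical Linux host.
IDP_JSON = '{"ts":"2024-05-01T10:00:05Z","user":"alice","srcIp":"203.0.113.7","outcome":"FAILURE"}'
SSHD_SYSLOG = "May  1 10:00:09 host1 sshd[812]: Failed password for alice from 203.0.113.7 port 5222 ssh2"

# Simplified common schema, loosely modelled on OCSF's Authentication class (field names assumed).
def common_event(time, user, src_ip, failed, source):
    return {"class_name": "Authentication", "time": time, "actor_user": user,
            "src_ip": src_ip, "status": "Failure" if failed else "Success", "source": source}

def from_idp(line):
    """Producer-side mapper: the IdP's own JSON shape -> common schema."""
    rec = json.loads(line)
    return common_event(rec["ts"], rec["user"], rec["srcIp"], rec["outcome"] == "FAILURE", "idp")

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (\S+) from (\S+) port \d+")

def from_sshd(line, year=2024):
    """Producer-side mapper: syslog text -> common schema (None if the line is not an auth event)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year or zone; the year is supplied by the caller and UTC is assumed
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return common_event(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), m.group(3), m.group(4),
                        m.group(2) == "Failed", "sshd")

MAPPERS = {"idp": from_idp, "sshd": from_sshd}

def normalize(raw_events):
    """Network layer: each producer registers a mapper; consumers only ever see the common schema."""
    out = []
    for source, line in raw_events:
        ev = MAPPERS[source](line)
        if ev is not None:
            out.append(ev)
    return out

def failed_logins_by_ip(events, threshold=2):
    """Consumer-side analytic that needs no knowledge of either producer's native format."""
    counts = Counter(e["src_ip"] for e in events if e["status"] == "Failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Adding a third producer means adding one mapper to `MAPPERS`; the analytic does not change.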