by Poojitha Jayadevan

How Sutherland virtualized its clean-desk policy

Feature
Apr 12, 2021
Data and Information SecurityPrivacySoftware Development

The business process outsourcing company developed a robust security solution using AI, cloud, RPA, and other security technologies to monitor the activities of staff as they deal with sensitive client information.

Tech Spotlight   >   Cybersecurity [IFW]   >   Hands at a keyboard with binary code on the display.
Credit: M-A-U / Getty Images

Security concerns have become an even higher priority for CIOs since the business world started its shift to working from home. With India now entering the second wave of the pandemic and a return to the office seeming ever further away, IT leaders are now envisaging permanent solutions to secure remote working.

Sutherland, a provider of business process outsourcing and digital transformation services, works with banking, finance, and healthcare organizations handling confidential information. To ensure it could protect the data privacy of its clients’ customers, it had to quickly roll out solutions for real-time app monitoring and masking personally identifiable information (PII).

When Sutherland’s customer service consultants began working from home last March, its clients raised concerns about data security, says Harita Gupta, the company’s global head of enterprise business and country head for India.

“We have a clean-desk policy at the office, where our consultants who work on critical projects are not allowed mobile phones, paper, or even pens at their office desks. They handle sensitive information like credit card details and personally identifiable information. If someone takes a photograph of it, it becomes a high security risk for us,” says Gupta.

Replicating a similar security protocol in the virtual environment was imperative for Sutherland to give its customers a sense of security. To solve this business problem and to give their customers the confidence that they had all the security measures in place even while working remotely, the team at Sutherland developed a cloud-based SaaS solution it calls Sentinel.

The business team and the platform development team, as Sutherland calls its IT team, brainstormed for a couple of weeks before beginning development, and within a month presented a working demo.

Sentinel: a smart guard

Sutherland’s consultants’ computers each have a webcam that takes photographs at regular intervals chosen by line managers. The images are then compressed by an algorithm developed in-house and uploaded to the cloud for processing by a layer of artificial intelligence.

“The AI layer compares the photograph of the consultant in our HR records to the photograph taken by the webcam to make sure only the authorized person is working on the application. In case an unauthorized person is working, an error flag is immediately sent to the manager,” Gupta explains.

The system also scans the captured images for unauthorized objects including paper, pens, or mobile phones on the consultant’s desk, and can assess patterns of regular interruptions by family members or other objects, sending flags to the manager accordingly.

“We used standard libraries to detect different objects. There are many libraries from Microsoft and open source that help you do this,” Gupta said. “In a month we had a working model with the said functionalities. It was completely built in-house. We have experienced architects and designers who led the project. We have been building digital platforms for almost three decades now, so we have strong teams specializing in cloud, AI, and agile development.”

Since all Sutherland’s applications run over its VPN, the consultants’ machines are entirely controlled by the company.

The AI software layer also includes a Robotic Process Automation (RPA) component that helps in masking PII and other sensitive data. The system’s behaviour can be customized for each consultant, to show them only the data or applications they are authorized to access.

The entire project was developed using an agile methodology; the project started with a basic framework: to take a picture and show the customer that the consultant had a clean desk. It then underwent multiple iterations based on feedback from customers and Sutherland’s delivery team. In fact, masking of data and PII was added much later, after a customer suggested it.

Almost a year after its deployment, the major advantage of this project has been customer satisfaction. “We wanted a robust security solution to ensure our customers feel safe. Now, we see our customers wanting to buy the solution. We started with a business problem which later led to commercializing the product, though that wasn’t intended,” Gupta says.

Gupta stresses the need for strong communication with employees when developing or deploying such systems.

“Most business solutions have a technology solution, and the pandemic really showed us that. It’s true that technology solves problems, but we need to change management and educate our employees and explain to them why a particular solution is being developed,” she says. “Here we had to explain why it was important for us to take their photographs every now and then. We need strong communication to help our business and tech to succeed together.”