Home > Cover Story> Full Story

Enterprise Security: Chinks in the armor

Digitized information is a highly valued asset for most enterprises, but how serious are companies about information security? by Brian Pereira

YOUR information isn't safe! We live in a world where teenagers hack into computer systems that are more secure than Fort Knox—and viruses/worms infect servers and desktops around the globe in a few hours. Securing information assets is fast becoming a high priority job—companies appoint Chief Security Officers and follow stringent security standards such as ISO17799, BS7799 and COBiT. Before the hacking incidents on BARC and the defacement of some government websites, few really took security seriously—in fact computer security was limited to antivirus solutions and firewalls. But the threat factor has increased exponentially ever since. So how serious are Indian enterprises about information security today, and what is the level of security awareness among our Chief Information Officers (CIOs) and Chief Technology Officers (CTOs)?

Apart from the Banking & Finance segment, Indian enterprises have been slow to implement a security policy and deploy security solutions. While the larger companies allocate IT budgets (and spend on security solutions), it seems that smaller organizations are contended with just antivirus solutions.

"Electronic security measures in today's corporate world are limited to antivirus measures and firewalls. But the rise in security incidents and attacks on well-known websites has led to increased awareness of various aspects of information security," says Milind Dikshit, Practice Head-Infrastructure Design & Security, Bangalore Labs.

KPMG Management Assurances Services recently undertook a survey of 800 Indian companies across various industries. The results were included in a report titled 'India Risk Management Survey Report 2001.' In the survey, 78 percent of the respondents said their organizations had not recently evaluated the controls portfolio in relation to risks faced by them.

"Today, majority of a company's critical business information is stored electronically, but the lack of security policies, a proliferation of storage locations and the Internet is leaving many companies vulnerable," says Hanif Sohrab, National Manager, e-Secure, HCL Comnet. "Some organizations are looking at security as a lifecycle initiative while others are not."

Information is a highly prized asset for many businesses, yet the amount spent to secure that information isn't much.

"Worldwide, corporates spend between 2.5 percent to 8 percent of their total IT budgets on security. In India, unfortunately, security spend is less than 1 percent of IT budgets. This illustrates a tremendous potential to make executives security-aware and help them build their security infrastructure," says Rajeev Wadhwa, COO, Global E-Secure.

K.K. Mookhey, CTO, Network Intelligence India, agrees. "The amount companies spend on security solutions is very small, about 1-2 percent, maximum 5 percent. Most of it is channelled towards antivirus software."

Some security consultants believe that the few corporates that do spend on security solutions, do so either out of compulsion or because they have linked their networks to the Internet and conduct transactions online. Financial institutions like banks have to abide with regulations that have prescribed levels of security.

But although the average Indian enterprise isn't spending too much on security, awareness levels have certainly increased.

Awareness

Even the government sector, which usually lags behind the private sector when it comes to spending on IT infrastructure, is more serious about security these days.

"As more government organizations get connected to each other facilitating various e-governance schemes, they are becoming increasingly aware about security," says Bangalore Labs' Milind Dikshit. "The major government sectors that focus more on security are the Financial and Banking sectors. New infrastructures for electronic transactions are being implemented, which require security to be integrated tightly."

The recent government initiative for creating a root certification authority is an example of this. This authority will issue digital certificates that would ensure secure commercial transactions.

The Information Technology Act 2000 also provides legal recognition for electronic data interchange and other means of electronic communication.

Some states like Karnataka have set up Cybercrime cells manned by trained personnel to address problems of non-repudiation (mis-representation), cyber squatting, and hacking with criminal intent.

"World-wide trends show that the government agencies and the financial sectors have very high level of security standards. We expect that the same would happen in India sooner or later," says an optimistic Dikshit.

Security awareness levels have also increased in Indian corporates and CTOs are certainly aware that they need to create/implement a security policy. But security consultants say few companies really take the initiative to enforce a security policy and usually do so only after a security incident.

"Most CTOs today understand the need for security, however they do need guidance on how to focus and prioritize their investments for security. The corporate attitude predominantly remains reactive rather than proactive," says HCL Comnet's Hanif Sohrab.

S.V. Ramana, VP-Systems Engineering, Cisco Systems agrees. "Corporates today consider the purchase and installation of security hardware, usually only after detection of an exposure. And they consider this to be the end of the problem. As a result, security solution implementation remains incomplete and an ongoing problem."

Security Policy

Information Security begins with Vulnerability Scanning/Risk Assessment. An organization will form its security policy after analyzing the reports generated through system audits. While drafting a policy every enterprise will have its own security priorities largely based on its operating environment, requirements and perceived threats.

"In India today, even though most corporates are aware of the security issues, many of them do not have a formal security policy and do not provide any training or education on security policies to their employees," says Cisco's Ramana.

An organization will usually work with a security consultant to draft its security policy. The policy takes into account existing threats and vulnerabilities as well as future threats.

According to Ramana, some of the components that a security policy needs to address are:

• Regular audits of the security posture and policy to identify any new threats and vulnerabilities.
• Secure firewalls, patched servers, strong authentication, deployed/updated antivirus solutions, denial of service filters, password policy and well-written applications add to a secure end-to-end solution.

"An effective security policy needs to have some significant forward-looking policy directives, which will ensure a foolproof security planning. It needs to be a formal document which clearly delineates areas of responsibility amongst the staff. It needs to provision for appropriate training of employees to make sure that the system remains foolproof and optimally tuned. Further, it needs to be constantly tested, upgraded and reviewed—so that it stays in line with the changing environmental dynamics," adds Ramana.

Implementation of the security policy leads to deployment of security solutions. These are available in various categories

Services & Solutions

A decade back, vendors pushed off-the-shelf security products, but these days the emphasis is on Services and Solutions. The 'Solutions' or 'Services' buttons on vendor websites is testimony to this.

As mentioned earlier, security solutions like antivirus and firewalls are predominant in enterprises. Intrusion Detection systems and Access Control systems are gaining importance. But PKI (Public Key Infrastructure) and encryption products are seldom used.

"Typically, research labs, banks, service providers and medium/large organizations make use of symmetric encryption technology to enable data to be encrypted during transmission over telecom circuits or shared public networks," says S. Soundararajan, Head-Infrastructure & Security Consulting Practice (ISeC), Infosys Technologies. "However the use of encryption technology to store data and for communication in a Local Area Network (LAN) environment is restricted to a miniscule number. The use of encryption products to enable mail communication and application-to-application communication is also very restricted in today's scenario. PKI technology is again a non-starter in today's

environment in India and there are few PKI implementations. The government after substantial deliberations on the PKI bill did finally enable service providers to start ROOT CA services in the country. However despite the initial enthusiastic approach, the service providers have not been able to move into the next phase of the activity."

On the antivirus front, the action has shifted from desktops to corporate gateways. Viruses/worms spread among desktops in a corporate LAN in a few minutes. So antivirus vendors have realised that it makes sense to detect/remove viruses at the gateway—the entry point to a corporate LAN. It also makes sense for e-mail service providers to implement gateway scanning solutions.

"People now realize that desktop antivirus deals only with a copy of the infected file. The original stays on the mail server. If the server isn't protected, the virus can replicate itself into an enterprise-wide infection that could cost a company thousands, if not millions, of dollars in clean-up costs and loss of productivity. Hence protection at the gateway level is most critical," says Goh Chee Hoh, Regional Sales Director-Overseas Business Unit, Trend Micro.

Firewalls were once kept on the periphery of the network, but are now also available for desktops. Firewall vendors now offer personal firewalls for desktop and notebook computers.

"The current trend is to have multiple firewalls. You have the main firewall, behind which is your intranet. The Finance server with critical data will have its own firewall thereby restricting internal access. And finally, the individual users can be protected with personal firewalls running on their desktops. A CFO may have sensitive information on his laptop and can protect it from unauthorised access by installing a personal firewall, personal IDS and also personal encryption—which give total protection," says Vishwajeet Deshmukh, Country Manager (SAARC), Network Associates.

Market Watch

Elsewhere in the world, the demand for security solutions is increasing steadily.

According to a report titled '2000 Security Software Market Share,' published by the Gartner Group, the total security software market grew 25 percent to $3.3 billion in 2000, up from 1999's solid growth of 22 percent. Gartner says the downturn in the US economy starting in mid-2000 did not have an appreciable effect on the security software market during the remainder of 2000. In fact, segments such as intrusion detection and public key infrastructure (PKI) saw very high growth as enterprises sought means to open up their networks to customers and partners while still defending their perimeter.

The Asia-Pacific region saw the strongest growth in 2000, jumping 45 percent from $145 million in 1999 to $210 million in 2000. Other regions saw somewhat slower growth, but on a much larger base. Europe and the United States, comprising 82 percent of the total security software market, saw 17 and 36 percent growth, respectively.

According to the IDC report 'Internet Security Software Market Forecast and Analysis, 2000-2004', the compound annual growth rate (CAGR) of security software expenditure from 1999 to 2004 in the Asia Pacific region is expected to be 28.9 percent. As Asian companies are building up Internet access and relying more on the Net to do business, security awareness is expected to be greater, says IDC.

Brian Pereira can be reached at brianp@networkmagazineindia.com

A Network Security Strategy for your enterprise

• Think enterprise wide: Create an Enterprise Information Security Policy
• Perform risk analysis: your security is as strong as your weakest link
• Deploy security solutions depending on the risks involved
• Do not depend on a single defense, use multi-layered security
• Use intrusion detection, analyze logs, be conscious of security breaches and take action
• Perform periodic security audits, take actions on audit results
• Have a disaster recovery plan ready, just in case…

Source: MIEL e-Security Pvt. Ltd.