> Cover Story> Full Story
Security: Chinks in the armor
information is a highly valued asset for most enterprises,
but how serious are companies about information security?
by Brian Pereira
information isn't safe! We live in a world where teenagers
hack into computer systems that are more secure than Fort
Knoxand viruses/worms infect servers and desktops around
the globe in a few hours. Securing information assets is fast
becoming a high priority jobcompanies appoint Chief
Security Officers and follow stringent security standards
such as ISO17799, BS7799 and COBiT. Before the hacking incidents
on BARC and the defacement of some government websites, few
really took security seriouslyin fact computer security
was limited to antivirus solutions and firewalls. But the
threat factor has increased exponentially ever since. So how
serious are Indian enterprises about information security
today, and what is the level of security awareness among our
Chief Information Officers (CIOs) and Chief Technology Officers
Apart from the Banking & Finance segment, Indian enterprises
have been slow to implement a security policy and deploy security
solutions. While the larger companies allocate IT budgets
(and spend on security solutions), it seems that smaller organizations
are contended with just antivirus solutions.
security measures in today's corporate world are limited to
antivirus measures and firewalls. But the rise in security
incidents and attacks on well-known websites has led to increased
awareness of various aspects of information security,"
says Milind Dikshit, Practice Head-Infrastructure Design &
Security, Bangalore Labs.
KPMG Management Assurances Services recently undertook a survey
of 800 Indian companies across various industries. The results
were included in a report titled 'India Risk Management Survey
Report 2001.' In the survey, 78 percent of the respondents
said their organizations had not recently evaluated the controls
portfolio in relation to risks faced by them.
majority of a company's critical business information is stored
electronically, but the lack of security policies, a proliferation
of storage locations and the Internet is leaving many companies
vulnerable," says Hanif Sohrab, National Manager, e-Secure,
HCL Comnet. "Some organizations are looking at security
as a lifecycle initiative while others are not."
Information is a highly prized asset for many businesses,
yet the amount spent to secure that information isn't much.
corporates spend between 2.5 percent to 8 percent of their
total IT budgets on security. In India, unfortunately, security
spend is less than 1 percent of IT budgets. This illustrates
a tremendous potential to make executives security-aware and
help them build their security infrastructure," says
Rajeev Wadhwa, COO, Global E-Secure.
K.K. Mookhey, CTO, Network Intelligence India, agrees. "The
amount companies spend on security solutions is very small,
about 1-2 percent, maximum 5 percent. Most of it is channelled
towards antivirus software."
Some security consultants believe that the few corporates
that do spend on security solutions, do so either out of compulsion
or because they have linked their networks to the Internet
and conduct transactions online. Financial institutions like
banks have to abide with regulations that have prescribed
levels of security.
But although the average Indian enterprise isn't spending
too much on security, awareness levels have certainly increased.
Even the government sector, which usually lags behind the
private sector when it comes to spending on IT infrastructure,
is more serious about security these days.
more government organizations get connected to each other
facilitating various e-governance schemes, they are becoming
increasingly aware about security," says Bangalore Labs'
Milind Dikshit. "The major government sectors that focus
more on security are the Financial and Banking sectors. New
infrastructures for electronic transactions are being implemented,
which require security to be integrated tightly."
The recent government initiative for creating a root certification
authority is an example of this. This authority will issue
digital certificates that would ensure secure commercial transactions.
The Information Technology Act 2000 also provides legal recognition
for electronic data interchange
and other means of electronic communication.
Some states like Karnataka have set up Cybercrime cells manned
by trained personnel to address problems of non-repudiation
(mis-representation), cyber squatting, and hacking with criminal
trends show that the government agencies and the financial
sectors have very high level of security standards. We expect
that the same would happen in India sooner or later,"
says an optimistic Dikshit.
Security awareness levels have also increased in Indian corporates
and CTOs are certainly aware that they need to create/implement
a security policy. But security consultants say few companies
really take the initiative to enforce a security policy and
usually do so only after a security incident.
CTOs today understand the need for security, however they
do need guidance on how to focus and prioritize their investments
for security. The corporate attitude predominantly remains
reactive rather than proactive," says HCL Comnet's Hanif
S.V. Ramana, VP-Systems Engineering, Cisco Systems agrees.
"Corporates today consider the purchase and installation
of security hardware, usually only after detection of an exposure.
And they consider this to be the end of the problem. As a
result, security solution implementation remains incomplete
and an ongoing problem."
Information Security begins with Vulnerability Scanning/Risk
Assessment. An organization will form its security policy
after analyzing the reports generated through system audits.
While drafting a policy every enterprise will have its own
security priorities largely based on its operating environment,
requirements and perceived threats.
India today, even though most corporates are aware of the
security issues, many of them do not have a formal security
policy and do not provide any training or education on security
policies to their employees," says Cisco's Ramana.
An organization will usually work with a security consultant
to draft its security policy. The policy takes into account
existing threats and vulnerabilities as well as future threats.
According to Ramana, some of the components that a security
policy needs to address are:
Regular audits of the security posture and policy to identify
any new threats and vulnerabilities.
Secure firewalls, patched servers, strong authentication,
deployed/updated antivirus solutions, denial of service
filters, password policy and well-written applications add
to a secure end-to-end solution.
effective security policy needs to have some significant forward-looking
policy directives, which will ensure a foolproof security
planning. It needs to be a formal document which clearly delineates
areas of responsibility amongst the staff. It needs to provision
for appropriate training of employees to make sure that the
system remains foolproof and optimally tuned. Further, it
needs to be constantly tested, upgraded and reviewedso
that it stays in line with the changing environmental dynamics,"
Implementation of the security policy leads to deployment
of security solutions. These are available in various categories
Services & Solutions
A decade back, vendors pushed off-the-shelf security products,
but these days the emphasis is on Services and Solutions.
The 'Solutions' or 'Services' buttons on vendor websites is
As mentioned earlier, security solutions like antivirus and
firewalls are predominant in enterprises. Intrusion Detection
systems and Access Control systems are gaining importance.
But PKI (Public Key Infrastructure) and encryption products
are seldom used.
research labs, banks, service providers and medium/large organizations
make use of symmetric encryption technology to enable data
to be encrypted during transmission over telecom circuits
or shared public networks," says S. Soundararajan, Head-Infrastructure
& Security Consulting Practice (ISeC), Infosys Technologies.
"However the use of encryption technology to store data
and for communication in a Local Area Network (LAN) environment
is restricted to a miniscule number. The use of encryption
products to enable mail communication and application-to-application
communication is also very restricted in today's scenario.
PKI technology is again a non-starter in today's
environment in India and there are few PKI implementations.
after substantial deliberations on the PKI bill did finally
enable service providers to start ROOT CA services in the
country. However despite the initial enthusiastic
approach, the service providers have not been able to move
into the next phase of the activity."
On the antivirus front, the action has shifted from desktops
to corporate gateways. Viruses/worms spread among desktops
in a corporate LAN in a few minutes. So antivirus vendors
have realised that it makes sense to detect/remove viruses
at the gatewaythe entry point to a corporate LAN. It
also makes sense for e-mail service providers to implement
gateway scanning solutions.
now realize that desktop antivirus deals only with a copy
of the infected file. The original stays on the mail server.
If the server isn't protected, the virus can replicate itself
into an enterprise-wide infection that could cost a company
thousands, if not millions, of dollars in clean-up costs and
loss of productivity. Hence protection at the gateway level
is most critical," says Goh Chee Hoh, Regional Sales
Director-Overseas Business Unit, Trend Micro.
Firewalls were once kept on the periphery of the network,
but are now also available for desktops. Firewall vendors
now offer personal firewalls for desktop and notebook computers.
current trend is to have multiple firewalls. You have the
main firewall, behind which is your intranet. The Finance
server with critical data will have its own firewall
thereby restricting internal access. And finally, the individual
users can be protected with personal
firewalls running on their desktops. A CFO may have sensitive
information on his laptop and can protect it from unauthorised
access by installing a personal
firewall, personal IDS and also personal encryptionwhich
give total protection," says Vishwajeet Deshmukh, Country
Manager (SAARC), Network Associates.
Elsewhere in the world, the demand for security solutions
is increasing steadily.
According to a report titled '2000 Security Software Market
Share,' published by the Gartner Group, the total security
software market grew 25 percent to $3.3 billion in 2000, up
from 1999's solid growth of 22 percent. Gartner says the downturn
in the US economy starting in mid-2000 did not have an appreciable
effect on the security software market during the remainder
of 2000. In fact, segments such as intrusion detection and
public key infrastructure (PKI) saw very high growth as enterprises
sought means to open up their networks to customers and partners
while still defending their perimeter.
The Asia-Pacific region saw the strongest growth in 2000,
jumping 45 percent from $145 million in 1999 to $210 million
in 2000. Other regions saw somewhat slower growth, but on
a much larger base. Europe and the United States, comprising
82 percent of the total security software market, saw 17 and
36 percent growth, respectively.
According to the IDC report 'Internet Security Software Market
Forecast and Analysis, 2000-2004', the compound annual growth
rate (CAGR) of security software expenditure from 1999 to
2004 in the Asia Pacific region is expected to be 28.9 percent.
As Asian companies are building up Internet access and relying
more on the Net to do business, security awareness is expected
to be greater, says IDC.
Brian Pereira can be reached at firstname.lastname@example.org
Network Security Strategy for your enterprise
Think enterprise wide: Create an Enterprise Information
Perform risk analysis: your security is as strong as your
Deploy security solutions depending on the risks involved
Do not depend on a single defense, use multi-layered security
Use intrusion detection, analyze logs, be conscious of security
breaches and take action
Perform periodic security audits, take actions on audit
Have a disaster recovery plan ready, just in case
Source: MIEL e-Security Pvt. Ltd.