After investing in firewalls and anti-virus solutions, Indian businesses are now considering authentication and intrusion detection solutions. Richard Turner, Vice President, Asia-Pacific, RSA Security discusses the changing security market and trends in the Asia-Pacific region. by Minu Sirsalewala

Why is e-security becoming an integral part of an enterprise?
With the proliferation of the Internet and revolutionary new e-business practices, there has never been a more critical need for sophisticated technologies and solutions. Today as public and private networks merge and organizations increasingly expand their business to the Internet, the critical need to address e-security has been realized. RSA Security focuses on four core e-security aspects: Authentication, Web access management, encryption and digital signatures.

According to a KPMG information security survey, 43 percent of the firms are implementing or planning to implement a wireless network but over a third using these networks do not protect them, leading to a new phenomenon called 'drive-by hacking'.

Companies have identified hackers and viruses as the top security threats. Less than half of the organizations had board level responsibility for information security, while 73 percent of security staff had no formal qualification.
75 percent of survey respondents said their Internet connection was a frequent point of attack, compared with 33 percent who cited their internal systems as such. 40 percent detected system penetration from the outside, 85 percent detected computer viruses and 70 percent of those attacked reported vandalism according to data from a survey by Computer Security Institute.

What are the core issues enterprises face when it comes to security solutions?
Most organizations give passwords or codes to access the information and data. If organizations would place all passwords they had with some strong user authentication to access the data, they would have considerably more secured information systems. They can report all applications and data being used from the database.

The practice of giving access to corporate data to anyone who might need it—mobile workers, telecommuters, business partners, suppliers—from wherever they are, over wired or wireless links turns that sensible decision into a foolish one.

Application companies need to give specific access to all their employees, as passwords are easy to crack or to guess. You get an information overflow in an enterprise, and you cannot limit the data being accessed through passwords. People have access to information which, they do not need to access as a result of which the security of the business is compromised. This makes it important to make sure that people prove 'who' they are before accessing the data as extremely sensitive information is being delivered.

Security technology changes quickly and some things fade out. What determines the success of a technology?
If you give the customer a technology that is difficult to use, they will not use it, as they will not be able to perfect its use. For example if you introduce a system like Biometrics, you have to train the staff, deploy the reader infrastructure, and deploy additional hardware and software. You may not want to deploy a biometrics system because it is expensive and the technology is also relatively new.

Many companies spend hundreds or thousands if not millions of dollars to make the information readily available to their staff and users. Wherever they are in the world or whatever time is it in the day. But if the information is not accessible when required there is negative productivity. Similarly if security technology is unreliable and difficult to use then why invest such huge sums in making information available as it is not going to be put to optimum use.
So the technology or the solution has to be easy to use and easy to deploy and generate productivity to the business. Once the user is familiarized with his applications and requirements the selection of the technology or security solution is more pertinent to his business.

What trends do you observe in the Indian security market?
Typically, companies here invest in firewall and anti-virus technology to protect their networks from viruses and intrusions. But there has to be a gradual move from one stage to another. Now that the need is there and awareness has been created it is the right time to be in the market.

Each market has to mature to a certain level to where it is receptive to that technology. For example smart cards are working well in Europe but that does not mean it will work well for India too. This year we think the Indian market has matured for authentication. Indian customers have reached a level where people have been investing in anti-hacking tools like firewall and intrusion detection systems in the last few years. Having done that, now they are restricting the access to only the right people.

Authentication is playing an important role. Awareness has come in and people are investing in these solutions. Especially in key markets like banking & finance, telecommunications, pharmaceuticals, manufacturing and hi-tech IT manufacturing companies—software or hardware, where information needs to be secured and accessed only by the right people.

According to IDC, security authentication, authorization and administration solutions will see an increase in market share from 28 percent in 2001-02 to 34 percent in 2002-03. It is also expected that with the implementation of regulatory requirement (the IT Act 2000 and RBI guideline for banks), PKI technology and security training will also play a key role in the growth of the overall security market.

PKI which has been talked about a lot in the two years will witness increased activity in the coming year, due to an increase in e-commerce transactions by banks, financial institutions and government departments. As per IDC estimates, the Indian security market is currently at $241 million, which is expected to touch $441 million by 2003.

What about network security trends in the Asia-Pacific?
The indications are already there towards telecommunications. The telecommunications infrastructure in Asia is proof, as to how organizations are growing—the Asian economy is beginning to compete on the global scale. There is WAN, remote access and all these technologies are growing rapidly. So there is a definite indication as to where the market is heading. With enterprises vying for the global space and increasing online activity is directing companies towards higher network security. Another visible trend is Key Authentication, as more Asian countries become Web-enabled. It will be the main driver for access management as they embrace e-business for all their transactions. And then a transition from Web-based to electronic digital world—that is PKI and the authentication world. There is tremendous opportunity and a distinct move from the manual paper-based world to the digital world. Enterprises would do away with the manual paper-based processes and make a move to the digital world, which would require both network and e-security.

Minu Sirsalewala can be reached at minus@networkmagazineindia.com