
Cover Story: Enterprise Security
Information Security: A new approach

Due to factors like globalization and directives from regulators, certain Indian companies are now more serious about Information Security. But the rest are complacent and need to do a lot more than just implement solutions. by Brian Pereira

As we entered the new millennium, IT managers were busy safeguarding their (legacy) systems from the Y2K bug. Around that time, the threat of Internet viruses and worms loomed large. Naturally, every connected enterprise had to have an anti-virus solution and perhaps a firewall. And that's what security was all about. Today, Information Security (InfoSec) takes on a broader meaning. What's more, certain Indian enterprises have no choice but to take a more proactive stance towards security, through means like security certification. As one industry analyst puts it, "Security has become all-encompassing—it's not just about technology and point products anymore."

The prime driver for enterprise security is (Internet) Connectivity. IDC says the worldwide InfoSec market was worth $6.7 billion in 2000. With a CAGR of 25.5 percent, this market is projected to more than triple to $21 billion by the end of 2005.
An IDC analyst says remote LAN, Internet, extranet/intranet, and wireless access services will drive the need for advanced information security services, as technologies for circumventing network security systems continue to keep pace with the technologies designed to defend against them.

Anil Menon, Sr. Vice President-Operations, SecureSynergy (an Information Assurance firm), says the transition from a 'bounded environment' to an 'unbounded environment' has made information security crucial today. "With connectivity, the traditional way of securing information is no longer relevant," he says.

Elaborating further, Menon says enterprise networks became unbounded when companies started interconnecting their various branches and offices. Then enterprises opened up their networks to the outside world, by linking their intranets to the Internet. Before that, enterprise networks were bounded; 99 percent of the users were internal; and there were islands of IT infrastructure.

"With the unbounded network we were concerned about the Confidentiality, Integrity and Availability (CIA) of information. But today we are inviting people from outside into our network, so we also need to be concerned about access controls, authentication, and non-repudiation," adds Menon.

The other driver for security is Globalization. International companies seeking to outsource work to Indian firms insist on security certification, or adherence to laws, standards and business practices prevalent in their respective countries. Not surprisingly, all the top software services companies, IT-enabled services companies, and BPO outfits are going in for security certifications like BS 7799 or ISO 17799.

Indian firms that deal with US companies are also asked to comply with US laws like the Gramm-Leach-Bliley Act (on financial privacy) and the Patriot Act. Other countries (like Germany) have similar laws.

The third driver for increased security awareness is the Regulator.

The Reserve Bank of India (RBI) has created a comprehensive document that lays down a number of security-related guidelines and strategies for banks to follow in order to offer Internet banking. The guidelines broadly talk about the types of risks associated with Internet banking, the technology and security standards, legal issues involved, and regulatory and supervisory concerns. Any bank that wants to offer Internet banking must follow these guidelines and adhere to them as a legal necessity.

Taking a cue from RBI, SEBI has now come up with a risk management framework for mutual funds.

Recent information security surveys indicate that the Banking and Finance sector companies are most serious about security, are the major investors in security solutions, and regularly revise their security policies following periodic audits.

Next in line are the software services companies, BPO firms, and IT-enabled services companies.

But verticals like manufacturing continue to lag, with the exception of companies that have extensive ERP setups, or those that drive their supply chain through the Web. Aside from these three verticals, companies in other verticals have a long way to go in establishing information security.

The various consultants and industry analysts that we spoke to cited various reasons for the sloppy attitude, but they all agreed on one thing—security should not be the concern of only the IT manager or the IT department. Security is the responsibility of, and concerns every employee in the company (including top management).


Says Sunil Chandiramani, Partner, Ernst & Young, "Security has already become a boardroom issue for MNCs. But CEOs, the board of directors, and auditing committees of large enterprises need to increase their security awareness."

Alok Shende, Industry Manager (IT Practice), Frost & Sullivan, says the old economy companies have a long way to go. "While the awareness is building up, the money is not yet flowing. Actual sales (for security solutions) are not happening (in a big way) in verticals like manufacturing."

Reflecting on the PWC-CII Information Security Survey 2002-2003, Sameer Kapoor, Executive Director, PricewaterhouseCoopers, says, "We see that organizations in India are becoming more aware about security. But when we compare ourselves to international benchmarks, we have a long way to go."

According to the PWC-CII Information Security survey, 80 percent of the respondents reported breaches in the last 12 months, as compared to 60 percent in 2000-2001. This has led to increased security awareness, and 74 percent of the respondents said they increased their security budgets over the previous year to counter threats (see box story, 'Security barriers and countermeasures'). Kapoor says there are two sides to this. "The good news is that people have started rethinking security, and that isn't just about firewalls, anti-virus and IDS. The sad part is that people are thinking only in terms of which new technology to adopt."

Organizations who are thinking about improving security need to first change their Attitude about it.

Chandiramani of Ernst & Young feels InfoSec is still considered a technology issue. "It is still something that only the IT personnel worry about, and they are often the (only) ones who take decisions related to security. Security has to move away from being a technology issue and become a business related issue," he says.

The reason for this is that IT personnel miss out on the business objectives or business processes when making decisions about solutions procurement and deployment.

Kapoor of PricewaterhouseCoopers says security is left to the individuals (like administrators) who are managing the infrastructure. "We have to rely on a person's discipline or knowledge levels. Instead, security should be controlled through a procedure or framework."

SecureSynergy's Menon feels enterprise security should involve employees at all levels, customers, and all entities that deal with the organization.

There is also a consensus among auditors that the approach to InfoSec is not correct. For instance, security is either too tight or too lax. That calls for a right balance—systems should be configured to let in business associates and at the same time keep out hackers, viruses and worms. Kapoor recommends a two-fold approach.

"Firstly, you need to protect infrastructure. Secondly, you need to enable business. Ideally, security should protect your assets and at the same time, not hinder business," says Kapoor.

An organization's approach to countering security breaches must also change. Capt. Raghu Raman, Practice Head, Special Services Group, Mahindra Consulting says it is important to have vision and have the ability to think like an attacker when planning an information security strategy.

"Attackers can exploit your social weaknesses and use you to extract personal/competitive (corporate) information. So information security is not just a technology issue—this is a people and process issue too. The answer to this is education and awareness," he says.

Brian Pereira can be reached at brianp@networkmagazineindia.com

Security: the fourth wave

Reflecting on the evolution of security, we see four waves or phases. In the first phase (before the mid-90s) enterprises had not yet connected to the Internet. In fact, inter-office or inter-branch connectivity was rare or intermittent. The prime objective was confidentiality and integrity of information. Organizations put in access controls to lock up information, making selective information available to select individuals or groups.

In the second wave (mid to late 90s), companies began connecting to the Internet. This was also the time when the major security threat was Internet worms and viruses (it still is today). So anti-virus products were prime security solutions.

Then people resorted to more sophisticated means of attack. Malicious code on Web pages or embedded in e-mail overwhelmed corporate Web servers. Hacking tools were available on websites, and anyone could download these and use them to launch attacks on Internet servers. So enterprises started using firewalls to filter out malicious code and safeguard themselves from script kiddies.

In the third wave (present day), worms spread within minutes and disrupt corporate networks. Hackers no longer attack just to brag about it. They now seek financial gain and steal credit card numbers or competitive information from corporate servers.

More enterprises have opened up their networks to global customers, mobile workers, and suppliers. More sophisticated defenses are necessary to keep out the 'bad guys' and let in business associates. Sensitive information in transit needs to be secured. New tools like PKI (encryption and digital signatures), Intrusion Detection Systems, Virtual Private Networks, Access Control mechanisms etc are being used.

The fourth wave is around the corner. It's about Security Audit and Certification. This covers not just technology, but also people and processes. Enterprises will approach security from the attacker's end and safeguard against new risks like social engineering and dumpster diving.

Some wisdom about Information Security

"Information Security is a combination of various factors. It involves technology, people and policy."
— Sameer Kapoor, Executive Director, PricewaterhouseCoopers Pvt. Ltd.

"Information Security is not just a technology issue—this is a people and process issue too. The answer to this is education and awareness. You should talk to your employees."
— Capt. Raghu Raman, Practice Head, Special Services Group, Mahindra Consulting

"Security has to move away from being a technology issue and become a business related issue."
— Sunil Chandiramani, Partner, Ernst & Young

"There is a risk aspect to security too. Security breaches create a risk for the enterprise. So it's not just about hardware and software solutions."
— Alok Shende, Industry Manager (IT Practice), Frost & Sullivan

"Security is now essential since it has become a business enabler. Enterprise Security should involve employees at all levels, customers and all entities that deal with the organization."
— Anil Menon, Sr. Vice President-Operations, SecureSynergy


How attacks affect IT Availability

Critical information systems become unavailable due to various forms of attack. Ernst & Young's Information Security Survey 2002 reveals that around 76 percent of the respondents experienced unexpected unavailability. Despite this, only 47 percent of Indian companies (as compared to 53 percent globally) have a Business Continuity Plan. Over half the respondents do not have agreed recovery timescales, which could mean wide expectation gaps in the event of business interruption.

The two main causes of unavailability of systems cited by Indian companies were:

  • Malicious technical acts by outsiders (26 percent)
  • Third-party failure (14 percent).

Only 17 percent of the respondents said that invoking the BCP/DRP had been effectively done. However, only 12 percent of the respondents have tested their plans in the past three months.

What might this mean for your business?
Evidence abounds about the number of businesses without business continuity arrangements which fail to survive a disaster. Poor management of IT operations and third parties is likely to increase the number of avoidable failures of business critical systems. Businesses should be able to articulate the financial impact of unexpected system failures.

The Emerging Picture
The Ernst & Young survey findings conclude that security and privacy concerns are the top barriers to further connectivity. Increasing vulnerabilities: 70 percent of Indian CIOs, IT directors and business executives surveyed indicate that they expect to experience greater vulnerability as connectivity increases.

Barriers to further connectivity: Most Indian companies see security and privacy concerns (67 percent) and lack of standards (17 percent) as the top two barriers/inhibitors to external connectivity.

Use of security technologies: Current take-up of advancing information security technologies is still relatively low. Five percent of Indian respondents are piloting or widely deploying Public Key Infrastructure (PKI) and a further 33 percent are planning to pilot it. Biometrics is in use at only 6 percent of the organizations and only a further 11 percent plan to pilot it in future. Given the increased interest in authentication in recent months, this is surprisingly low. Only 17 percent of the organizations are using Intrusion Detection Systems.

Barriers to emerging technologies: Most Indian companies see the cost of implementation and training as the major barrier to increased use of emerging technologies.

What might this mean for your business?
Organizations that use several technologies but have not invested in other proven technologies may be missing an opportunity to address some of their security concerns.

Businesses that have not clearly articulated their business needs (e.g. further connectivity) and mapped them to their technology investments may miss out on the potential benefits of such investments and also run the risk of having an inadequate security infrastructure around such technology.

Security barriers and countermeasures

The Confederation of Indian Industry (CII) and PricewaterhouseCoopers conduct an Information Security Survey every year to assess the preparedness of Indian enterprises for countering security threats and breaches.

The survey for 2002-2003 indicates that although Indian enterprises are more aware now, and are keen to invest in security solutions, there are certain barriers preventing them from doing so.

Around 49 percent of Indian corporates cite capital expense as a barrier to the effective deployment of secure systems, up from a mere 4 percent during 2000-01; the global figure is 55 percent.

Technology related concerns like pace of change of technology, complexity of technology and lack of trained manpower, were the primary barriers during 2000-01. Their relative influence as a barrier to effective security has reduced in the current year.

This implies that the understanding of the technologies being deployed by organizations has improved from 2000-01. This is clearly reflected in the finding that 74 percent of the businesses increased their security spend during 2002-2003, alongside an increase of more than 11 times in the listing of inadequate capital expense as a barrier to security.

As can be seen from the graph, almost all the barriers are being experienced by more corporates globally as compared to India. Nevertheless, the Indian corporates are facing more security breaches. This reiterates the lower appreciation of security as a business issue and therefore the lower priority accorded to information systems security by Indian enterprises. Lack of time, poorly defined policy and lack of mature tools are the other significant barriers to implementing effective security across the organization.

Current countermeasures

Access Controls
The survey shows that there has been a paradigm shift in security measures in the wired world from "denial of access" to granting access to all on a "need to know" basis. This shift has resulted in higher importance being given to access controls and stronger means of authentication. The means of authentication that are currently in vogue are dual factor authentication, one time passwords, digital signatures etc.

Organizations across the world are realizing that password-based authentication is not adequate to address the risks arising as a consequence of this paradigm shift.

However, 97 percent of the respondents in India use only basic password-based access controls and 63 percent use multiple logons.

The trend of decreasing cost of public communications and increased availability of bandwidth has encouraged Indian businesses to use public networks for corporate communications, moving away from closed user group technologies such as VSAT. This change in communication technology has added the burden of needing to protect transmitted information. Unless information is encrypted while moving over public networks it can potentially be intercepted.

Around 36 percent of the respondents do not use any form of encryption, and over two-fifths of the respondents who use encryption do so for less than 10 percent of the data traffic. Only 17 percent of the respondents that use encryption technologies (11 percent of total respondents) are encrypting over 90 percent of their data traffic.

While the usage of encryption seems to be still low in absolute terms, there has been a rise in the use of encryption over 2000-01.

This is brought out by an increase of nearly three times, as compared to last year, in companies encrypting over 50 percent of their data traffic. The encryption technologies used in India are in line with the levels of encrypted traffic. Use of Secure Sockets Layer (SSL), which is one of the widely used technologies for Web-based encryption, is far lower in India than the global average.

Interestingly, 13 percent of the respondents use public key infrastructure (PKI) technologies, although the first license for public certification authority has been issued as recently as January 2002. Hence, a trend of faster adoption of PKI technologies, coupled with other security technology/tools such as single sign on (SSO), can be expected.

Other tools
Every business with Internet connectivity should ensure that it has a firewall in place between its Internet gateway and its local area network. Without a firewall to protect it, the corporate network is exposed to a variety of possible attacks from the Internet.

Yet only 69 percent of the respondents have deployed a firewall while over 90 percent have connected their corporate network to the Internet. This compares unfavorably with the global average, which stands at 83 percent. A firewall is only effective if it is adequately hardened and kept up-to-date with the latest security patches.

Information security can be enhanced by using an intrusion detection system (IDS) and vulnerability assessment (VA) tools. The use of IDS and VA tools in India is still low at 21 percent and 8 percent respectively.

The use of virtual private network (VPN) for end-to-end authentication and encryption of traffic is on the rise. PWC expects the use of VPNs to increase from its current level of 38 percent. This will be closely tied to lowered costs of public communications, especially long distance communications, in the future.