Due to factors like globalization and directives from regulators, certain Indian companies are now more serious about Information Security. But the rest are complacent and need to do a lot more than just implement solutions.
by Brian Pereira
As we entered the new millennium,
IT managers were busy safeguarding their (legacy) systems
from the Y2K bug. Around that time, the threat of Internet
viruses and worms loomed large. Naturally, every connected
enterprise had to have an anti-virus solution and perhaps
a firewall. And that's what security was all about.
Today, Information Security (InfoSec) takes on a broader
meaning. What's more, certain Indian enterprises have
no choice but to take a more proactive stance towards
security, through means like security certification.
As one industry analyst puts it, "Security has
become all-encompassing; it's not just about technology
and point products anymore."
DRIVERS
The prime driver for enterprise security is (Internet)
Connectivity. IDC says the worldwide InfoSec market
was worth $6.7 billion in 2000. With a CAGR of 25.5
percent, this market is projected to more than triple
to $21 billion by the end of 2005.
An IDC analyst says remote LAN, Internet, extranet/intranet,
and wireless access services will drive the need for
advanced information security services, as technologies
for circumventing network security systems continue
to keep pace with the technologies designed to defend
against them.
Anil Menon, Sr. Vice President-Operations,
SecureSynergy (an Information Assurance firm), says
the transition from a 'bounded environment' to an 'unbounded
environment' has made information security crucial today.
"With connectivity, the traditional way of securing
information is no longer relevant," he says.
Elaborating further, Menon
says enterprise networks became unbounded when companies
started interconnecting their various branches and offices.
Then enterprises opened up their networks to the outside
world, by linking their intranets to the Internet. Before
that, enterprise networks were bounded; 99 percent of
the users were internal; and there were islands of IT
infrastructure.
"With the unbounded network
we were concerned about the Confidentiality, Integrity
and Availability (CIA) of information. But today we
are inviting people from outside into our network, so
we also need to be concerned about access controls,
authentication, and non-repudiation," adds Menon.
The other driver for security
is Globalization. International companies seeking to
outsource work to Indian firms insist on security certification,
or adherence to laws, standards and business practices
prevalent in their respective countries. Not surprisingly,
all the top software services companies, IT-enabled
services companies, and BPO outfits are going in for
security certifications like BS 7799 or ISO 17799.
Indian firms that deal with
US companies are also asked to comply with US laws like
the Gramm-Leach-Bliley Act (financial privacy) and the Patriot
Act. Other countries (like Germany) have similar laws.
The third driver for increased
security awareness is the Regulator.
The Reserve Bank of India (RBI)
has created a comprehensive document that lays down
a number of security-related guidelines and strategies
for banks to follow in order to offer Internet banking.
The guidelines broadly talk about the types of risks
associated with Internet banking, the technology and
security standards, legal issues involved, and regulatory
and supervisory concerns. Any bank that wants to offer
Internet banking must follow these guidelines and adhere
to them as a legal necessity.
Taking a cue from RBI, SEBI
has now come up with a risk management framework for
mutual funds.
Recent information security
surveys indicate that the Banking and Finance sector
companies are most serious about security, are the major
investors in security solutions, and regularly revise
their security policies following periodic audits.
Next in line are the software
services companies, BPO firms, and IT-enabled services
companies.
But verticals like manufacturing
continue to lag, with the exception of companies that
have extensive ERP setups, or those that drive their
supply chain through the Web. Aside from these three
verticals, companies in other verticals have a long
way to go in establishing information security.
ATTITUDE
The various consultants and industry analysts that we
spoke to cited various reasons for the sloppy attitude,
but they all agreed on one thing: security should
not be the concern of only the IT manager or the IT
department. Security is the responsibility of, and concerns,
every employee in the company (including top management).
Says Sunil Chandiramani, Partner,
Ernst & Young, "Security has already become
a boardroom issue for MNCs. But CEOs, the board of directors,
and auditing committees of large enterprises need to
increase their security awareness."
Alok Shende, Industry Manager
(IT Practice), Frost & Sullivan, says the old economy
companies have a long way to go. "While the awareness
is building up, the money is not yet flowing. Actual
sales (for security solutions) are not happening (in
a big way) in verticals like manufacturing."
Reflecting on the PWC-CII Information
Security Survey 2002-2003, Sameer Kapoor, Executive
Director, PricewaterhouseCoopers, says, "We see
that organizations in India are becoming more aware
about security. But when we compare ourselves to international
benchmarks, we have a long way to go."
According to the PWC-CII Information
Security survey, 80 percent of the respondents reported
breaches in the last 12 months, as compared to 60 percent
in 2000-2001. This has led to increased security awareness
and 74 percent of the respondents said they increased
their security budgets over the previous year to counter
threats (See box story, 'Security barriers and counter
measures.') Kapoor says there are two sides to this.
"The good news is that people have started rethinking
security, and that isn't just about firewalls, anti-virus
and IDS. The sad part is that people are thinking only
in terms of which new technology to adopt."
WHAT NEEDS TO BE DONE
Organizations that are thinking about improving security
need to first change their attitude towards it.
Chandiramani of Ernst &
Young feels InfoSec is still considered a technology
issue. "It is still something that only the IT
personnel worry about, and they are often the (only)
ones who take decisions related to security. Security
has to move away from being a technology issue and become
a business related issue," he says.
The reason for this is that
IT personnel miss out on the business objectives or
business processes when making decisions about solutions
procurement and deployment.
Kapoor of Pricewaterhouse Coopers
says security is left to the individuals (like administrators)
who are managing the infrastructure. "We have to
rely on a person's discipline or knowledge levels. Instead,
security should be controlled through a procedure or
framework."
SecureSynergy's Menon feels
enterprise security should involve employees at all
levels, customers, and all entities that deal with the
organization.
There is also a consensus among
auditors that the approach to InfoSec is not correct.
For instance, security is either too tight or too lax.
That calls for the right balance: systems should be
configured to let in business associates and at the
same time keep out hackers, viruses and worms. Kapoor
recommends a two-fold approach.
"Firstly, you need to
protect infrastructure. Secondly, you need to enable
business. Ideally, security should protect your assets
and at the same time, not hinder business," says
Kapoor.
An organization's approach
to countering security breaches must also change. Capt.
Raghu Raman, Practice Head, Special Services Group,
Mahindra Consulting says it is important to have vision
and have the ability to think like an attacker when
planning an information security strategy.
"Attackers can exploit
your social weaknesses and use you to extract personal/competitive
(corporate) information. So information security is
not just a technology issue; this is a people and
process issue too. The answer to this is education and
awareness," he says.
Brian Pereira can be reached at
brianp@networkmagazineindia.com
Reflecting on the
evolution of security, we see four waves or phases.
In the first phase (before the mid-90s) enterprises
had not yet connected to the Internet. In fact
inter-office or inter-branch connectivity was
rare or intermittent. The prime objective was
confidentiality and integrity of information.
Organizations put in access controls to lock up
information, making selective information available
to select individuals or groups.
In the second wave
(mid to late 90s), companies began connecting
to the Internet. This was also the time when the
major security threat was Internet worms and viruses
(it still is today). So anti-virus products were
prime security solutions.
Then people resorted
to more sophisticated means of attack. Malicious
code on Web pages or embedded in e-mail overwhelmed
corporate Web servers. Hacking tools were available
on websites, and anyone could download these and
use them to launch attacks on Internet servers.
So enterprises started using firewalls to filter
out malicious code and safeguard themselves from
script kiddies.
In the third wave
(present day), worms spread within minutes and
disrupt corporate networks. Hackers no longer
attack just to brag about it. They now seek financial
gain and steal credit card numbers or competitive
information from corporate servers.
More enterprises
have opened up their networks to global customers,
mobile workers, and suppliers. More sophisticated
defenses are necessary to keep out the 'bad guys'
and let in business associates. Sensitive information
in transit needs to be secured. New tools like
PKI (encryption and digital signatures), Intrusion
Detection Systems, Virtual Private Networks, Access
Control mechanisms etc. are being used.
The fourth wave is
around the corner. It's about Security Audit and
Certification. This covers not just technology,
but also people and processes. Enterprises will
approach security from the attacker's end and
safeguard against new risks like social engineering
and dumpster diving.
"Information
Security is a combination of various factors.
It involves technology, people and policy."
Sameer Kapoor, Executive Director, PricewaterhouseCoopers
Pvt. Ltd.
"Information
Security is not just a technology issue; this
is a people and process issue too. The answer
to this is education and awareness. You should
talk to your employees."
Capt. Raghu Raman, Practice Head,
Special Services
Group, Mahindra Consulting.
"Security has to move away from being a technology
issue and become a business related issue."
Sunil Chandiramani, Partner, Ernst &
Young
"There is a
risk aspect to security too. Security breaches
create a risk for the enterprise. So it's not
just about hardware and software solutions."
Alok Shende, Industry Manager (IT Practice),
Frost & Sullivan
"Security is
now essential since it has become a business enabler.
Enterprise Security should involve employees at
all levels, customers and all entities that deal
with the organization."
Anil Menon, Sr. Vice President-Operations,
SecureSynergy
Critical
information systems become unavailable due to
various forms of attack. Ernst & Young's
Information Security Survey 2002 reveals that
around 76 percent of the respondents experienced
unexpected unavailability. Despite this, only
47 percent of Indian companies (as compared to
53 percent globally) have a Business Continuity
Plan. Over half the respondents do not have agreed
recovery timescales, which could mean wide expectation
gaps in the event of business interruption.
The two main causes
of unavailability of systems cited by Indian companies,
were:
- Malicious technical
acts by outsiders (26 percent)
- Third-party failure
(14 percent).
Only 17 percent of
the respondents said that invoking the BCP/DRP
had been effectively done. However only 12 percent
of the respondents have tested their plans in
the past three months.
What might this
mean for your business?
Evidence abounds about the number of businesses
without business continuity arrangements that
fail to survive a disaster. Poor management of
IT operations and third parties is likely to
increase the number of avoidable failures of business
critical systems. Businesses should be able to
articulate the financial impact of unexpected
system failures.
The
Emerging Picture
The Ernst & Young survey findings conclude
that security and privacy concerns are the top
barriers to further connectivity. Increasing vulnerabilities:
70 percent of Indian CIOs, IT directors and business
executives surveyed indicate that they expect
to experience greater vulnerability as connectivity
increases.
Barriers to further
connectivity: Most Indian companies see security
and privacy concerns (67 percent) and lack of
standards (17 percent) as the top two barriers/inhibitors
to external connectivity.
Use of security technologies:
Current take-up of advancing information security
technologies is still relatively low. Five percent
of Indian respondents are piloting or widely deploying
Public Key Infrastructure (PKI) and a further
33 percent are planning to pilot it. Biometrics
is in use at only 6 percent of the organizations
and only a further 11 percent plan to pilot it
in future. Given the increased interest in authentication
in recent months, this is surprisingly low. Only
17 percent of the organizations are using Intrusion
Detection Systems.
Barriers to emerging
technologies: Most Indian companies see the cost
of implementation and training as the major barrier
to increased use of emerging technologies.
What might this
mean for your business?
Organizations that use several technologies but
have not invested in other proven technologies
may be missing an opportunity to address some
of their security concerns.
Businesses that have
not clearly articulated their business needs (e.g.
further connectivity) and mapped it to their technology
investments may miss out the potential benefits
of such investments and also run the risk of having
an inadequate security infrastructure around such
technology.
The Confederation
of Indian Industry (CII) and PricewaterhouseCoopers
conduct an Information Security Survey every year
to assess the preparedness of Indian enterprises
for countering security threats and breaches.
The
survey for 2002-2003 indicates that although Indian
enterprises are more aware now, and are keen to
invest in security solutions, there are certain
barriers preventing them from doing so.
Around 49 percent
of Indian corporates cite capital expense
as a barrier to the effective deployment of secure
systems. This is up from a mere 4 percent during
2000-01, and compares with 55 percent globally.
Technology related
concerns like pace of change of technology, complexity
of technology and lack of trained manpower, were
the primary barriers during 2000-01. Their relative
influence as a barrier to effective security has
reduced in the current year.
This implies that the
understanding of the technologies being deployed
by organizations has improved since 2000-01. This
is clearly reflected in the finding that 74 percent
of the businesses increased their security spend
during 2002-2003, alongside an increase of
more than 11 times in the listing of inadequate
capital expense as a barrier to security.
As can be seen from
the graph, almost all the barriers are being experienced
by more corporates globally as compared to India.
Nevertheless, the Indian corporates are facing
more security breaches. This reiterates the lower
appreciation of security as a business issue and
therefore the lower priority accorded to information
systems security by Indian enterprises. Lack of
time, poorly defined policy and lack of mature
tools are the other significant barriers to implementing
effective security across the organization.
Current
countermeasures
Access Controls
The
survey shows that there has been a paradigm shift
in security measures in the wired world from "denial
of access" to granting access to all on a
"need to know" basis. This shift has
resulted in higher importance being given to access
controls and stronger means of authentication.
The means of authentication that are currently
in vogue are dual factor authentication, one time
passwords, digital signatures etc.
Organizations across
the world are realizing that password-based authentication
is not adequate to address the risks arising as
a consequence of this paradigm shift.
However, 97 percent
of the respondents in India use only basic password-based
access controls and 63 percent use multiple logons.
Encryption
The trend of decreasing cost of public communications
and increased availability of bandwidth has encouraged
Indian businesses to use public networks for corporate
communications, moving away from closed user group
technologies such as VSAT. This change in communication
technology has added the burden of needing to
protect transmitted information. Unless information
is encrypted while moving over public networks
it can potentially be intercepted.
Around
36 percent of the respondents do not use any form
of encryption, and over two-fifths of the respondents
who use encryption do so for less than 10 percent
of the data traffic. Only 17 percent of the respondents
that use encryption technologies (11 percent of
total respondents) are encrypting over 90 percent
of their data traffic.
While the usage of
encryption seems to be still low in absolute terms,
there has been a rise in the use of encryption
over 2000-01.
This is brought out
by an increase of nearly three times, as compared
to last year, in companies encrypting over 50
percent of their data traffic. The encryption
technologies used in India are in line with the
levels of encrypted traffic. Use of Secure Sockets
Layer (SSL), which is one of the widely used technologies
for Web-based encryption, is far lower in India
than the global average.
Interestingly, 13
percent of the respondents use public key infrastructure
(PKI) technologies, although the first license
for public certification authority has been issued
as recently as January 2002. Hence, a trend of
faster adoption of PKI technologies, coupled with
other security technology/tools such as single
sign on (SSO), can be expected.
Other tools
Every
business with Internet connectivity should ensure
that it has a firewall in place between its Internet
gateway and its local area network. Without a
firewall to protect it, the corporate network
is exposed to a variety of possible attacks from
the Internet.
Yet only 69 percent
of the respondents have deployed a firewall while
over 90 percent have connected their corporate
network to the Internet. This compares unfavorably
with the global average, which stands at 83 percent.
A firewall is only effective if it is adequately
hardened and kept up-to-date with the latest security
patches.
Information security
can be enhanced by using an intrusion detection
system (IDS) and vulnerability assessment (VA)
tools. The use of IDS and VA tools in India is
still low at 21 percent and 8 percent respectively.
The use of virtual
private network (VPN) for end-to-end authentication
and encryption of traffic is on the rise. PWC
expects the use of VPNs to increase from its current
level of 38 percent. This will be closely tied
to lowered costs of public communications, especially
long distance communications, in the future.