The need for security is
directly influenced by business dependence on IT and
the budgets allocated for it. Therefore security solutions
used are specific to the different verticals.
by Minu Sirsalewala
Enterprises from various industry
verticals have diverse security needs based on the nature
of their business. After interacting with IT Heads from
industry verticals like Banking and Finance, Manufacturing,
IT-enabled services and others, we found that the need
for security is directly influenced by IT dependence
of the business and the budgets allocated for it. Indeed,
there is much more to enterprise security than firewalls
and anti-virus solutions.
In an enterprise, IT security
requirements are generally specific to the business
type, or the vertical the enterprise belongs to.
The manufacturing industry for
instance may have high investments in IT to automate
its processes, but may not require advanced security
solutions as they are still at the closed user group
networks level. So their security solutions are still
limited to anti-virus and firewall solutions.
Security at manufacturing units
Pratap S. Gharge, General Manager-IT, Bajaj Electricals
Ltd. said, "Indian enterprises, particularly the
likes of manufacturing companies, are not yet ready
with Internet-based applications, which is why security
needs are still looked at as anti-virus and firewalls.
If the need is not felt, then organizations need not
open unnecessary ports on the servers and other devices."
In Indian enterprises, investment
in security forms a negligible part of the IT budget.
Though there are advanced technologies available in
the market, these technologies cannot be optimized in
the Indian enterprise yet.
Enterprises that have opened
themselves to the online world to reach out to their
customers and partners are the ones who have gone beyond
firewalls and anti-virus.
Arun Gupta, Senior Director-Business
Technology, Pfizer Ltd. says, "Large companies
and MNCs do think beyond firewalls and anti-virus solutions
due to the cascading of security policies to all countries
connected to the global networks."
Indian companies have been
giving significant focus to security in the recent past,
but fall short on implementation beyond the basic firewall
and anti-virus solutions. Though the awareness levels
are high, the budget allocations are not in line with
expectations.
There are some manufacturing
companies like Honda Siel Cars that do have a little
more than the basic security requirements like network
security, data security, backup solutions, access
level security, content filtering, firewall and security
from viruses.
They use security solutions to secure/consolidate and
for data backup on different platforms, as well as for
individual backup and consolidation.
Honda Siel Cars uses the following
security solutions:
- Anti-virus solutions to
protect from viruses.
- Solutions for mail scanning
and distribution.
- Firewalls for protecting
the network from outsiders through WAN.
- First level security at
the WAN port itself.
Hilal Isar Khan, Head-IT, Honda
Siel Cars says that security needs are not traditional
but purely business driven. He feels that on the basis
of cost-benefit analysis, more importance should be
given to real risk rather than perceived risk. In enterprise
security, risk to business continuity and disaster recovery
is far more important than the perceived threats related
to hacking etc.
Hilal adds, "A system is there and so is the need
to protect the risk arising out of it." Internet,
storage consolidation, server consolidation, application
consolidation have all eased enterprise life on one
hand and created security level threats on the other
hand. Thus it becomes mandatory to have a business continuity,
security and disaster recovery plan in place.
Security at financial institutions
Most financial institutions have anti-virus and firewalls
in place. Depending on the nature of their business
and IT implementations, they further make use of IDS
solutions, PKI, VPNs and other tools. Many enterprises
have policies and procedures in place to protect their
intangible assets like product information, IPR (intellectual
property rights), their practices, people, etc.
The level of security implementations
is primarily influenced by the nature of the business.
For example, Banking and Finance, and firms in the services
business, where information is a valuable asset, have
higher levels of security.
Harish Shetty, Asst. Vice President-IT,
HDFC Bank says, "We have a security policy in place
as per the expected guidelines of the RBI and also to
build our customers' and partners' confidence in us.
Security for us is to identify the risk, carry out a
risk assessment and then take the necessary steps to
minimize the risk to our assets, whether internal/external
or tangible/non-tangible. So we use the required tools
and procedures to proactively monitor and take the necessary
steps to avert any damage to our assets or leak of information."
Offering some words of wisdom,
Shetty says security is not limited to just averting
the risk, but also towards having minimum downtime,
and being able to recover and restore operations to
normalcy after any attack.
HDFC Bank uses IDS solutions,
PKI, VPNs along with firewall and anti-virus solutions
to secure its assets. It has a team that monitors and
evaluates risk in introduction of new products in its
business, and which suggests steps to minimize the risk.
"With a high growth in
services being offered to clients and partners, it is
important to have high security standards in order to
provide optimum service," says Shetty. "Though
the current solutions do fulfill the security requirements,
we still need some advanced tools that are automated,
in terms of applying patches, monitoring logs, reporting
alerts etc."
Information security becomes
more crucial in the Banking and Finance sector since
business information and data translate to money.
Shetty feels security is too
IT driven, and businesses need to be educated about
the risk and its impact. He says people need to be cautious
about how they keep their password, what information
they exchange and where. "Information security
is more about creating awareness of security and how
easily it can be breached by using social engineering,"
he says.
Security for service providers
NSE.IT also believes that information security is of
prime importance to earn client trust. NSE.IT, a subsidiary
of NSE (National Stock Exchange), has implemented all
the conventional security solutions for NSE to safeguard
its business, and is looking to include more
advanced security solutions.
C. Kajwadkar, Vice President,
NSE.IT said, "We do not consider security policy
as part of IT. For us our business user is a designated
security supervisor for the organization. The
purpose is best understood by the business, since at
times the IT people may get into the product and its
evaluation, and miss out on the real purpose, but
the business user knows what security is important."
The trading exchange plans
to evaluate digital signatures with some kind of authentication
server as they feel PKI-based digital certification
will be of higher value.
The use of security solutions
is business driven; at NSE they believe that any
new technology should be embraced for the purpose of
its relevance to the business, and not just because
it is available.
There is a large community
out there who still limit security to firewalls and
anti-virus solutions. "There is awareness, there
is desire but for most organizations the dependence
on IT is not high. Therefore the budget, the visibility,
and the focus that goes into an IT department isn't
so high."
But for organizations like
NSE where business will stop if IT stops, security is
of prime concern to keep the business running. Thus
the nature of security solutions is related to dependence
on IT.
Lakshman Krishnamoorthi, Sr.
Manager-Security at Sify Ltd. says, "Security for
such companies is process based, moving the corporate
security requirement from an isolated independent perspective
to one which would be part of everyday activity."
Sify uses extensive security solutions to protect itself
from attacks.
It uses the following security
solutions:
- Firewalls to offer basic
security protection.
- Network IDS to take reactive
steps at the earliest, and also to analyze the emerging
trends in the attack patterns.
- Anti-virus to provide protection
for individual servers from known viruses and worms.
- Secured channel communications
to offer end-to-end secured and encrypted data paths
between various systems deployed for security requirements.
- Centralized syslog server
to collate system logs across the various segments.
- Vulnerability assessment
and system update tools to assess the known/reported
vulnerabilities across the segments and provide for
a centralized update mechanism.
- Network and system audit
tools to periodically audit the network segments and
the systems connected.
Though enterprises have deployed
extensive solutions, there is a need for some integrated
solutions.
Lakshman opines, "The
systems do meet the expected security demands, however
the management or the maintenance of the systems often
result in time and hardware resource bottlenecks."
He added, "There are many
solutions in the market, which claim to be a single
integrated solution, but fail to meet all requirements
if the components are considered individually. Most
of the solution systems focus only on the back-end data
storage and querying capabilities."
Shetty of HDFC Bank also feels
that they need tools that can analyze the logs, find
correlation with other logs and give an enterprise view
of what is going on.
Conclusion
On doing an assessment of user companies we find that
security for many enterprises means merely deploying
firewalls and anti-virus solutions. But the solutions
requirement is purely business related. So if firewalls
and anti-virus suffice, one does not feel the need to
invest in other advanced security solutions.
The criticality of the information,
the value of lost information, and its relevance to
the continuity of the business influence security
decisions. There is security awareness and the desire
to use advanced security solutions, but these are
restrained by the business dependence on IT, and the
budgets allocated for it.
Minu Sirsalewala can be reached
at minus@networkmagazineindia.com