Archives ||  About Us ||  Advertise ||  Feedback ||  Subscribe-
Issue of April 2003 
 Home > Cover Story
 Print Friendly Page ||  Email this story

Cover Story: Enterprise Security
Security in Indian Enterprises

The need for security is directly influenced by business dependence on IT and the budgets allocated for it. Therefore security solutions used are specific to the different verticals. by Minu Sirsalewala

Enterprises from various industry verticals have diverse security needs based on the nature of their business. After interacting with IT Heads from industry verticals like Banking and Finance, Manufacturing, IT-enabled services and others, we found that the need for security is directly influenced by IT dependence of the business and the budgets allocated for it. Indeed, there is much more to enterprise security than firewalls and anti-virus solutions.

In an enterprise, IT security requirements are generally specific to the business type, or the vertical the enterprise belongs to.

The manufacturing industry for instance may have high investments in IT to automate its processes, but may not require advanced security solutions as they are still at the closed user group networks level. So their security solutions are still limited to anti-virus and firewall solutions.

Security at manufacturing units
Pratap S. Gharge, General Manager-IT, Bajaj Electricals Ltd. said, "Indian enterprises, particularly the likes of manufacturing companies, are not yet ready with Internet-based applications, which is why security needs are still looked at as anti-virus and firewalls. If the need is not felt, then organizations need not open unnecessary ports on the servers and other devices."

In the Indian enterprise investment in security formulates a negligible part of the IT budget. Though there are advanced technologies available in the market, these technologies cannot be optimized in the Indian enterprise yet.

Enterprises that have opened themselves to the online world to reach out to their customers and partners are the ones who have gone beyond firewalls and anti-virus.

Arun Gupta, Senior Director-Business Technology, Pfizer Ltd. says, "Large companies and MNCs do think beyond firewalls and anti-virus solutions due to the cascading of security policies to all countries connected to the global networks."

Indian companies have been giving significant focus to security in the recent past, but fall short on implementation beyond the basic firewall and anti-virus solutions. Though the awareness levels are high, the budget allocations are not in line with expectations.

There are some manufacturing companies like Honda Siel Cars that do have a little more than the basic security requirements like network security, data security—backup solutions, access level security, content filtering, firewall and security from viruses.
They use security solutions to secure/consolidate and for data backup on different platforms, as well as for individual backup and consolidation.

Honda Siel Cars uses the following security solutions:

  • Anti-virus solutions to protect from viruses.
  • Solutions for mail scanning and distribution.
  • Firewalls for protecting the network from outsiders through WAN.
  • First level security at the WAN port itself.

Hilal Isar Khan, Head-IT, Honda Siel Cars says that security needs are not traditional but purely business driven. He feels that on the basis of cost-benefit analysis, more importance should be given to real risk rather than perceived risk. In enterprise security, risk to business continuity and disaster recovery is far more important than the perceived threats related to hacking etc.
Hilal adds, "A system is there and so is the need to protect the risk arising out of it." Internet, storage consolidation, server consolidation, application consolidation have all eased enterprise life on one hand and created security level threats on the other hand. Thus it becomes mandatory to have a business continuity, security and disaster recovery plan in place.

Security at financial institutions
Most financial institutions have anti-virus and firewalls in place. Depending on the nature of their business and IT implementations, they further make use of IDS solutions, PKI, VPNs and other tools. Many enterprises have policies and procedures in place to protect their intangible assets like product information, IPR (intellectual property rights), their practices, people, etc.

The level of security implementations is primarily influenced by the nature of the business. For example, Banking and Finance, and firms in the services business, where information is a valuable asset, have higher levels of security.

Harish Shetty, Asst. Vice President-IT, HDFC Bank says, "We have a security policy in place as per the expected guidelines of the RBI and also to build our customers' and partners' confidence in us. Security for us is to identify the risk, carry out a risk assessment and then take the necessary steps to minimize the risk to our assets—whether internal/external or tangible/non-tangible. So we use the required tools and procedures to proactively monitor and take the necessary steps to avert any damage to our assets or leak of information.

Offering some words of wisdom, Shetty says security is not limited to just averting the risk, but also towards having minimum downtime, and being able to recover and restore operations to normalcy after any attack.

HDFC Bank uses IDS solutions, PKI, VPNs along with firewall and anti-virus solutions to secure its assets. It has a team that monitors and evaluates risk in introduction of new products in its business, and which suggests steps to minimize the risk.

"With a high growth in services being offered to clients and partners, it is important to have high security standards in order to provide optimum service," says Shetty. "Though the current solutions do fulfill the security requirements, we still need some advanced tools that are automated, in terms of applying patches, monitoring logs, reporting alerts etc."

Information security becomes more crucial in the Banking and Finance sector since business information and data translate to money.

Shetty feels security is too IT driven, and businesses need to be educated about the risk and its impact. He says people need to be cautious about how they keep their password, what information they exchange and where. "Information security is more about creating awareness of security and how easily it can be breached by using social engineering," he says.

Security for service providers
NSE.IT also believes that information security is of prime importance to earn client trust. NSE.IT a subsidiary of NSE (National Stock Exchange) has implemented all the conventional security solutions for NSE to safeguard its business, and is looking forward to include more advanced security solutions.

C. Kajwadkar, Vice President, NSE.IT said, "We do not consider security policy as part of IT. For us our business user is a designated security supervisor for the organization." The purpose is best understood by the business, since at times the IT people may get into the product and its evaluation, and miss out on the real purpose—but the business user knows what security is important."

The trading exchange plans to evaluate digital signatures with some kind of authentication server as they feel PKI-based digital certification will be of higher value.

The use of security solutions is business driven—at NSE they believe that any new technology should be embraced for the purpose of its relevance to the business, and not just because it is available.

There is a large community out there who still limit security to firewalls and anti-virus solutions. "There is awareness, there is desire but for most organizations the dependence on IT is not high. Therefore the budget, the visibility, and the focus that goes into an IT department isn't so high."

But for organizations like NSE where business will stop if IT stops, security is of prime concern to keep the business running. Thus the nature of security solutions is related to dependence on IT.

Lakshman Krishnamoorthi, Sr. Manager-Security at Sify Ltd. says, "Security for such companies is process based—moving the corporate security requirement from an isolated independent perspective to one which would be part of everyday activity."
Sify uses extensive security solutions to protect itself from attacks.

It uses the following security solutions:

  • Firewalls to offer basic security protection.
  • Network IDS to take reactive steps at the earliest, and also to analyze the emerging trends in the attack patterns.
  • Anti-virus to provide protection for individual servers from known viruses and worms.
  • Secured channel communications to offer end-to-end secured and encrypted data paths between various systems deployed for security requirements.
  • Centralized syslog server to collate system logs across the various segments.
  • Vulnerability assessment and system update tools to assess the known/reported vulnerabilities across the segments and provide for a centralized update mechanism.
  • Network and system audit tools to periodically audit the network segments and the systems connected.

Though enterprises have deployed extensive solutions, there is a need for some integrated solutions.

Lakshman opines, "The systems do meet the expected security demands, however the management or the maintenance of the systems often result in time and hardware resource bottlenecks."

He added, "There are many solutions in the market, which claim to be a single integrated solution, but fail to meet all requirements if the components are considered individually. Most of the solution systems focus only on the back-end data storage and querying capabilities.

Shetty of HDFC Bank also feels that they need tools that can analyze the logs, find correlation with other logs and give an enterprise view of what is going on.

On doing an assessment of user companies we find that Security for many enterprises means merely deploying firewalls and anti-virus solutions. But the solutions requirement is purely business related. So if firewalls and anti-virus suffice, one does not feel the need to invest in other advanced security solutions.

The criticality of the information, the value of lost information, and its relevance to the continuity of the business, influences security decisions. There is security awareness and the desire to use advanced security solutions—but these are restrained by the business dependence on IT, and the budgets allocated for it.

Minu Sirsalewala can be reached at

- <Back to Top>-  

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.