Cover Story: Enterprise Security
A call to arms
The seriousness of threats and the number of incidents are
increasing each day. So it's time Indian enterprises scrutinize its security
systems and set up stronger defenses. by Anil Patrick R
When it comes to Information Security, Indian enterprises
have traditionally remained in reactive modesprucing up security systems
only after it is attacked. But with the severity of security threats increasing
everyday, it has realized that it can no longer remain complacent. Even though
India Inc has begun moving towards security in a big way, there is still a long
way to go.
Earlier, not too many Indian organizations had their
networks connected to the Internet. The nature of their businesses did not necessitate
connectivity to that level. Another reason for the complacent nature was the
fact that not too many Indian companies put their core systems on the Internet.
That's why there were very few incidents of attacks earlier.
The scenario has changed today as more companies are
putting core systems on the Internet. However, it is interesting to note that
in spite of the increased risks, organizations are still very laid back.
Dr Sourav Dutta, DGM (Systems), Videsh Sanchar Nigam
Limited confirms this. "There is a very lackadaisical approach to information
security in India. It's not due to the fact that people aren't fully aware.
People are aware of the risks since technology came in at a much later stage
in India. However, since most threats usually affect only websites and e-mail,
not the business scenario, people tend to take it less seriously."
|Fig 1: Frequency of security policy review
|Source: Network Magazine's Infrastructure Strategies
The picture has completely changed now, with many businesses
using the Internet and e-mail for online transactions and communication with
partners and customers. Many organizations are also using internal networks
and the Internet for telephony, with VoIP technologies.
While all this has streamlined business processes at
much higher levels, security risks have also increased. Viruses are becoming
deadlier each day. Software vulnerabilities allow black hat hackers (crackers)
to play havoc with corporate networks. And then there's Spam that chokes bandwidth
and also brings in new virus threats. Industrial espionage cannot be ruled out
So the big question is how secure are Indian enterprises
today? While many organizations do have state-of-the-art security set-ups (especially
the banking segment), the overall picture is not very good.
According to Ernst & Young's Global Information
Security Survey 2003: India Country report, more than 35 percent of Indian corporates
rate themselves as less than adequate in their ability to determine whether
their systems are currently under attack. The same survey discovered that only
28 percent of organizations claimed to be compliant with applicable security
Figures like these don't bode too well for the Indian
enterprise. It is time to look at the problems or mistakes that many organizations
make in terms of security. We'll also examine four organizations that have their
security fundamentals right.
Combating the fortress syndrome
The typical security set-up in an Indian organization
is like this. There's a firewall in place along with an Intrusion Detection
System (IDS). The anti-virus solution has been set up quite sometime back. All
the right patches are in place. But does this make the enterprise's security
infrastructure complete and adequate?
The truth is that only the technological aspect of
security is complete. This is one of the biggest mistakes that many organizations
tend to make. Security does not end with deploying technology. With this kind
of a set-up, the enterprise is very similar to that of a fortress. There are
huge walls and sentries on the perimeter, but it's virtually defenseless on
the inside. Imagine what might happen once an intruder gets in. Or worse than
that, a disgruntled employee unleashing his frustration by causing damage to
network resources. How do you cope with such threats?
This is where measures like security policies are required.
A properly drafted security policy helps ensure that your organization's security
does not resemble the coconut modelhard layers outside, soft layers inside.
The biggest problem impeding proper security implementation
is the lack of proper information security policies. A security policy basically
helps an organization identify the rules and procedures regarding the use of
IT to ensure confidentiality, integrity, and availability of data and resources.
Not many Indian organizations have a security policy.
Ernst & Young's Global Information Security Survey shows that 40 percent
of Indian organizations lack formal security management processes or written
policies. This basically means that a large number of enterprises don't have
proper and documented methods to manage their organization's security. It is
high time Indian organizations get serious about this foundation of IT security.
A security policy has to be periodically reviewed and
modified according to changing situations. Network Magazine's Infrastructure
Strategies 2003 Survey shows that 29 percent of Indian organizations do not
have a fixed frequency for security policy reviews, while 14 percent do it just
once a year. Ideally, these reviews should be done at least once in six months
to avoid the policies getting outdated. Fig 1 shows a detailed view of the findings
on this front.
A security policy has to be developed with active involvement
of the business. Security is a business issue and it is imperative that the
senior management is involved if the security policy's objectives have to be
met. Another important point to note is that user training, security audits,
and strict policy enforcement checks need to be done at regular intervals. Without
this, it is just a matter of time before the security policy is forgotten.
The financial sector is again a leading example to
illustrate proper use of security policies.
"Financial institutions lead the field when it
comes to security policies. They are top of the class and can be compared to
any of the international organizations," said Dr Sourav Dutta (VSNL).
But other organizations have a long way to go. Let
us now look at some Secure Organizations in India, which are among the best
in terms of best practices and technology implementation.
|"A major part of the job is non-IT. This involves
conducting periodic workshops across the country, educating users about
the importance of IT security, telling them how threats arise and how users
themselves play an important role in preventing attacks" — Mani B Mulki,
GM (Information Systems), Godrej Industries
Secure Organization 1: Godrej Industries
Godrej Industries believes that just having security
systems is not enough, if the objective is a really secure organization. This
goal can be achieved only with secure security policies and its rigorous enforcement.
For this, it is necessary that IT policies are treated
as any other policy, like an HR policy or an audit policy. Like any other business
policy, Godrej's security policy has the synchronization and alignment of the
top management before it is released. Their signoffs are obtained on the elements
of the security policy and the punitive measures.
Mani B Mulki, General Manager (Information Systems),
Godrej Industries Ltd. said, "The policy has to come from the business.
It is very important since a system attack could have major business implications.
For example, an attack might give a person access to sensitive e-mail."
Godrej's security policy is aligned with the company's
top management, and it also involves continuing education and rigorous follow-upsevery
three months throughout the country for new users as well as for existing users.
On the e-mail front, Godrej's security policy is clear about how e-mail should
be usedtype, content and size. Godrej also has policies like those for
Net surfingmore specifically, the sites that can be accessed and downloading
Having a security policy is not enough. It is more
important to efficiently administer it. This happens only if security policy
audits are done. The organization has a separate team that checks whether employees
are following the policy.
"In consultation with business and HR, we administer
punitive measures for errant employees. Unless this is done, participation of
employees cannot be solicited," said Mulki.
The organization believes in ongoing user education
to ensure that security of the organization is not compromised. "A major
part of the job is non-IT. This involves conducting periodic workshops across
the country, educating users about the importance of IT security, telling them
how threats arise and how users themselves play an important role in preventing
attacks," added Mulki.
Godrej has a full fledged IT security team dedicated
to securing the IT system. They also have a consultant specializing in network
security on a full time basis. The team checks password strengths on a regular
basis. Employees are then alerted if their passwords are weak. An external security
consultant has also been employed to check security and system patches on an
almost daily basis.
On the security solutions front, anti-virus at the desktop,
on the gateway, server and exchange level are used. Unless an organization is
protected at these levels, it's not possible to have a comprehensive anti-virus
protection. Anti-virus solutions from different vendors have been deployed to
ensure better availability and protection levels.
A content filtering system with its own anti-virus
is used to scan contents of all incoming and outgoing e-mails. What is noticeable
here is that most companies deploy content filtering only at the gateway level,
bypassing internal mails. Godrej's system is configured in such a manner that
any e-mail, internal or external has to pass through the content filter. E-mails
not adhering to the policy are filtered out. This process also keeps a check
on Spam and viruses.
A firewall and IDS solution is used in the internal
network. Another dedicated firewall has been deployed to protect Godrej's servers
hosted on the Internet. Full time IDS monitoring is done to detect suspicious
Godrej Industries claims it hasn't had too many security
problems. "A couple of years back, our e-mail server was used as a relay
server. It was intruded and that caused a breakdown for over 48 hours. We could
stop it immediately, but the moment it was intruded, it got blacklisted and
it took us 48 hours to get it unlisted. During that time, mails going from the
server bounced back. Apart from that, we haven't had any major problems,"
|"The security policy describes dos and don'ts clearly.
When a user is given Internet access, there are additional rules that have
to be signed. From an administrative perspective we have defined the HR
and security policies, and taken sign-offs from different people" — Sanjay
Sharma, Head-Information Technology, IDBI Bank
Secure Organization 2: IDBI Bank
For IDBI Bank, security implies more than just compliance
to RBI mandates or putting systems in place. The bank treats security as more
of a business issue than a technical issue.
Sanjay Sharma, Head-Information Technology, IDBI Bank
said, "We are mandated by RBI to have an information security officer.
His role is to take care of the security perspective of the complete infrastructure.
However, security cannot be driven by one individual, it has to be driven by
the top management."
At IDBI Bank, this has been achieved by the formation
of an information security steering committee that includes the CEO and other
top management officials. The committee reviews and deals with issues right
from making a security policy for the bank to enforcement and making changes.
The policy is updated at regular intervals.
"The security policy describes dos and don'ts
clearly. When someone is given Internet access, there are additional rules that
have to be signed. From an administrative perspective we have defined the HR
and security policies, and taken sign-offs from different people," said
IDBI Bank believes that it is only a proper combination
of technology and HR policies, that really works during security policy enforcement.
It has clear-cut HR policies on this front, with punitive measures. For example,
if a user is viewing a site he is not supposed to, it comes into the log. The
list of such errant employees is presented to the steering committee. The bank
has appropriate HR policies that allows the organization to take action against
The next factor that the bank focuses on is security
awareness. This is where education and training plays a major role. The organization
conducts security campaigns, and quizzes among users over its intranet, complete
with prizes for winners. These are incentive-driven programs that increase user
awareness. The bank also has an internal IT magazine.
On the technical side, IDBI Bank has a dedicated team
for security. They also make use of external agencies for periodic security
checks and auditing. The biggest advantage that the bank has is its centralized
architecture. The entire network is managed by a single data center. This tightly
controlled environment eases issues like patch management and anti-virus management.
Any application hosted on the Internet is tested thoroughly
for functionality as well as from the security viewpoint. Based on the specific
application needs, only the required services and ports are enabled. Routine
intrusion detection tests are also conducted before hosting it on the DMZ.
Anti-virus solutions and scanners are used to scan
network traffic and e-mail. The organization has complete restrictions on things
like forwarded e-mails, downloading files, and attachment size. If software
has to be downloaded, it has to be first tested by the IT team before it can
be installed on the users PC. Blocking is done at the gateway. Since all
branches use browser based core applications, the main anti-virus server is
at the central site. This also keeps track of the update status on the PCs across
the network. Local PCs have anti-virus agents, which makes central monitoring
and updating of desktops possible.
IDS logs are checked using tools, as well as trend
analysis. "We have seen that a combination of both really works,"
|"A code of conduct is in place for employees, which
covers any misuse of office facilities. We are also in the process of finalizing
the security policy approval which will help us take prompt action against
errant users" — R P Singh, Executive Director (Integrated Information Systems),
Secure Organization 3: BPCL
In addition to being a leading Indian manufacturing
company, Bharat Petroleum Corporation Limited also has an extremely secure IT
setup. According to BPCL, this is necessary to mitigate security threats to
boost business efficiency.
"Loss of productivity can occur from different
security threats like viruses, hacking attempts, spam, errant users, etc. We
have a code of conduct for employees, which covers any misuse of office facilities.
We are also in the process of finalizing the security policy approval which
will help us take prompt action against errant users," said R P Singh,
Executive Director (Integrated Information Systems), Bharat Petroleum Corporation
Limited. BPCL believes that the best way to do this is by bringing about a sense
of responsibility among the users. The latest technology is of no use unless
the entire organization participates in promoting IT security. This participation
is ensured through user training programs.
Another aspect of security enforcement is to ensure
that users know they are monitored. "This is done through means like our
website filtering tool. Users get alert messages if they try to access unwanted
sites. This helps a lot in enforcing policies," said R P Singh. Measures
like these reduce the chances of users misusing IT resources.
On the technical front, BPCL secures its systems by
reducing the area of exposure, number of open ports, and the servers open to
the Internet. Standard mechanisms like firewalls, IDS, and patching are also
used to prevent security breaches. IBM Tivoli's Software Distribution module
is used by BPCL for applying system patches.
Anti-virus systems have been deployed in the BPCL network
at multiple levels. Anti-virus solutions at the gateway, desktop, and the browsing
interface help prevent virus attacks. BPCL's anti-virus solution has its own
centralized signature distribution through redistribution servers across the
LAN and WAN. Content filters installed in the network ensure that spam does
not get into the network.
User level access is done at BPCL through SAP, which
has tight control on this front. Exchange public folders are used to share information
in a controlled manner.
Anil Patrick R can be reached at firstname.lastname@example.org