Archives ||About Us || Advertise || Feedback || Subscribe-
-
Issue of November 2003 
-

  -  
 
 Home > Cover
 Print Friendly Page ||  Email this story

Cover Story: Enterprise Security

A call to arms

The seriousness of threats and the number of incidents are increasing each day. So it's time Indian enterprises scrutinize its security systems and set up stronger defenses. by Anil Patrick R

When it comes to Information Security, Indian enterprises have traditionally remained in reactive mode—sprucing up security systems only after it is attacked. But with the severity of security threats increasing everyday, it has realized that it can no longer remain complacent. Even though India Inc has begun moving towards security in a big way, there is still a long way to go.

Earlier, not too many Indian organizations had their networks connected to the Internet. The nature of their businesses did not necessitate connectivity to that level. Another reason for the complacent nature was the fact that not too many Indian companies put their core systems on the Internet. That's why there were very few incidents of attacks earlier.

The scenario has changed today as more companies are putting core systems on the Internet. However, it is interesting to note that in spite of the increased risks, organizations are still very laid back.

Dr Sourav Dutta, DGM (Systems), Videsh Sanchar Nigam Limited confirms this. "There is a very lackadaisical approach to information security in India. It's not due to the fact that people aren't fully aware. People are aware of the risks since technology came in at a much later stage in India. However, since most threats usually affect only websites and e-mail, not the business scenario, people tend to take it less seriously."

Fig 1: Frequency of security policy review
Source: Network Magazine's Infrastructure Strategies 2003 Survey

Indian scenario

The picture has completely changed now, with many businesses using the Internet and e-mail for online transactions and communication with partners and customers. Many organizations are also using internal networks and the Internet for telephony, with VoIP technologies.

While all this has streamlined business processes at much higher levels, security risks have also increased. Viruses are becoming deadlier each day. Software vulnerabilities allow black hat hackers (crackers) to play havoc with corporate networks. And then there's Spam that chokes bandwidth and also brings in new virus threats. Industrial espionage cannot be ruled out either.

So the big question is how secure are Indian enterprises today? While many organizations do have state-of-the-art security set-ups (especially the banking segment), the overall picture is not very good.

According to Ernst & Young's Global Information Security Survey 2003: India Country report, more than 35 percent of Indian corporates rate themselves as less than adequate in their ability to determine whether their systems are currently under attack. The same survey discovered that only 28 percent of organizations claimed to be compliant with applicable security driven regulations.

Figures like these don't bode too well for the Indian enterprise. It is time to look at the problems or mistakes that many organizations make in terms of security. We'll also examine four organizations that have their security fundamentals right.

Combating the fortress syndrome

The typical security set-up in an Indian organization is like this. There's a firewall in place along with an Intrusion Detection System (IDS). The anti-virus solution has been set up quite sometime back. All the right patches are in place. But does this make the enterprise's security infrastructure complete and adequate?

The truth is that only the technological aspect of security is complete. This is one of the biggest mistakes that many organizations tend to make. Security does not end with deploying technology. With this kind of a set-up, the enterprise is very similar to that of a fortress. There are huge walls and sentries on the perimeter, but it's virtually defenseless on the inside. Imagine what might happen once an intruder gets in. Or worse than that, a disgruntled employee unleashing his frustration by causing damage to network resources. How do you cope with such threats?

This is where measures like security policies are required. A properly drafted security policy helps ensure that your organization's security does not resemble the coconut model—hard layers outside, soft layers inside.

'Policy'ing security

The biggest problem impeding proper security implementation is the lack of proper information security policies. A security policy basically helps an organization identify the rules and procedures regarding the use of IT to ensure confidentiality, integrity, and availability of data and resources.

Not many Indian organizations have a security policy. Ernst & Young's Global Information Security Survey shows that 40 percent of Indian organizations lack formal security management processes or written policies. This basically means that a large number of enterprises don't have proper and documented methods to manage their organization's security. It is high time Indian organizations get serious about this foundation of IT security.

A security policy has to be periodically reviewed and modified according to changing situations. Network Magazine's Infrastructure Strategies 2003 Survey shows that 29 percent of Indian organizations do not have a fixed frequency for security policy reviews, while 14 percent do it just once a year. Ideally, these reviews should be done at least once in six months to avoid the policies getting outdated. Fig 1 shows a detailed view of the findings on this front.

A security policy has to be developed with active involvement of the business. Security is a business issue and it is imperative that the senior management is involved if the security policy's objectives have to be met. Another important point to note is that user training, security audits, and strict policy enforcement checks need to be done at regular intervals. Without this, it is just a matter of time before the security policy is forgotten.

The financial sector is again a leading example to illustrate proper use of security policies.

"Financial institutions lead the field when it comes to security policies. They are top of the class and can be compared to any of the international organizations," said Dr Sourav Dutta (VSNL).

But other organizations have a long way to go. Let us now look at some Secure Organizations in India, which are among the best in terms of best practices and technology implementation.

"A major part of the job is non-IT. This involves conducting periodic workshops across the country, educating users about the importance of IT security, telling them how threats arise and how users themselves play an important role in preventing attacks" Mani B Mulki, GM (Information Systems), Godrej Industries

Secure Organization 1: Godrej Industries

Godrej Industries believes that just having security systems is not enough, if the objective is a really secure organization. This goal can be achieved only with secure security policies and its rigorous enforcement.

For this, it is necessary that IT policies are treated as any other policy, like an HR policy or an audit policy. Like any other business policy, Godrej's security policy has the synchronization and alignment of the top management before it is released. Their signoffs are obtained on the elements of the security policy and the punitive measures.

Mani B Mulki, General Manager (Information Systems), Godrej Industries Ltd. said, "The policy has to come from the business. It is very important since a system attack could have major business implications. For example, an attack might give a person access to sensitive e-mail."

Godrej's security policy is aligned with the company's top management, and it also involves continuing education and rigorous follow-ups—every three months throughout the country for new users as well as for existing users. On the e-mail front, Godrej's security policy is clear about how e-mail should be used—type, content and size. Godrej also has policies like those for Net surfing—more specifically, the sites that can be accessed and downloading of files.

Having a security policy is not enough. It is more important to efficiently administer it. This happens only if security policy audits are done. The organization has a separate team that checks whether employees are following the policy.

"In consultation with business and HR, we administer punitive measures for errant employees. Unless this is done, participation of employees cannot be solicited," said Mulki.

The organization believes in ongoing user education to ensure that security of the organization is not compromised. "A major part of the job is non-IT. This involves conducting periodic workshops across the country, educating users about the importance of IT security, telling them how threats arise and how users themselves play an important role in preventing attacks," added Mulki.

Godrej has a full fledged IT security team dedicated to securing the IT system. They also have a consultant specializing in network security on a full time basis. The team checks password strengths on a regular basis. Employees are then alerted if their passwords are weak. An external security consultant has also been employed to check security and system patches on an almost daily basis.

On the security solutions front, anti-virus at the desktop, on the gateway, server and exchange level are used. Unless an organization is protected at these levels, it's not possible to have a comprehensive anti-virus protection. Anti-virus solutions from different vendors have been deployed to ensure better availability and protection levels.

A content filtering system with its own anti-virus is used to scan contents of all incoming and outgoing e-mails. What is noticeable here is that most companies deploy content filtering only at the gateway level, bypassing internal mails. Godrej's system is configured in such a manner that any e-mail, internal or external has to pass through the content filter. E-mails not adhering to the policy are filtered out. This process also keeps a check on Spam and viruses.

A firewall and IDS solution is used in the internal network. Another dedicated firewall has been deployed to protect Godrej's servers hosted on the Internet. Full time IDS monitoring is done to detect suspicious activity.

Godrej Industries claims it hasn't had too many security problems. "A couple of years back, our e-mail server was used as a relay server. It was intruded and that caused a breakdown for over 48 hours. We could stop it immediately, but the moment it was intruded, it got blacklisted and it took us 48 hours to get it unlisted. During that time, mails going from the server bounced back. Apart from that, we haven't had any major problems," said Mulki.

"The security policy describes dos and don'ts clearly. When a user is given Internet access, there are additional rules that have to be signed. From an administrative perspective we have defined the HR and security policies, and taken sign-offs from different people" Sanjay Sharma, Head-Information Technology, IDBI Bank

Secure Organization 2: IDBI Bank

For IDBI Bank, security implies more than just compliance to RBI mandates or putting systems in place. The bank treats security as more of a business issue than a technical issue.

Sanjay Sharma, Head-Information Technology, IDBI Bank said, "We are mandated by RBI to have an information security officer. His role is to take care of the security perspective of the complete infrastructure. However, security cannot be driven by one individual, it has to be driven by the top management."

At IDBI Bank, this has been achieved by the formation of an information security steering committee that includes the CEO and other top management officials. The committee reviews and deals with issues right from making a security policy for the bank to enforcement and making changes. The policy is updated at regular intervals.

"The security policy describes dos and don'ts clearly. When someone is given Internet access, there are additional rules that have to be signed. From an administrative perspective we have defined the HR and security policies, and taken sign-offs from different people," said Sharma.

IDBI Bank believes that it is only a proper combination of technology and HR policies, that really works during security policy enforcement. It has clear-cut HR policies on this front, with punitive measures. For example, if a user is viewing a site he is not supposed to, it comes into the log. The list of such errant employees is presented to the steering committee. The bank has appropriate HR policies that allows the organization to take action against such users.

The next factor that the bank focuses on is security awareness. This is where education and training plays a major role. The organization conducts security campaigns, and quizzes among users over its intranet, complete with prizes for winners. These are incentive-driven programs that increase user awareness. The bank also has an internal IT magazine.

On the technical side, IDBI Bank has a dedicated team for security. They also make use of external agencies for periodic security checks and auditing. The biggest advantage that the bank has is its centralized architecture. The entire network is managed by a single data center. This tightly controlled environment eases issues like patch management and anti-virus management.

Any application hosted on the Internet is tested thoroughly for functionality as well as from the security viewpoint. Based on the specific application needs, only the required services and ports are enabled. Routine intrusion detection tests are also conducted before hosting it on the DMZ.

Anti-virus solutions and scanners are used to scan network traffic and e-mail. The organization has complete restrictions on things like forwarded e-mails, downloading files, and attachment size. If software has to be downloaded, it has to be first tested by the IT team before it can be installed on the user’s PC. Blocking is done at the gateway. Since all branches use browser based core applications, the main anti-virus server is at the central site. This also keeps track of the update status on the PCs across the network. Local PCs have anti-virus agents, which makes central monitoring and updating of desktops possible.

IDS logs are checked using tools, as well as trend analysis. "We have seen that a combination of both really works," said Sharma.

"A code of conduct is in place for employees, which covers any misuse of office facilities. We are also in the process of finalizing the security policy approval which will help us take prompt action against errant users" R P Singh, Executive Director (Integrated Information Systems), BPCL

Secure Organization 3: BPCL

In addition to being a leading Indian manufacturing company, Bharat Petroleum Corporation Limited also has an extremely secure IT setup. According to BPCL, this is necessary to mitigate security threats to boost business efficiency.

"Loss of productivity can occur from different security threats like viruses, hacking attempts, spam, errant users, etc. We have a code of conduct for employees, which covers any misuse of office facilities. We are also in the process of finalizing the security policy approval which will help us take prompt action against errant users," said R P Singh, Executive Director (Integrated Information Systems), Bharat Petroleum Corporation Limited. BPCL believes that the best way to do this is by bringing about a sense of responsibility among the users. The latest technology is of no use unless the entire organization participates in promoting IT security. This participation is ensured through user training programs.

Another aspect of security enforcement is to ensure that users know they are monitored. "This is done through means like our website filtering tool. Users get alert messages if they try to access unwanted sites. This helps a lot in enforcing policies," said R P Singh. Measures like these reduce the chances of users misusing IT resources.

On the technical front, BPCL secures its systems by reducing the area of exposure, number of open ports, and the servers open to the Internet. Standard mechanisms like firewalls, IDS, and patching are also used to prevent security breaches. IBM Tivoli's Software Distribution module is used by BPCL for applying system patches.

Anti-virus systems have been deployed in the BPCL network at multiple levels. Anti-virus solutions at the gateway, desktop, and the browsing interface help prevent virus attacks. BPCL's anti-virus solution has its own centralized signature distribution through redistribution servers across the LAN and WAN. Content filters installed in the network ensure that spam does not get into the network.

User level access is done at BPCL through SAP, which has tight control on this front. Exchange public folders are used to share information in a controlled manner.

Anil Patrick R can be reached at anilpatrick@networkmagazineindia.com

 
     
- <Back to Top>-  

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.