Cover Story: Security
Towards a secure tomorrow
Over the years, IT security in the Indian enterprise has
progressed from being a non-entity to an integral factor that cannot be ignored.
Although there is much more to be desired on this front, these changes are indicators
that the Indian corporate is becoming aware of the need to be secure.
India may not be right up there with the best globally in terms of being secure.
But, the time when that happens is not that far away. While we may not exactly
achieve this in 2004, the year will certainly see significant steps being made.
One of the significant indicators in this direction is the increasing number
of organizations trying to get certifications like BS7799.
Stumbling blocks to security
The Indian enterprise generally lacks awareness and conviction, which results
in failure of security initiatives. Awareness is more important than the technology
"The shift from IT security being a vendor-driven initiative to a user-driven
initiative will happen only when the entire organization is aware of IT security,"
said Mani B Mulki, CIO, Godrej Industries.
"A major challenge in implementing proper security is lack of conviction.
This results in efforts limited to superficial security measures," said
C Kajwadkar, Vice President, NSE.IT. With such a perspective, security tends
to be superficial rather than really achieving its objectives. This
is one of the important reasons why the Indian information security market is
still more vendor-driven than user-driven.
There are financial and implementation issues in the way of security measures
as well. "On the other hand, the comprehensive perspective of 'enterprise
as a whole' also poses budget and implementation issues," Kajwadkar commented.
IT security is undergoing a major paradigm shift from being just an 'IT prerogative'
to a business sustenance need. Security policies are now being made with active
involvement of the top-level management.
Since the dot-com boom, Indian corporates have made increasing use of the Internet to connect
to partners and customers. Top management is becoming
more aware that disruptive factors like viruses and security breaches are major
business risks. This has been the prime factor behind the increase in security
User education, rather than just an emphasis on security policies, will be a very
visible trend in 2004. This is the best way to ensure that security policies do not end up
as some more documents gathering dust. "There needs to be better awareness
at the lowest level on an ongoing basis since the problem always begins there
and not at the top. So more end-user education is the trend we will see,"
said Rajiv Gerela, AVP-Technology, Wipro Spectramind.
Outsourcing of IT security is another area which is going to show a major increase.
Management of major e-commerce application servers is likely to be outsourced
to the datacenter hosting them. Or companies may outsource the function of monitoring
the organization's IDS logs to detect breaches.
"Outsourcing of security is going to happen in a major
manner this year. While you can't completely outsource your entire security
setup, it is necessary to have fully dedicated people to evaluate, and implement
it. One thing to note out here is not to give complete hand-over of security
control which could mean being taken for a ride," said Murali G, Head -
IT, SBI Life Insurance.
The reason behind this trend is that IT security requires highly specialized
and dedicated teams. This may not be a core priority for many companies who
may prefer to concentrate more on their core business. So it makes more sense
for such companies to outsource security. The level of security outsourcing
will depend on the company's comfort levels and is bound to vary in each organization.
Periodic IT audits are another aspect of security that will be outsourced.
These audits are of great use in evaluating the strength of an organization's
Dedicated security professionals
Security requires independent treatment, separate from IT. This realization
has led to many organizations going in for a team of dedicated security professionals
focusing full time on IT security.
"A new thing that the top management in fairly large
organizations have to prepare themselves for, is the need to set up a separate
IT security team. This team has to be separate from the actual IT team,"
said Mani B Mulki. A Chief Security Officer (CSO) is yet another IT security
trend that many Indian organizations will adopt in 2004. The CSO will be responsible
for handling the security infrastructure of an organization. As usual, the BFSI
segment is the forerunner on this front with many financial institutions already
Most organizations have started fighting spam due to clogging up of networks
and productivity loss. Although spam cannot be completely avoided, many spam
blocking solutions will be available in 2004 to control this menace. See Box:
Just in to see some of the other technology trends that will start
making their presence felt in 2004.
Anil Patrick R can be reached at firstname.lastname@example.org
A recent trend is to have a single point of control
for all the security solutions in the organization. In terms of convenience
of management, these solutions offer many advantages.
"Written policies and procedures apart, more proactive
monitoring functions and products which can track alarms across different
systems/LANs/IDSs, are going to be in demand by IT managers," said
Rajiv Gerela. These solutions are bound to find good rates of adoption
by the Indian enterprise in 2004.
An interesting trend in security is 'integrated security'.
"With focus on e-governance, the integrated security needs have gone
further beyond e-commerce. And with the concept of integrated security,
it is obvious that the adoption of devices/mechanisms including digital
certificates is inevitable," Kajwadkar opined.
The emergence of encryption measures is another trend that
is catching on. "Due to the large and increasing number of transactions
taking place over the Internet, encryption products is an area likely
to grow this year," said Mani B Mulki.
Here's what a few vendors and service providers have
to say about security in the Indian enterprise in 2004.
K.N.Prasad, Head- Marketing & Alliances,
Apara Enterprise Solutions
"Customers will start looking at security holistically instead of looking
at packaged solutions in 2004. Large enterprises will adopt the BS 7799
information security framework with MNCs and ITES companies leading the
pack in implementation and certification. Companies will start addressing
content security concerns, which directly affect user experience and hog
organizational resources. Spam prevention solutions and services look
promising. Customers are also concerned about storage security. Providing
security to data at rest and in flight will be a challenge."
Naresh Wadhwa, Vice President, Cisco Systems,
(India & SAARC)
"Security is an integral part of any network infrastructure today
and enterprises are taking proactive steps to secure their networks. They
are increasingly investing in a comprehensive security suite as against
point products/solutions. Network Security for Indian enterprises is fast
becoming a key differentiator rather than an afterthought."
Venkata Subramanian, Project Manager, Computer
"Companies are undergoing a process of improving information
security ensuring confidentiality, integrity and availability of mission
critical systems and data resources. These efforts are often managed at
the business unit level with a focus on the information availability required
in today's integrated real time business world."
Joyjit Chatterji, Vice President, Comsat Max
"In 2004, it's expected that enterprises will invest in bigger
numbers to create a strategy to have defined recovery in a period of time
from disasters. The solution will be selected by balancing the cost of
such a solution with criticality of IT infrastructure in the business
process. Service providers offering end-to-end solutions will find favor
and vendors will either develop the expertise or tie up with other vendors
to complete the solution."
Kalyan Kumar, Technical Marketing Manager, Converged
Networks Business Unit, HCL Comnet
"Properly designed networks aimed at high availability, recoverability
and data integrity will provide enterprises with a reliable and secure
e-network infrastructure for conducting business in 2004. Moreover, companies
are increasingly going into security processes like BS7799, which are
Soundararajan S, Head - IT Infrastructure &
Security Consulting, Infosys
"Chief Information Security Officers (CISOs) will become a necessity
and will be as invaluable as the CEO. Security will evolve from being
a reactive technology to more proactive technology. As is the case with
enterprise security, top management involvement in the business continuity
roadmap will become a must."
Sharad Sanghi, Managing Director, Netmagic Solutions
"2004 will definitely see a growth spurt in the DR segment. SEBI
guidelines for the Banking and Finance Industry, which mandate that financial
Institutions like Banks and Mutual Funds need to have DR measures in place.
BPOs and call centers also need to have their DR, security, and BCP well-established
to lure offshore clients, and conform to standards like COPC, BS7799,
and HIPAA. Add to this mix of factors is a resurgent global economy, which
allows enterprises to bolster their IT budgets, network security, DR,
Kartik Shahani, Country Manager - India, Network
"The Real Time Enterprise of 2004 will see network decision makers
focus on 'Proactive' security solutions. Another trend enterprises will
benefit from through 2004 is the adoption of a multi-phased/layered defense
that would protect the corporate's IT infrastructure from both known and
unknown attacks. 2004 will see the CTO evolve and demand more from his
security providers: an expert security service that can identify, assess
and protect his key assets."
Rahul Swarup, President, Enterprise Solutions,
"Evolution of enterprises from deploying stand-alone products for security
as opposed to a holistic security readiness scenario, driven by business
exigencies will be seen in 2004. While enterprises may look at deploying
and managing their security infrastructure internally, the complexity
and the drain away from core business will trigger outsourcing of security
infrastructure as has been witnessed in the networks/datacenter spheres.
Enterprises will no longer need to shop with multiple vendors as there
is an evident rise in players providing end-to-end security solutions
ranging from products to consulting."
Joy Ghosh, Enterprise Sales Director, ASEAN and
"The security conscious like banks will be the front-runners in 2004
in the move towards the integration of multiple security technologies,
as opposed to the current best-of-breed approach. This will be done both
at the product and management level, to make security more holistic and
easier to manage."