Information security

At the network level

Java Girdhar, Country Manager - India and SAARC, Juniper Networks, tells Soutiman Das Gupta which aspects of information security will gain importance—and why it's important to first secure the network.

How important is information security for Indian companies today and in future?

As long as companies need to protect their information from competitors and other parties, information security will be an essential element of business. Traditionally, security was viewed as a protector of critical assets and resources from the untrusted or outside world.

This is no longer the case. Security has assumed more importance today. Networks are no longer segmented on the basis of trust and distrust. For today's enterprise, security is not about restricting access to business-critical resources and applications. Information security provides enterprises strategic value to address some of the most critical challenges such as improving competitiveness, reducing operational risks and allowing ubiquitous access to various services without compromising on security or performance.

Many organisations have to follow stringent statutory requirements. Sufficient and properly administered network security is important to meet these guidelines. With the increasing adoption of the Internet for business use, connectivity is available anywhere. The challenge is to use this medium securely and allow access to all business users including vendors, suppliers and business partners.

What aspects of information security are set to gain centre stage in India over the next few months?

Integrating networks and applications with the Internet and simultaneously safeguarding them from virus attacks will be the main aspect of security. It is becoming increasingly critical to open up networks and make them accessible from external locations as well. The opening up of networks has facilitated the use of the Internet as a necessary evil against which networks need to be secured.

Demands for virtual private networking, and especially SSL-based VPN technology, have been growing at an impressive rate. The APAC market for SSL VPNs has grown by 37 percent in just one quarter, from Q2 04 to Q3 04 (Frost & Sullivan). My company leads this market, with 31 percent marketshare (APAC Q3 04) and we have experienced significant demand for this element in a secure and assured network environment.

Why is it necessary to deploy information security solutions at the network first?

The network carries all the sensitive information that a business uses. Network security is undergoing a paradigm shift. It is imperative to deploy security solutions from the ground up level so that the information, which the receiver will get, is not hampered. These networks are the carriers of most critical data, which makes them the most essential level where security solutions need to be deployed.

It is important that an organisation views its network as a single 'untrusted' network and then deploys appropriate checks and controls based on the resources and applications being accessed, when, from where and by whom.

If network security comes first, what are the other steps and levels?

There is no silver bullet to security. Companies can evolve and use a layered security approach to protect their remote users and sites, regional offices, the network perimeter and the network data centre/core.

It is a generally accepted fact that intrusions and attacks are inevitable and that a layered security strategy comprised multiple layers of complementary security technologies-all working together help minimise risk by presenting multiple barriers to attackers. A layered approach can also provide network administrators more time to react, allowing them to modify the security posture of the network infrastructure to prevent further damage at all levels.

Do the current security solutions address information security at the network level? Why do you feel that this requires special importance today?

Information security is an ongoing process. As the technology advances, there will be more viruses and hacking tools that will threaten the networks. It is, therefore, important to upgrade security measures constantly.

Network security approaches change with changes in the business environment. As networks become more robust, it becomes even more important to apply stringent security tools.

Do you believe that point solutions is a better approach or can companies use security Multi-Function Devices (MFDs) that combine the functionalities of a firewall, IDS and anti-virus?

With regards to our company, we have point solutions, but we are also moving to MFDs with our Endpoint Defence Initiative. Beyond this, it is important to look at each threat that is posed to the network independently and then deploy solutions individually to counter the threat.

In your opinion, what are the common mistakes most CIOs make when it comes to information security? How can they rectify these mistakes?

Products by themselves cannot provide complete security. CIOs must always advocate a holistic 'big picture' approach to network planning. Most businesses today have deployed one or more security products in their network.

However, the core issue is to build information security guidelines first in accordance with their business needs. Once guidelines are formulated, they should be translated into a framework of policies and processes. The network security architecture can then be developed in accordance with these. The architecture must be based on open standards and be flexible and scalable. It should also allow integration of new security technologies that the organisation might want to leverage to gain business advantage.

What are the three essential points of advice that you'd give CIOs who would like to deploy a reliable information security architecture for their organisation?

The CIO must ensure that the enterprise uses layered security architecture to maintain security at every point. Security guidelines must be aligned with the implementation of the layered architecture. Further, security audits should be done periodically to keep security measures up-to-date.

Soutiman Das Gupta can be reached at soutimand@networkmagazineindia.com