
For a Safer Tomorrow

DQI Bureau

The last 12 months have seen a great increase in the importance of enterprise security. Seminars and road shows on the topic have become a common feature, with vendors and experts pitching their expertise at these forums. Spurred by this awareness, an increasing number of enterprises have gone in for enhanced security solutions.


Perimeter solutions



Enterprises seem to be going in for greater IT security deployment. This is also reflected in the robust growth of the security market. A Gartner Dataquest survey estimates the worldwide market for security solutions to grow up to $4.3 billion this year, up 18% from $3.6 billion in calendar 2001. The Indian market for information security is currently estimated to be between Rs 150-175 crore (Nasscom-IDC estimates) and is expected to grow at 25-30% annually.

The security market in India, however, is still in its nascent stages and is largely restricted to the purchase of anti-virus software and firewalls. But this will change as the market matures, with organizations becoming aware of the need to have an integrated security policy that addresses all areas of concern and not just perimeter security.

Most SMEs are in the first phase of the security cycle. Corporates, mainly in the financial sector, would generally be a step ahead and will step in to secure directory architecture and cross-platform user administration.


The last year has also seen a perceptible shift in the service offerings of the larger system integrators, from building security practices (audit, consulting, policy matters) to offering high-value services to customers. Most of the large system integrators and resellers have already set up a dedicated division solely to address Internet security.

According to the latest PwC-CII (PricewaterhouseCoopers-Confederation of Indian Industry) survey on IT security, virus attacks account for a majority of security breaches, with more than 75% of respondents indicating the same. About 9% of respondents reported a denial-of-service attack. Coming to the method of attack, exploiting operating system vulnerabilities seems to have become the most common mode of attack. This was followed by basic-level security lapses such as poor access controls and human error. Vaidyanathan Iyer, national manager, security solutions, Computer Associates, points out that organizations have gradually realized the need to have a security solution that addresses all areas of an organization’s e-business defense.

Goh Chee Hoh, regional sales director, Trend Micro, talks about the noticeable trend among large corporates of investing in perimeter security solutions.


Stress on finance and telecom



Given the nature of their business, banking organizations, especially the private banks and insurance companies have invested heavily in security solutions. Says Cisco India’s vice president systems engineering, S V Ramana, "Even today, most corporates neglect the security aspect while designing their networks."

All businesses which are connected to the net are, for all practical purposes, at risk. Of these, the segments that run mission-critical data have been most proactive and can be classified among the early adopters. At the same time, public sector banks would still be in the process of completing their networking exercise and hence demand greater security measures. Banks and financial institutions would be most susceptible to security attacks. A vulnerability index developed by US-based Computer Economics puts banks and financial institutions at the top of this list. The PwC-CII survey indicates that over 75% of financial institutions reported having suffered a security breach in the previous year.

While segments such as power and manufacturing have usually stressed ERP and SCM, security has not been their key priority. The government sector is also catching up in a big way, though the existence of legacy systems is a hindrance.


Off-the-shelf approach



A comprehensive approach towards addressing security would mean more than just deploying products off the shelf. But as Rajeev Wadhwa, COO, Esecure, says, "Setting up of best practices would be critical for organizations to ensure security."

Calculating Return on Security Investment (RoSI)

For many years, the return on security investment has been a concept that has not been tangibly linked to the bottom line. A positive RoSI could mean not losing productivity to a virus attack. But then, these are not directly linked to profits. The CFO, to whom in most cases the CIO reports, is more concerned about the cost-benefit analysis.

In the US, researchers from MIT’s Sloan School of Management and security consultancy firm @stake have assigned a numerical value to RoSI. This was done after a careful study of projects where secure practices were introduced into the software engineering process. The results show that an early build-up of security analysis and security engineering systems indicates a higher RoSI.

| Implementation Phase | RoSI |
|---|---|
| Design | 21% |
| Implementation | 14% |
| Testing | 12% |

The study also found that security created greater efficiency of approximately more than 3% when systems were correctly configured and unused processes were shut off to maximize a machine’s security and performance.

There needs to be greater realization of information security as crucial to an organization’s business planning process, as opposed to being treated as an IT problem within these segments. The biggest challenge for any organization would be to avoid a security breach which would damage their reputation, cause them to lose customers, open them up to lawsuits, or cause regulators to step in.


This, in turn, would entail formulation of an adequate security policy. The next step would be to go in for the deployment of the best tools in areas such as authentication, encryption, access control, intrusion detection etc.

Unlike other categories in the infotech industry, technologies used in various security fields are totally different and usually not related. Success in one field does not represent success in another. Therefore, it is very important to choose the best solution in each field to maximize protection for the company. The third step would involve the scalability of the security solution and vision of the solution provider. A good security solution needs to be scalable so that the company can preserve investment on security solutions and still meet its security needs during growth.


According to CA’s Iyer, "The lack of a well-defined security policy is perhaps one of the main reasons why most Indian organizations do not practice a holistic and focused approach to security. Though these studies reflect practices in large enterprises, it is indicative of the attitude towards security across businesses. Nevertheless, the bright spot is that the organizations have woken up to the danger and are serious about Internet security today. A secure environment is a prerequisite to successful e-business."

Sector Vulnerability

Banking and finance organizations are among the most susceptible to privacy management issues

| Relative Vulnerability | Industry Segment |
|---|---|
| 100 | Banking and Finance |
| 97 | Transportation |
| 85 | Wholesale |
| 83 | Retail |
| 76 | Discrete Manufacturing |
| 71 | Professional Services |
| 66 | Trade Services |
| 66 | Utilities |
| 64 | Process Manufacturing |
| 61 | State and Local Govt |
| 59 | Healthcare |
| 51 | Insurance |
| 46 | Federal Government |

Source: Computer Economics

Goh Chee Hoh of Trend Micro adds, "We see a lot of companies in Asia experience security breaches because of an inappropriate security policy. For example, some companies tend to use desktop based anti-virus packages on their LAN, leaving the anti-virus jobs to the helpdesk in the IS department. They experience repeated virus infections, and spend a lot of human resources to handle virus infections. Some of them even experienced huge losses in major virus outbreaks like ILOVEYOU and Melissa."

Surendra Singh, country manager, RSA Security, says, "There is an increasing awareness among enterprises that security products implemented do not ensure comprehensive security for the enterprise. Hence ensuring security through the redesigning of network and access methodology is gaining popularity." DMZ (demilitarized zone) design, honeypots, and layered security approaches are among the new architectures that are gaining popularity.


Among other trends, managed service providers are expected to gain popularity in the near future. Globally, there is a trend towards outsourcing Internet security services. Corporates globally are attracted to outsourcing security because outsourcing can provide an aggregation of expertise and experience that would be impossible to replicate in-house.

Security Service Providers (SSPs) are definitely gaining popularity in the west. But does the same apply to India? Rajeev Wadhwa of Global Esecure opines, "SSPs in India are still at a nascent stage of evolution and would thus need to strengthen their delivery mechanism as well as the QoS to ensure confidence among corporates of their abilities."

The increased awareness of IT security among corporates is indeed a welcome development. But this is clearly not enough and the next phase should involve an integrated approach for securing the network better.

Amit Sarkar in New Delhi
