The last 12 months have seen a great increase in the importance of enterprise
security. Seminars and road shows on the topic have become a common feature with
vendors and experts pitching their expertise at these forums. Spurred by this
awareness, an increasing number of enterprises have gone in for enhanced
security solutions.
Perimeter solutions
Enterprises seem to be going in for greater IT security deployment. This is
also reflected in the robust growth of the security market. A Gartner Dataquest
survey estimates the worldwide market for security solutions to grow up to $4.3
billion this year up 18% from $3.6 billion in calendar 2001. The Indian market
for information security is currently estimated to be between Rs 150-175 crore (Nasscom-IDC
estimates) and is expected to grow at 25-30% annually.
The security market in India however, is still in its nascent stages and is
largely restricted to the purchase of anti-virus software and firewalls. But
this will change as the market matures with organizations becoming aware of the
need to have an integrated security policy that would address all areas of
concerns and not just perimeter security.
Most SMEs are in the first phase of the security cycle. Corporates, mainly in
the financial sector would generally be a step ahead and will step in to secure
directory architecture and cross platform user administration.
The last year has also seen a perceptible shift in the service offerings of
the larger system integrators- right from building security practices (audit,
consulting, policy matters) as well as offering high value services to
customers. Most of the large system integrators and resellers have already set
up a dedicated division solely to address Internet security.
According to the latest PwC-CII (Pricewaterhouse Coopers-Confederation of
Indian Industry) survey on IT security, virus attacks account for a majority of
security breaches with more than 75% of respondents indicating the same. About
9% of respondents reported a denial of service attack. Coming to the method of
attack, exploiting operating system vulnerabilities seems to have become the
most common mode of attack. This was followed by basic level security lapses
such as poor access controls and human error. Vaidyanathan Iyer, national
manager, security solutions, Computer Associates points out that organizations
have gradually realized the need to have a security solution that addresses all
areas of an organization’s e-business defense.
Goh Chee Hoh, regional sales director, Trend Micro talks about the noticeable
trend among large corporates of investing in perimeter security solutions.
Stress on finance and telecom
Given the nature of their business, banking organizations, especially the
private banks and insurance companies have invested heavily in security
solutions. Says Cisco India’s vice president systems engineering, S V Ramana,
"Even today, most corporates neglect the security aspect while designing
their networks".
All businesses which are connected to the net for all practical purposes, are
at risk. Of these, the segments that run mission-critical data have been most
proactive and can be classified among the early adopters. At the same time,
public sector banks would still be in the process of completing their networking
exercise and hence demand greater security measures. Banks and financial
institutions would be most susceptible to security attacks. A vulnerability
index developed by US based Computer Economics puts banks and financial
institutions at the top of this list. The PwC-CII survey indicates that over 75%
of financial institutions reported having suffered a security breach in the
previous year.
While segments such as power and manufacturing have usually stressed on ERP
and SCM, security has not been their key priority. The government sector is also
catching up in a big way, though the existence of legacy systems is a hindrance.
Off-the-shelf approach
A comprehensive approach towards addressing security would mean more than
just deploying products off the shelf. But as Rajeev Wadhwa, COO, Esecure says,
"Setting up of best practices would be critical for organizations to ensure
security."
|
There needs to be greater realization of information security as crucial to
an organization’s business planning process, as opposed to being treated as an
IT problem within these segments. The biggest challenge for any organization
would be to avoid a security breach which would damage their reputation, cause
them to lose customers, open them up to law suits, or causes regulators to step
in.
This in turn, would entail formulation of an adequate security policy. The
next step would be to go in for the deployment of the best tools in areas such
as authentication, encryption, access control, intrusion detection etc.
Unlike other categories in the infotech industry, technologies used in
various security fields are totally different and usually not related.
Success in one field does not represent success in another. Therefore, it is
very important to choose the best solution in each field to maximize protection
for the company. The third step would involve the scalability of the security
solution and vision of the solution provider. A good security solution needs to
be scalable so that the company can preserve investment on security solutions
and still meet its security needs during growth.
According to CA’s Iyer, " The lack of a well-defined security policy
is perhaps one of the main reasons why most Indian organizations do not practice
a holistic and focused approach to security. Though these studies reflect
practices in large enterprises, it is indicative of the attitude towards
security across businesses. Nevertheless, the bright spot is that the
organizations have woken up to the danger and are serious about Internet
security today. A secure environment is a pre requisite to successful
e-business."
Sector Vulnerability |
|
Banking and finance organizations are among the most susceptible to privacy management issues |
|
Relative Vulnerability |
Industry Segment |
100 | Banking and Finance |
97 | Transportation |
85 | Wholesale |
83 | Retail |
76 | Discrete Manufacturing |
71 | Professional Services |
66 | Trade Services |
66 | Utilities |
64 | Process Manufacturing |
61 | State and Local Govt |
59 | Healthcare |
51 | Insurance |
46 | Federal Government |
Source: Computer Economics |
Goh Chee Hoh of Trend Micro adds, "We see a lot of companies in Asia
experience security breaches because of an inappropriate security policy. For
example, some companies tend to use desktop based anti-virus packages on their
LAN, leaving the anti-virus jobs to the helpdesk in the IS department. They
experience repeated virus infections, and spend a lot of human resources to
handle virus infections. Some of them even experienced huge losses in major
virus outbreaks like ILOVEYOU and Melissa." Surendra Singh, country
manager, RSA Security says, "There is an increasing awareness among
enterprises that security products implemented do not ensure comprehensive
security for the enterprise. Hence ensuring security through the redesigning of
network and access methodology is gaining popularity." DMZ design
(Demilitarized zone design), Honeypots, and layered security approaches are
among the new architectures that are gaining popularity.
Among other trends, managed service providers are expected to gain popularity
in the near future. Globally, there is a trend towards outsourcing Internet
Security Services. Corporates globally are attracted to outsourcing security
because outsourcing can provide an aggregation of expertise and experience that
is something that would be impossible to replicate in-house.
Security Service Providers (SSPs) are definitely gaining popularity in the
west. But does the same apply to India? Rajeev Wadhwa of Global Esecure opines,
"SSPs in India are still at a nascent stage of evolution and would thus
need to strengthen their delivery mechanism as well as the QoS to ensure
confidence among corporates of their abilities."
The increased awareness of IT security among corporates is indeed a welcome
development. But this is clearly not enough and the next phase should involve an
integrated approach for securing the network better.
Amit Sarkar in New Delhi