/dq/media/agency_attachments/UPxQAOdkwhCk8EYzqyvs.png)
Follow UsThe benefits of managed security services are much higher than that of
traditional security architecture. They offer customized, processed and
real-time security infrastructure, wherein the client headache is minimal and
protection is maximum. In a nutshell, managed security services (MSS) are
nothing but the outsourcing of security infrastructure and management.
However, most of the CIOs believe that total outsourcing of security
management is not a healthy proposition, as by doing so one has to give away
axis to sensitive data to an outsider that can be dangerous. Also, there might
be lack of transparency on the vendors part in case any problem arises within
the infrastructure. To play it safe, they advice to embrace a policy to get the
best of both the worldsto outsource the hardware management aspect, while
keeping the policy-making and infrastructure control in-house.
Have a Controlled Approach
Vikas Guru, deputy GM, IT, MTNL
With the growing demand for telecom services in the country, service
providers are going all out in providing improved and effective connectivity
services to the customers. And with the advent of mobile and broadband
technologies, telecom services have become vast and more complicated. Further,
with increased value added services (VAS) offered by the telecom vendors,
security has become a vital area to be addressed.
With a wide range of services offered by MTNL through its landline, mobile
and broadband services, and a vast customer base, the organization has to
implement a robust security infrastructure and constantly upgrade the same.
Unlike before, when MTNL had mainly a well-defined password management and other
basic security management systems in place, today it has to install an advanced
security architecture complying with the various security regulations.
/dq/media/post_attachments/5abd623af21f9370c30de2b288b2d69a61548775c3558f896d5bfe2ca7bb581d.jpg)
To meet the present day demand, MTNL has recently modified and consolidated
its security policies. As part of the development, MTNL has included third-party
audit system under its current security framework. We will be soon implementing
the same. Keeping in place the current scenario, it is very crucial to undergo
third-party audits as well as take expert consultation on latest threats and
security solutions to counteract them, explains Vikas Guru, deputy GM, IT, MTNL.
However, total outsourcing of security services is yet to be considered. MSS
has its own advantages and we have our plans to consider it in near future. We
are evaluating the probabilities keeping in mind all the security norms that we
have to follow, he says.
According to Guru, outsourcing security management services is important as
the entire process is handled by experts and hence, it eases out the job of
internal IT team who can focus more into strategic works to enhance the core
business competencies by deploying improved and cost efficient IT
infrastructure. However, as far as the policies and strategic management of the
security system is concerned, the control should be kept in-house.
Mix n Match
Srinivasan Iyengar, head, IT and change management, Aegon Religare
There are critical security issues that an insurance company CIO has to deal
with. And these issues only assume more magnitude if your insurance business is
as young as a year and unlike a majority of businesses, has two data centers up
and running.
/dq/media/post_attachments/8cba72278984202929d2c83e368106eb0c19f4dddb083a208b161357fd378d9f.jpg)
And this is what has become a major challenge for Iyengar, who classifies
security into four basic areas: hardware infrastructure security, data center
support, user id related security, and customer security. Given so many crucial
security management points, Iyengar has adopted a mix and match approach.
While his primary data center is completely outsourced, his secondary data
center is hosted by his team in the head office and is managed by a third-party.
The same mix applies to the user id domain. While its creation is managed by a
third-party, the controls and management lies with Iyengars team only. When
asked the obvious question of why not go for a completely outsourced or in-house
model, Iyengar crisply gives a few pointers. Firstly, some activities are
routine for which resources/services are easily provided by outsourced vendor,
and more importantly, for all other checks and controls we would like our team
to personally monitor/review the work and hence full outsourcing is not
appropriate.
When it comes to the customers security, Iyengar has no taste for mix and
match. We automatically generate passwords including the ability of our
customers to create their ids based on real-time authentication, secured access
and certified websites. Besides, we dont store any financial details of the
customers. We direct all payments to the gateway site which makes the process
most secure, he says.
His take on managed security services is, It is something that every CIO
should look into, but with a lot of caution. A very strong governance and
evaluation process is required if you go the managed services way. But most
importantly, you should never lose control over any part of your organizations
security, he says.
Not a Childs Play
Amit Gupta, VP, IT, Fidelity Business Services
With increased sophistication of threats and growing enterprise networks,
security management has become a bigger challenge. The concern is higher when it
comes to dealing with critical customer data (financial). Although outsourcing
security services at enterprise level is gaining momentum in India, for Fidelity
Business Services, things work in a different manner.
Our core business area revolves around managing peoples money. Maintaining
security is the key concern in our business and cannot afford to play with
that, says Amit Gupta, VP, IT, Fidelity Business Services. Managing
securityboth data and investmentis of utmost importance for us. One breach
anywhere and our market credibility will be lost, not mentioning about the
financial loss and legal hassles that we have to undergo, he adds. To prevent
that, Fidelity has opted to continue with its in-house security management
system rather than going for managed security services.
/dq/media/post_attachments/12b1148f674643912f38aa604e95c4d24ce58758c43892de52174cca614984f5.jpg)
Keeping various security regulatory compliances in mind, Gupta has
implemented required security system based on latest available technologies and
has hired experts to manage it. Its a big challenge for us since the
responsibility is huge. Hiring and retaining the best of breed techies and train
them to keep updated with the latest threats and solutions is tough, admits
Gupta. But he has been doing so with great success.
Therefore, outsourcing security management services is being kept at bay now.
MSS has its own advantages as well as disadvantages. As of now we have taken
only consultation services and third-party audits to revise our security
infrastructure, informs Gupta. Agreeing upon the benefits associated with MSS,
like cost-effectiveness and less headache, as well as the domain knowledge and
professional services offered by MSS providers, Gupta pointed out the key
drawbacks for which his company has refrained from total outsource of its
security system, Any third-party service provider offers its services to 100 of
clients. Despite having required skills and expertise, we feel nervous as in the
process we will give away axis to sensitive data to outsiders that might harm us
and our customers. Therefore, for Gupta, the best way is to go for a hybrid
model that should be a mix of both.
Partial Outsourcing, Full Control
Arun Gupta, CTO, Shoppers Stop
When it comes to managed security services, Arun Gupta, CTO, Shoppers Stop
is quite clear about having the processes as well as the policies under his
supervision. As a result, there are certain organizational tools, that are
completely in-house, while some like servers, data centers, applications,
networks, and customer services are outsourced.
Shoppers Stop has seen an evolution in its outsourcing and managed services
modules during the last couple of years. This is only set to advance in the
coming twelve to eighteen months. Says Gupta Although we plan to outsource
more and more, strategy is something that we would keep in-house.
/dq/media/post_attachments/a0486e4fe032eac85df7819bfb25bad40daa44a15263380bd8023fef2eb79db1.jpg)
For online security, the entire software and hardware is on a SaaS model.
Also Gupta says, that he made sure that his vendor was PCI DSS compliant, which
is the highest level of security. Gupta is clear about the point that there can
be absolutely no compromise on the customer data. Thus, as a policy Shoppers
Stop has decided not to store credit card data and direct payments to a bank
site. Besides this, its own site is certified using Verisign.
Virtualization is the key when it comes to storage of crucial data. All the
storage of the organization is done in a highly virtualized environment, a
process that was initiated almost three years back. Says Gupta, Rather than
storage, data security is a matter of policy and access. He has, therefore,
taken over himself to extensively define the rules of access at different layers
of the organization.
His advice for CIOs looking at the managed services way is to take
outsourcing as an evolution, and not as a big bang. His mantra is to start
exploring, because in-house, according to him, wont be possible forever. You
wont be able to retain the talent that can handle multiple threats that come
your way all the time. So, its wise to start exploring the outsourcing path,
because you shall certainly see value in the long-run.
Piyali Guha & Mehak Chawla
piyalig@cybermedia.co.in,
mehakc@cybermedia.co.in