‘Mobile devices are increasingly becoming the target of attacks’

A seasoned entrepreneur with over 2 decades of experience in the security domain, Ken Xie has pioneered many new concepts and technologies to combat

the ever-increasing security threats. In 2000, after recognizing that firewalls and

VPNs alone could not stop content and application network attacks such as viruses, intrusions, spam, and malicious web content, Ken founded Fortinet and introduced the concept of Unified Threat Management (UTM) that worked well with enterprises. In an interview with Dataquest, Xie speaks about the challenges in the security market and how enterprises can deal with some of the threats that are emerging. Excerpts

 

With enterprises becoming more and more connected, the need for network security seems to be increasing. What has been Fortinet's approach to manage security?

Yes, threats can enter the organization's network from common applications like email and web browsers as well as the latest social networking tools. Today's threats require complete content protection, which is more than simply identifying applications and allowing or denying the traffic. It is the application control coupled with identity based policy enforcement ofall content. Fortinet's unified threat management solutions provide the visibility which corporations need to detect hidden threats within legitimate content, even from trusted sources and authorized applications.

This means they can allow new applications into their network, but automatically block any malicious content or behavior.

There is a constant debate between unified threat management and best-of-breed approach. Do you see either side coming out the winner in the near term?

Traditionally, organizations use a point solution to protect themselves against each type of threat. Such standalone or ‘best-of-breed', security strategy often consumes huge amounts of money, resource, and management time. Disparate security devices and operating systems come with multiple maintenance and support contracts, multiple upgrade and replacement schedules, multiple licensing obligations, multiple training programs, and management resources. All of these add to the cost and complexity of an organization's security infrastructure and can have serious negative impact on up-time, availability, and performance.

More firms are realizing these disadvantages and are migrating to consolidated security platforms or UTM devices to reduce network complexity, switch Capex to Opex, and increase the efficiency of their security operations. The fact that the various security functionalities within a UTM appliance are produced

by one vendor typically also means better integration between these technologies.

Can IT play a role in turning the situation around considering that IT is now often the guiding force behind economic decisions?

IT can definitely make a difference in a challenging economic climate. By employing ICT strategies that are well aligned to the business, underpinned by the right technologies, companies can become radically more efficient and perhaps even revolutionize their business model. Security companies like ours can be trusted advisors to enterprises, counselling them not just on security strategies, but on how security could be leveraged to grow and enhance their business.

 

What is your perception of the change in enterprise customers' spending behaviour in this era of slowdown and constraints?

Security remains critical to the survival of businesses, so we are seeing continued spending in this area. However enterprises have become more discerning in their choice of vendor partner. Increasingly, to win a deal, vendors need to demonstrate not only their products' performance, but their ability to provide strategic value and boost RoI.

Strong customer references are also needed and enterprises need to be convinced of a vendor's long-termcommitment to the industry and their technology.

How is your organization dealing with the current economic situation?

While economic conditions are challenging, Fortinet has continued to perform above market growth rates in many countries around the world. In the last 3 years, we have diversified from our core UTM solutions to related products so that we can become an end-to-end IT security vendor, offering enterprises security that extends from the client, to databases, to web applications, to the overall network. This broad based solution portfolio is serving us well and we expect to continue to benefit from it globally across all sectors. We are also expanding into new markets in APAC and EMEA (eg, Indochina and parts of Africa) as well as moving beyond the tier-1 cities to tier-2 and tier-3 cities in existing markets. In India, our recent partnership with Redington, one of the country's largest IT distributors, is a good example of this strategy.

What is your view on the security challenges posed by the BYOD phenomenon?

BYOD provides a variety of advantages to organizations, ranging from improved productivity to increased RoI for IT departments which make the migration. However a BYOD environment also lacks many of the traditional security controls that organizations have relied on to secure their data, leaving gaps in their data, and device protection strategy.

There are a number of BYOD related pitfalls which the organizations are facing today. For example, many employees have found that mobile devices often do not have the same strict policy enforcement capabilities as desktop devices. This policy gap enables many employees to use.their mobile devices to access video streaming and other applications that are denied by standard corporate policy. With devices operating outside the confines of the traditional brick and mortar enterprises, the potential for data loss also increases significantly. Mobile devices themselves are increasingly becoming the target of attack.

What steps do you suggest to deal with such challenges?

In order to strike a balance between usability and security, organizations are taking a variety of steps. While some draconian approaches (such as denying all personal devices on the corporate network) might be warranted for extremely secure organizations, most organizations want to adopt a BYOD policy that offers some flexibility for users while enforcing corporate policies and adopting best practices.

The organization has to determine what devices

they will allow on the network and generate policies stating appropriate devices and acceptable behaviors.

 

What are your views on the increasing adoption of cloud based solutions? How does it affect the security needs of organizations?

Organizations of all sizes are both excited by the opportunities that cloud provides and concerned about the challenges posed by moving data and applications to the cloud. In spite of the potential for increased RoI and lower TCO, securing data in the cloud is often cited as the foremost concern by IT professionals looking to take advantage of cloud based services.

There are a variety of security challenges related to both private and public cloud computing. Two commonly cited ones are the exposure of sensitive data to unauthorized personnel and data loss. It is imperative that organizations look carefully at how its data will be prprotected as it enters, travels through, and leaves the cloud.

Is it true that customers today are more aware and cautious with respect to security management?

What has been your experience in dealing with customers over the years?

Yes, customers worldwide have become more savvy and discerning in terms of both their overall security management strategy, and the technologies they deploy. They demand higher RoI, more rigorous proof of vendors' claims, and a sound and long-term technology roadmap.

A solid portfolio of customer references is indispensible. Fortinet, through our consolidated security business model, comprehensive solution suite, and global customer successes is well placed to thrive in such an environment.

How do you see the Indian market? Tell us about your immediate plans and strategies for India.

The network security market in India is vibrant. In fact, networksecurity has been one of the top agendas to be handled by CIOs in the last 2 years, mainly due to the need to comply to government regulations.

The Department of Telecom has mandated that Indian telcos will be responsible for security of their own networks. They also should have organizational policy

on security and security management of their networks.

Likewise, the Reserve Bank of India's (RBI) mandate is also forcing banks to follow the guidelines laid down by it on information security. Following on these guidelines, banks have been drafting and implementing their IT security policies, and thus have been investing in network security solutions to curb their vulnerabilities against cybercrime and fraud.

Your thoughts on some of the emerging trends...

A trend we are seeing is the proliferation of mobile devices like tablets and smartphones that have allowed employees to access the corporate network from anywhere.

As these devices go beyond the security firewall of the organization, is it becoming a major task to secure these devices and monitor them. The larger enterprises have always been at the forefront for implementing security solutions, but in recent times, SMEs have started investing towards IT security. With more vendors and service providers providing security as a subscription based service, the market space for network security vendors in India has widened. In FY12, Fortinet India focused on 2 strong vertical practices ‘telecom and government' following the adoption of a vertical sales strategy approach. We will pursue the efforts initiated last year in expanding our channel ecosystem across India