Awareness of security requirements reached a new high
among Indian enterprises during the year. Not only did it reflect the growing
maturity of Indian organizations, it also led to increased adoption of security
measures across enterprises. This translated into a burgeoning Indian security
market in FY 2004-05: the security product revenues reached Rs 203 crore,
registering a 35% growth over the FY 2003-04 figure of Rs 150 crore. On the
other hand, the security services grew by a whopping 74% to reach Rs 157 crore
from a turnover of Rs 90 crore a year earlier. Overall, the Indian security
market was pegged at Rs 360 crore in 2004-05, registering a healthy 50% growth
over the previous year and making it one of the fastest growing sectors for the
period.
Security Products Get a Boost
Within the security product market, it was secure content management that
led the way with a 43% share at Rs 88 crore, followed by Security 3A software
(authorization, authentication, access) with 26% at Rs 52 crore. Firewall/VPN
software with a 17% share at Rs 35 crore and intrusion detection software with
12% at Rs 24 crore were the other major segments in the products category.
Cisco, Symantec, Checkpoint, McAfee, Trend Micro, Juniper Networks, ISS, RSA
Security, BindView, CA and Safenet were some of the leading vendors to have
profited from this burgeoning security market.
Secure content management covered three specific product
areas: anti-virus software, Internet access control and employee Internet
management (IAC/EIM), and email scanning. Some of the leading vendors operating
in this space were Symantec, Trend Micro, McAfee, Cisco, CA and Bindview amongst
others. The Security 3A software market covered authentication software (digital
encryption and PKI), authorization software and administration software and
included vendors like RSA Security, Bindview, Verisign, NetScaler (now acquired
by Citrix) and Cisco amongst others. The sudden spurt seen in this market was
owing to almost every security vendor as well as other enterprise application
players like Sun, IBM, HP and Novell coming to market with their identity
management solutions. Checkpoint, Cisco, Juniper, Fortinet and Safenet were some
of the leading vendors in the firewall/VPN category, while ISS, McAfee, Cisco
and Symantec led the pecking order in IDS/IPS and the vulnerability assessment
software category.
Anti-virus software remained a perennial: 2004-05 turned out to be
yet another big year for viruses, worms and malicious
code. These threats were combined with content such as spam and phishing
throughout the year. Bots and mass mailers remained the predominant method by
which virus writers impacted enterprises, whereas exploits and adware accounted
for over 60% of the malicious threats tracked, significantly impacting consumers
and home users.
The Integrated Appliance
With anti-virus gradually becoming a commodity, it grew faster than even the
PC market. One significant trend observed last year in the security market was
the emergence of integrated security appliances combining the capabilities of
firewall, VPN, IDS and anti-virus coupled with anti-spam. Organizations went for
an integrated appliance at both the client and gateway levels. India Inc
invested generously in security appliances on account of the ease of
manageability that these appliances offered. Appliances were easy to configure,
and deployment was smooth too. Besides, these boxes could be efficiently
monitored from a central location. Another bonus was that using appliances
permitted organizations to do away with licensing fees that would otherwise have
to be incurred on software-based security solutions.
Security appliances were well-suited to the needs of
organizations with more than 500 users. No wonder, vendors too were bullish
about its prospects. While it accounted for more than 70% of WatchGuard's
business, Fortinet also bagged large orders from Air-India, Ramco, Biocon and
Lason. Ahmedabad-based Elitecore's Cyberoam appliance had over 500 deployments
at companies such as Chambal Fertiliser & Chemical, Government of Gujarat,
BSNL, Indian Institute of Management-Bangalore, National Dairy Development
Board, Indian Institute of Remote Sensing and Bharat Heavy Electricals. There
was a strong push for security appliances from the government and education
segments, who wanted content and URL filtering at the gateway level to stop
users from accessing unwanted Web sites. In addition to integrated appliances,
the year also saw brisk sales of content filtering/spam control tools, while
forensics too made its entry into the Indian market.
The speed at which these blended threats emerged made it necessary
for anti-virus solutions and applications to be patched regularly. But
patching regularly turned out to be not so simple: first, there were too many
patches to track, and second, CIOs are still not sure of the order in which
patches have to be installed or whether the patches have been properly applied.
Result: the security vendors themselves spotted an opportunity and launched
specialized products to handle management and application of patches. Anti-virus
products, therefore, increasingly turned out to be a hybrid solution offering
various other functionalities like spam control, vulnerability management and
policy compliance.
The VPN War
Last year there was considerable debate about which VPN technology would
dominate, SSL or IPSec, with both having multiple takers. While the traditional
IPSec VPN market was pegged at Rs 58 crore, SSL VPN too made its entry with
market size totaling around Rs 6 crore. At least 20% of this overall VPN market
was accounted for by VPN security software. Cisco was the leader in the Indian
market for IPSec VPN. In the SSL VPN space, Juniper Networks, Aventail, Nortel
and NetScaler emerged as the market leaders.
The SSL VPN market showed promise of growing since the TCO of
installing and maintaining an SSL VPN network was lower than that of IPSec VPN.
Additionally, the overheads associated with the latter technology such as
installing IPSec-VPN clients on each desktop were avoided in the case of SSL VPN.
IPSec VPN was traditionally meant for office-to-office connectivity, but SSL VPN
was best suited for remote connectivity as it facilitated the same level of
secure access to an employee on the move as he would have working onsite.
Therefore, large organizations with mobile workforces needing remote
connectivity (banks, ISPs, e-businesses, BPOs and e-traders) looked at
deploying SSL VPN. Even Indian mobile operators looking at rolling out new
platforms to deploy mobile data applications looked at SSL VPN with interest.
IDS Gets Proactive
While the robust growth of IDS could be attributed to customers who had
already invested in VPN and firewall adding one more layer of security, 2004-05
saw the debut of Intrusion Prevention Systems (IPS) that aimed at taking a
proactive approach to network security by attacking the root cause of the
problem rather than detecting a problem and then fixing it. The Indian IDS
sub-segment grew by 65% to rank among the fastest growing in the Asia-Pacific
region. McAfee pioneered the concept of IPS: it launched McAfee IntruShield
2.1, based on IPS, which offered network-based encrypted threat protection with an
integrated firewall. The product provided for decryption and inspection of SSL-encrypted
traffic, while maintaining the integrity of encrypted data and encryption keys.
Another product, McAfee Entercept 5.0, a host IPS solution that acted as an
added layer between the system and the network, offered protection against
zero-day attacks.
IDS and IPS products were integrated better with
vulnerability assessment products during the year to determine the risk of an
attack based on the assessment of a system or network. The SecurityFusion module
from ISS provided this feature by correlating events against known
vulnerabilities and assets to prioritize events. Cisco's Threat Response
technology performed "just-in-time" event validation to remove
spurious alerts. Interestingly, one competitive component of the IDS/IPS and
vulnerability market was the use of open source or freeware products like Nessus,
which was included in many products as a baseline vulnerability scanner.
Security Gets an Identity
Identity management emerged as a key segment within the security space. Not
only the pure security vendors but also enterprise application players like IBM,
HP, Sun, BEA Systems and Oracle came up with their identity management solutions
during the year. It gradually became a core component of Web services, dealing
with the problem of authenticating and authorizing machine-to-machine
interactions and transactions in addition to people-to-people and
people-to-machine ones. There was an influx of more and more hardware in the identity
management area. Tokens, smart cards and, to a lesser extent, biometrics
gradually started becoming part of comprehensive identity management solutions.
Identity management solutions from vendors like RSA, Secure Computing and
SafeNet, as well as other hardware authentication vendors, saw significant
benefits from the reduction of password reset requests and an increase in
security, especially for remote users on VPN connections.
With theft of information and stalking becoming a nuisance
for Internet users, a search for an effective deterrent led the software experts
to explore encryption as a method to safeguard the data they stored or
transmitted through their computers. Based on the same technique, a computer
software named 'WonderCrypt' was developed to secure not only e-mail
contents and instant messages exchanged on the Internet, but also the files,
folders and documents stored in the computer hardware. The software, developed
by Wonder Software Technologies, was used to encrypt files meant for individuals
and also for multiple recipients. Proving to be effective in almost all the
fields, the software was installed by several multinational banks and vital
government agencies, including the Indian Parliament.
The market for public key infrastructure (PKI) certificate
authorities and certificates did not live up to the hype heaped on it. However,
the market remained of interest and had a number of vendors. PKI remained a
market in the doldrums for a number of reasons, the primary one being confusion over
how to measure return on the PKI investment.
Security's Legal Tangle
Legal compliance has played a crucial role in the framing of security
policies by India Inc. Both private enterprises as well as the government have
been proactive in taking appropriate steps to tackle security concerns. Most of
the software/BPO companies as well as MNCs from other sectors opted for
international security standards like ISO 17799, BS7799, COBIT and ITSM. In
addition, the security policies of some of these companies were framed to comply
with the requirements of different standards like HIPAA, SAS70, Gramm-Leach-Bliley
and the Sarbanes-Oxley Act. Quite obviously, captive firms of
international companies were relatively more mature in adopting these standards,
driven by the parent's international practices.
Issues of standards and legal compliance also spawned the
growth of a serious training industry specifically focused on security, probably
for the first time. With certification compliance becoming mandatory in many
organizations, the number of certified security professionals is growing.
Several consultants and integrators like KPMG and Wipro have
used this opportunity and jumped on the bandwagon, helping
organizations walk through the entire certification process. Others like
SecureSynergy started offering training services for security professionals.
To meet this growing requirement of security professionals,
the Government of India undertook certain initiatives during the year. These
included the Standardization, Testing and Quality Certification (STQC)
Directorate, responsible for the certification process and training personnel; the
Indian Computer Emergency Response Team (CERT), to protect India's IT assets
against security threats; and lastly the Information Security Technology
Development Council (ISTDC), to respond to security incidents, threats and
attacks at the national level.
Services Come of Age
If the 35% growth in security products was still not good enough, services
clocked a sensational 74% growth figure to reach Rs 157 crore maintaining the
momentum of the maturity the market showed the previous year. For one, this was
driven by the growing tendency amongst enterprises to outsource their security
requirements to third-party service providers. However, the real momentum came
from security consultancy: not only service providers like Wipro, HCL or
Datacraft but security vendors themselves helped enterprises implement
security measures and provided consultancy on formulating
security policies. No wonder that vendors like Symantec, McAfee, Cisco and Trend
Micro too registered a significant contribution from services.
On the consultancy front, keeping company with global majors
like Ernst & Young, Deloitte, PricewaterhouseCoopers and KPMG were infotech
companies like GTL's Global eSecure, Datacraft, Wipro Infotech and HCL Comnet,
old economy companies like Miel e-Security of the Mukand group and L&T
Infotech as well as the Mahindra Special Services Group and quality
certification agencies like Norwegian firm DNV. Also getting into the act were
boutique companies of all sizes like SecureSynergy, Network Security Systems,
iSec Services and Coral e-Secure. While certification companies verified
compliance with and implementation of standards by companies, the consultants
checked the vulnerability of networks and advised companies on how the standards
were to be implemented. A typical information security audit involved risk and
vulnerability assessments of networks, checking the implementation of security
policies and procedures as well as the effectiveness of procedures through
ethical hacking and other tests, identifying gaps and suggesting solutions.
The three factors that were driving the growth of the
security services industry in FY 2004-05 were regulatory requirements in the
West, especially in the banking and financial sectors; demands made by offshore
development customers on their service providers; and an increase in general
awareness about the need for information security. But the biggest growth
propeller was undoubtedly the boom in the offshore development and the BPO
sectors. These firms accounted for the bulk of the clientele of security
auditors, though other industries like the financial sector, telecom and
pharmaceuticals also provide a big chunk of business. With several high-profile
BPO fraud cases sending tremors amongst the Western outsourcing crowd, security
service providers had a field day as BPOs of every hue and size ran to put a
minimum-security framework in place.