What Enterprise Security means in the SMAC era

By Charu Murgai & Ruchika Goel

We are only half way through the year, but cybercrime incidents in 2015 have already surpassed the total number of cybercrimes in 2014. In fact, going by the findings of a report by Assocham, India may touch a walloping figure of 300,000 attacks in 2015, almost double from 2014.

The massive increase in cybercrime incidents can be attributed to the rising popularity of social media, growing usage of mobile technology in the enterprise, increased emphasis on analytics and big data, and the continuing move to cloud services. Together known as SMAC (social media, analytics, mobility, and cloud), increased use of these technologies has resulted in the confidential corporate data moving out from earlier controlled, in-house environment. Today, corporate data is distributed across cloud, mobile and social platforms, where enterprise IT
neither has any visibility nor any control.

Surely, the proliferation of SMAC has changed the security landscape in the last few years. The number of exposure points have increased, thus, increasing the security controls to be implemented. “SMAC has added multifold value to the business but its adoption has resulted in security leaders going to the drawing board again to draw an updated framework for addressing the security challenges,” says Sachin Jain, CIO, Evalueserve.

WHY SMAC REQUIRES A CHANGE IN SECURITY STRATEGY
As information today is prevalent across multiple devices and platforms, traditional approach of building a secure digital fortress to shield on-premise IT infrastructure will not suffice. Thus, security leaders need to devise fresh strategies to ensure security of corporate data.

SMAC has added multifold value to the business, but its adoption has resulted in security leaders going to the drawing board again to draw an updated framework for addressing the security challenges - Sachin Jain, CIO, Evalueserve

Let’s take the example of threats posed by social media platforms, which are increasingly being used by enterprises to build their brand and engage with customers. Sometimes employees share confidential data unknowingly on social networking platforms, which pose a danger of targeted attacks to organizations. Also, there is no clarity on how information shared on channels like WhatsApp, Viber, etc, is getting stored and is being used.

“The links and the other URLs shared on social platforms are the biggest security issues. And any wrong post can create a severe impact on personal as well as corporate reputation. Moreover, there is still a question mark on how the personal information shared on various social platforms is being used,” says Jayjit Biswas, Divisional Manager- Information Security & Compliance, Tata Motors.

Further, if an employee clicks on a malicious link on a social networking site, his credentials may get compromised, making the entire network vulnerable to exploits. The danger posed by social media is corroborated by a report by Symantec, which says that India is the second most targeted country in the world for social media scams with over 80% of these being carried out through manual sharing.

We are working on the demonstration of a security initiative called Information Rights Management, which works for all unstructured data - Somak Shome, Chief Information Security & Compliance Officer, SREI Infrastructure Finance

In this scenario, password-based protection system is not good enough anymore. Organizations need to focus on designing a next-generation security architecture with deep network integration. Similarly, mobile devices bring in significant security risks. For instance, a report by Check Point Software says that 47% of organizations have experienced a security breach as a result of compromised mobile device.

The biggest security challenge associated with mobile devices is that company data flows into a wide variety of mobile devices and applications, many of which are not even built to meet enterprise standards.

The growing popularity of cloud has also transformed the traditional enterprise security landscape. Major security threat from cloud computing arises when an employee uploads sensitive company data on a cloud-based file sharing service. Clearly, SMAC usage needs to be supported with appropriate policies, as they are highly vulnerable entry points for cyber criminals to exploit the enterprise IT environment.

Organizations need to adopt identity and access management-based solutions. Based on the place where the individual is accessing, the solution should be able to identify risks and also identify specific protection requirement that the person needs to go through -  Sivarama Krishnan, Partner, PwC India

MANAGING SMAC SECURITY CHALLENGES
There is no doubt about the fact that the usage of SMAC brings a number of advantages to the enterprise. In fact, organizations  cannot afford to ignore this trend, as this could only mean losing out in today’s competitive marketplace. Given this scenario, organizations are gearing up their enterprise security architecture to accommodate SMAC.

For instance, to accrue several benefits offered by the cloud model, while addressing security threats, Reliance Big Entertainment and Reliance Entertainment – Digital have built a robust security policy.

“We have adopted a hybrid model where we have created a private cloud for apps and websites which require the highest form of security. We have used Unified Threat Management (UTM) and Web Application Firewall (WAF) kind of application layer security apart from firewall and secured line of businesses for data flow management,” informs Sayed Peerzade, Vice President - Technology at Reliance Big Entertainment & Reliance Entertainment – Digital.

The company has also adopted proper encryption tools like SDM for video content as well as captured analytical data which flows across to be in central storage. Considering growing security risks, organizations are realizing that traditional enterprise security approach needs to undergo significant changes and are evaluating and implementing solutions that offer holistic security.

We have planned to implement SIEM with the goal of introducing greater intelligence and automation into the collection, correlation, and analysis of log and alert data, which in turn, allows security analysts to focus on what is most important - Makesh Chandramohan, Head–Information Security & Business Continuity, Birla Sun Life Insurance

A case in point is Birla Sun Life Insurance, which is using Security Information and Event Management (SIEM) technology to ensure robust security. Makesh Chandramohan, Head–Information Security & Business Continuity of Birla Sun Life Insurance informs, “We have planned to implement SIEM with the goal of introducing greater intelligence and automation into the collection, correlation, and analysis of log and alert data, which in turn, allows security analysts to focus on what is most important.” He believes that contextual security, like monitoring actions of an employee after resignation, change in behavior patterns, increased access to the corporate assets on odd time, etc, is very important.

Similarly, global analytics company, CRISIL, has adopted a number of security measures. Nadir Bhalwani, Director Technology Operations and Information security, CRISIL updates, “From user environment perspective, we have implemented end-point protection which also includes virus and spyware protection, proactive threat protection, network threat protection, and network access controls. And for remote access, we have implemented an SSL VPN with end-point controls features and Citrix XenApp is implemented through SSL VPN.”

He further informs that CRISIL has also implemented a DLP solution on end-point and integrated it with web proxy and mail gateway, as well as implemented an SIEM solution to proactively monitor and correlate security incidents and events from different devices and systems. In addition, the company is also in the process of deploying a Privileged Identity Management solution to monitor and control privileged users across the infrastructure.

Sharing details about the security measures at Evalueserve, Jain says, “We deployed a governance, risk and compliance solution last year. And this year, we are moving further on the maturity curve and adding more processes to automation. Improved DR for global locations is another key initiative.”

Bharti AXA General Insurance is another company that has increased its focus on security and devised a multilayered
security policy to ensure protection against advanced threats.

Parag Deodhar, Chief Risk Officer, Bharti AXA General Insurance adds, “We are using multiple tools and solutions
required to protect against various security risks followed by risk assessment, and then decide on the tools required to mitigate the risks. We follow a multi-layered security policy in which solutions are not just technology tools but include changes in processes and preventive and detective controls as well.”

Similarly, to ensure security of the corporate data, SREI Infrastructure Finance is looking at implementing Information
Rights Management (IRM) within the enterprise. “We are working on the demonstration of a security initiative called IRM, which works for all unstructured data. It helps employees in defining which report will go to whom, for how long the information can stay, who can print the report, and after what duration the report will be deleted automatically. This technology may really help in securing unstructured data,” says Somak Shome, Chief Information Security & Compliance Officer, SREI Infrastructure Finance.

These examples clearly show that as threats have evolved, information security too has evolved from just being firewall, proxy, anti-virus management to risk management for all business units and enablers. However, organizations need to go beyond just deploying security tools. “More than tools, strategy of adoption plays an important aspect for new technologies like cloud and analytics,” asserts Peerzade.

Going forward, SMAC adoption is slated to grow further and it would be impossible for enterprises to resist these disruptive trends. To thwart new threats that will emerge with these trends, it is imperative for organizations to design a security framework that can handle the dynamic nature of data sources and possible threats associated with it.