Welcome Guest | |
Follow Us:
    
Newsletter Signup:
Navigating the security Labyrinth
The security landscape is seeing changes in moving from the end-point to the cloud, to being delivered as a service By Jamsheed Gandhi, NWC, October 01, 2008

Latin: securus: safe, secure, free from care, unworried, unconcerned

The security landscape has transformed from just protecting computers from viruses to include functions such as evidence collection & seizure and forensic analysis and reporting. Threats, both internal and external are emerging at a rampant pace. Corporate espionage, once restricted to large multinationals is now quite common across most verticals and companies of all sizes.


Systems are getting infected, spammed and phished. Probably the biggest security threat that exists today is the people factor which plays the most important role in making an organization secure. It is clear, that a mere implementation of technology, is no longer a solution to prevent information theft. This has brought about a rise in the current adoption of security solutions, as compared to a few years ago.


“The security market in the country is the fastest growing market in the Asia pacific region, with it recording a 30 to 40% y-o-y growth,” informs Mahesh Gupta, Business Development Manager–Network Security, Cisco India & SAARC, “As per Frost & Sullivan, the market is supposed to touch US$ 213 million in 2008.” He adds, “2007 was marked by sophisticated security attacks especially with reference to hackers. However, according to Gartner, 70% of enterprises will have been infected with malware by the end of 2008. Research has shown that over 50 to 80% of threats originate from within the enterprise.”


“Security basically translates into controlling access to the item being secured i.e. allow access to those who should have it and deny access to everyone else. This ranges from physical controls such as security guards, access cards, biometrics; to having proper policies in place and ensuring that they are always followed; to using various devices and tools to detect and prevent malicious activities such as CCTVs, firewalls, etc. With regards to data and information it also means having backups and fallback plans in place for even worst case scenarios,” informs Naveen Surya, MD, ItzCash.


Turning around on its head the entire motive for why people would want to hack and crack information is ex-armed forces and current CEO of Mahindra Special Services Group, Raghu Raman. He adds, “The measure of security in any society is when there are few resources or assets and the people are more. Since ages, it has been the thumbprint that has acted as the element of trust. Although there was no way to validate whether a thumbprint belong to an individual, it was a matter of pride and honesty that acted as the physical trust factor. This has been nullified online. While technologically, security solutions have developed tremendously, one can draw parallels to the age old processes that have been in place. e.g. the thumbprint is now an authentication token.”


IT infrastructure is now expected to detect and protect against unauthorized access while providing timely access to legitimate users. Simply denying access in the face of an attack is no longer acceptable. The infrastructure must be able to respond to attacks in ways that maintain availability and reliability while letting business function seamlessly.


Carrot and Stick
While interacting with most companies, it came across quite clearly that although stringent security measures have been initiated due to the need for corporate governance, once put in place, they have been accepted whole heartedly by companies.


Points out Microland’s AGM for Security Services, Syed Mohammed, “In a Forrester study conducted in 2007, compliance has been stated as the most critical security issue. Regulations such as HIPAA, SOX, FISMA, PCI-DSS, Basel II, are driving organizations to focus on policy compliance procedures and tools. Risk assessment and prioritization, classification of data, increasing security awareness, defining critical measures are some of the critical focus areas which are being looked into.”


ItzCash’s Surya drives home a point namely, while security is an investment, in both money and time, it has little or no tangible benefits in case of projects having a tight schedule or budget. Hence is one of the first victims to the "will be implemented once things settle" syndrome.


Compliance ensures that business cannot take place without the basic level of security being in place. This also gives rise to the need for periodic audits. However, organizations should always proactively implement security at least a level above what is required for compliance. At the same time, compliance usually means getting your security implementation tested and certified. Hence, the agency hired to do this should be competent and do its job thoroughly.


Best Practices
 “We might deploy the best-in-class toolsets and hardware for security implementation, but all these would be futile unless a business discipline is driven amongst the individual employees,” shares Kannan, principal consultant, Maveric Systems. He feels that the human element intervention is the strongest and the weakest link in the chain of security perimeter that can be drawn in any institution. Access vulnerability and penetration threats are very common at the enterprise wide level and various level compromises are possible depending on the complexity and the usage of the technology components within the enterprise. Any new or existing security solution would always have a minimal level of threat and risk attached to the solution.


He adds that if anybody would even suggest a security solution that talks of a nil threat, it should be considered as the biggest threat as it shows that there is no awareness of the risk involved. So, threats and risks would be a necessary evil to any security solution.


“Best practices differ as per the level of security needed. One should keep in mind that the more security that you add, the more cumbersome it becomes to do a particular task. There's an example of an organization which decided to implement strong passwords which the server would force them to change every 15 days to all employees. While all employees were made to follow this strictly, what happened was that the employees ended up writing the password on "post it" notes and sticking it on their monitors because they could not remember their passwords. This, of course, defeated the purpose of having the password policy in the first place.” adds ItzCash’s Surya.


Security as a Service
Keeping in line with the shift of applications being ported on the pay-per-use model, so too are security solutions being delivered out from the capital expenditure account into the operational expenditure. Once a purview of IT departments, with strong service level agreements in place, CIO’s are finding it easier to outsource the security function as well.

P J Nath, Executive President, Enterprise Solutions, Sify Technologies points out that as investments in managed security services by the Medium Enterprises is growing at a much faster pace than traditional security solutions, it’s the Banks and financial institutions that have accepted the remote MSS delivery model with ease.

He also feels the government’s initiative to move away from paper work to having the information available centrally by automating all manual activity has resulted in a huge centralized IT infrastructure and application setup. In which security becomes an integral part as critical information transaction takes place. It’s increasingly seen that government organizations are outsourcing their IT services with MSS being part of it, though it is still early days in this segment.


This is in keeping with the trend that has been set by local Telco’s, who were the first off the block to outsourcing their entire IT infrastructure so that they could be more focused on their service delivery business.

Cisco’s Gupta feels that in the case of SMBs, the trend shifts towards outsourcing security management. A Pricewaterhouse Coopers 2007 report says that the SMB segment would increasingly look at use of outsourced security management of their first line of defense including firewall, IDS and incident reporting services. Additionally, a recent survey by Forrester estimates that 30% of SMBs outsource their enterprise applications and 59% of those are concerned about the security of their data. In India, outsourcing of security is still a tough decision for network managers.


Conclusion
Concludes Surya, “As long as technology keeps evolving new threats will always arise. Key loggers are now very common and usually spread through spyware and viruses. Some are known to be even customized to only capture information when accessing financial sites, etc. Some financial sites have implemented virtual keyboards, but as it is entered slowly, this makes it easy for someone sitting next to the person entering the password to see it and even memorize it.”


The road ahead is murky with security solutions requireing to evolve constantly for the current threats at hand and anticipating ones that will be created in the future.



blog comments powered by Disqus
Featured Videos


 
    
 
Future Strategist Award
Who's next in line for the CIO position?
As a CIO you mentor someone in your organization for the future IT leadership role. InformationWeek would like to acknowledge and felicitate that special person at an awards ceremony at Interop
Top Stories
Interview
CIOs must leverage social media to increase their presence in the boardroom
Arun Sundararajan, NEC Faculty Fellow and Associate Professor at New York University’s Stern School of Business, discusses with InformationWeek the relevance of social media to the overall business, and how CIOs must handle social media
BankTech India - IT News for BFSI Segment
We're on Google+
InformationWeek India on Facebook