By Pupul Dutta
The year 2012 witnessed some very interesting transitions in enterprise technology. More and more companies embraced the cloud and intelligent networks seamlessly connected our professional and personal lives.
According to media reports, enterprises began to adopt many more smarter devices like tablets and smartphones in an attempt to create a more productive, mobile workforce and empower their employees with more choices.
With so much happening on the IT forefront, the task of security experts in enterprises is expected to become more complicated than ever, especially because organizations are restricting their investments in security solutions (which is usually 8-10% of the total IT budget). Interestingly, a few enterprises are using solutions they probably do not even need while others are ignoring products they must have to protect sensitive or critical data for lack of budget or high cost of solutions.
Asheesh Raina, Principal Research Analyst, Gartner India, says, “Security per se is needed to secure the environment where you are working, simply because it has a lot of confidential data which can be under massive threat. Hence, it is important to take a holistic approach for security in organizations, given the increasing trend of mobility, BYOD, cloud, etc. So, starting from securing the organization to securing people who are the hoarders of confidential, important information, companies need to take a 360-degree approach.”
He further explains the need for people centric safety measures, including checking how the information is maneuvered outside the organization. “Also, an important tool that is emerging is digital enterprise rights management (DERM) wherein you can map the information with respect to the user who will use it. Give restricted access, basically,” he adds.
The security market
The security market is categorized into three major segments: IT security, infrastructure security and surveillance. IT security in turn is broken down into anti-virus market, endpoint security, firewall, web security, etc.
According to a recent report by IDC, it is estimated that the total security market in India is expected to be about $234 million for the year 2013. Frost & Sullivan, on the other hand, has predicted India’s security market to reach $494 million by 2014, and this includes the SSL-VPN market worth $34.8 million.
As trends like mobile computing, big data, virtualization, cloud services, and social networking continue, new kinds of attacks are also emerging on the threat scnario. While IT users continue to increase the time spent online, new conduits for cyber security threats have been introduced. These threats are not only sophisticated but also targeted, causing irreparable damage to digital devices and to the information stored on them, as well as on the networks.
It is foreseen that amplified adoption of cloud-based computing will impact the way security solutions are consumed. According to experts, the overall scenario will lead to more managed security service providers through cloud delivery. More is expected on the way, such as data-loss prevention, encryption and authentication as technologies that are aimed at supporting cloud computing.
However, an important transformation that has happened over time is that now companies are prepared to handle threats or targeted attacks. They know that attacks will happen no matter what and they are ready to take on them. Explaining the very fact, Sundar Ram, Vice President, Technology Sales Consulting, Asia Pacific, Oracle Corporation says, “Initially, the (security) market was driven by large amounts of money involved. Securing the information was very critical, especially in companies where multiple vendors were bidding for a particular large contract. Given the sensitivity of data, people were only looking at securing their databases. However, the situation has changed enormously as people have realized that security is needed not only in situations where large amounts of money is involved, but also in securing one’s brand. Even though it may not be a direct financial loss to anybody, it is a huge embarrassment for any company to go public and seek apology on how they were hacked and their identity was stolen. Hence, companies are now more equipped to deal with thefts or attacks that they know will happen at some point in time.”
The enterprise challenges
As the cloud and mobility connects people, it also brings its own set of issues, which is where new technologies have to work in a new framework that is much different to what it used to be. The challenge is in the speed of this shift, which the new world of security needs to adjust to, while also in ensuring that it is done with minimal intrusion and is seamless. The systems have to talk to each other; it’s about strong integration and real time security.
One needs to understand that the biggest challenge today is the “insider threat”; from the enterprise’s internal users who have access to data. If such information is made available on mobile devices with no mechanism to track usage, enterprises stand the risk of sensitive information leak on a massive scale. “After establishing access controls and ensuring that users have access to only that part of information that they absolutely need for their job, they also need both proactive and reactive controls on the information flow to track user behavior, location and frequency of use etc,” explains Rajesh Ganesan, Director – Product Management, ManageEngine.
According to Ganesan, there can be controls on what information can be consumed on personal devices compared to company provided devices and that intelligence should be built into the applications and not passed on to the users.
Another growing threat to enterprises is BYOD (Bring Your Own Device) which is being driven by simple, accessible, and pervasive technologies that allows people to work anytime, anywhere. BYOD is an alternative strategy that enables employees, business partners and other users to use a personally selected and purchased client device to execute enterprise applications and access data. “Here comes the biggest challenge – defining the thin line of control. Also, once these new devices are in the mix, employees will be bringing their own applications, collaboration systems and even social networks into business,” notes Kaushik Thakkar, Co-Founder and Head of Corporate Development, Nevales Networks.
CG Prasad, Director – Information Systems, Premier Inn, opines that for most CIOs the most challenging issues today are cloud and BYOD. “There is no binding legislation available in India specifically for cloud. No one knows what will happen to their service if something goes wrong in the cloud. Due to this, people put non-critical services onto cloud and the critical ones still stay on the premises.”
He further says, “Secondly, if somebody is using cloud services from a country other than their own, its still unclear which law one needs to abide by in the event of disputes. Similarly, another trend which CIOs are very skeptical about is BYOD. This increasing trend of bringing your own device puts a lot of pressure on the corporates to ensure that no official data has been transferred or stolen knowingly or unknowingly by the employee through the device. One needs to ensure that in the event of an employee’s exit from the organization or, if the device gets stolen, the data should be removed safely from the device so that it is not misused by any miscreant.”
The solutions
With emerging technologies and evolving risks, creating layers of security appears to be the best solution for strengthening the security framework for network and data. It is commonly believed that safety comes by layering, be it at the edge or at the endpoint. Each layer adds a guard, and each guard adds peace of mind for CIOs.
Atul Khatavkar, VP – IT Governance Risk Compliance, AGC Networks says, “It is very important for enterprises to have layers of security but for that, one first needs to identify where all does critical information lie in the organization and then work accordingly to secure the same.”
Besides layering, enterprises also need to develop and enforce IT policies. They should automate compliance processes, protect data proactively by taking an information-centric approach, and authenticate identities so that only authorized personnel manage critical systems.
Anand Naik, MD – Sales, India and SAARC, Symantec, explains the point further: “By prioritizing risks and defining policies that span across all locations, organizations can enforce policies through built-in automation and workflow; they can not only identify threats but can check incidents as they occur or anticipate them before they happen.”
Authentication also enables organizations to protect public-facing assets by ensuring the true identity of a device, system or application. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorized devices to the infrastructure.
Creating complex infrastructure is however, is not desirable for the company as well as its employees. Opines Prasad of Premier Inn, “Creating a complex infrastructure will make life difficult rather than improving the security of the environment. Our security policies are user-friendly for the employees to do their day to day business. But we have not allowed them to do whatever they want with the devices or environment and make it vulnerable to threats and attacks.”
Moreover, models that focus on traditional security network perimeter controls do not work in the new IT environment.
Security experts worldwide have suggested the use of the right combination of technology and processes to protect an organization’s assets. “Two factor authentication is especially recommended to protect against identity fraud which is becoming prominent in recent years. Leveraging strong authentication mechanisms is also recommended by various compliance/certifications like PCI-DSS, HIPAA, SAS 70, ISO 27001 and others,” asserts Pavan Thatha, Co-Founder and CEO at ArrayShield.
On the other hand, Thakkar of Nevales Networks argues that an easy approach to securing the infrastructure is to opt for managed security services. “Outsourcing the network security to a reliable service provider can help organizations in confronting the security challenges diligently,” says Thakkar.
Getting the policy right
T.G. Dhandapani, Group CIO, TVS Motor Company, believes that IT should drive the growth of a company rather than be a hindrance. “Enterprises have to secure their IP, but in that process they should not hinder the company’s growth. There are a few areas/segments like the R&D section which is critical for any manufacturing enterprise as it is also the competitive advantage of a company, that requires maximum fortification. Hence, compartmentalizing based on the importance of a department is the key to achieving water-tight security,” he explains.
Basically, an ideal security framework and policy should ensure that the enterprise meets the regulatory requirements of region/country it operates from and the obligations toward privacy and safety of its customers’ data. The policy should also take into consideration, the mission of the organization, the critical assets that require protection, the threats posed and mitigating risks against known vulnerabilities. It should start with defining the scope and the policy should be written in a manner that it can be embraced by other areas of the organization easily. Lastly, depending on the industry, there may be regulatory requirements or cross-cutting laws. The policy should address the requirements to ensure compliance.
Beyond traditional anti-virus
Basic security solutions such as anti-virus and firewalls are well accepted and deployed in Indian enterprises. However, the battle is only half won as most users do not understand that these point solutions are not good enough to protect or block them from the latest malware attacks. Today, there is a paradigm shift in endpoint security which has transcended beyond anti-virus on account of the new-age hybrid and sophisticated threats that slip through the cracks of traditional anti-virus software. Over the last decade, the increased usage of internet has led to a spurt in cyber crimes, which have turned from an act of personal challenge and notoriety, to a targeted and lucrative enterprise.
“Consumerization of IT has enabled employees to bring their own technology to workplace. The nature of business requires employees to be connected 24×7, underlining the need for heightened security. These have been the key growth drivers for the security industry. As a natural corollary, the industry is steadily witnessing a shift in enterprise security adoption from a traditional anti-virus approach to a connected security solutions approach comprising elements of anti-spyware, anti-malware, firewall, host-based intrusion prevention, encryption and data loss prevention,” says Jagdish Mahapatra, Managing Director, McAfee India & SAARC.
Public Key Infrastructure (PKI), an emerging tool in the security business, is now the foundation of high-level, certificate-based security. It safeguards business applications that demand the highest level of security, enabling web services based business process automation, digital form signing, enterprise instant messaging, and electronic commerce. In addition, it protects firewalls, virtual private networks (VPNs), directories, and enterprise applications.
“Protection against threats must go beyond the usual counter-measures of firewalls, anti-virus and intrusion detection/prevention and must include programs that can instantly relay information that an attack is happening, where it is happening, and how it is happening. In addition, true resiliency against such an attack can only be attained by having information
backed up and stored in advance, with an information management program in place that has cataloged, organized, and prioritized it to quickly recover any information that has been lost or exposed,” says Naik of Symantec.
An effective way of testing one’s security infrastructure is to have security audits by third party or ethical hackers from time to time. Third party audit is necessary to ascertain that the enterprise is using industry standard practices and more importantly if they are enforced and producing results. The frequency of audit depends on the technology, systems and people changes in the enterprise. More the changes and churn, higher should be the frequency. Again, a layered strategy works well here, like the enterprise data center operations could be audited every 3 – 6 months but the IT end user support could be audited at longer intervals. PCI DSS Standard recommends the frequency of audit based on the number of online transactions done and that is a good model for enterprises to follow.
Dhandapani of TVS Motors adds that encryption is a process based tool, hence whenever there is public interception, encryption becomes a necessity. He further adds, “TVS uses most of the security tools, including encryption, for back-up since it is stored outside our premises. We also use BlackBerry Messenger for most of our internal conversations.”
Single versus multiple vendors
No one vendor or one company can ever provide an enterprise with the security lifecycle of alert, protect, respond and manage. According to experts, it’s always going to be a multi-vendor world.
Raina of Gartner asserts, “Getting multiple vendors involved gives companies more choice and this kind of set-up always works.”
Agrees Dhandapani, “Locking up with only one vendor is very risky. Hence, one should ensure that there are at least a couple of vendors managing the security of the company.” Talking about managing multiple SLAs and ensuring quality, he says, “Managing too many SLAs is not a problem. Mostly, we have people taking care of various accounts and it’s not a very huge task to deal with all of them.”
Prasad of Premier Inn has a slightly different take on this: “It will be better to have one vendor manage the security and have a long-term relationship with them. At the same time each implementation should be audited or verified by a third party. Security is not something which can be procured or implemented from anyone.”
Today, enterprises around the world are realizing that information and communication technologies are a key horizontal component of the critical infrastructure. Enterprises, therefore, are learning to deal with sophisticated attacks and have accepted the fact that advanced security intelligence solutions are required.
As a natural corollary, CISOs and other senior-level security professionals must be able to plan not only for threats that exist now, but also for those that may emerge in as many as three years’ time.
Also, enterprises need to dedicate more funds to security out of their overall IT budget. “Currently, large enterprises spend about 8-10% of their total IT budget on security while small and medium ones spend a meager 3-4%,” says Surendra Singh, Regional Director, India & SAARC, Websense.