Security

January 6, 2005
Trends in information security practices

Geetanjali Wadhwa & Pradeep Chakraborty

BANGALORE AND NEW DELHI -- According to Frost & Sullivan's 2004 Network Security Market Report, India was currently the second fastest growing market in the Asia Pacific region. The market size was estimated at US $29.9 million in 2003 and was likely to reach about US $142 million by 2010 at a CAGR of 25 percent. The end-user expenditure on security products/solutions was US $4.5 billion globally in 2003 and was likely to grow 78 percent till 2007, according to Infonetics Research.

Arun Rawtani, country technology solution group manager, EMC India, noted that the size of the Indian security market for 2003-04 was estimated at Rs. 240 crore by PwC, of which products accounted for Rs. 150 crore and Rs. 90 crore came from services, a fact also highlighted by A. Vijayrajan, managing director, Cyrca India. The industry has been estimated to grow to nearly Rs. 480 crore by 2008, making India the second fastest growing security market in the Asia Pacific, a point highlighted earlier.

However, India's spending on security, as part of the IT budget, was currently a mere 1 percent. Vijayrajan further added there had been a definite movement toward higher spending on security. In an IDC report, the size of the global security market was estimated at US $42 billion in 2003 going up to US $116 billion by 2007. As a percentage of the IT budgets, security spending was set to double or triple by 2006. Impressive and revealing figures!

IT raised India's bar globally due to its unmatched value proposition, in terms of skill sets and higher productivity, coupled with quality and scalability. Sunil Mehta, vice president, NASSCOM, says a 'secure and reliable' environment - defined by strong copyright, IT and cyber laws - is an imperative for the growth and future success of the ITeS/BPO segment.

NASSCOM has been pro-active in pushing this cause and ensuring that the Indian information security environment benchmarks with the best globally. Indian ITeS/BPO firms are taking as many precautions as possible to ensure that data and personal information of their customers are protected. That means, following international best practices, getting procedures audited by independent parties and making sure that these procedures are up-to-date and being closely followed.

According to NASSCOM, India has robust security practices. These are:

  • Indian firms have robust security practices comparable to those followed by western firms. Indian firms comply with BS 7799, a widely adopted standard (the basis of ISO/IEC 17799) that covers all domains of security management.
  • Companies sign service-level agreements (SLAs), which have very strict confidentiality and security clauses built into them at the network and data level. Such SLAs cover all relevant laws that companies want their offshore providers to comply with and the actions that can be taken in case of breaches.
  • Spending on security ranges from 5 percent to 15 percent of the IT budget.
  • Laws such as the IT Act 2000, the Indian Copyright Act, the Indian Penal Code and the Indian Contract Act, 1872, provide adequate safeguards to companies in the US and the UK offshoring work to India.
  • Most BPO companies providing services to UK clients ensure compliance with the UK Data Protection Act 1998 (DPA) through contractual agreements.
  • Companies dealing with US clients require compliance depending upon the industry served. For example, healthcare requires compliance with HIPAA; financial services require compliance with GLBA. To ensure compliance with such laws, Indian vendors follow security practices as specified by clients, such as security awareness, protection of information, non-disclosure agreements (NDAs), screening of employees, etc. Further, clients conduct periodic audits to ensure compliance.
  • Many companies in India are undergoing/have undergone a SAS 70 audit. SAS 70 assignments help service companies operating from India to implement and improve internal controls, ensure minimal disruption to business from clients' auditors, and are a potent marketing tool in the face of increasing competition.
  • Insurance premiums paid by Indian BPOs for insuring themselves against security breaches have been declining for the past two years - a telling indicator of the robust security practices being followed by Indian companies.

Best practices in information security
Let us examine how much India is really in line with the best practices in information security today. For one, NASSCOM has been working closely with ITeS/BPO firms to create an information security culture within these segments. It has also been interacting with the Indian government on the issue of creating a relevant regulatory environment that will further strengthen information security initiatives being rolled out within ITeS/BPO organizations.

Indian companies are said to have raised their quality standards in recent years to meet international demands. NASSCOM, with the Indian government, laid the foundation for the required legal framework as well. The IT Act of 2000 included laws and policies concerning data security and cyber crimes. The Indian Copyright Act of 1957 deals with copyright issues in computer programs. NASSCOM has proposed amendments to strengthen the IT Act 2000. It has undertaken other initiatives toward building a robust information security environment within the ITeS/BPO segments, such as "Trusted Sourcing" (see box: NASSCOM's Trusted Sourcing Initiative).

S. Venkatesh, country manager, Internet Security Systems (ISS), India and Sri Lanka, listed the current international best practices (see Internet Security Systems: International best practices in information security management). According to him, Indian organizations had so far adopted only the ISO/IEC 17799 and BS 7799 security practices. However, they were moving toward other practices as well. According to Rajendra Dhavale, director, consulting, Computer Associates (CA), today's security considerations were different. These include protecting against attacks coming from the Internet and the intranet, enabling trust and privacy protection for e-transactions, controlling access to systems and performing security management.

Three key components of security management - identity and access management, threat management, and security information management - helped achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risk and ensure continuous business operations. "CA is in the best position to talk about the need for a holistic approach to security management of an organization's e-business infrastructure," he said. A number of Indian companies realised the need for security. Some of CA's customers include, CRPF, AAI, KRIBHCO, UTI, IDRBT, Ballarpur Industries, Escorts Heart Institute and Research Center, and Data Access.

Vijayrajan said that globally, information security was beyond technology to encompass policy, procedure and people. "Information security is seen as a business risk and hence, is managed by business managers, CEOs and the CFOs. However, it is mostly managed by the IT heads in India," he added. Rawtani noted that information loss could result from many factors, including fire, power outages, employee theft, viruses and hackers, and modern tragedies that could leave companies without access to buildings and important information. "Preparation is the key. Those who are prepared have a better chance of overcoming losses with minimal damage," he said.

Information security policies and practices are the foundation of information security within an organization, since they underpin the security and well-being of its information resources. Some of the best practices organizations should incorporate into their operations to improve information security are:

  • Top management intervention: CEOs should have an annual information security evaluation conducted, review the results with staff, and report on performance to the board of directors.
  • Risk management: Organizations should conduct periodic risk assessments of information assets as part of a risk management program.
  • Policy: Organizations should implement policies and procedures based on risk assessments to secure information assets.
  • Authority and accountability: Organizations should establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.
  • User issues: Organizations should provide information security awareness, training and education for accountability among all users, including partners, suppliers and vendors. They should ensure that there is sufficient expertise, whether in-house or outsourced, for all technologies and the security of those technologies.
  • Authentication and authorization: Organizations should implement mechanisms for user authentication and authorization when accessing the organization's network, and set up controls and access restrictions for remote users, contractors and service providers.
  • Evaluation: Organizations should conduct periodic testing and evaluation to determine the effectiveness of information security policies and procedures.
  • Physical security: Organizations should control physical access to information assets and information technology.
  • Continuity planning and disaster recovery: Organizations should develop business continuity and recovery plans, and test them regularly.

"A number of organizations in India, especially in the telecom, financial services and manufacturing space have implemented these best practices and are on par with global organizations. However, many Indian organizations still see these best practices as 'nice to have' rather than 'need to have'," Rawtani added.

Kapil Sood, director, telecom, Sun Microsystems, noted that security needed to be integrated. In the past, organizations and software vendors typically (but not universally) took a bandage approach to security - something to place on top of their systems. This approach is destined for failure! Achieving a level of confidence in security requires it be integrated from the ground up in systems organizations deploy.

He added: "Sun never accepted security as an afterthought, and our customers must be pro-active in making security part of their networks. We don't just make security products - we build security into everything we make. Sun's security solutions are easy enough for ecommerce and secure enough for homeland security. Security cannot be simply viewed as a network or application issue. Recognizing that the weakest link of the architecture places the other components at risk, we recommend that security be applied throughout the architecture at the physical, platform, network, middleware and application levels."

According to a NASSCOM study, 75 percent of Indian companies agreed that sophisticated information security offerings and practices offered a competitive advantage. Good IT security practice required more than anti-virus and firewall systems. Computer assets are increasingly vulnerable to debilitating attacks that are not stopped by traditional firewall and anti-virus products. IT managers must now be continuously aware of the security implications of their IT system configurations and policies, and be able to remedy their vulnerabilities in order to be secure from attacks.

Sood added: "We have seen an increasing trend, across businesses in India, to view information security as a key ingredient, which contributes significantly to the success of the business. This led to a growing awareness across businesses that information security is more effective, less complex and less expensive when applied in a pro-active manner as opposed to a reactive manner."

Jagdish Mahapatra, business development manager, Cisco Systems, India and SAARC, said that security threats for enterprises had grown in prominence over the years. Initially, hackers used to target individual computers in the eighties, individual networks in the nineties, and are currently targeting the global infrastructure. "The advent of globalization and the rise of mobility extended individual enterprise networks into a larger global network offering seamless connectivity/mobility. This threat and impact on business increased the importance of security among enterprises and the complexity of security solutions as well. As networks have grown in complexity, so has the need for comprehensive security products/solutions," he said.

Cisco identified and invested in security as a billion-dollar market opportunity. This included strategic acquisitions to reduce time-to-market, which was critical, and the creation of a network admission control (NAC) program in partnership with leading anti-virus software companies, including Network Associates, Symantec and Trend Micro. These alliances are symbiotic and a win-win situation for the partners.

Cisco's self-defending network (SDN) strategy describes its vision for security systems. In the past, threats from internal and external sources were relatively slow moving and easy to defend against. In today's environment, where Internet worms spread globally in a matter of minutes, security systems and the network itself must react instantaneously. The SDN initiative is based on three pillars -- integrated security, industry collaboration and system-level solutions.

There were three elements to Cisco's integrated security strategy. Its secure connectivity solution included solutions for site-to-site VPNs, remote access VPNs, voice security, wireless security, and solution management and monitoring. Its threat defense system solution included endpoint security, integrated firewall, network intrusion protection, content security, and intelligent networking and security services embedded in routers and switches. Its trust and identity management solution included identity management, identity-based networking services and NAC.

Managing disparate monitoring systems

Systems in many organisations are managed by disparate monitoring systems. In that case, are potential threats being overlooked within their own operational network infrastructure? Vijayrajan said that security was managed today by disparate point solutions. While they provided the required security, they also generated a considerable amount of log information. Analysis of the logs would provide information on potential threats, so one had to focus on reviewing that log information to get a better understanding of the threats.

Venkatesh at ISS agreed that organizations were overlooking potential threats. "There are many disparate monitoring systems and the problem is that none of them are correlated, even though the tools are available to correlate, like Security Fusion. In many cases, the ownership and responsibilities are with varied teams within the organization. The MIS teams, who are not directly responsible for security, do the asset and vulnerability patching," he added.

An example could be a worm propagating in the network because an unpatched, vulnerable system gets infected, and the network then going down due to the high volume of traffic generated from that machine. Security team members merely give directions on patching, as to the patch levels required, as they did not want to be held responsible for application problems during and after patching.
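The worm scenario above is exactly the case that is missed when the firewall, the IDS and the patch inventory each sit with a different team and nobody joins their records. The following Python script is an added illustration of that join; it is not code from the original article or from any of the vendors quoted. It parses constructed sample records from three hypothetical sources (a firewall deny/allow log, an IDS alert log and a patch inventory), measures how many distinct destinations each source host reaches inside a short time window, and grades hosts that exceed a fan-out threshold according to whether they are also unpatched and whether the IDS has alerted on them. The log formats, field names, the "KB-smb-fix" patch label, the ten-second window and the threshold of five destinations are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three hypothetical monitoring systems.
# Formats, field names and the patch label are assumptions for this example.
FIREWALL_LOG = """\
2005-01-06T10:00:00 fw1 DENY src=10.1.2.3 dst=10.1.5.10 dport=445 proto=tcp
2005-01-06T10:00:01 fw1 DENY src=10.1.2.3 dst=10.1.5.11 dport=445 proto=tcp
2005-01-06T10:00:01 fw1 DENY src=10.1.2.3 dst=10.1.5.12 dport=445 proto=tcp
2005-01-06T10:00:02 fw1 DENY src=10.1.2.3 dst=10.1.5.13 dport=445 proto=tcp
2005-01-06T10:00:02 fw1 DENY src=10.1.2.3 dst=10.1.5.14 dport=445 proto=tcp
2005-01-06T10:00:03 fw1 DENY src=10.1.2.3 dst=10.1.5.15 dport=445 proto=tcp
2005-01-06T10:00:05 fw1 ALLOW src=10.1.2.4 dst=10.1.5.10 dport=80 proto=tcp
2005-01-06T10:00:09 fw1 ALLOW src=10.1.2.4 dst=10.1.5.11 dport=80 proto=tcp
2005-01-06T10:00:10 fw1 DENY src=10.1.2.7 dst=10.1.5.20 dport=445 proto=tcp
2005-01-06T10:00:11 fw1 DENY src=10.1.2.7 dst=10.1.5.21 dport=445 proto=tcp
2005-01-06T10:00:11 fw1 DENY src=10.1.2.7 dst=10.1.5.22 dport=445 proto=tcp
2005-01-06T10:00:12 fw1 DENY src=10.1.2.7 dst=10.1.5.23 dport=445 proto=tcp
2005-01-06T10:00:12 fw1 DENY src=10.1.2.7 dst=10.1.5.24 dport=445 proto=tcp
"""
IDS_LOG = """\
2005-01-06T10:00:02 ids1 ALERT sig=smb-exploit-attempt src=10.1.2.3 dst=10.1.5.12
"""
PATCH_INVENTORY = """\
host=10.1.2.3 patch=KB-smb-fix status=missing
host=10.1.2.4 patch=KB-smb-fix status=installed
host=10.1.2.7 patch=KB-smb-fix status=installed
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'TIMESTAMP SENSOR ACTION key=value ...' into a dict."""
    ts, sensor, action, rest = line.split(" ", 3)
    rec = {"ts": datetime.fromisoformat(ts), "sensor": sensor, "action": action}
    rec.update(KV.findall(rest))
    return rec


def fanout(fw_log, window=timedelta(seconds=10)):
    """Largest number of distinct destinations each source reached within any window."""
    events = defaultdict(list)
    for line in fw_log.splitlines():
        rec = parse_line(line)
        events[rec["src"]].append((rec["ts"], rec["dst"]))
    result = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        result[src] = best
    return result


def unpatched_hosts(inventory):
    """Hosts whose inventory record shows the patch as missing."""
    hosts = set()
    for line in inventory.splitlines():
        rec = dict(KV.findall(line))
        if rec.get("status") == "missing":
            hosts.add(rec["host"])
    return hosts


def ids_sources(ids_log):
    """Source hosts that the IDS raised at least one alert for."""
    return {parse_line(l)["src"] for l in ids_log.splitlines() if l.strip()}


def correlate(fw_log, ids_log, inventory, threshold=5):
    """Join the three sources on source host and grade each host that fans out."""
    missing = unpatched_hosts(inventory)
    alerted = ids_sources(ids_log)
    findings = {}
    for src, n in fanout(fw_log).items():
        if n < threshold:
            continue
        level = "scan-only"                 # noisy, but patched and no IDS hit
        if src in missing:
            level = "unpatched-scanner"     # fan-out from a host missing the patch
        if src in missing and src in alerted:
            level = "infected-unpatched"    # all three sources agree
        findings[src] = {"fanout": n, "unpatched": src in missing,
                         "ids_alert": src in alerted, "level": level}
    return findings


if __name__ == "__main__":
    for host, f in sorted(correlate(FIREWALL_LOG, IDS_LOG, PATCH_INVENTORY).items()):
        print(host, f)
```

On the constructed data, 10.1.2.3 reaches six hosts on port 445 in three seconds, is missing the patch and has an IDS alert, so it is graded "infected-unpatched"; 10.1.2.7 shows the same fan-out but is patched and silent on the IDS, so it is graded "scan-only"; 10.1.2.4 never crosses the threshold. No single one of the three logs supports that distinction on its own.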

Dhavale said businesses often found themselves burdened by multiple and disparate security monitoring systems, which could be further complicated by cumbersome processes. He added: "Disparate monitoring systems used in an organization are potential threats to its IT infrastructure. Different monitoring solutions placed in an organization bring with them different open doors to malicious activity. Expertise needed to attend to each monitoring systems increases with each system that is being put in place. Each platform or each solution has to be attended independently, as they would have proprietary ways of communicating with managed devices."

With different systems in place for different units within an organization, it left multiple doors open. Such a setup would need individual security policies for each solution and thus create non-uniformity in policies, even within an organization. This was a serious concern when an organization tried to achieve compliance with various security operational best practices such as BS 7799 or regulatory compliances like SOX, etc.

Rawtani said the IT infrastructures in most organizations needed to strike a balance between implementing best-of-breed technologies and systems, and the resulting complexity of disparate systems. The key to this balance, however, was the effectiveness of system interoperability. As long as the monitoring systems were able to do what they were supposed to do better than a homogenous system, there would be a market for such monitoring systems. He added that EMC had invested over US $3 billion into ensuring system interoperability at its E-Lab near EMC's corporate headquarters in Hopkinton. "That is where we test our systems with almost every type of hardware and software to ensure interoperability in the network and storage infrastructure. This ensures that potential threats are resolved before our customers install the equipment," he said.

Sood at Sun commented that having disparate monitoring systems was not in itself an obstacle to creating a secure environment. Disparate or uniform, technology, though a key component, was, in itself, insufficient to build a secure environment. Effective information security was a function of various parameters like a well-defined and communicated organizational security policy, documented and automated processes, centralized services and repositories, and well-defined and enforced change control, etc. Lastly, it was very essential to realise and remember that without organizational discipline and commitment, security could never be effective.

Cisco's Mahapatra added that although enterprises were increasingly putting security policies in place, more discipline was needed to ensure that these policies were updated on a regular basis, based on the company's needs, the current environment and threats. "There is no one-size-fits-all security policy. Every organization needs to define its policy based on the challenges faced by the organization, the immediate and long-term focus - scalability, applicability, etc.," he noted.

As networks grew in complexity and as each industry vertical looked for vertical specific solutions, enterprises were looking at solutions that would allow them to integrate security in every aspect of their network to create an end-to-end integrated security system. Technology would enable these networks to identify threats, react appropriately based on risk level, isolate infected endpoints, and reconfigure the network resources in response to an attack.

Key drivers for security

Having examined the best practices in information as well as the threats posed by disparate monitoring systems, let us now look at what are the global drivers for security, and especially those that have made India the second fastest growing market in the Asia Pacific.

Sood said the key drivers for security were the government regulations and compliance norms. Companies also realised that financial losses were virtually certain if there were failing security standards. Moreover, businesses and organisations were very aware of the fact that security was a critical factor with respect to the overall quality. Increasingly, security failures were being viewed as akin to defects in a product or processes, and businesses were considering not only the costs associated with remediation of the effects of security failures, but also effects on customer satisfaction, trust and loyalty.

He added: "Businesses are fast growing aware of the fact that in addition to providing a degree of insurance against some future unwanted event, information security can also be an enabler that allows you to extend business opportunities, reach new markets and integrate more effectively with suppliers and consumers. This is proving to be one of the biggest drivers for security both globally and in India."

Dhavale said that as corporates became more open to new IT initiatives, identity and access management markets [security solutions that address internal threats] were likely to grow. This would be supplemented by improvement in technologies and customer awareness. The threat management domain would see technology convergence and an appliance-based approach. India would see new growth in security investment, and security-related spending would claim a good percentage of IT spending.

He added: "CA foresees more medium and large organizations adopting a holistic approach for security management. Having said that, security software policies are not factored in as a part of the IT policy in numerous organizations in India. Hence, every decision on investments in security software is prolonged and has a number of operational hurdles to surmount before getting cleared. This challenge would continue for some more time. However, with regulations such as SOX, HIPAA, Basel II, etc., coming in, security would cease to be an afterthought." Cyrca's Vijayrajan noted that business protection and compliance with regulatory requirements were the key drivers of security globally. Although the issues were similar in India, compliance had not yet been mandated as much as in North America and Europe.

Venkatesh agreed that the key drivers for security globally were compliance with standards, technology upgradation and the risk of loss of credibility/reputation. The drivers were identical in India, with the addition of customers (especially of IT/ITeS and BFSI companies) requiring better data protection. Peer pressure also played an important role as a key driver in India. He said: "Today, with lot of outsourcing contracts, the IT/ITeS companies have to prove to their customers that they can do secure business. This includes sharing network diagrams for outsourced networks, security technologies being used, and security processes, including incident handling, and response and reporting formats."

Mahapatra noted that two key trends were visible in the security market last year. One was the gradual acceptance by most enterprises that security was now mainstreaming, besides adopting a more pro-active approach toward embracing security measures. The other trend was 'integrated focus'. Many enterprises tended to go for an integrated security appliance that combined a host of functions like anti-virus, firewall, VPN, content filtering, IDS/IPS, etc., besides providing network monitoring tools. This started the trend of networking equipment vendors bundling security functions into their products. During 2003-04, corporates moved toward maintaining a centralized solution in a single console where updates were easier to be done. With a wide array of security point-solutions being deployed, the need was felt for a security command center that would enable enterprises to integrate security operations under a common point of control.

Rawtani added that many factors affected the global enterprise, and increased the demands and challenges within IT security. These were the explosive growth in the number of online users, the amount of distributed processing power and the dramatic improvements in available bandwidth that shaped the global online environment. New external mandates, such as regulatory compliance initiatives, combined with internal risk management directives and increased demand for wireless networking, remote access, business continuity and disaster recovery, were requiring enterprises to significantly improve their security postures. These business drivers raised security visibility to senior management - and in the process created new demands for accountability. Such a climate on one hand was conducive to business opportunity and great growth. On the other hand, it could also open up new levels of risk and threats, if not managed properly. "Many executives are wondering how to protect the enterprise as it grows online," he said.

The consequences of a security failure hit hard. IT security breaches can cost the enterprise in a number of ways:

  • Measurable economic losses due to theft of data assets or computing resource.
  • "Softer" losses to reputation, responsiveness, and image should a company's site be compromised.
  • Throughput losses (in the demanding world of ebusiness, security breaches, especially those that create a denial-of-service situation or delete data, can render a corporation closed for business).

For these reasons above, IT security spending had increased, along with growth in Internet-based business initiatives. IDC estimated that global spending on IT security software, hardware, and services would grow over 20 percent annually from 2001 to 2004, reaching over US $35 billion by 2004.

More BPOs going for regulatory compliance
Given that the drivers for information security are identical globally, and in India, it is important to examine whether the Indian firms, especially the BPOs, were sufficiently complying with what is legally mandated. CA's Dhavale said that Indian firms, especially the BPO/ITeS were beginning to mature. A consolidation phase was ongoing in the industry and the focus was currently on the way the customer information was treated and their internal processes were managed. "More and more companies are going for regulatory compliance, starting with information security as a first step to achieve regulatory compliance with the international standards," he added.

In a bid to achieve regulatory compliance with international standards for processes, a majority of the BPO/ITeS companies identified BS 7799 as their first step to information security. The bigger firms had already achieved compliance and smaller ones were following suit. Since many regulatory compliances were either a pre-requisite or an advantage in getting clients, it had become a necessity. Moreover, since the more grown and mature sectors had faced teething problems during their growth, they understood the benefits of having standard policies and procedures in place, and were more than willing to put a secure infrastructure in place, along with the policies and procedures needed to sustain that security and standard.

Sood said that ITeS/BPOs, though a relatively nascent industry in the Indian industrial landscape, assigned a lot of importance to information security. The organization's reputation was of utmost importance and security breaches could be fatal. Therefore, most Indian ITeS/BPO firms tended to follow a policy of zero tolerance. Indian BPOs were realizing the importance of designing and implementing information security policies and procedures to protect the privacy of customer-related information. To meet these requirements, specific laws and frameworks, such as the Indian IT Act 2000, the UK Data Protection Act, European Union data protection rules, Safe Harbour, etc., were being followed.

Cisco's Mahapatra noted that although enterprises/BPOs were increasingly putting security policies in place, more discipline was needed to ensure that these were updated regularly, based on the company's needs, current environment and threats. Cyrca's Vijayrajan pointed out that BPOs had SLAs as part of their business contracts, which they complied with and which were legally mandated. "BPOs are bound by the SLAs and hence, use various point solutions to meet the requirements of the contracts. BPO companies need to look at the security more holistically," he added.

Venkatesh agreed that most companies had gone for the BS 7799 certification or were in the process of getting it. Companies had now started discussing compliance with the DPA (the UK Data Protection Act) and the Sarbanes-Oxley Act as well. US and European companies were working closely on Safe Harbour policies. India could also consider Safe Harbour policies as a faster alternative to the DPA. Companies were also becoming increasingly aware of HIPAA and California Senate Bill 1386.

EMC's Rawtani noted that information security and data protection were the biggest challenges faced by the BPOs. Much of the backlash against outsourcing in the western countries revolved around security. Therefore, information security was a totally different game in the BPO industry. BPOs were holding wealth on behalf of their clients abroad, and if a BPO company was not able to demonstrate to its clients that it was taking adequate precautions to protect their data, then it was not feasible for it to do business. The growing area of concern in information security was legal liability and the emergence of new laws governing information security practices. Be it the Data Protection Act or the Sarbanes-Oxley ruling, adherence to laws and global best practices (which at times have contradictory demands) was proving to be a major challenge.

Ensuring data security, data protection and confidentiality was a must. The good news was that most BPO outfits had adopted robust security practices in terms of policies, procedures and technologies, to provide adequate security to clients. He added: "Walk into any BPO delivery center in India, and you'll find fancy access control systems for physical security, segregated LANs, firewalls and intrusion detection systems for network security. These stringent security systems are being beefed up. Indian BPOs have certifications such as BS 7799 and SAS 70, and undergo third-party audits at fairly regular intervals."

However, simply having a certification was not enough, as security was an ongoing process. "We have to make sure that there is significant awareness about confidentiality. The easiest part of these certifications is the technology. The difficult part is everyday awareness, to make sure people are conscious, and it has to be part of the organizational culture," he said. According to NASSCOM, companies are currently spending only 3-5 percent of revenue on security, but this was increasing at a whopping 35-40 percent per year. This included physical security, employee security, and information security. The Indian BPO industry is likely to spend around Rs. 9 billion (US $200 million) on various data protection measures in the current fiscal.

Rise in security spending imminent in India

Taking the cue from EMC, let us further examine whether security spending in India is heading northward. Cyrca's Vijayrajan agreed that globally, there had been a definite movement toward higher spending on security. Sood noted a definite rise in security spending over the last few years. The recently released Information Systems Security Survey, a report by CII-PwC, that surveyed about 600 organizations, found security was a high priority area among corporates.

Mahapatra pointed to the Frost & Sullivan's report, and added that the CII-PwC survey, conducted during 2003, found that 41 percent of Indian enterprises had a comprehensive security policy in place. This was a sharp increase compared to only 17 percent from the survey in 2002. Similarly, about 74 percent of Indian enterprises increased their security budgets, as compared to 46 percent during 2002. These figures were important as they pointed toward two broad trends that emerged during 2003-04 - one, security was now mainstream, and two, need for adopting a pro-active approach.

Venkatesh said that though there had been an increase in security spending in some specific sectors, it was due to customer requirements/pressures, especially, in the IT/ITeS segment. Many BFSIs had also invested in security technologies. However, security management needed to be process-oriented and responsive with enough domain knowledge and product expertise. Unless the administrators were well versed with latest security trends and technologies, security spending would continue to remain lackluster. Definitely, the security spending should be more strategic in terms of really protecting the organizations, rather than for mere compliance.

Dhavale added that the Indian security software market received heightened attention during 2002 as companies realized the importance of having established security systems. India's market size for security software in 2002 was estimated at US $13 million and was likely to increase at a CAGR of 27 percent, reaching US $43 million by 2007. He added: "The growth of ebusiness opens the door to millions of end users, exposing Web sites, valuable corporate information, mission-critical business applications and consumers' private information to more risks. This calls for adequate security within all levels of the enterprise. The value of digital assets dictates security policies. Precisely for this reason we see a surge in security spending."

Security management became important as more systems were introduced. It was currently driven primarily by the desire to do more with the same resources: manage more systems; create, manage and delete more users; review audit logs to check for unusual activity; and so on. Mergers, acquisitions and IT budget cuts all created the need for better security management. Multiple user credentials had to be managed as well. Administrators needed to ensure that a common policy existed and that it was enforced by automated processes.

Rawtani indicated that the Indian security market would grow to about Rs. 480 crore by 2008. However, India's spending on security, as part of the IT budget, was 1 percent. He said: "This growth is primarily triggered by the banking and financial services vertical. Other verticals like business services, healthcare, power and energy, media and entertainment, nonprofit organizations, ecommerce, manufacturing, high-tech industries, and telcos, are also increasing their security investments." Legal compliance played a crucial role in the framing of security policies by India Inc. Both private enterprises and the government had been pro-active in taking appropriate steps to tackle security concerns.

Intersection of storage, security emerging
The intersection of storage and security has been emerging in recent times. This is not a surprise, as storage and security go hand in hand. A recent example of such an intersection is that of Veritas, a storage company, acquiring Symantec, a security solutions company.

Cyrca's Vijayrajan said: "We are witnessing a movement toward the intersection of storage and security. In spite of substantial investments in security (perimeter) and technological advancements, we continue to see successful attacks on digital assets growing at an alarming rate. All these attacks are targeted at sensitive data, and those are from both external and internal sources. The solution is to protect the core - the data at rest. This leads us to look at the storage (where the data is stored) more closely."

Sun's Sood added that earlier, security as related to storage was a somewhat neglected area. However, more and more storage was connected over networks today. With the emergence of SANs, wherein storage controllers were attached to numerous servers through switches, access control was mandatory to restrict one server from trampling on another server's data. Access control was particularly critical when Windows and Unix shared the same storage controller. Traditionally, access control had been accomplished by LUN (logical unit number) masking and zoning. Besides, new-age compliance norms such as Sarbanes-Oxley placed a special emphasis on storage and security of information, and were further driving the trend of integration between storage and security.

ISS's Venkatesh felt we were not seeing an intersection of storage and security at this point in time. Storage systems needed to be adequately protected using security technologies. "Looking into the future, storage and security together would play more important roles in application deployment and management. The prime drivers are application deployment (like CRM, ERP), consolidation and management," he added.

CA's Dhavale noted that with devices becoming increasingly more reliable in protecting against device and component failures, valuable data was now getting exposed to even higher risks as a result of destructive worms, viruses and spam, as the wave of global hackers and terrorists gained momentum. Recovery from an intrusion was difficult and the impact of an intrusion was destructive, as permanent data loss frequently resulted, unless special procedures were implemented. He said storage security was becoming essential for the survival of most businesses.

Dhavale cited some revealing statistics: It is estimated that 70 percent of all companies go out of business after a major data loss; about 20 percent of all businesses experience a major disaster every five years; and approximately 35 percent of disaster recovery plans work when tested. The looming threat to delivering high data availability was now the 'intrusion factor,' and storage security had become the newest storage-management discipline. These threats could be either internal or external in origin.

"Today, data storage does not mean storing information and retrieving it when needed. Storage of critical information is of no use if the storage device is accessed by all and sundry. In today's world, when we talk about storage, it is not only about storing the information, but storing it securely. Even when information is passed from the source to storage networks, the information can be hijacked and this is a serious concern.

Information storage joins hands with security right from the point when the information transfer starts - from the source to storage network - and carries on till the information is retrieved. High availability of information makes no sense if the information is not stored and retrieved securely. Hence, storage and security go hand in hand," he said.

EMC's Rawtani said networked storage helped enterprises speed access to data and reduced administrative overhead, but could leave critical data vulnerable. Without the physical separation provided by traditional direct-attached storage (DAS), data assets co-mingled in both NAS and SAN environments, putting them at much greater risk of unauthorized access, theft or misuse. Technologies like firewalls and intrusion-prevention systems sought to secure enterprise assets by protecting the network perimeter. However, these approaches left data at the storage core dangerously open to both internal and external attacks.

Data managed in the SAN was highly sensitive and had to be controlled to properly ensure confidentiality, integrity, and availability. This was no different from other IT infrastructures. "You can simply augment your current corporate security policy to include SAN-specific security items. It is important to take pro-active steps in securing your SAN to prevent misuse or abuse," he said. According to him, a comprehensive security policy should include two elements. The first is zoning, which allows users to automatically or dynamically arrange fabric-connected devices into logical groups (zones) across the physical configuration of the fabric; these zones can include selected storage, servers, and workstations within a fabric. The second is a secure fabric operating system, a complementary feature to zoning: these run on the SAN infrastructure and offer policy-based security, and their policies allow users to customize security to their own needs.
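The two SAN controls named in the last few paragraphs, fabric zoning and LUN masking, layer on each other: zoning decides which ports can see each other at all, and masking decides which of the visible hosts may address a given LUN. The following toy model is an added example, not code from the article or from any storage vendor; all host names, WWPNs and LUN numbers are constructed, and the `mixed_os_luns` audit is an assumption about what an administrator would want to check when Windows and Unix hosts share one controller.

```python
# Added example (not from the article or any vendor): a toy model of the two
# SAN access controls discussed above, fabric zoning and LUN masking, showing
# why both are needed when Windows and Unix hosts share one storage controller.
# All names, WWPNs and LUN numbers are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    wwpn: str      # World Wide Port Name of the host's HBA (constructed)
    os: str        # "windows" or "unix"


@dataclass
class Fabric:
    """Switch zoning: a port may only talk to ports that share a zone with it."""
    zones: Dict[str, Set[str]] = field(default_factory=dict)

    def same_zone(self, a: str, b: str) -> bool:
        return any(a in members and b in members for members in self.zones.values())


@dataclass
class Controller:
    """Storage controller: LUN masking lists which host WWPNs may see each LUN."""
    wwpn: str
    lun_masks: Dict[int, Set[str]] = field(default_factory=dict)

    def can_access(self, fabric: Fabric, host: Host, lun: int) -> Tuple[bool, str]:
        # First hurdle: zoning. If the fabric does not connect the two ports,
        # the host never sees the controller at all.
        if not fabric.same_zone(host.wwpn, self.wwpn):
            return False, "denied by zoning"
        # Second hurdle: masking enforced by the controller itself.
        allowed = self.lun_masks.get(lun)
        if allowed is None:
            return False, "no such LUN"
        if host.wwpn not in allowed:
            return False, "denied by LUN masking"
        return True, "allowed"

    def mixed_os_luns(self, hosts: Dict[str, Host]) -> List[Tuple[int, List[str]]]:
        """Audit (assumed check): LUNs presented to hosts of more than one OS.
        A host of one OS that can see another OS's disk may write its own
        signature or label onto it, which is the 'trampling' the text warns of."""
        flagged = []
        for lun, members in sorted(self.lun_masks.items()):
            oses = {hosts[w].os for w in members if w in hosts}
            if len(oses) > 1:
                flagged.append((lun, sorted(oses)))
        return flagged


# Constructed inventory: two production hosts and one lab box on the fabric.
WIN = Host("win-app1", "10:00:00:00:c9:aa:aa:01", "windows")
UNX = Host("unix-db1", "10:00:00:00:c9:bb:bb:02", "unix")
LAB = Host("lab-box", "10:00:00:00:c9:cc:cc:03", "unix")   # never zoned to storage
HOSTS = {h.wwpn: h for h in (WIN, UNX, LAB)}

CTRL = Controller(
    wwpn="50:06:01:60:12:34:56:78",
    lun_masks={
        0: {WIN.wwpn},              # Windows application disk
        1: {UNX.wwpn},              # Unix database disk
        2: {WIN.wwpn, UNX.wwpn},    # shared LUN: the audit will flag this
    },
)

FABRIC = Fabric(zones={
    "z_win_storage": {WIN.wwpn, CTRL.wwpn},
    "z_unix_storage": {UNX.wwpn, CTRL.wwpn},
    # LAB is cabled into the fabric but deliberately left out of any storage zone
})


def access_matrix() -> Dict[Tuple[str, int], Tuple[bool, str]]:
    """Every (host name, LUN) decision the two controls produce together."""
    return {
        (h.name, lun): CTRL.can_access(FABRIC, h, lun)
        for h in (WIN, UNX, LAB)
        for lun in (0, 1, 2)
    }


if __name__ == "__main__":
    for key, (ok, why) in access_matrix().items():
        print(key, "->", why)
    print("mixed-OS LUNs:", CTRL.mixed_os_luns(HOSTS))
```

Running it shows the lab box blocked by zoning before masking is ever consulted, each production host confined to its own LUN by masking, and LUN 2 flagged because it is presented to both a Windows and a Unix host.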

Cisco's Mahapatra said that as the role of networks evolved, organizations faced the challenge of scaling their infrastructure, the need to integrate new technology, and the escalating costs of systems integration. Hence the need for sophisticated systems and tools that delivered greater capability with less complexity, and hence the integration of applications and features.

Adding key capabilities, or intelligence, to the network, enabled applications and services to operate more effectively. Intelligent networking increased the capability and adaptability of the infrastructure. If the network was aware of the goals and objectives of the applications and services, it could make much more informed decisions regarding the handling and processing of those applications. This intelligence laid a strong foundation on which to implement business process re-engineering and optimization in order to become more agile and responsive. This was the foundation of Cisco's networking vision - an Intelligent Information Network.

Tackling other issues in information security
Having discussed these issues threadbare, what other issues associated with information security need to be addressed as well? Rawtani indicated four points: lack of importance attached to security by top management, such as CEOs; lack of security awareness among users; employee misconduct involving information systems; and the fact that less than half of the respondents provided their employees with ongoing training in security and controls. Venkatesh added that information security in many companies was looked at from a technology perspective only. It has to be looked at from the business perspective as well, and this would help drive investments in security technology, leading to better protection. Vijayrajan said the other issues that needed to be looked at by companies were measuring risk and RoI, and incident response. Companies also needed to ask tough questions of themselves, such as: How secure am I? Am I better than in the past? How do I compare with my peers? And, am I spending the right amount? "One cannot assure 100 percent security, so one needs to be prepared to take action when a breach occurs," he added.

Sood added that for any information security measures to be successful, organizations must have a clear understanding of what to expect from their enterprise's information security program. Embracing security as a full part of the business planning process would put an end to its being perceived as a major implementation barrier, and it would start to be seen as a business enabler. He said: "Organizations must be prepared to realize the benefits of the new business environment and must be aware of, and consider, the best ways to offer flexibility to customers and trading partners, yet ensure security of critical information and systems for all its users. In this day, the costs of having too little or too much security can seriously damage a business. The last thing any organization wants is to be held back in its vision because of security concerns."

Dhavale noted that today's security considerations were different. They included protecting against attacks coming from the Internet and the intranet, enabling trust and privacy protection for etransactions, controlling access to systems, and performing security management. Indian organizations were slowly absorbing this realization, helped in large part by the vicious attacks that have taken place in the recent past. "To illustrate this point, most of the recent virus attacks have wreaked a great deal of damage running to millions of dollars. The productivity loss is in addition to this. Effective data retrieval results from an established security procedure involving well-defined policy, backed up with proper product deployment. Organizations with this structure in place have recovered faster. This has resulted in enterprises realizing the need to have their digital assets protected," he said.

Security information overload can be just as dangerous as not having enough security information. The problem today was that there were too many point solutions capturing too much irrelevant data (events) within the network. This created a huge amount of noise and made it impossible for a network administrator to determine which event was the real threat. That was a dangerous situation to be in, and organizations that had implemented most of today's conventional security toolkits were sitting on that danger. CA was pioneering a different approach by launching the eTrust Security Command Center (eSCC). By intelligently prioritizing security events based on their potential impact on business operations, eSCC made it possible for organizations to pinpoint and respond to critical security incidents in real time.
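The paragraph above describes the goal, ranking events by potential business impact rather than by the raw severity each point product reports, without saying how. The following is an added example of one way to do that, written for this page; it is not code from CA's eSCC or from the article, and the asset inventory, alert format, tool names and scoring weights are all constructed assumptions. It folds repeated identical alerts, discards alerts that cannot apply to the targeted platform, and then scores what remains by asset criticality.

```python
# Added example (not from the article or from CA's eSCC): a small impact-based
# prioritizer of the kind the paragraph describes. It folds repeated alerts,
# drops alerts that cannot apply to the target asset, and ranks the remainder
# by business impact rather than by raw tool severity. Every asset, tool name,
# alert and weight below is constructed for the example.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory: criticality 1..5, platform and exposure.
ASSETS: Dict[str, dict] = {
    "db-core":   {"criticality": 5, "platform": "unix",    "internet_facing": False},
    "web-front": {"criticality": 3, "platform": "windows", "internet_facing": True},
    "lab-pc":    {"criticality": 1, "platform": "windows", "internet_facing": False},
}


@dataclass(frozen=True)
class Alert:
    tool: str        # which point product raised it
    asset: str       # target host name
    signature: str   # what the tool believes it saw
    severity: int    # 1..5 as reported by the tool
    platform: str    # platform the signature applies to, or "any"


def relevant(alert: Alert) -> bool:
    """An alert for a platform the target does not run is noise, not a threat;
    so is an alert for an asset we do not even have in the inventory."""
    target = ASSETS.get(alert.asset)
    if target is None:
        return False
    return alert.platform in ("any", target["platform"])


def impact(alert: Alert, count: int) -> int:
    """Assumed scoring: tool severity weighted by asset criticality, with a
    bump for internet-facing assets and for alerts that keep repeating."""
    target = ASSETS[alert.asset]
    score = alert.severity * target["criticality"]
    if target["internet_facing"]:
        score += 2
    if count > 1:
        score += 1
    return score


def prioritize(alerts: List[Alert]) -> List[Tuple[int, str, str, int]]:
    """Return (impact, asset, signature, count) rows, highest impact first."""
    folded = Counter(a for a in alerts if relevant(a))   # identical alerts collapse
    ranked = [(impact(a, n), a.asset, a.signature, n) for a, n in folded.items()]
    return sorted(ranked, reverse=True)


# Constructed sample feed from three point products during one interval.
IIS_HIT = Alert("ids", "web-front", "IIS buffer overflow attempt", 4, "windows")
SAMPLE_ALERTS: List[Alert] = [
    IIS_HIT, IIS_HIT, IIS_HIT,                                         # repeats fold to one row
    Alert("ids", "db-core", "IIS buffer overflow attempt", 4, "windows"),  # Unix box: noise
    Alert("av", "lab-pc", "worm signature detected", 4, "windows"),
    Alert("ids", "db-core", "repeated SQL login failures", 2, "any"),
    Alert("ids", "web-front", "port scan", 1, "any"),
    Alert("av", "printer-7", "worm signature detected", 5, "any"),         # unknown asset
]


if __name__ == "__main__":
    for score, asset, signature, count in prioritize(SAMPLE_ALERTS):
        print(f"{score:3d}  {asset:10s} x{count}  {signature}")
```

Note that the tool-reported severity alone would have ranked the worm alert on the unknown printer and on the lab PC at the top; weighting by asset criticality puts the low-severity login failures on the core database ahead of both, which is the kind of reordering the paragraph is describing.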

Mahapatra said that the biggest challenge players like Cisco faced was educating the industry on the need and relevance of an integrated approach to security, such that it became an inherent component of the network, as illustrated by Cisco's 'Self-Defending' security strategy. The advantages a comprehensive, end-to-end security solution could offer over point solutions lay not only in cost effectiveness but in ease of manageability, scalability, and so on. Such a solution integrated functions like IDS, VPN, anti-virus and authentication into one single device, which was far more efficient and cost effective.

Addressing NG-OSS security threats
The new-generation operations support system (NG-OSS) development program to support NGNs is by far the most complex and sophisticated suite of software components being promoted by the telecom industry under the aegis of the Tele Management Forum (TMF). NG-OSS is likely to enable a range of services for every user of the ICT infrastructure, with the Internet as the principal vehicle. However, the exposure of the NG-OSS to the Internet could bring unprecedented security threats and vulnerabilities.

Dhavale at Computer Associates said: "The NG-OSS is a multi-faceted program designed to produce an implementable OSS/BSS framework. The major elements of NG-OSS are: business process model; systems framework; platform architecture; shared data model; and compliance program. NG-OSS elements map to one another to form an end-to-end framework for the OSS. As far as security threats and vulnerabilities related to the NG-OSS are concerned, the three key components of security management - identity and access management, threat management and security information management - would help achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risk and ensure continuous business operations."

Sun Microsystems' Sood added that the exposure of NG-OSS to the Internet would bring in security threats and vulnerabilities, which needed to be addressed as a part of design and implementation of the NG-OSS program. However, information security was a systemic quality and should form a part of all technology, architecture and solution considerations. Viewed this way, newer technologies need not necessarily expose businesses to threats.

ISS's Venkatesh said that implementing an NG-OSS system would require the setup and operation of one or more security mechanisms and policies in order to run it securely. NG-OSS should use the security provisions defined by the ISO 17799 Information Security Management standard, which provided a framework to manage and operate an NG-OSS system so as to meet the security objectives of an operating company. The Common Criteria could also be used as an additional security reference framework.

Cisco's Mahapatra opined that a major challenge in today's broadband networking and communications industry was to build operational and business systems that supported the increasing speed, quality, and differentiation customers demanded of IP-based services. To address this issue, the industry had come together under the TeleManagement Forum (TM Forum) and developed a new solution that allowed service providers to pro-actively manage IP VPN services over shared infrastructures.

He said: "This has allowed service providers to bring predictability, flexibility, and automation to the management of their VPN services. Besides increasing operational efficiencies and quality of service (QoS), it simultaneously provided an architecture that enabled overall cost reduction in network management operations and addressed issues of security and scalability."

Sunil Mehta, Vice President, NASSCOM


Kapil Sood, Director, Telecom, Sun Microsystems



Arun Rawtani, Country Technology Solution Group Manager, EMC India


Jagdish Mahapatra, Business Development Manager, Cisco Systems, India and SAARC


S. Venkatesh, Country Manager, Internet Security Systems (ISS) India and Sri Lanka


Rajendra Dhavale, Director, Consulting, Computer Associates


A. Vijayarajan, MD, Cyrca India