Special Feature

January 25, 2006
Network security needs standards, training and best practices

Ujjwal K Dey

NEW DELHI -- Information has always been important to us. In warfare, who ever gets crucial information first has the highest probability to win the war. This holds true in the field of information technology as well. But it is only in the past year that the issue of protecting information stored in data centers, on storage networks, or other means of long-term archival information has come to the forefront. As companies seek ways to enhance their disaster recovery plans, while maintaining efficient access to applications, protecting the information stored to run these applications becomes critical. In addition, healthcare providers, telecom companies and banks have realised that to be globally competitive, they must look at how to protect stored records in a robust manner.

When a security breach occurs, the damage is both direct and indirect - in the case of a bank; it is not only the money but also the credibility of the brand and the customer confidence that is at stake. A BPO may lose a client on account of a security breach. In any organisation, security breaches can happen from all sides - inside and outside - often rendering the hardware used inadequate for network security. Therefore, a software-based security solution becomes necessary.

The growing number of data scams in the Indian ITES industry has shaken the stability of the sector, and has become a matter of concern to business providers. As these issues surface, organisations in India are realising the threat, which could kill the golden outsourcing goose. Though these incidences have been alarming, they have resulted in a greater awareness towards the adoption of better security solutions by the industry. This is the first step to a secure India.

During mergers and acquisitions, the systems used by the two companies may not always be compatible with each other. With ever-increasing importance now on information security, identity management (IdM) is all set to witness implementation across industries and sizes, helping them run more secure and in an optimised way. IDC predicts the Indian identity and access management (IAM) market to grow at 29.2 percent CAGR to about US $23.8 million by 2009.

Shaping trends in information security

Commenting on the trends in information security, Binod Singh, founder and chief executive officer of ILANTUS Technologies, suggested selecting short and long-term forces, to shape the trends to secure information and primarily drive it. The short-term force includes the need for Web services infrastructure, heterogeneous environment and technologies, need for secure transactions, federated identity standards, regulatory compliance and defining the space. The long-term includes, enterprise IT focus on RoI, cost and complexity.

Sugata Sanyal, senior director, content and managed security, SonicWALL pointed out the recent trends in information security such as VoIP, content security and wireless access. And on the technology front he pointed out SSL VPN. It is a new approach to connecting any user from anywhere to any resource reliably, conveniently and with the granular levels of security that exists today. Until recently, however, SSL VPN solutions have been designed for large enterprises with a feature set and price that exceeded small business (SMB) needs and means. This situation is changing with new SSL VPN product offerings specifically designed to meet the needs of SMBs at prices that are not budget busters.

Ajay Kumar, country manager, Aventail India said remote access and IdM are some of their latest product offerings. Hari Venkatacharya, president and chief executive officer at Cyrca, feels that more and more companies are looking at security as part of a holistic environment within the organisation, as opposed to simply deploying point solutions. He said, “Today, there are issues surrounding the security of stored records, e-mail and mobile devices such as USB memory sticks, laptops and cell phones that must be addressed. In addition, as VoIP technology becomes more widely used, security concerns will also have to be addressed.”

Ramesh S. Krishnan, director, India Operations, VeriSign, Inc. said, “The worldwide market for information security services is expected to surpass US $14 billion in 2005. Current information security solutions in the market are based on a reactive and response approach. The communications services providers (CSP) and enterprises will enhance their current environment with more proactive and intelligent security solutions. The future calls for the use of advanced algorithms for data mining and modeling based on behaviors as opposed to signatures that are currently in vogue.”

He also added that strong authentication is getting faster acceptance worldwide and will see tremendous surge in deployment. Federated identity management is fast gaining recognition as a good compliment to have along with a strong authentication solution. This will be particularly useful in verifying individual identity through a federated system that limits identity theft, making it extremely difficult for anyone other than the issuing authority to replicate or abuse identity (Passports are a good example of federated identity).

Finding opportunities and facing challenges

Singh feels that the opportunities and the challenges ahead in the field of information security essentially encompasses preventing unauthorised persons from accessing/modifying privileged data; and protection from virus attacks that can delete/corrupt data.

Sanyal on opportunities and challenges commented that most people are aware of the need to secure the perimeter of the network, so the focus is shifting towards securing the internal LAN from problems associated not only with digital threats but also productivity, employee work habits, and department-to-department security. Then there’s the issue of protecting the data that you back up. 

“The usage of IT in business is only growing and the non-business usage of IT is also on the rise. As this IT dependent population grows, threats will also grow and security will accordingly evolve. The challenge is speed of response and is sometimes reactive and some times proactive to perceived threats. The speed of response to threats is the challenge,” commented Kumar.

Commenting on the training aspect, Venkatacharya pointed out, “As infrastructure and compliance regulations become more complex, the understanding of where security gaps are and how they can be addressed becomes more critical. We also believe that companies in India that provide outsourced services to global clients must have regular quarterly audits performed to ensure that their infrastructure is secure, by international standards.”

Krishnan feels, “Security is of greater importance when we add VoIP to the mix. The greatest challenge we face in India is a lack of standards when it comes to protecting privacy and confidentiality. While information and communications security was an after-thought (sometimes never-thought), it is quickly attaining the status of paramount importance. As a result, we expect to see a rise in adherence to a disciplined approach for the deployment of secure networks and environments that will focus on technology as well as behavioral factors.”

Contribution towards one cause: security

On the security issue Singh stated, “IdM forms a critical part in the information security field. He continued, “The sector has evolved tremendously in the US markets, and in India the market is on the verge of blowing to its full potential.”

Sanyal commented, “We are seen as a very innovative company in the information security field. SonicWALL is also involved with VoIP security alliance (VoIPSA) — an association involved in helping make VoIP communication risk free.”

Cyrca has a very unique perspective, and looks at the protection of records when they are stored throughout the lifecycle, ensuring that companies implement training and technology to rectify serious security and compliance issues. This inside out approach, we believe, will allow companies, especially those in the SME sector to efficiently deal with mandatory regulations regarding compliance explained Venkatacharya.

Saving critical applications

While commenting on the measures being taken to save critical applications, Sanyal said, “SonicWALL’s approach is to provide feature-rich products that provide the best possible protection and best possible value for money, in an easily used and easily managed format. This is an approach that both end users and the channel appreciate – as opposed to complex and costly solutions that need full-time management.”

Speaking on the critical applications of enterprises, Kumar feels that being a security appliance with best of breed partnership, and also a secure remote-access of all applications, Aventail’s appliance has the capability to deny access from machines that are infested with malware, worms, Trojans, viruses and machines that do not have the latest anti virus signatures.

Venkatacharya explained, “By evaluating security policies, procedures and technologies with a perspective of protecting the core of the corporation, we believe that traditional issues surrounding the protection of the perimeter become secondary. By taking this approach, we are able to ensure strict adherence to compliance regulations, while being very cost effective.”

India through a global telescope

The West has recognised the need for robust IdM and several enterprises have already started its implementation. In India, the IdM market is at a nascent stage as compared to markets in Europe and the USA, it is expected to grow from 30 to 40 percent CAGR to about US $2 billion by 2006.

Sanyal recalled, “In the recent past India has more or less caught up with international awareness levels on information security. Anyone who has an Internet connection is prone to security threats. The problems faced by Indians are similar to those faced by the rest of the world.”

Jagdish Mahapatra, business development manager, India and SAARCCisco Systems, , said, “From the point of view of adoption of security, the IT budget in India is much lower as compared to the global security budget. Indian companies are going to spend more as they try to catch up with the global standards.”

Kumar believes India has huge potential. “Market maturity today depends on the technology. For example, the market for firewalls is far more mature than it is for SSLVPN or an IdM solution. But on an average, there is still a long way to go.” Venkatacharya claims that India is rapidly progressing to become a global leader in information security. “Over the last two years, Indian companies have realised the critical nature of their infrastructure from a security perspective, and have also wanted to mitigate any risks that global clients may perceive. However, much practical training is still necessary for India to truly become a country providing secure and compliant BPO and KPO services.”

Krishnan, on the other hand, thinks that India lags behind most developed nations as well as some of the developing countries in this respect. “Awareness of the importance of information security has surged, however, the deployment is still fairly moderate and largely to plug holes versus a more all-encompassing or comprehensive approach. Growth in the adoption of info security protection over the last 12 to 15 months has been witnessed in the wake of various virus attacks, acts of terrorism and natural calamities. We still have a long way to go and need a disciplined approach; the technology is available but the mind set needs to change and embrace security as a critical factor of success rather than be relegated to a mere line-item in a budgeting exercise.”

A stitch in time saves nine

Singh feels it is advisable for each and every organisation to have an IAM solution in place to cater to their IAM requirements. An organisation having a user base of lesser than 500 also faces almost the same issues, technically and business wise, as those having a user base of more than 3000.

Normally, the business demands, costs of user management, complexity of the infrastructure and regulatory demands drive the organisations to look for these solutions. Sanyal believes that “viruses and spyware are the most prevalent threats to information today. Identity theft is also a major problem. Phishing is a typical way of stealing others identity.  Hacking is also a very pressing concern.”

“The most important step,” he continued, “is to have strictly enforced security policies. Networks and ISPs should focus on gateway protection to stop users from downloading spyware in the first place and the opportunity to load malicious spyware and malware on internal computers.”

Kumar believes that most fraud and information threats happen from inside the network by employees rather than outsiders. The best way out is to use inverted networks, wherein all users of an IT resource are treated as outsiders and subjected to stringent access control polices.

Venkatacharya agreed with Kumar, adding, “A strategy of looking at core infrastructures from a security perspective is a step in the right direction. By first protecting the data center, where most valuable information resides, rather than only looking at the perimeter, with the implementation of firewalls and IDS is becoming more in vogue, since the vast majority of security breaches actually occur from within an organisation.”

Krishnan feels that technological advancement is a blessing and a curse. “There will always be a subset of individuals committing online crime and abusing technology for personal gain at the cost of individuals, enterprises, governments and the communities at large. As a result, we have to become smarter and deploy intelligent solutions to thwart any threat that could cripple the infrastructure.”

There are number of areas where organisations can take a lead and make up for lost time. Some of these measures will warrant strong penalties on the offender. The guidelines for such initiatives should apply to every touch point in an organisation so that it is uniform across entry-level workers to the top management officers. These initiatives may include: Password admin policy, e-mail privacy and security policy, strong authentication/authorisation and federated identity management.

Possible threats in different forms and sizes

According to a survey by federal trade commission (FTC), the last year’s identity theft losses to businesses and financial institutions totaled nearly US $48 billion and consumer victims reported US $5 billion in out-of-pocket expenses. The identity theft is the biggest challenge enterprises, technology and solution providers, all over the world deal with when it comes to data security. Identity theft can reflect across the industry in different forms and sizes. The world has seen and experienced identity theft in the credit card industry, and also the BPO industry with employees stealing data. Now the misuse of identities seems to have become a common daily phenomenon, feels Singh.

Sanyal reiterated, “Viruses and spyware are the most prevalent threats today. It is estimated that more than three quarters of the computers connected to the Internet host some kind of spyware. In the worst cases, spyware can turn your computer into a zombie, or host server through illegal applications such as music downloads. Other spyware problems include keystroke loggers, which can record and relay passwords or other sensitive information. Spyware continues to be a problem because it is motivated by profit. He also added that phishing is a typical way of stealing others identity.”

Mahapatra explained that due to the vastness of the information security field, it becomes really difficult to point out the possible threats. “But first and foremost, is that the network perimeter is not defined and telehackers and mobile hackers are present everywhere. As the network ingress point is not defined, it becomes easy to target and spread a virus. The challenges to secure valuable information become more complex because the threats are becoming complex as well. It makes securing the information more competitive. As compared to past, the challenges being posed before the firewall system has also taken a drastic change and we need to do more to cope with these challenges.”

Krishnan said, “CXOs are constantly worried about their core information and IP being compromised. The biggest threat is their very existence and viability as a business/organisation if their IP is hijacked, replicated, abused, minimised, or used for criminal purposes. The number of touch points in an organisation will continue to grow as business grows. Deploying a strong security policy across the organisation so that it covers employees, partners, and customers alike will help alleviate threats.

This has to be complemented with training employees and partners to adopt strong hygiene towards protecting corporate, personal and customer information.”

Securing the unsecured

The ITES sector in India that is seeing a growth over of 40 percent every year has also been caught in frauds and data theft. With large amounts of personal data of consumers being processed by the ITES and BFSI sectors, the possibility of misuse of such data has raised concerns. Hence, today IdM stands as the most important part of security solutions addressing data security issues, said Singh.

Sanyal believes that for every security solution written by a security company, there are probably 10,000 hackers and other criminal elements trying to create computer threats either for fun or profit. Another variable element is human behaviour. So you can’t say that any security solution is completely foolproof. The best solutions are dynamically updated on a continual basis.

Mahapatra feels that there is no silver bullet that would kill all viruses, “but we can take precautions by embedding security solutions in the product. The anti-virus solution should work in tandem with the end point. The system should be self-defending and has to be automated so that the time taken to counter the problem should be less. These solutions are cost effective in nature and being equipped with the security solutions we can save valuable information and data.”

Kumar sees security evolving with time and threats. He adds that there cannot be anything that is foolproof for a long time. “Security is good only till it is breached, then people gear up and improve till another threat strikes. Security solutions, compared to the potential danger they save you from, are very cost effective.”

Venkatacharya is confident when he said, “No security solution is perfect, and usually the HR/training component is lacking. Security is only as good as the weakest link, which is an untrained person. A general rule of thumb is that security will cost about 10 percent in addition to the overall cost of the infrastructure.”

“Human factors are key to the success of a secure environment. In order for anything to be foolproof, we need to ensure the folks touching sensitive data are trustworthy and have the necessary authorisation and authentication to be around such data,” feels Krishnan.

Global standards measuring solutions

On the issue of global standards, Singh said, “The answer is relative due to the fact that standards depend on objectives of the implementation. There are certain certifications, such as federal information processing standard FIPS and ICSA, which provide benchmarks for security. There are many global standards for example the BS7799 that lays down the structure and guideline for better and secured environment. We should also opt for self-defending networks pointed out Mahapatra.

Venkatacharya commented, “What is missing is the methodology to adequately implement the appropriate controls to begin with. Once these controls have been understood and documented, the corporation can gauge their effectiveness by using one of the frameworks mentioned above. As with all standards, it is much more difficult to implement policies and procedures that are most relevant to your company, without simply looking at all policies within the framework, whether or not they are relevant in your particular instance.”

Government - an overall umbrella

Explaining the government’s role, Singh said that the IT Act, as instituted by the government of the country, should be like an overall umbrella under which necessary guidelines pertaining to IT security should be provided. This act needs to be two-fold – general for the industry at large and specific to various businesses.

Sanyal views end-user education, legal deterrents and incentives for improved digital security as some of the ways in which governments can assist. “Non-government organisations such as the VoIP Security Alliance (a body of which SonicWALL is an active board member) can also play a role in advising government bodies about potential threats and the ways in which these can be mitigated through legislation.”

Mahapatra feels that the government’s involvement is very necessary for providing a secure environment and protecting the valuable information. “I think the association and bodies such as CII and NASSCOM play a constructive role in educating their members of the threat to information security. We have been closely working with these bodies and also run the network academic across the industry to spread awareness.”

Kumar believes the government should have a broader IT law, they should be equipped to detect an IT crime and the punishments need to be harsher. This will certainly de-motivate a lot of prospective IT criminals. Venkatacharya agreed, “The government must be vigilant in not only establishing security and privacy legislation, but also in enforcing these laws. Today, it is of utmost importance for governments to appoint Privacy Commissioners, as an independent administrative position, to be able to oversee security and privacy legislation, and ensure compliance.” Krishnan is of the view that policies that foster growth without imposing requirements that cannot be monitored, measured or implemented without huge costs to the general public should be made.

The future roadmap

The growth rate of the Indian information security market vis-à-vis their global counterparts will be relative, but the adoption rate will be very high. Decisions are being made by choice in some cases, while forced on others. Organisations have to choose to keep up with the worldwide standards.

“This is a very exciting phase for the Indian information security market, driven by the fact that the world is turning out to be one market or a global market. The concept of a seamless global marketplace is turning out to be a reality. It is important to realise that factors driving the global marketplace are driving Indian businesses, and therefore the Indian information security market. Compliance standards are becoming global due to the sheer demand of the marketplace, wherein dependability has no barriers. Organisations have to ensure compliance of all aspects of their businesses like partners, suppliers, back offices, branch offices etc, impacting their outsourcing aspects and their business partners alike,” said Singh.

Sanyal feels that the information security market in Indian is still evolving and that as awareness increases, market adoption will increase. “On a macro scale, security appliances will become the key device for implementing security. The SMB market will fuel the growth of managed security service providers in a big way. A lot of security related development and support work is also likely to move here.”

“India is a potential market for many kinds of technology. Working from anywhere will be the norm. Reasons that will drive this are intense competition and the need to be more productive,” added Kumar. “Given the aggressive product development coupled with highly trained professionals in India, the market will grow exponentially over the next five years. I also believe that as Indian companies begin to acquire foreign corporations, the processes and regulations that the foreign companies must adhere to will allow Indian companies to further enhance their security and compliance infrastructure,” said Venkatacharya.

Krishnan believes in first putting information security as a core requirement in an organisation’s day-to-day operations. “There is a tremendous opportunity to enhance the environment here through the use of a disciplined approach and technologies that are available. MSS is an attractive area that could see a lot of growth as the demand for managed firewall services, IPVPN services, and intrusion protection services, increases. The perimeter of every organisation is being pushed to the edge and constantly expanding as a result. This will further drive the demand for enveloping an organisation’s ecosystem with a strong information security wrap, expressed Krishnan.”