"Over 75% of organisations globally experienced cyber attacks in 2009"
EDITOR'S NOTE
Security has remained among the most challenging and perennial concerns of IT managers for the last few years, increasingly so because of the dynamically changing computing and communication paradigms, largely initiated by the Internet and accelerated by a host of newer platforms and devices.
As long as computing was largely desktop-dependent and notebook users were few, information security concerns were limited too, until first the Internet and later the USB drives arrived to give information portability disruptively new meanings. Ever since, security has been a nightmare for IT managers. The surge in notebook adoption and the associated growth of wireless networks has added to the woes of IT managers, while the advent of smart phones has further complicated matters.
And just when IT managers were beginning to arm their enterprises with new security arsenals, the mother of all breaches—the social networking sites and their ilk—surfaced, and then grew at a colossal pace, sending all ‘security controls’ flying.
That’s right! Security controls don’t seem to work anymore in the traditional ways! The answer to the problem lies, to a large extent, in setting up a policy-based security infrastructure.
In today’s 2.0 world, how does one protect an organisation’s information assets that are potentially exposed to a cross-continent Facebook user base of 400 million?
A sound stepping stone to the answer, no doubt, will begin with a security policy that is thorough and relevant in today’s context.
But a ‘security policy’ is no new concept, and its importance has never been understated. Yet a large number of organisations still don’t have a policy in place. In fact, many of them are yet to fully grasp the seriousness and relevance of having such a policy in the first place.
Also, many organisations that do have a policy continue to be plagued by its ineffectiveness. Against this background, let’s look at some of the essential objectives that a security policy must be able to achieve.
Regulatory and legal compliance: The IT (Amendment) Act 2008, which got notified in November 2009, requires that organisations must put due mechanisms in place to ensure information security and privacy. A new entry in the Act in the form of Section 43A reads: “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.”
Effective communication of objectives: For the policy to be effective, it should unambiguously define the security objectives of the organisation and state them in a form that is easy for all employees to read and understand.
"A security policy document should clearly state the response process to be followed in case of an incident"
Moreover, a process has to be put in place to ensure that any changes in policy are not merely mailed to employees but are also read and understood by them with a fair degree of clarity.
Clear statement of responsibilities: The policy should clearly state and define the various information security roles. Roles and responsibilities could cover preparing the security policy and making necessary changes, communicating and enforcing those changes, measuring the effectiveness of the communication and the impact of any changes, the response mechanism to be employed in case of a security incident, and even the escalation procedure to be used by an employee if a security incident is not attended to within a stipulated timeframe.
Adherence to security framework: It’s always a good idea to select a generally accepted and acknowledged security framework as a benchmark that is best in sync with your organisation’s and industry’s characteristics.
ISO 27001 provides a standard security framework that has been implemented by a large body of organisations. The Data Security Council of India (DSCI), set up by Nasscom in August 2008, has formed a framework for data security and privacy, listing 16 best practices that are an extension of the ISO 27001 standard.
The DSCI framework aims to address needs of IT BPOs, service providers, banking and financial services, manufacturing, e-Governance, telecom, PSUs and e-commerce organisations, especially those dealing with overseas clients. DSCI is also said to be planning development of an implementation methodology that addresses technical and operational information needs.
Risk assessment and response mechanism: It is an important role of the security policy document to state how risk assessments are to be performed. Realistic risk assessments are key to successful information security implementations, as the right assessment also sets the basis for establishing an effective control point in the security infrastructure.
The policy document should also be able to clearly state the exceptions to be observed and the response process to be followed in case of an incident.
Taking a functional view of security
The manner in which security of information and IT resources is ensured in an organisation should ideally have a direct correlation with the functions that it (security) is expected to perform.
So it’s important to first look at the functional genres of security and what they imply for today’s enterprises. Broadly, these can be classified under the following umbrella segments:
Identity and access management: IAM systems are important from the point of view of defining a wide range of information security and privacy controls across the organisation. Typically, an IAM system comprises four key components: authentication, authorisation, user management and a central user repository, of which the last is of paramount importance.
An IAM system gives the IT manager a single view of each IT user’s complete organisational lifecycle, from identity creation, through the awarding of authorisations, to deletion of the identity when the user leaves the organisation. Controls such as user ID and password authentication are taken care of by IAM.
"Over 13 million users in 190 countries and 31,901 cities were affected by the Mariposa botnet in 2009"
IAM also allows implementation of department- and role-based access authorisation to enterprise-wide information and database resources, and can be used to implement more complex controls as well.
An increasingly important role and benefit of IAM is that it takes care of a variety of compliance requirements along the way.
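As an added illustration (not from this editorial), the four IAM components and the single lifecycle view described above are modelled in a few lines of Python: a central repository of identities, joiner/leaver user management, password authentication, and department- and role-based authorisation. The role and department tables, user names and the rule that a role permission must also fall within the user’s department scope are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
ROLE_PERMISSIONS = {"finance-analyst": {"ledger"}, "hr-officer": {"payroll"}}
DEPT_SCOPE = {"finance": {"ledger"}, "hr": {"payroll"}}   # constructed tables

@dataclass
class Identity:                 # one record in the central user repository
    uid: str
    department: str
    salt: bytes
    pw_hash: bytes              # salted PBKDF2 digest, never the password
    roles: set = field(default_factory=set)
    active: bool = True
    history: list = field(default_factory=list)  # single lifecycle view

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
class CentralRepository:
    def __init__(self):
        self.users = {}

    def create(self, uid, department, password):   # user management: joiner
        salt = os.urandom(16)
        self.users[uid] = Identity(uid, department, salt, _hash(password, salt))
        self.users[uid].history.append(("created", department))

    def grant(self, uid, role):                    # authorisation awarded
        self.users[uid].roles.add(role)
        self.users[uid].history.append(("granted", role))

    def deprovision(self, uid):                    # user management: leaver
        user = self.users[uid]
        user.active = False
        user.roles.clear()                         # no lingering entitlements
        user.history.append(("deprovisioned", None))

    def authenticate(self, uid, password):         # user ID + password control
        user = self.users.get(uid)
        if user is None or not user.active:
            return False
        return hmac.compare_digest(_hash(password, user.salt), user.pw_hash)

    def authorised(self, uid, resource):
        # Assumed rule: a held role must carry the permission AND the resource must be in department scope
        user = self.users.get(uid)
        if user is None or not user.active:
            return False
        in_scope = resource in DEPT_SCOPE.get(user.department, set())
        return in_scope and any(resource in ROLE_PERMISSIONS.get(r, ()) for r in user.roles)
```

The `history` list on each identity is the "single view" the text refers to: every joiner, grant and leaver event is recorded against the same record, so a deprovisioned user fails both authentication and authorisation while the audit trail survives.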
Secure content and threat management (STM): This segment of security includes enterprise firewall/VPN products, wired and wireless network intrusion detection and prevention products, messaging security, and web security, among other such software and appliance products.
There is a growing relevance of STM systems, attributed in large part to the unprecedented rise in Internet traffic and the phenomenal success of Web 2.0 sites, especially in areas of social networking and micro blogging.
A popular solution under the STM category is Unified Threat Management (UTM), offered as an appliance that serves multiple functions such as firewalling, intrusion prevention, antivirus and anti-spam protection at the gateway level.
Security and vulnerability management (SVM): In an enterprise context, SVM can be closely linked with the security policy for maximum effectiveness. Specifically, security incidents as per the definition of the policy document can be recorded and classified under different vulnerability heads. Further, policy-based actions can be taken to mitigate future vulnerabilities.
Over to Implementation
While a robust policy document will provide the necessary guidelines for implementation as well, the actual implementation is a different ball game. And who will know this better than IT managers who, while not averse to an occasional indulgence in 30,000ft views of IT, always have an avowed liking for operational details in the normal course of things!
A number of approaches to implementation exist and are practised, but the most methodical way of addressing security concerns in today’s dynamic environment is to view the entire gamut of security through the functional segments described above:
Implementation of IAM, STM and SVM can be carried out using either an appliance, standalone software, or a mix of both. In business environments with complex security requirements, IT managers may be better off roping in an IT integrator.
Another implementation view could take into consideration aspects such as perimeter security, endpoint security and information security. It is important to note here that, given the rising regulatory and compliance-related mandates, a forward-looking security policy will need to accord the highest importance to information security, followed by endpoint security and perimeter security.
Editorial Panel
- Jojo Jose, GM—Systems, GTN Group
- Unni Nair, Manager—IT, Aramex
- Balwant Sing, Manager—IT, Indo Asian Fusegear
- V Subramanian, CSO & DGM, IDBI Bank
Editorial coordination: Deepak Kumar