In The refrain that an organisations information or data security can only be as strong as its weakest link, the people has now percolated across the entire IT establishment. Only a while ago the idea of IT security used to be taken for granted by most management, but that has now changed. Today issues related to IT security are hotly debate in corporate boardrooms.
The change in attitude towards IT security is also a result of the instances of information leakage or data loss that have caused widespread losses in the past. Lessons learnt from such incidents have led to a redefining of the IT security policy. The evolution of the recent security policy framework prescribed by the government of India under the IT Rules, 2011, to protect personally identifiable information or PII from being compromised, is a testimony to this effect. This law came into effect from April 11, 2011. IT security landscape is undergoing a metamorphosis in its treatment and understanding. The need for regulatory compliance and the emergence of increasingly sophisticated security threats, both from inside and outside the organisation, make it imperative to have a better security regime in place.
IT Next embarked on a study to seek insights into various trends evolving in the security landscape. The aim was to discover how chief security officers of various organisations are trying to prevent cyber crime? What kind of security practices are being put into place? What new tools and technologies have been deployed as a counter measure?
Some of the insights that we have received come in the form of write-ups that security heads have themselves written to describe their experiences in handling security related matters. We also have case studies to find out how the industry verticals like banking, government, insurance, telecom and retail have evolved their security methods.
Changing Trends
The modern hacker is much more sophisticated and he has many more ways of accessing secret data. Ambarish Deshpande, Director-Sales, McAfee India sees Web 2.0 as a relatively open system in which it is easy to expose or loose data. That is why newer security technologies like web application firewalls, Intrusion prevention systems and web security technologies are important. Mobility factors have led to increased data leakage, because of which security heads have started deploying enterprise mobility management tools, says Deshpande.
According to Ajay Goel, Managing Director, India & SAARC, Symantec, consumerisation of IT has been the key driver to evolving newer security concerns, as 73% of the Indian enterprises witness growth in smart phones, connecting to the network, the primary cause of data leakage.
Mobility aspect is leading to greater security threats, as 10 billion non-PC devices connect to the Internet today and that number is expected to grow to almost 20 billion by 2014. Besides, collaboration in enterprise too is following the consumer route, as enterprises leverage social media for effective communication, informs Goel.
The three major security trends that Kartik Shahani, Country Manager, RSA India & SAARC, observes is security for cloud in a virtualised environment, data loss prevention and evolving threats that will drive advanced security measures. According to him, invisible authentication a fine tuned technology to provide users with secure, simple-to-use internet identities and adaptive authentication tools are in demand for fraud detection that monitors and authenticates customer activity based on risk levels, institutional policies and customer segmentation.
As a trend Clarence Phua, Director, Sales for ASEAN & India, Sophos, finds smartphone security to be the leading concern among IT managers. He remembers the Forrester Research finding based on a survey conducted amongst the IT managers that stated that 75% of the IT managers were concerned about the security risks emerging from mobile devices. Phua goes on to say, About 40% of the IT managers said that they allowed or supported Windows mobile, iPhone and iPads. IDC expects Android Smartphone market share to increase from 16.3% to 24.6% between 2010 and 2014.
While the threats are increasing at a geometrical progression, and are escalating the challenges of the security heads, it is critical to understand if the IT spend are keeping pace.
Security Spend
Gartner opines that the organisational security spend is spiralling, thanks to the proliferation of varied devices and methods used in investigating and neutralising threats. Matthew Cheung, Principal Research Analyst, Gartner, says that every aspect of the infrastructure, be it end-point, network, email, other applications, etc., are prone to security threats and the traditional tools are unable to meet the requirements. There is no comprehensive tool available. However, according to Cheung, the global IT security spend, which stands at $16.5 billion in 2011 is estimated to reach $26 billion by 2015. This will have a cascading effect on Indian markets. Cheung estimates the IT spending amongst the Indian organisations to be in the tune of $167 million, which is forecasted to move up to $307 million by 2015.
About 40% of this market will be enveloping security services related spend. Interestingly, Cheung admits that UTM bags a larger share with 22% in the enterprise security space. End-point solutions will stand at a 10% of the market share. The rest of the spending might get spread across various other solutions, which could be network related, application specifics tools, etc. There is increased deployment of DLP (data loss prevention) solutions by the organisations to address compliance and data privacy concerns, says Cheung.
Arun Kumar Singh, Lead Analyst, IDC, vouches that IT security is a hot market today as they are driven by three factors. The first factor is that as large enterprises adopt social media applications, and also provide mobility features, implementing cloud applications, public and hosting models, they end up having a system in place that might facilitate data leak or loss. The second factor is the increase in threats on a national level, which might result in financial and human loss. The third is related to the financial sector being bound by the compliance and regulatory mandates, informs Singh. According to Singh, market consolidation in the security space, with mergers and acquisitions between hardware and software players is redefining the security road map.
There is traction in web based tools such as content management applications, anti-spam and compliance.
IDCs Singh finds security market growing at a CAGR of 16% standing at $130 million in 2011, with software product market enjoying a 59% market share. The security appliance market is growing at a CAGR of 20%, which would account for $62 million. This is likely to cannibalise the security software market going forward, says Singh. The IT spend as per Singhs analyses is around $292 million and it is more on software solutions deployment. He finds identity and access management gaining momentum with 79% market share. SCTM (security control and threat management) which envelopes ID and access management, vulnerability tools and various other applications is gaining ground, maintains Singh. Further detailing, Singh estimates that end-point solutions are growing at 13%, network security market at 12% growth, UTM growth at over 20%, IPS at around 18% and applications security layer such as email and other web based market is growing at 39%.
Vic Mankotia, Vice President, Solution Sales, CA Technologies, explains that consumerisation of IT is leading to many customers opting for security of Identity, Access, Authentication.
Mankotia finds banking and finance to be the top spenders in security, while healthcare, telecom and power sector trail behind.
About 80% of security heads across various industry segments who participated in the IT Next security survey seem to be spending to ensure business continuity and disaster recovery. Over 60% have inclination towards spending due to internal policy, compliance and for other reasons. Kamal Sharma, Group CIO & Head-operations, Mindlance, finds that his customers might be prone to cyber threats in a big way. Sharma expects government spend on the security tools for its e-governance projects to go up, because there exists a room for data leakage. I see a good jump of 7% in spending by the pharma customers. It is estimated that BFSI stands at a 37% market share in terms of spending in security deployments, informs Sharma.
Solutions at play
Most security chiefs intend to trying new ways to address their specific security needs.
Information security management framework, which centres on information assurance, risk management and information classification, seems to be most popular amongst the CISOs. Besides, risk evaluation tools such as SIEM or other standards have been extensively used. A methodical approach is being taken to address the security concerns with appropriate tools and standards by the security heads.
Sunil Varkey, CIO, Idea Cellular, Aditya Birla Group opines that Security Information and Event Management (SIEM) tool being the core of any security incident response centre helps in identifying the right security solutions for business requirement. Large enterprises which use critical legacy systems and specialized devices, integrating logs from the required data sources to SIEM is a challenge, says Varkey. Availability of the out of box connectors to integrate the logs or the flexibility to develop required connectors is important.
PSU such as BMTC is conscious of the safety of its infrastructure and data. The organisation spends almost Rs 1 crore on the security deployments and the procurement is made by following the procedures laid down by the state government. BMTC is introducing common mobility card to ensure safety of transactions in compliance with international standards, informs Dr K N Ingalagi, Chief Manager-MIS, Bangalore Metropolitan Transport Corporation (BMTC).
According to Bhaskar Bhakthavatsalu, Regional Director-India & SAARC, Check Point, 3D security framework, which re-defines security as a three-dimensional business process combining policies, people and enforcement for stronger protection across all layers of security, is now gaining popularity.
To achieve the level of protection needed in the 21st century, security needs to grow from a collection of disparate technologies to an effective business process. With 3D Security, corporations can implement a blueprint for security that goes beyond technology to ensure the integrity of all information, informs Bhakthavatsalu. Another innovation that Bhakthavatsalu points out from a security platform standpoint is the software blade architecture, which enables organizations to easily and efficiently tailor their network security infrastructure to meet critical and targeted business security needsall while maintaining network performance service level agreements (SLAs).
Upasna Saluja, Operational Resiliency Manager-Product, Infrastructure Risk Management, Investment & Advisory, Thomson Reuters, recommends the use of biometric solutions that are the panacea to all access control problems. Since Biometrics relies on physical characteristics, they are considered to be more secure and are frequently deployed as a single-factor authentication. However, the trend is moving towards two factor authentication scheme, in which a PIN or password is provided for better security, points Saluja.
As per IT Nexts survey, over 90% of the security chiefs have deployed firewalls and anti-virus tools. Over 50% of the security officers have deployed tools for policy control and SSL (secure sockets layer) and user access control. Over 40% of the CISOs have been using User Access Control (UAC), Data encryption and Network Admission Control (NAC) solutions. The study indicates that there is a huge potential for DLP, disk encryption, GRC (governance, risk and compliance), IDS, IPS solutions, which are all on cards.
Abhilash Sonawane, VP-Product Management, Cyberoam, opines that with the emergence of border less networks, organisations are conscious about confidentiality, integrity and availability (CIA) information. Customers are inclined towards using access controls, authentication and non-repudiating tools to meet compliance standards. Not surprisingly, all the top software services companies, IT-enabled services companies, and BPO outfits are going in for security certifications like BS 7799 or ISO 17799, maintains Sonawane. He does not fail to mention RBIs recent regulatory guidelines to protect customer confidentiality and SEBIs risk management framework for mutual funds.
According to Vishak Raman, Regional Director, India and SAARC, Fortinet, customers are deploying standards such as PCI, SOX, ISO 27001, HIPAA, Advanced TCA and GLBA.
The challenge is with regard to commoditization of products, resulting in price aggression and lower value per deal, says Raman.
Bikash Barai, CEO and Co founder, iViZ Security finds increasing adoption of application penetration testing tools, which assure zero false positives, leads to better performance in business terms.
Harvinder S Rajwant, Vice President, Borderless Networks-Securty, Cisco Systems avers that the concept of a perimeter in an enterprise is blurring fast, and this has intensified the challenge of ensuring security across multiple access points.
The trend calls for the security heads to build protection with secure usage practices and policies in their risk management strategies, says Rajwant. Identity Based Networking Services (IBNS), an integrated solution comprising hardware switches, besides offering authentication, access control, and user policies to secure network connectivity and resources are being looked at and this enables enterprises to increase user productivity, reduce operating costs, increase visibility and enforce policy compliance, he informs.
Best security Practices
The CSOs/CISOs have put their best foot forward in adopting the best security management practices with effective standards in place. Various organisations that did not have a standard framework are investing into ISO standards, going all out to convince their top management. It is not just that, the CISOs are ensuring that their outsourced partner too has such standards in place. For instance, the IT Next survey indicated that over 60% of the security heads have ISO 270001 standard in place, while nearly 20% having gone for TechNet and ISA. The study revealed that a majority of the customers would go in for new standards CSI, ISF, BS2599, etc. in the near future. As per the study, over 80% of the CISOs have gone in for access management and majority have deployed intrusion management, patch management and content management solutions.
There is increasing focus in the audit and assessment tools to ensure risk free environment.
To mention, banking segment has gone in for private cloud and is trying out SaaS model around deploying security solutions. Telecom sector has gone in for setting up SoC to achieve the return on security investment, besides introducing multi-factor authentication integrated with identity management and SAP-GRC solutions.
Cloud and virtualisation are being tried out in a big way across manufacturing, FMCG, telecom, insurance sectors. Suresh Menon, CEO, SME Infotech maintains that virtualisation and SaaS model is gaining momentum in the security space. Pay as you use concept being tried out by most companies as one can focus on the core business and leave technology to the vendors. It will avoid the hassle of setting up a data center and business continuity is faster in the event of a disaster, observes Menon.
Organisations are adhering to National cyber security policy and creating national level nodal agency on cyber security under CERT. The CISOs are putting in place national cyber alert system for early warning and response. There are local incident response teams at key locations; interestingly government is creating a CISO post across the department. There is a leaning towards deploying open standards to work out an effective security framework.
For instance, Mehriar Patel, CIO of Globus has introduced a mechanism to have risk assessment done to design a new security framework and invest in user management and education for internal audience. The risk assessment checks have helped in identifying the gaps in the current security state as compared to the requirement. It then helps in designing and implementing solutions to close those gaps and ensure ongoing conformity, informs Patel.
Felix Mohan, Sr. VP & CISO, Bharti Airtel Ltd., has used cloud-based vulnerability scanning services, and is looking at such cloud-based services for securing web traffic and email against malware and attacks. We are using virtualisation, which has introduced the requirement of security solutions that specifically address hypervisor risks, and virtual machine zoning, malware protection and firewalling, which traditional security solutions either fail to address or do so only partially, admits Mohan.
As a best security practice, Amit Nath, country manager, Trend Micro recommends that the organisations ensure to keep their security policies updated with regular reviews with quarterly performance objectives. Regular scan for rogue or unknown access points or use of network management systems are critical, with change default management passwords and secure set identifier (SSIDs) on access points.
Add new comment