Mastering Security Practices

Leakage of information and data and evolution of new threats is the order of the day across the globe and every IT manager is challenged to safeguard critical information. As threats become more sophisticated, the challenges around information security are also getting tougher to tackle.

Vendors like Check Point observe that organisations of all sizes are being forced to re-evaluate their risk management strategies in the light of emerging technology trends and prescriptive compliance requirements. Besides, certain regulatory mandates are also driving security deployments across companies. IT Next survey of senior IT managers tried to understand the security challenges that are fuelling security deployments and best practices being adopted by managers to address emerging threats.

The survey indicated that over 66 per cent of IT managers felt security deployments to be important to business reputation. Over 60 per cent of the respondents found security deployment being critical to ensure business continuity or disaster recovery, maintain internal policy compliance as part of the corporate norms, and over 45 per cent of them felt the need to have good security solutions due to customer demand.

Why Threatened?
The key concerns for IT heads as Michael Sentonas, Vice President and Chief Technology Officer, Asia Pacific, McAfee observes, The sophisticated nature of virus attacks on the intellectual property (IP) of the customers is putting IT heads under serious pressure to bring in sophisticated tools to prevent them.

Sentonas opines that vertical-specific security challenges and threats combined with mobility, new technologies such as cloud, social media, imaging solutions, etc, are adding to the challenges.

According to Sunil Sharma, VP, Cyberoam, rising costs are a challenge for any IT manager who has to deal with multiple network security solutions, one on top of the other.

The basic rule is to understand what threats are out there and what they need to do to protect themselves from them, says Amit Nath, Country Manager, India & SAARC, Trend Micro and adds, As business volume increases, IT heads are unable to completely understand the large number of complex information being collated.

It is beyond doubt that new threats are emerging and hackers are evolving. But IT managers have to deal with bigger issues than these. It could be product related, technology related, trend related and basic solutions specific too, to understand which of them would address their concerns.

While new viruses and security threats are invading the customer places, the key concern that Parag Deodhar, Chief Risk Officer and VP of Program Management and Process Excellence, Bharti AXA General Insurance Co Ltd, says, While many products claim to meet all requirements, it is difficult to find a perfect fit for your environment and business requirements. If by chance one fits, it is generally way over the budget.

Bhavanishankar Ramarao, Senior Group Manager, CISO-IS, iGatePatni Systems, admits, While the business wants us to enable security for various devices like smartphones, laptops, tablets etc, the reality is that security is still in the nascent stage for these technologies.

Bipin Kumar Amin, Principal Consultant, Borderless Networks-Security, Cisco, believes that there are three major trends sweeping through the enterprises which are transforming business and forcing a fundamental shift in how security is developed and deployed, which include rapid rise of consumerised endpoint, the onset of virtualisation and cloud computing, and the growing use of high-definition video conferencing.

Securing BYOD
Bring your own device (BYOD) is emerging as a necessary evil for most companies and increasing security heads concerns. IT Next survey revealed that over 53.3 per cent of the security heads across verticals would allow only a few executives to bring their own devices to ease the process.
Over 46.7 per cent of them said that they would allow only company-given devices for business applications. About 33.3 per cent of the respondents would enable limited or selected applications to be run on mobile devices.

In terms of handling the BYOD issue, Ciscos Amin says, To create an actionable capacity plan, its vital to have a historical point of view into the types of devices in your network, their relative growth, and the demands they place on network resources. To effectively manage a network, security heads need to include all device and user combinations, including guest users.

iGatePatnis Ramarao points, With regard to BYOD, we are looking at MDM solutions to ensure right kind of devices register to this service so that we can track them.

How to Tighten the Leaks
Like any industry, IT security too has certain best practices that the security chiefs need to adhere to. Several experiments are made to address challenges thrown up at various phases from the business users. However, as a pre-requisite, Sentonas suggests, Implement good compliance process which gives you access to information around the network control, production, and other areas on an everyday basis and set up tools which can have self controls and protect itself.

About 53.3 per cent of the participants of the IT Next survey indicated that internal security training for the employees is crucial, besides setting up DLP solutions at various levels.

Bharti AXAs Deodhar who spends approximately Rs 2 crore on security believes in implementing a data privacy policy in line with new regulations, implementing comprehensive DLP solution with SSL inspection, besides relevant solution to secure corporate data on BYOD.

iGatePatni, which spends around Rs 2.5 crore on IT security, recommends intrusion prevention system and data leakage prevention and mobile data management solutions as best practice.
Upasna Saluja, Operational Resiliency Manager, Product and Infrastructure Risk Management, Thomson Reuters, has assigned budget of $50 million towards security, which is of high priority. Best practices that Saluja swears by are: Periodic and random audit, compliance, improving documentation, segregation of duties to prevent incidents, effective monitoring to have good response in first place rather than to react, and so on.

Cyberoams Sharma points out, Understanding the implications of applicable regulations, performing a security risk assessment and understand the relevance and meaning of achieving compliance are critical. The IT heads then need to understand the work effort that will be required to make compliance a reality.

Having a business-based security framework built upon leading practices that not only allows compliance with policy and regulations, but also find a way to proactively identify risks, document compliance gaps, and report the state of the current security environment is imperative.

The security framework must provide a sustainable process that allows for ongoing management of risks and compliance and must be built upon leading practices, accepted standards, contractual requirements, and applicable laws." Ciscos Amin reiterates that IT managers must track new business models in the cloud that they would be exploring, and if employees of the company use personal smartphones/tablets/PCs/others for work, and whether they are protected against vulnerabilities introduced by collaboration tools and social media sites and so on.

Some of the other smart moves for IT managers would be around deploying ISO standards, opting for outsourced model for implementing security solutions, having stringent SLAs, regular assessment of internet facing infrastructure and so on.

Nike Air Max