Against All Risks

The refrain that an organisations information or data security can only be as strong as its weakest linkthe people, has now percolated across the IT establishment. True to the dictum, trends observed in the security market now show that the IT heads or CISOs no longer hold the security reins in the organisation. All security-related controls, be it the risks involved, the emerging threats or the hygiene factor overall, is driven or handled by the users in an organisation. The recent phenomenon around mobility or BYOD (Bring Your Own Device) is the hot topic which is increasingly becoming a bigger reality for most enterprises. Security then does not restrict itself to the data centre, but spreads across the organisation, as threats could emerge from any end point.

Ambarish Deshpande, Managing Director, India Sales, Blue Coat, agrees that for IT managers the concerns have increased given the hybrid environment, with each department having varied needs. For instance, a section of the user group is using the cloud, the sales and marketing teams are leveraging the Web 2.0 platform effectively in their attempt to enhance the brand value and with the CRM strategy, the BYOD trend is invading the market, all of which are throwing up newer challenges,

Tightening the Security Bar
The core aspect of any security framework is to be trained around various security aspects, be it understanding the intelligent proxy framework, the internet browsing trends of users, monitoring the web pulse particularly around the social networking platforms and continuously driving the information hygiene factor, with training modules for employees.

Kartik Sahani, Country Manager, India and SAARC, RSA The Security Division of EMC, rightly argues that the security threats emerge from the outside of the perimeter defence layer; whether through email gateway, insider trading, data leakage and so on. What is important for the IT managers and CISOs is to segregate each security issue or tool and analyse the impact and bearing it has on the organisations at various level, suggests Sahani. These could be the DLP (Data Leakage Prevention) tools, APTs, IPS and so on. According to Sahani, it is mandatory for enterprises to have a SIEM, a single console, within their system to track and assess the security threats.

Anomaly detection is very critical for organisations, besides taking proactive measures to counter threats rather than being reactive in handling the threats. The main concern for V C Gopalratnam, VP IT & CIO, Cisco India and Globalisation is that the enterprises are neither geared to address security measures nor ready for the cloud trend, he states.

According to Gopalratnam, the critical factors which should not be ignored are: greater visibility of the IT teams in the networks, a better understanding of user minds, adaption to threat intelligence framework, installing device intelligence methods, a quality-enabled technology policy and so on.

S. Sivashankar, PACS/Network Administrator, G Kuppuswamy Naidu Memorial Hospital, Coimbatore, says, Enterprises need to form an internal compliance department and adhere to the security policies very strictly, with a regular monitoring mechanism. Most IT heads say that enterprises and the top management fail to allocate sufficient funds towards security and the consciousness about the need to secure the data should flow from the top.

Inflicting Stringent Security Layers
Blue Coats Deshpande recommends that the IT heads place proxy and caching as a defence layer, as this enables storing frequently used data in an easily accessible location, so that time and resources are saved as the data does not have to be retrieved from the original source.

iGate Patnis CIO Chella Namasivayam strictly recommends having a security defence and depth model framework in place which absorbs multiple layers of security tools. We have installed seven layers of security within our organisation, which is around the perimeter, a networking layer, a boundary around the servers, application layers, a data layer and so on, reveals Namasivayam.

The CIO has mapped the security requirement of each division and defined the confidential data along with noncritical data and enabled necessary tools to address security challenges. Namasivayam and his team tried to revamp the security tool architecture and also installed layers by anticipating future threats, which incurred a cost of around $650,000. The CIO is working out a cloud security model with three dedicated team members focusing on the modalities which is currently under the PoC stage.

M Ashfaque Hussain, GM-IT and Head-Data Centre Operations, Tata Teleservices Ltd. says, A risk assessment is an important step in protecting your workers and your business, as well as complying with the law. It helps you focus on the risks that really matter in your workplace and the ones with the potential to harm.

Ciscos Gopalratnam believes in having an open culture in the organisation. He has rolled out a Trusted Device Policy within Cisco with regard to the BYOD trend which helps provide recognition access to the device that comes into the organisation, while making sure that it offers possible level of authentication to the software applications.

Sandeep Singh Walia, Assistant General Manager-IT, HT Media Ltd. believes in conducting the risk assessment and underrating the risk and its impact. It is critical to assess the organisations appetite to absorb risks and design the technical architecture. B Sadashiva Baliga, AGM-IT, BHEL Electronics Division, has opted for a Data Leakage Prevention (DLP) solution which enables him to detect potential data breach incidents in a timely manner and prevent them by monitoring data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage). Presently, BHEL has commenced a PoC on DLP based on certain assumptions.

While there are too many point products in the security market, the best practice according to RSAs Sahani is to build security consciousness amongst the various groups.

Mujer