Information Security New ApproachDocument Transcript
Information Security: A new approach - Cover Story - Network Magazine India Page 1 of 6
Archives || About Us || Advertise || Feedback || Subscribe-
Issue of April 2003
Home > Cover Story Print Friendly Page || Email this story
Cover Story: Enterprise Security
Information Security: A new approach
Due to factors like globalization and directives from regulators, certain Indian companies are now
more serious about Information Security. But the rest are complacent and need to do a lot more
than just solutions implementation. by Brian Pereira
As we entered the new millennium, IT managers were busy safeguarding their (legacy) systems from
the Y2K bug. Around that time, the threat of Internet viruses and worms loomed large. Naturally,
every connected enterprise had to have an anti-virus solution and perhaps a firewall. And that's what
security was all about. Today, Information Security (InfoSec) takes on a broader meaning. What's
more, certain Indian enterprises have no choice but to take a more proactive stance towards
security, through means like security certification. As one industry analyst puts it, quot;Security has
become all-encompassing—it's not just about technology and point products anymore.quot;
The prime driver for enterprise security is (Internet) Connectivity. IDC says the worldwide InfoSec
market was worth $6.7 billion in 2000. With a CAGR of 25.5 percent, this market is projected to
more than triple to $21 billion by the end of 2005.
An IDC analyst says remote LAN, Internet, extranet/intranet, and wireless access services will drive
the need for advanced information security services, as technologies for circumventing network
security systems continue to keep pace with the technologies designed to defend against them.
Anil Menon, Sr. Vice President-Operations, SecureSynergy (an Information Assurance firm), says the
transition from a 'bounded environment' to an 'unbounded environment' has made information
security crucial today. quot;With connectivity, the traditional way of securing information is no longer
relevant,quot; he says.
Elaborating further, Menon says enterprise networks became unbounded when companies started
interconnecting their various branches and offices. Then enterprises opened up their networks to the
outside world, by linking their intranets to the Internet. Before that, enterprise networks were
bounded; 99 percent of the users were internal; and there were islands of IT infrastructure.
quot;With the unbounded network we were concerned about the Confidentiality, Integrity and Availability
(CIA) of information. But today we are inviting people from outside into our network, so we also
need to be concerned about access controls, authentication, and non-repudiation,quot; adds Menon.
The other driver for security is Globalization. International companies seeking to outsource work to
Indian firms insist on security certification, or adherence to laws, standards and business practices
prevalent in their respective countries. Not surprisingly, all the top software services companies, IT-
enabled services companies, and BPO outfits are going in for security certifications like BS 7799 or
Indian firms that deal with US companies are also asked to comply with US laws like the Graham-
Leach-Bailey Privacy Act and the Patriot Act. Other countries (like Germany) have similar laws.
The third driver for increased security awareness is the Regulator.
The Reserve Bank of India (RBI) has created a comprehensive document that lays down a number of
security-related guidelines and strategies for banks to follow in order to offer Internet banking. The
Information Security: A new approach - Cover Story - Network Magazine India Page 2 of 6
guidelines broadly talk about the types of risks associated with Internet banking, the technology and
security standards, legal issues involved, and regulatory and supervisory concerns. Any bank that
wants to offer Internet banking must follow these guidelines and adhere to them as a legal necessity.
Taking a cue from RBI, SEBI has now come up with a risk management framework for mutual funds.
Recent information security surveys indicate that the Banking and Finance sector companies are
most serious about security, are the major investors in security solutions, and regularly revise their
security policies following periodic audit trials.
Next in line are the software services companies, BPO firms, and IT-enabled services companies.
But verticals like manufacturing continue to lag, with the exception of companies that have extensive
ERP setups, or those that drive their supply chain through the Web. Aside from these three verticals,
companies in other verticals have a long way to go in establishing information security.
The various consultants and industry analysts that we spoke to cited various reasons for the sloppy
attitude, but they all agreed on one thing—security should not be the concern of only the IT manager
or the IT department. Security is the responsibility of, and concerns every employee in the company
(including top management).
Says Sunil Chandiramani, Partner, Ernest & Young, quot;Security has already
become a boardroom issue for MNCs. But CEOs, the board of directors, and
auditing committees of large enterprises need to increase their security
Alok Shende, Industry Manager (IT Practice), Frost & Sullivan, says the old
economy companies have a long way to go. quot;While the awareness is building
up, the money is not yet flowing. Actual sales (for security solutions) are not Click on image for
happening (in a big way) in verticals like manufacturing.quot; larger view
Reflecting on the PWC-CII Information Security Survey 2002-2003, Sameer Kapoor, Executive
Director, PricewaterhouseCoopers, says, quot;We see that organizations in India are becoming more
aware about security. But when we compare ourselves to international benchmarks, we have a long
way to go.quot;
According to the PWC-CII Information Security survey, 80 percent of the respondents reported
breaches in the last 12 months, as compared to 60 percent in 2000-2001. This has led to increased
security awareness and 74 percent of the respondents said they increased their security budgets
over the previous year to counter threats (See box story, 'Security barriers and counter measures.')
Kapoor says there are two sides to this. quot;The good news is that people have started rethinking
security, and that isn't just about firewalls, anti-virus and IDS. The sad part is that people are
thinking only in terms of which new technology to adopt.quot;
WHAT NEEDS TO BE DONE
Organizations who are thinking about improving security need to first change their Attitude about it.
Chandiramani of Ernest & Young feels InfoSec is still considered a technology issue. quot;It is still
something that only the IT personnel worry about, and they are often the (only) ones who take
decisions related to security. Security has to move away from being a technology issue and become
a business related issue,quot; he says.
The reason for this is that IT personnel miss out on the business objectives or business processes
when making decisions about solutions procurement and deployment.
Kapoor of Pricewaterhouse Coopers says security is left to the individuals (like administrators) who
are managing the infrastructure. quot;We have to rely on a person's discipline or knowledge levels.
Instead, security should be controlled through a procedure or framework.quot;
SecureSynergy's Menon feels enterprise security should involve employees at all levels, customers,
and all entities that deal with the organization.
Information Security: A new approach - Cover Story - Network Magazine India Page 3 of 6
There is also a consensus among auditors that the approach to InfoSec is not correct. For instance,
security is either too tight or too lax. That calls for a right balance—systems should be configured to
let in business associates and at the same time keep out hackers, viruses and worms. Kapoor
recommends a two-fold approach.
quot;Firstly, you need to protect infrastructure. Secondly, you need to enable business. Ideally, security
should protect your assets and at the same time, not hinder business,quot; says Kapoor.
An organization's approach to countering security breaches must also change. Capt. Raghu Raman,
Practice Head, Special Services Group, Mahindra Consulting says it is important to have vision and
have the ability to think like an attacker when planning an information security strategy.
quot;Attackers can exploit your social weaknesses and use you to extract personal/competitive
(corporate) information. So information security is not just a technology issue—this is a people and
process issue too. The answer to this is education and awareness,” he says.
Brian Pereira can be reached at firstname.lastname@example.org
Security: the fourth wave
Reflecting on the evolution of security, we see four waves or phases. In the first phase (before the mid-90s)
enterprises had not yet connected to the Internet. In fact inter-office or inter-branch connectivity were rare or not
constant. The prime objective was confidentiality and integrity of information. Organizations put in access controls to
lock up information, making selective information available to select individuals or groups.
In the second wave (mid to late 90s), companies began connecting to the Internet. This was also the time when the
major security threat was Internet worms and viruses (it still is today). So anti-virus products were prime security
Then people resorted to more sophisticated means of attack. Malicious code on Web pages or embedded in e-mail
overwhelmed corporate Web servers. Hacking tools were available on websites, and anyone could download these
and use it to launch attacks on Internet servers. So enterprises started using Firewalls to filter out malicious code
and safeguard themselves from Script Kiddies.
In the third wave (present day), worms spread within minutes and disrupt corporate networks. Hackers no longer
attack just to brag about it. They now seek financial gain and steal credit card numbers or competitive information
from corporate servers.
More enterprises have opened up their networks to global customers, mobile workers, and suppliers. More
sophisticated defenses are necessary to keep out the 'bad guys' and let in business associates. Sensitive information
in transit needs to be secured. New tools like PKI (encryption and digital signatures), Intrusion Detection Systems,
Virtual Private Networks, Access Control mechanisms etc are being used.
The fourth wave is around the corner. It's about Security Audit and Certification. This covers not just technology, but
also people and processes. Enterprises will approach security from the attacker's end and safeguard against new
risks like social engineering and dumpster diving.
Some wisdom about Information Security
quot;Information Security is a combination of various factors. It involves technology, people and policy.quot;
— Sameer Kapoor, Executive Director, PricewaterhouseCoopers Pvt. Ltd.
quot;Information Security is not just a technology issue—this is a people and process issue too. The answer to this is
education and awareness. You should talk to your employees.quot;
— Capt. Raghu Raman, Practice Head,
Special Services Group, Mahindra Consulting.
quot;Security has to move away from being a technology issue and become a business related issue.quot;
— Sunil Chandiramani, Partner, Ernest & Young
quot;There is a risk aspect to security too. Security breaches create a risk for the enterprise. So it's not just about
hardware and software solutions.quot;
— Alok Shende, Industry Manager (IT Practice), Frost & Sullivan
quot;Security is now essential since it has become a business enabler. Enterprise Security should involve employees at all
levels, customers and all entities that deal with the organization.quot;
— Anil Menon, Sr. Vice President-Operations, SecureSynergy
Information Security: A new approach - Cover Story - Network Magazine India Page 4 of 6
Please click on graphs for a larger view of the same
How attacks affect IT Availability
Critical information systems become unavailable due to various forms of attack. Ernest
& Young's Information Security Survey 2002 reveals that around 76 percent of the
respondents experienced unexpected unavailability. Despite this, only 47 percent of
Indian companies (as compared to 53 percent globally) have a Business Continuity
Plan. Over half the respondents do not have agreed recovery timescales, which could
mean wide expectation gaps in the event of business interruption.
The two main causes of unavailability of systems cited by Indian companies, were:
Malicious technical acts by outsiders (26 percent)
Third-party failure (14 percent).
Only 17 percent of the respondents said that invoking the BCP/DRP had been effectively done. However only 12
percent of the respondents have tested their plans in the past three months.
What might this mean for your business?
Evidence abounds about the number of businesses without business continuity arrangements which fail to survive a
disaster. Poor management of IT operations and third parties, are likely to increase the number of avoidable failures
of business critical systems. Businesses should be able to articulate the financial impact of unexpected system
The Emerging Picture
The Ernest & Young survey findings conclude that security and privacy concerns are the
top barriers to further connectivity. Increasing vulnerabilities: 70 percent of Indian
CIOs, IT directors and business executives surveyed indicate that they expect to
experience greater vulnerability as connectivity increases.
Barriers to further connectivity: Most Indian companies see security and privacy
concerns (67 percent) and lack of standards (17 percent) as the top two
barriers/inhibitors to external connectivity.
Use of security technologies: Current take-up of advancing information security
technologies is still relatively low. Five percent of Indian respondents are piloting or widely deploying Public Key
Infrastructure (PKI) and a further 33 percent are planning to pilot it. Biometrics is in use at only 6 percent of the
organizations and only a further 11 percent plan to pilot it in future. Given the increased interest in authentication on
recent months, this is surprisingly low. Only 17 percent of the organizations are using Intrusion Detection Systems.
Barriers to emerging technologies: Most Indian companies see the cost of implementation and training as the major
barrier to increased use of emerging technologies.
What might this mean for your business?
Organizations that use several technologies but have not invested in other proven technologies may be missing an
opportunity to address some of their security concerns.
Businesses that have not clearly articulated their business needs (e.g. further connectivity) and mapped it to their
technology investments may miss out the potential benefits of such investments and also run the risk of having an
inadequate security infrastructure around such technology.
Security barriers and countermeasures
The Confederation of Indian Industry (CII) and PricewaterhouseCoopers, conduct an Information Security Survey
every year, to access the preparedness of Indian enterprises towards countering security threats and breaches.
The survey for 2002-2003 indicates that although Indian enterprises are more aware
now, and are keen to invest in security solutions, there are certain barriers preventing
them from doing so.
Around 49 percent of Indian corporates attribute capital expense as a barrier to the
effective deployment of secure systems. This is up from a mere 4 percent during 2000-
01 and 55 percent globally.
Technology related concerns like pace of change of technology, complexity of
technology and lack of trained manpower, were the primary barriers during 2000-01.
Their relative influence as a barrier to effective security has reduced in the current year.
his implies that the understanding of the technologies being deployed by organizations has improved from 2000-01.