Security Feature Cover Story



Security

IT Has The Cure For An Insecure Organisation!

Ensuring the security of an organisation’s physical and digital assets is a complex task! It can’t be achieved merely by building high walls of concrete around critical assets or by installing the latest IT security tools, feel experts. Here are some solutions that can help businesses keep this problem at bay!

“Let us not look back in anger or forward in fear, but around in awareness.” — James Thurber

Vandana Sharma, BenefIT Bureau
10 / December 2009 / BenefIT
During the normal course of events, the focus of most businesses is to manage day-to-day cash flows, increase market share, and so on. But there are times when this equilibrium gets disturbed; when some crack in the security system shakes the very foundations of an organisation—damaging its reputation, causing loss of data, assets or money. This leads to a battle of wits for business heads and CIOs (chief information officers), as most often they get caught unaware.

Rajat Agarwal, executive director, Bhorukha Aluminium, feels that businesses today are aware of the security threats; yet it’s just not a top priority, especially when the organisation is small. However, if a small company wants to grow big in the near future, it must train its team in the routine security norms and processes and put in place technologies, that aren’t too expensive, to automate security procedures for data and resource protection, and related to authorised access, avers Ram Krishna Ghildiyal, technical head, Sanvei Overseas, an international IT-based surveillance company.

Sundar Ram, vice president, Technology Sales Consulting, Oracle Asia Pacific, seconds the thought and adds: “Every organisation today needs to cope with the key issue of securing its data, inventory, human resource, etc, from security threats. Considering this, information security has become a necessity for both small as well as the big business units to secure themselves from such threats.”

But to be on guard and identify vulnerabilities and threats; or to look for security breaches and simultaneously find tools and solutions to prevent any damage from happening—isn’t easy! To help our readers, we turned to various organisations to understand the strategies that they have adopted to tackle this challenge. We also spoke to experts to understand more about the vulnerabilities and the IT solutions that are available.

Security lapses may cost a fortune!
Here are a few instances where security breaches led to grave problems for organisations:
• The infamous stamp paper scam is a major case of a security lapse. “If state revenue departments—which are under constant video surveillance and have a highly trained security staff—could not prevent a class IV staff from taking out the stamp imprint, no amount of security and surveillance can be considered sufficient,” remarks Ghildiyal. This calls for an aware organisation and smart use of technologies to combat the threat.
• Soi shares more: “In June 2006, a security breach at HSBC’s offshore data-processing unit in Bangalore led to $425,000 being stolen from the accounts of the bank’s UK customers.”
Security planning: the issues, and solutions

The security domain is infinitely vast and complex and requires considerable planning, says Ghildiyal. But the key issue here is that in small to mid-sized companies, security is still not given due importance and the top management does not accept it as a challenge that warrants a dedicated team of experts. Dhruv Soi, chair–OWASP (Open Web Application Security Project) India, agrees, “There is a sheer lack of security awareness in most Indian firms. The security budget is often just 5 to 10 per cent of the total IT expenditure. Internal reports are often vulnerable to manipulations. Improper/inadequate monitoring creates a big hole in security. Since organisations refrain from spending on regular third-party security audits, the real security position of the company is never clear to the top management. In scenarios like these, one infected system propagates the infection to all the systems connected into the organisational network,” he adds.

Agarwal seconds the thought and adds that security breakdowns are not easy to monitor unless regular investments are made in IT tools to secure different aspects of the organisation. “Having an outsourced IT department with clear KPIs (key performance indicators)—one of which should be to monitor data security—can help. Apart from this, a thorough cost-benefit analysis should be done before choosing the right combination of tools and technologies. Factors such as threat level, size of the organisation, budget, etc, should be factored in,” he adds.

Identifying vulnerabilities
Before we move on to exploring ways to deal with security-related challenges, it is important to identify and understand the security vulnerabilities that may exist in/affect an organisation at any point. The following aspects may need attention:
• Sensitive data or information: Documents including confidential reports/credit card information are all prone to security attacks, either from within the organisation or from the outside world.
• Threats from within the organisation: Employees have been known to steal sensitive data from computers, laptops or over the network using USB drives. Unsecured confidential data can also be sent to the outside world, through e-mails. Without solutions to prevent data leakage, it is hard to control it, says Soi. Apart from this, how a company treats its employees also plays a role, feels Milind Mody, CEO, eBrandz. He cites a scenario: “Companies that deal with their employees fairly, earn their respect. However, there are organisations that delay giving employees their dues after they leave; that may sometimes upset an exiting employee, who could then try to steal data or, in general, act against the interests of the company.” Mody suggests laying down clear policies and procedures to deal with such challenges.
• Threats via the Internet: Another threat is from viruses*, malware*, spyware* attacks, etc, which may damage, or result in the pilferage of, organisational information.

* A computer virus is a computer program that can copy itself and infect a computer.
* Malware is a type of software that can harm computers, such as computer viruses and spyware.
* Spyware is software that’s implanted into a computer system to gather information about a person or organisation, without their knowledge.

• Unsecured network access: Intruding on the organisational network and/or servers* by outsiders or by disgruntled employees to pilfer sensitive data can occur at any moment, says Mody.
* A server is a high-end/high-capacity computer that is required to run multi-user applications like organisational e-mail, data back-up, storage, etc.
• Critical/valuable physical assets: Physical theft of devices like the mouse, headphones, USB hard disk drives or even cash can be another problem that organisations confront frequently, in the absence of adequate security systems, adds Mody.
• Employee poaching: Another area where organisations may need to be watchful is competitors or HR agencies on the look-out to poach good talent. To deal with this problem, Mody suggests: “If your company has a board line or EPABX (electronic private automatic branch exchange) system, make sure someone monitors incoming calls for external HR agencies trying to poach employees.” But he agrees that there have been cases where HR managers from competitive firms have actually stood outside a company’s premises to poach its employees. In such cases, it is difficult to do anything to prevent the practice.
• Irregular processes: Non-adherence to security policies is another vulnerability that a small and mid-sized company can face. Therefore, all companies, however small they may be, must plan for a periodic security audit and must invest in automated systems rather than people driven
Management-level solutions

Deploying security tools is important, but, prior to that, having an organisational culture where both the management and employees are aware of the correct security policies and practices, is equally critical. Experts suggest the following practices to help organisations be better prepared for this challenge:

Plans and policies to counter security breaches
A company should have a security policy and a security plan, to begin with, opines Ghildiyal. “A security policy must define a company’s information and other assets, its security needs, roles and responsibilities, the rights of employees, and so on. A security plan, on the other hand, may describe the procedures, tools and technologies that are required to implement the security plan,” he adds. In fact, a security plan can also include the anomalies, special rights and data and asset recovery procedures to reduce the impact of a security lapse.

Plan security as per the nature of the business
Planning for organisational security is another important task that depends primarily upon the nature of a business. Ghildiyal agrees and says: “For knowledge-based companies that have Internet dependent processes, information is the most valuable asset. Such firms must consider information security technologies or solutions, like firewalls*, antivirus* or identity authentication systems*, etc. Similarly, companies that have large public assets must invest in surveillance technologies like video surveillance, threat detection, etc.” However, some technologies like antivirus, biometric* and identity management are uniformly applicable to all the companies as they provide the building blocks for security process implementation, he adds.

* A firewall is a software tool that enables IT managers to block unauthorised access even while allowing authorised communications.
* Antivirus software can be used to make Internet access secure and prevent the computer network of the organisation from getting affected by viruses like malware, spyware, etc.
* Identity authentication systems or devices help authenticate or verify the identity of a person or other entity requesting access under security constraints.
* Biometrics is a technique used to recognise humans based upon one or more physical or behavioural traits, like fingerprints, face recognition, DNA, hand and palm geometry, iris recognition, voice, etc.

Employment agreements must be in tandem with security policies
Mody feels that it is always good to clearly define the terms and conditions/policies related to proprietary or confidential data in the employment agreements. “Also if an employee is working on projects for which the company has signed an NDA (non disclosure agreement), it should make sure that the employee also signs a similar agreement. Clearly mentioning a few examples of what is considered as corporate data theft makes the agreement more well-defined. Get this agreement vetted by an attorney. This is a one time cost, but it has three advantages. First, it makes sure that you have fulfilled your responsibility. Second, it deters people from committing unethical deeds and makes them think before they unwittingly create a security breach. And the third advantage is, you can pursue the matter in court in situations where a serious security threat has been committed against the company, by an employee.”

Avoid complex policies
It is one thing to lay down policies and procedures, and it is quite another to implement those
successfully. One key deterrent in policy adherence is the complexity of policies and procedures, believes Ghildiyal. He explains: “For example, most companies implement a ‘password aging’ policy, which demands all employees and customers to change their computer and/or Internet login passwords every three months. As the number of such systems increases, it becomes more of a hassle for employees and then they start using easily breakable dictionary passwords* that are not only easy to remember but can be uniformly applied at all places that require a password prior to access. Thus a theoretically sound system of ‘password aging’ actually creates a security hole in the system.” So it is best to adopt workable policies that are simple and effective to implement and adhere to, in the long run.
* Dictionary passwords are simple or easily predictable variations of words used as login passwords.

Train your staff
Nearly 80 per cent of security breaches occur due to weak IT security systems. More than lack of security products to deal with this challenge, the problems are caused by inadequately skilled or less-aware staff. Soi suggests conducting training programmes for IT staff to empower them to tackle security breaches effectively. He says: “Security awareness training for end-users (like, people in accounts, HR, administration departments, etc) and training for IT/security staff is required, from time-to-time, to equip them with the knowledge to protect themselves and the organisation from security threats.” Agarwal suggests having regular seminars to discuss issues related to security.

Better safe than sorry
Agarwal feels that it is better to limit the use of e-mails and the Internet to only those who really require it. Also, he advises that the IT managers should always monitor out-going attachments, as and when possible. Soi agrees and adds: “Regular log monitoring of servers, applications and network devices is required to keep an eye on employee behaviour, and also to take preventive actions.”
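The ‘dictionary password’ failure Ghildiyal describes can be caught at password-change time. The following is an added example, not code from the article or from any of the companies quoted: it reduces a password to the word underneath its predictable decorations (trailing digits, letter-for-symbol swaps, case) and flags both dictionary words and ‘rotations’ that differ from the previous password only by those decorations. The word list is a small constructed stand-in for a real dictionary.

```python
"""Detect 'dictionary passwords' in the article's sense: a plain word, or an
easily predictable variation of one, including the Welcome1 -> Welcome2 style
of change that a forced password-aging policy tends to produce."""
import re

# Constructed stand-in for a real dictionary / banned-word list.
WORDLIST = {"password", "welcome", "summer", "winter", "company", "letmein", "admin"}

# Letter-for-symbol substitutions users commonly apply to "strengthen" a word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password: str) -> str:
    """Strip predictable decorations and return the candidate word underneath:
    lower-case, drop punctuation, cut trailing digit/symbol runs, undo leet."""
    p = password.lower()
    p = re.sub(r"[^a-z0-9@$!]", "", p)          # drop spaces and stray punctuation
    p = re.sub(r"[0-9!@#$%^&*]+$", "", p)       # Welcome1, Summer2009, P@ssw0rd!
    return p.translate(LEET)


def is_dictionary_password(password: str, wordlist=WORDLIST) -> bool:
    """True when the password is a wordlist entry or a predictable variant of one."""
    return base_word(password) in wordlist


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when a 'changed' password differs from the old one only by the
    decorations base_word() strips, i.e. the user just bumped a digit."""
    return old != new and base_word(old) == base_word(new)


def check_change(old: str, new: str, wordlist=WORDLIST) -> list[str]:
    """Policy findings for a password change; an empty list means accepted."""
    findings = []
    if is_dictionary_password(new, wordlist):
        findings.append("dictionary word or predictable variant")
    if is_trivial_rotation(old, new):
        findings.append("trivial rotation of the previous password")
    return findings


if __name__ == "__main__":
    # Constructed sample changes: the first is exactly the failure mode described
    for old, new in [("Welcome1", "Welcome2"), ("Welcome1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new) or 'accepted'}")
```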
It’s Advantage, Unified Threat Management Solutions!

With vulnerabilities in the digital world rising by the minute, keeping organisation networks safe is becoming an acutely challenging task. Wadpack, a manufacturer of corrugated packaging material, opted for a comprehensive threat management solution that has been acting as a shield against the security menace.

Bangalore-based Wadpack is one of the pioneers in manufacturing corrugated fibre board containers. The company is quite tech savvy and is always on the look out for new concepts and technologies in the packaging industry. Wadpack, which uses ESS’s ERP ebizframe from its multiple locations, wanted to ensure secured connectivity between branches. “Ensuring the security of data transacted through the ERP system was quite critical for Wadpack, along with linking its various locations. After a careful analysis we opted for the Watchguard unified threat management (UTM)* solution, suggested by ESS, to secure our virtual private network or VPN,” says Sankaran Narayanan, finance controller, Wadpack. The solution was implemented by ESS with the help of Medley Marketing, New Delhi, one of the key Watchguard Secure Partners in India (WSP). At Wadpack, ESS also manages the entire IT requirements in addition to managing its ERP system. “Since the Wadpack management wanted to focus on growth, profitability and operational efficiency, it decided to leave the task of efficiently managing the IT function, including IT infrastructure security, to ESS,” says Narayanan.

* A UTM is an all inclusive security system that can perform multiple security functions. It functions as an all-in-one security tool—acting as a firewall, antivirus, anti-spam solution, VPN security tool, content filtering tool, and a lot more. To know more about a VPN, refer to the box.

Easy to manage, and economical
The major benefit of a UTM is that so many necessary functions are combined into one solution. This saves businesses time, money and hassles, affirms Anil Bakht, managing director, ESS. “Maintaining network security can often become complex and confusing, but when all security features are combined into one system, it is easy to see how all the functions are integrated and how they work together. Also, because it is coming from a single vendor, training and support for the entire system also comes from a single vendor. A single window solution helps reduce the hassles associated with managing multi-vendor security systems,” he suggests.

IT’s a networked world
Most organisations work in networked environments these days where all computers are connected, not only in one office, but across branches. This becomes an organisation’s virtual private network or VPN. Apart from this, these machines that are connected over a VPN also connect with computers in the outside world or public network through the Internet. Organisational networks are vulnerable to attacks as precious data traverses from one end to the other. This can leave a company’s operational resources, customer data, proprietary tools and technologies, and intellectual capital in danger of being stolen, misused, or vandalised by third parties.
Technology tools that may help

Business units today have begun to look around for solutions that can help them protect their software applications, like ERP, CRM, etc, and also their IT and data infrastructure, observes Ram. Now, let us take note of a few IT tools that can help businesses to pro-actively deal with this challenge:

Identity authentication tools
It is not possible to validate or authenticate the identity of all staff members or customers, manually, every time they attempt to access organisational information. This is because small firms operate with fewer resources, and manual authentication may lead to transaction processing delays. To address this problem, companies can opt for tools like biometric devices, which can validate the identity of an employee, by validating physical traits, like fingerprints, vein patterns, etc, and automate the process of allowing information or network access to only authorised staff or customers, suggests Ghildiyal. Agarwal seconds the thought and suggests: “This is a great option if you want to add an extra layer of security to certain areas such as server rooms, electrical control panels, etc.” Mody however feels that while biometric devices are quite relevant for businesses like jewellery shops that have precious assets, for a company with more than 100 employees, such devices can be a real problem if used at the entrance gate. He explains the flip side: “You will have a long queue of employees while coming in or going out of the organisation premises, either at the start of the day or at lunch time. There is a school of thought that claims that biometric devices help prevent the buddy system that involved the problem of proxy attendance. But I would advise keeping biometric devices only at places where companies store their sensitive information, which could be their server room or where the accounts or sales team sits. The selective application of such devices can still be made. Otherwise biometric devices cost two or three times more than RFID* (radio frequency identification) card-based systems, which are also a viable alternative.”
* RFID tags refer to small electronic devices that are made up of a small chip and an antenna. The device can carry approximately 2,000 bytes of data. And, just as information can be retrieved or read from bar codes or magnetic strips via a scanner or bar-code reader, RFID devices also require a scanner to retrieve the information stored in them.

Information security tools
Companies that have online systems or processes and depend on data and information assets must consider information security technologies like firewalls, antivirus software, information authentication, encryption* tools, etc.
* Encryption is the process of converting information given in plaintext into an unreadable format, which can be decoded by a person possessing a special key/password to convert the coded text into plain text again.

Mody shares details about solutions that his company, eBrandz, has adopted. “I personally feel that if an organisation has more than 25 PCs then antivirus is useless without a hardware firewall. Besides, most firewalls have the antivirus component built into them. So you do not need to invest separately on the antivirus.” Not spending on such intrusion prevention systems (like, firewalls) makes mission critical systems and information vulnerable to new attack variants, warns Soi. Agarwal agrees and adds: “This works really well to control and, more importantly, monitor the kind of information your employees have access to and also what they are doing with it (saving, e-mailing, copying to USB drives, sending to competitors, etc).” Many a time organisations resort to using pirated software to avoid investing in buying original software. Soi cautions that use of pirated software brings spyware to the system without the knowledge of the user, putting the organisation’s information at risk.
Tools to safeguard physical assets

Many organisations assign laptops to their workforce to enable them to keep in touch with the firm from anywhere, anytime. In such a scenario, the security of the laptops, which invariably carry crucial work-related information, is vital.

Organisations can have encryption software installed on all the desktops and laptops to avoid the risk of data theft in case a computer is stolen/misplaced, suggests Soi. There are two types of encryption tools. One type is used to encrypt files, digital documents or e-mails that an organisation sends out to people, within or outside the organisation, over the Internet. The other type of encryption tool is used to convert the data on the hard drive of a computer into an unreadable format, in such a way that it can’t be made readable again unless a password is entered. This tool is useful to prevent data loss in the event of theft or the loss of a laptop.

A RFID (radio frequency identification) asset tracking system is another solution, which can help in safeguarding assets like laptops, or any other expensive devices. The RFID tracking system keeps track of assets whether placed within the bounds of the organisation or even when anyone moves out of the company gates.

The way the RFID tracker works for laptops
RFID, a combination of radio-frequency-based and microchip technology, helps in identifying an asset. For tracking, an active RFID tag of 1.5” (3.8 cm) to 0.765” (1.9 cm) is embedded into the laptop. The RFID reader has both the laptop’s ID as well as the employee’s tag ID associated with it. Each time a person passes through the main door/entrance gate where the reader is installed, the tag in the laptop transmits the information stored in it to the RFID reader. Interestingly, the presence as well as movement of a laptop is picked up from a distance of over 30 feet (9.1 metres). The ability to detect a laptop even if it is placed in a moving car enhances this system further.

Surveillance tools
Have CCTV (closed circuit TV) cameras across the entire premises to monitor physical threats (external/internal). The devices enable not just real time monitoring but also keep records for future reference, says Soi. Mody agrees and says that CCTV cameras are also a must for any organisation that has more than 25 to 30 employees. “This will deter people from stealing devices or cash. In serious cases, it might help the police track down culprits,” he adds.

Agarwal feels that having CCTV cameras is a good option for firms that are into manufacturing and need to monitor labour movement and behaviour. “Firms can also have CCTV cameras to monitor strategic locations,” he observes. Currently, these devices are slightly expensive, but the cost is decreasing rapidly.

Tools for network security
To ensure organisational network security*, a firm can disable the use of USB drives on PCs/laptops, advises Mody. “Apart from this, have your network configured in such a way that data of different departments are stored at different places. And, then allow access only to authorised people. Some common data can be stored centrally but in this case there is a need to have different levels of access rights. Access to Web servers* also needs to be restricted only to a few select individuals. If an organisation uses Internet based applications like SaaS (software-as-a-service)-based ERP, etc, make sure all such applications are protected through some specific Internet-based restrictions.” Soi explains how network access protection tools work: “A network access control system prevents access to organisational networks unless the connected computer complies with a set of standards.”
* An organisation network comprises the local area network, a group of computers within the organisation premises or across its different branches connected to each other for the purpose of communication; the other type is a wide area network through which the organisation communicates with the world outside, over the Internet.
* A Web server is a computer program that fetches content in the form of information, data, images, etc, from the Web pages available over the Internet and delivers it via a Web browser (like, Internet Explorer, Firefox, etc).

Considering the kind of threats that security vulnerabilities expose an organisation to, it would be wise for firms to first look within, for any existing or probable security loopholes, and then devise strategies and deploy tools around them to address security gaps. Most importantly, firms should create a culture of monitoring and observing safe practices to safeguard organisational assets.
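The gate-reader pairing described in the RFID box above can be implemented as a simple correlation check over the reader’s log. The following is an added example, not the article’s or any vendor’s code: it assumes a registry that maps each laptop tag to its assigned employee badge, a constructed log of gate reads, and a short pairing window, and raises an alert whenever a laptop tag passes the reader without its owner’s badge.

```python
"""Correlate RFID gate reads: a laptop tag seen at a gate reader without its
assigned employee's badge within PAIR_WINDOW_S is reported as an alert."""
from dataclasses import dataclass

# Constructed registry: laptop tag -> (asset name, badge tag of the assigned employee)
ASSETS = {
    "LT-1001": ("laptop-finance-01", "EMP-042"),
    "LT-1002": ("laptop-sales-07", "EMP-017"),
}
# Constructed set of known employee badge tags
EMPLOYEE_BADGES = {"EMP-042", "EMP-017", "EMP-099"}
PAIR_WINDOW_S = 5  # assumed: owner's badge must be read within this many seconds


@dataclass
class Read:
    ts: int         # seconds since midnight (constructed timestamps)
    reader: str     # gate reader id
    tag: str        # tag id read (laptop tag or employee badge)
    direction: str  # "in" or "out"


def audit_gate(reads: list[Read]) -> list[str]:
    """Return one alert per laptop-tag read that cannot be paired with the
    assigned employee's badge at the same reader, same direction, within
    PAIR_WINDOW_S. Badge reads and unknown tags are not audited here."""
    badge_reads = [r for r in reads if r.tag in EMPLOYEE_BADGES]
    alerts = []
    for r in reads:
        if r.tag not in ASSETS:
            continue
        asset, owner = ASSETS[r.tag]
        paired = any(
            b.tag == owner and b.reader == r.reader and b.direction == r.direction
            and abs(b.ts - r.ts) <= PAIR_WINDOW_S
            for b in badge_reads
        )
        if not paired:
            alerts.append(f"{asset} ({r.tag}) passed {r.reader} {r.direction} "
                          f"at {r.ts}s without assigned badge {owner}")
    return alerts


# Constructed read log: a normal pairing in the morning, then a laptop leaving
# in the evening alongside a badge that is not its assigned owner's.
SAMPLE_READS = [
    Read(32400, "gate-main", "EMP-042", "in"),
    Read(32402, "gate-main", "LT-1001", "in"),   # owner badged in 2 s earlier: fine
    Read(64800, "gate-main", "EMP-099", "out"),
    Read(64801, "gate-main", "LT-1002", "out"),  # owner EMP-017 never badged out: alert
]

if __name__ == "__main__":
    for alert in audit_gate(SAMPLE_READS):
        print("ALERT:", alert)
```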