A recently published 2000 Computer Crime and Security Survey
from the Computer Security Institute/FBI shows that 273 respondents out of 643
businesses surveyed reported cybercrime losses (e.g. viruses, security breaches,
fraud, net abuse, denial of service attacks) estimated at more than $265
million. The report also highlights that about 90 percent of the organisations
surveyed detected computer security breaches within the last 12 months. 70
percent reported serious computer security breaches like proprietary info-theft,
financial fraud, system penetration from outside and denial of service attacks.
According to SPEX, a leading web-based end user-oriented IT research affiliate
of META Group, breaches by hackers and disgruntled employees, penetration of
secured transactions and electronic sabotage, are among the highest security
concerns of global organisations. It further observes that the recent breaches
of security within organisations occur internally–58 percent of the time.
However, it predicts that by the year-end, half of all security breaches will be
external and the security systems of the future will be "selectively
permeable membranes," meaning that some entities will be given access to
systems while others will be kept out. The reason: organisations will increase
third-party access and this would become a key driver of security issues, requiring the implementation of more
complex systems than just traditional firewalls. This will compel IT to pay
closer attention to external security.
It is only too obvious that organisations will increase
budgets and make security a priority within the IT department. The Information
Security Industry Survey 2000 says that the number of companies spending more
than $1 million on security doubled in 1999. A survey from the META Group
suggests that organisations plan to spend slightly more on security, averaging
$2.8 million. The study reveals that while spending is increasing and most IT
organisations view security as essential, the majority of companies are
reactive, rather than proactive, in their approach to security. META Group found
that IT organisations rarely adhere to purchasing guidelines for applications.
Typically, IT organisations' security policies focus on requiring minimum
password lengths and restricting access to software applications, server data
files and networks. This indicates a trend toward IT viewing security as an
ongoing process and maintenance effort, rather than a proactive endeavour in
which purchasing assets are designed to be protected at the outset. Clearly, the
network intrusion market is experiencing phenomenal growth and consolidation
around more established businesses to provide integrated and comprehensive
suites of security solutions that include firewalls, security scanners, network
management and encryption components.
In India, there is no reliable data available on the level of
security breaches and the spending on the security front. Nonetheless, the scene
here could be proportionate with the global phenomenon. Confirms SV Ramana,
country manager, systems engineering, Cisco India, "It is true that there
is no reporting of security break-ins, most of the times. There is no formal
organisation responsible for consolidating and reporting such break-ins in the
country. However, it has been observed that over 80 percent of security
break-ins are internal to organisations, by intentional or accidental access. We
expect that with the IT Bill having been passed, and the legal framework defined
for illegal security intrusions, there will be a deterrent for such attacks.
Security solutions are available for prevention, and regulation is available for
deterrence. With the right security policy, we should see better control on
break-ins. Since businesses depend on information, it is vital to establish
mechanisms including security tools and methods to protect it." And most of
the industry acknowledges that, with remote access to information over public
networks, it is necessary to implement security solutions, such as firewalls,
intrusion detection systems, systemic scanners and Virtual Private Networks (VPNs),
to keep the network tamper-proof against break-ins.
Enterprise Security Issues
With Internet access beginning to take the trek towards
becoming as ubiquitous as telephone service, deployment of IP networks in the
past five years has grown–both in terms of number of Intranets and complexity.
What seems to be the only constant in the deployment of an Intranet is the
constancy of the deployment. Besides, with the wireless traffic growing and
Internet coming to the handheld devices, the security issue only gets further
complicated. In such environments, the elements of security risk are witnessing
a stratospheric growth.
PETE
Enterasys Networks assesses some of the key elements of
security risks as unpredictable access for new mobile workforces; unnoticed
e-vandalism; hard to track e-raiders; difficulty in damage assessment; and
difficulty in profiling and logging the transient attacks. Enterasys singles out
PETE (Potential Employee Threat to Enterprise) as the current threat to
enterprise security.
The reasons: PETE is connected to the Intranet; is attached
to the company’s entire IT structure every day; is abusing or attacking
resources through a high-speed 10 or 100 Mbps connection; has access to IT
infrastructure from home, hotel, or suppliers' facilities; is unchallenged by
99 percent of security systems; does not have to pass through the Internet
firewall technology; may not be intentionally damaging IT resources; may be
misusing the Intranet or damaging it through virus reception. This is typically
why enterprise security needs to be seen as a holistic approach rather than a
part-means effort or a reactive approach. The game is infrastructure and
management.
BCI
Now, with Intranets being deployed not only to serve internal
needs but to partners, customers, suppliers, and the general public, this
extended Intranet is playing an increasingly critical role. Zona Research terms
this as the Business Critical Intranet (BCI). And according to it, "the BCI
is an increasingly complex network and presents an ever-changing array of
challenges for network managers. It includes supply chain management, electronic
commerce, and a whole spectrum of activities between the enterprise and its
customers, partners, suppliers and the general public. In this environment, the
effort to maintain appropriate levels of security can pose a difficult and
complex series of decisions for the network manager." Interestingly, the
diverse requirements of the BCI have led to managers creating a shopping
list of measures intended to meet so-called security requirements. This was more
a consequence of job security than network security.
Studies conducted by Zona Research indicate that IT managers
are caught between the devil and the deep sea. On one hand, there is a great
demand on them to throw open the BCI as an extended Intranet to customers,
suppliers and partners, and on the other ensure a greater security of the data
stored on the network itself. Zona's studies show that IT managers are
attempting to clamp down on information access. In one study, when Zona asked a
series of six high-level questions related to security and information access in
order to gauge general trends and attitudes among enterprise network managers,
more than three-quarters of the sample respondents disagreed or strongly
disagreed that their information access policy is free and open. They were
keenly aware of security issues and were deploying security technology to limit
access. Further, nearly two-thirds of that sample indicated that information on
their networks is centrally controlled, more than twice the number that
indicated information was managed in a decentralised way. Similarly, with
respect to policy changes, nearly two-thirds of the respondents indicated their
information access policies had become less open in the last year, in sharp
contrast to those (less than 25 percent) that had made information more open
during the same period. At the same time, an overwhelming majority stated their
information access policies would become less open in the coming 12 months. From
this, Zona concludes that the desire to control access to information is a trend
that will continue into the foreseeable future.
Enterprise Security: The Approaches
Network security managers, responsible for choosing from a
dizzying array of specialised hardware and software products to solve their
organisations' network security and infrastructure needs, are confronted with a
huge shopping list. While individual products from different vendors are
attractive as ‘best-of-breed’ solutions in specific areas such as virus
detection or authentication, organisations require assurance that the disparate
products will integrate to provide seamless, comprehensive network security.
Alternatively, one can choose to purchase a broad range of solutions from a
single vendor as part of a product "suite". Further, a significant
portion of the Total Cost of Ownership (TCO) for an enterprise network is the
expensive human resources devoted to managing the solution. The ability to
manage all elements of an enterprise security installation from a centralised,
integrated console is what differentiates a cohesive, manageable, cost-effective
solution from a mere patchwork of individual point products.
Tackling Security Issues
Threat-By-Threat: The Zona Research study points out that there
is a threat-by-threat deployment of security technology in response to the
desire for increased control of information in an increasingly hostile
environment. The same respondents indicate different levels of security
technology deployment. The first and ubiquitous level is the anti-virus
technology. The second is access control technologies. This category is broad in
definition and includes everything from merely deploying passwords on desktops to simply
denying whole parts of the enterprise access to internal or external data.
Access control can be difficult to scale, and can leave large numbers of both
Intranet and extended Intranet clients without access to key information on the
BCI. Firewalls too have substantial penetration and multiple firewall brands may
be deployed to provide the facade of security. The shopping list of the future
would include firewalls, intrusion detection, authentication,
encryption and digital signature technology. Affirms Ramana, "The security
products include software and hardware. Firewall solutions to cater to
small-to-extremely large number of connections, hardware-based high performance
intrusion detection systems and scanning tools to protect enterprise data. In
addition, security policy management systems are required for providing security
administrators, with an easy to use tool to define and manage the organisational
security policy."
Holistic Security: While threat-by-threat is being seen as an
ad hoc security framework, the next generation interactive security solutions
will take a holistic approach. Zona Research believes that the next real
breakthrough in BCI security will come in the form of an infrastructure through
which various point security products can be deployed and managed. This, it
predicts, will not only bring coherency to security deployment but will also
eliminate the urge to redundantly deploy various security technologies. It also
says that the old security objective of "keeping the bad guys out"
must evolve to a new objective that also includes "letting the good guys
in." In a more integrated environment, security is an enabling and
proactive technology, not a reactive cash sink. Security should enable
opportunities for the BCI.
Top 10 security products by % of respondents using each (1999):
1. Firewalls (82%)
2. Access Controls (77%)
3. Client/Server Security (73%)
4. LAN/WAN Security (67%)
5. Web Security (59%)
6. Disaster Recovery (57%)
6. (tie) Network/Communications Security (57%)
8. E-Mail Security (56%)
9. Encryption (50%)
10. Mainframe Security (44%)
Undoubtedly, the march today is towards evolving
architectures for holistic security. Probably from Q2 2001 onwards, a wide
range of features could be added to security architectures, with new
platforms evolving. Clear trends in this direction are available. Enterasys
Networks, a Cabletron company, announced their holistic security architecture
for complex BCIs called Secure Harbour. This architecture has been designed to
protect and serve the corporate information ecosystem and claims that its
architecture covers the entire information delivery mechanism–access, user,
data and application. It has five key elements to secure the BCI–prevention,
detection, damage assessment, response, and correction–and spans the new
connection paradigm–wireless, remote access, VPN, etc., too. Clearly, the
swing is towards new architectures and new products coming up quarter on
quarter.
Symantec, a leader in Internet security technology,
traditionally strong in the operational security side–intrusion detection,
anti-virus, content filtration, etc., was missing from the infrastructure
security–PKI, Firewall, VPN, etc. It acquired AXENT, a strong player in the
enterprise area. "AXENT acquisition would enable us to deliver holistic
solutions," explains Roger Chung, regional product manager, Asia Pacific,
Enterprise Solutions division, Symantec. Adds Chung, "With the Enterprise
Security framework we are moving from the provision of point solutions to the
implementation of an integrated strategy."
Some companies from India have also moved aggressively
into software product development for enterprise security that the networking
vendors can quickly absorb and integrate into their product portfolio. For
instance, Hyderabad-based Intoto Software (I) Pvt Ltd, a subsidiary of Intoto
Inc., USA, has announced an integrated network security and connectivity
software family called the iGateway architecture. Elaborates SN Murthy,
president and COO, Intoto India, "iGateway architecture provides a secure,
reliable, easy-to-use platform for the broadband gateway equipment. It secures
network infrastructure from cyber attacks and secures business communications
between networks, applications, and users across Internet, Intranets, and
Extranets."
The trend is from implementing point solutions, as and when
required, to a clearly defined strategy that takes into account all the possible
elements of current and future operating requirements.
India Horizon
With India catching up on the Internet, e-commerce, and Intranet/Extranet
connectivity, information security (infosec) activity is on the prowl. But the
big question is what should be the objective of the users today at the corporate
level with respect to security. Is it about information security (infosec) or
beyond that? Says Ramana, "We believe Internet and Intranet based business
transactions will define models of interaction between manufacturers, vendors,
customers, partners and employees. And security needs to encompass maintenance
of informational integrity, confidentiality, authentication of rights of users,
cover for non-repudiation and appropriate availability of information to
internal and external users. In this environment, it will be mandatory for
enterprises to define a good security policy, which encompasses threats from
within and outside the organisation. The ongoing security policy reviews will
need to cater to warding off new threats. Towards this, latest technologies
including perimeter security, intrusion detection and vulnerability scanner
based solutions with administration and management of the security policy would
be the saviour against such threats. The network security policy has to
complement the conventional security mechanisms."
Agreed. But has the importance of protecting information for
the benefit of the company been realised by the Indian corporates? What are the
steps that they are taking? And is it a must that the corporates need to have an
infosec policy and a business continuity policy?
Several security experts like Suresh of Ramco Systems and
Ramana say that the importance of security is felt throughout the Indian
corporate world. Though the Indian corporate world may not have deployed strong
infosec measures, the realisation is beginning. It is no longer seen as an
American phenomenon. There is a lot of awareness on requirements and products.
However, security follows computing and networking needs, while it is an
integral part of the infrastructure set-up. And the challenge is to minimise the
skills gap between the rate of technology development and the rate of technology
assimilation.
Many see a desperate need for good security professionals,
who can define, implement, and maintain robust security policies. Another reason
attributed to the slow deployment is that the connectivity infrastructure in
India is very poor and the extent of computerisation and using data as
information for analysis, etc., is hardly seen. Data was not perceived as very
sensitive to businesses. But the transformation is happening. And when it comes
to a business continuity policy, it is seen as an add-on to specific security
requirements. This requirement is dictated by the availability guidelines for
the enterprise.
There are no precise estimates on the levels of security
breach or the nature of breach. The reason is that most companies are not
open to disclosing a security lapse, as they believe this could hamper the
company's image. Further, most attacks go unreported for two reasons.
First, the breach is more often internal rather than external. Second, companies
do not realise that there has been a security intrusion in the first place.
Interestingly, most of the companies realise that an attack happened only after
months. More often than not, they even fail to assess the level of damage they
suffered. But a couple of the corporates confirm, in private, that over
80 percent of the security break-ins can be attributed to the PETE syndrome.
Nonetheless, with the remote access to information over
public networks growing, it is being increasingly realised that it is mandatory
to implement security solutions, such as firewalls, intrusion detection systems,
systemic scanners and go for VPNs. The security products being deployed include
software and hardware. In addition, security policy management systems are being
considered. Many see network security deployment evolving into a cycle of
audit, design, test, implement, manage and review, the steps in defining a
corporate security policy to minimise and manage risk.
Mostly the services rendered range from security assessment
and engineering to enterprise security implementation to security auditing and
consulting. This is just an illustrative list of the trends. There are other
major vendors like Cisco, which has end-to-end solutions in the network security
space that include both software and hardware–firewall solutions, intrusion
detection systems, and scanning tools, in addition to a security policy manager.
The point that was being driven from the alliance partnership is that the
systems and network integrators are playing a very decisive role. And the VARs
and integrators are key constituents of a security solution as they have
acquired, or are continuously acquiring, skills, upgrading those, and adding
significant value in the implementation of security policies and services for reviews,
administration, and continuous improvements–the key to a successful security
policy implementation.
The cost of implementing a security solution varies
depending on the policy requirements. But the feeling is that the cost needs to
be relative to the implication of loss of information, which could even entail
a break in business operations. "The potential loss from such a break can
always justify the cost of a security solution," says Ramana. A lot of
awareness is being generated in the market place through seminars. The clear
message in such programmes has been about the challenges of security. The
message is that security is an ongoing process, not just a single product or set
of products. Policies need to go beyond just the network; and must balance
business needs with risk. This becomes even more challenging with holistic
security architectures beginning to arrive and the networking product vendors
like Cisco, Lucent, Nortel, and Enterasys going all out with security
incorporated solutions.