
Network Security -- Beyond Insurance.

VoicenData Bureau

A recently published 2000 Computer Crime and Security Survey

from the Computer Security Institute/FBI, shows that 273 respondents out of 643

businesses surveyed reported cybercrime losses (e.g. viruses, security breaches,

fraud, net abuse, denial of service attacks) estimated at more than $265

million. The report also highlights that about 90 percent of the organisations

surveyed detected computer security breaches within the last 12 months. 70

percent reported serious computer security breaches like proprietary info-theft,

financial fraud, system penetration from outside and denial of service attacks.

According to SPEX, a leading web-based end user-oriented IT research affiliate

of META Group, breaches by hackers and disgruntled employees, penetration of

secured transactions and electronic sabotage, are among the highest security

concerns of global organisations. It further observes that the recent breaches

of security within organisations occur internally–58 percent of the time.

However, it predicts that by the year-end, half of all security breaches will be

external and the security systems of the future will be "selectively

permeable membranes," meaning that some entities will be given access to

systems while others will be kept out. The reason: organisations will increase

third-party access and this would become a key driver of security issues, requiring the implementation of more

complex systems than just traditional firewalls. This will compel IT to pay

closer attention to external security.


It is only too obvious that organisations will increase

budgets and make security a priority within the IT department. The Information

Security Industry Survey 2000 says that the number of companies spending more

than $1 million on security doubled in 1999. A survey from the META Group

suggests that organisations plan to spend slightly more on security, averaging

$2.8 million. The study reveals that while spending is increasing and most IT

organisations view security as essential, the majority of companies are

reactive, rather than proactive, in their approach to security. META Group found

that IT organisations rarely adhere to purchasing guidelines for applications.

Typically, IT organisations' security policies focus on requiring minimum

password lengths and restricting access to software applications, server data

files and networks. This indicates a trend toward IT viewing security as an

ongoing process and maintenance effort, rather than a proactive endeavour in

which purchasing assets are designed to be protected at the outset. Clearly, the

network intrusion market is experiencing phenomenal growth and consolidation

around more established businesses to provide integrated and comprehensive

suites of security solutions that include firewalls, security scanners, network

management and encryption components.

In India, there is no reliable data available on the level of

security breaches and the spending on the security front. Nonetheless, the scene

here could be proportionate with the global phenomenon. Confirms SV Ramana,

country manager, systems engineering, Cisco India, "It is true that there

is no reporting of security break-ins, most of the time. There is no formal

organisation responsible for consolidating and reporting such break-ins in the

country. However, it has been observed that over 80 percent of security

break-ins are internal to organisations, by intentional or accidental access. We

expect that with the IT Bill having been passed, and the legal framework defined

for illegal security intrusions, there will be a deterrent for such attacks.

Security solutions are available for prevention, and regulation is available for

deterrence. With the right security policy, we should see better control on

break-ins. Since businesses depend on information, it is vital to establish

mechanisms including security tools and methods to protect it." And most of

the industry acknowledges that with the remote access to information over public

networks, it is necessary to implement security solutions, such as firewalls,

intrusion detection systems, systemic scanners and Virtual Private Networks (VPNs)

to ensure a network that is tamper-proof against break-ins.

Enterprise Security Issues


With Internet access beginning to take the trek towards

becoming as ubiquitous as telephone service, deployment of IP networks in the

past five years has grown–both in terms of number of Intranets and complexity.

What seems to be the only constant in the deployment of an Intranet is the

constancy of the deployment. Besides, with the wireless traffic growing and

Internet coming to the handheld devices, the security issue only gets further

complicated. In such environments, the elements of security risk are witnessing

a stratospheric growth.

PETE

Enterasys Networks assesses some of the key elements of

security risks as unpredictable access for new mobile workforces; unnoticed

e-vandalism; hard to track e-raiders; difficulty in damage assessment; and

difficulty in profiling and logging the transient attacks. Enterasys singles out

PETE (Potential Employee Threat to Enterprise) as the threat to the enterprise

security currently.


The reasons: PETE is connected to the Intranet; is attached

to the company’s entire IT structure every day; is abusing or attacking

resources through high-speed 10 or 100 Mbps connection; has access to IT

infrastructure from home, hotel, or suppliers' facilities; is unchallenged by

99 percent of security systems; does not have to pass through the Internet

firewall technology; may not be intentionally damaging IT resources; may be

misusing the Intranet or damaging it through virus reception. This is typically

why enterprise security needs to be seen as a holistic approach rather than a

part-means effort or a reactive approach. The game is infrastructure and

management.

BCI

Now, with Intranets being deployed not only to serve internal

needs but to partners, customers, suppliers, and the general public, this

extended Intranet is playing an increasingly critical role. Zona Research terms

this as the Business Critical Intranet (BCI). And according to it, "the BCI

is an increasingly complex network and presents an ever-changing array of

challenges for network managers. It includes supply chain management, electronic

commerce, and a whole spectrum of activities between the enterprise and its

customers, partners, suppliers and the general public. In this environment, the

effort to maintain appropriate levels of security can pose a difficult and

complex series of decisions for the network manager." Interestingly, the

diverse requirements of the BCI have led to the managers creating a shopping

list of measures intended to meet so-called security requirements. This was more

a consequence of job security than network security.


Studies conducted by Zona Research indicate that IT managers

are caught between the devil and the deep sea. On one hand, there is a great

demand on them to throw open the BCI as an extended Intranet to customers,

suppliers and partners, and on the other ensure a greater security of the data

stored on the network itself. Zona's studies show that IT managers are

attempting to clamp down on information access. In one study, when Zona asked a

series of six high-level questions related to security and information access in

order to gauge general trends and attitudes among enterprise network managers,

more than three-quarters of the sample respondents disagreed or strongly

disagreed that their information access policy is free and open. They were

keenly aware of security issues and were deploying security technology to limit

access. Further, nearly two-thirds of that sample indicated that information on

their networks is centrally controlled, more than twice the number that

indicated information was managed in a decentralised way. Similarly, with

respect to policy changes, nearly two-thirds of the respondents indicated their

information access policies had become less open in the last year, in sharp

contrast to those (less than 25 percent) that had made information more open

during the same period. At the same time, an overwhelming majority stated their

information access policies would become less open in the coming 12 months. From

this, Zona concludes that the desire to control access to information is a trend

that will continue into the foreseeable future.

Enterprise Security: The Approaches

Network security managers, responsible for choosing from a

dizzying array of specialised hardware and software products to solve their

organisations' network security and infrastructure needs, are confronted with a

huge shopping list. While individual products from different vendors are

attractive as ‘best-of-breed’ solutions in specific areas such as virus

detection or authentication, organisations require assurance that the disparate

products will integrate to provide seamless, comprehensive network security.

Alternatively, one can choose to purchase a broad range of solutions from a

single vendor -- a part of a product "suite". Further, a significant

portion of the Total Cost of Ownership (TCO) for an enterprise network is the

expensive human resources devoted to managing the solution. The ability to

manage all elements of an enterprise security installation from a centralised,

integrated console is what differentiates a cohesive, manageable, cost-effective

solution from a mere patchwork of individual point products.


Tackling Security Issues

Threat-By-Threat: The Zona Research study points out that there

is a threat-by-threat deployment of security technology in response to the

desire for increased control of information in an increasingly hostile

environment. The same respondents indicate different levels of security

technology deployment. The first and ubiquitous level is the anti-virus

technology. Second, access control technologies. This category is broad in

definition and includes everything from merely deploying passwords on desktops to simply

denying whole parts of the enterprise access to internal or external data.

Access control can be difficult to scale, and can leave large numbers of both

Intranet and extended Intranet clients without access to key information on the

BCI. Firewalls too have substantial penetration and multiple firewall brands may

be deployed to provide the facade of security. The shopping list of the future

would include firewalls, intrusion detection, authentication,

encryption and digital signature technology. Affirms Ramana, "The security

products include software and hardware. Firewall solutions to cater to

small-to-extremely large number of connections, hardware-based high performance

intrusion detection systems and scanning tools to protect enterprise data. In

addition, security policy management systems are required for providing security

administrators, with an easy to use tool to define and manage the organisational

security policy."

Holistic Security: While threat-by-threat is being seen as an

ad hoc security framework, the next generation interactive security solutions

will take a holistic approach. Zona Research believes that the next real

breakthrough in BCI security will come in the form of an infrastructure through

which various point security products can be deployed and managed. This, it

predicts, will not only bring coherency to security deployment but will also

eliminate the urge to redundantly deploy various security technologies. It also

says that the old security objective of "keeping the bad guys out"

must evolve to a new objective that also includes "letting the good guys

in." In a more integrated environment, security is an enabling and

proactive technology, not a reactive cash sink. Security should enable

opportunities for the BCI.

Top 10 security products by % of respondents using each (1999)

1. Firewalls (82%)
2. Access Controls (77%)
3. Client/Server Security (73%)
4. LAN/WAN Security (67%)
5. Web Security (59%)
6. Disaster Recovery (57%)
6. (tie) Network/Communications Security (57%)
8. E-Mail Security (56%)
9. Encryption (50%)
10. Mainframe Security (44%)

Undoubtedly, the march today is towards evolving

architectures for holistic security. Probably from Q2 2001 onwards, there

could be a wide range of features added to the security architectures and new

platforms evolving. Clear trends in this direction are available. Enterasys

Networks, a Cabletron company, announced their holistic security architecture

for complex BCIs called Secure Harbour. This architecture has been designed to

protect and serve the corporate information ecosystem and claims that its

architecture covers the entire information delivery mechanism–access, user,

data and application. It has five key elements to secure the BCI–prevention,

detection, damage assessment, response, and correction–and spans the new

connection paradigm–wireless, remote access, VPN, etc., too. Clearly, the

swing is towards new architectures and new products coming up quarter on

quarter.

Symantec, a leader in Internet security technology,

traditionally strong in the operational security side–intrusion detection,

anti-virus, content filtration, etc., was missing from the infrastructure

security–PKI, Firewall, VPN, etc. It acquired AXENT, a strong player in the

enterprise area. "AXENT acquisition would enable us to deliver holistic

solutions," explains Roger Chung, regional product manager, Asia Pacific,

Enterprise Solutions division, Symantec. Adds Chung, "With the Enterprise

Security framework we are moving from the provision of point solutions to the

implementation of an integrated strategy."


Some of the companies from India have also got aggressively

into software product development for enterprise security that the networking

vendors can quickly absorb and integrate into their product portfolio. For

instance, Hyderabad-based Intoto Software (I) Pvt Ltd, a subsidiary of Intoto

Inc., USA, has announced an integrated family of software for network security and

connectivity called the iGateway architecture. Elaborates SN Murthy,

president and COO, Intoto India, "iGateway architecture provides a secure,

reliable, easy-to-use platform for the broadband gateway equipment. It secures

network infrastructure from cyber attacks and secures business communications

between networks, applications, and users across Internet, Intranets, and

Extranets."

The trend is from implementing point solutions, as and when

required, to a clearly defined strategy that takes into account all the possible

elements of current and future operating requirements.

India Horizon

Top Obstacle is Budget

With

India catching up on the Internet, e-commerce, and Intranet/Extranet

connectivity, information security (infosec) activity is on the prowl. But the

big question is what should be the objective of the users today at the corporate

level with respect to security. Is it about information security (infosec) or

beyond that? Says Ramana, "We believe Internet and Intranet based business

transactions will define models of interaction between manufacturers, vendors,

customers, partners and employees. And security needs to encompass maintenance

of informational integrity, confidentiality, authentication of rights of users,

cover for non-repudiation and appropriate availability of information to

internal and external users. In this environment, it will be mandatory for

enterprises to define a good security policy, which encompasses threats from

within and outside the organisation. The ongoing security policy reviews will

need to cater to warding off new threats. Towards this, latest technologies

including perimeter security, intrusion detection and vulnerability scanner

based solutions with administration and management of the security policy would

be the saviour against such threats. The network security policy has to

complement the conventional security mechanisms."

Agreed. But has the importance of protecting information for

the benefit of the company been realised by the Indian corporates? What are the

steps that they are taking? And is it a must that the corporates need to have an

infosec policy and a business continuity policy?

Several security experts like Suresh of Ramco Systems and

Ramana say that the importance of security is felt throughout the Indian

corporate world. Though the Indian corporate world may not have deployed strong

infosec measures, the realisation is beginning. It is no more seen as an

American phenomenon. There is a lot of awareness on requirements and products.

However, security follows computing and networking needs, while it is an

integral part of the infrastructure set-up. And the challenge is to minimise the

skills gap between the rate of technology development and the rate of technology

assimilation.

Many see a desperate need for good security professionals,

who can define, implement, and maintain robust security policies. Another reason

attributed to the slow deployment is that the connectivity infrastructure in

India is very poor and the extent of computerisation and using data as

information for analysis, etc., is hardly seen. Data was not perceived as very

sensitive to businesses. But the transformation is happening. And when it comes

to a business continuity policy, it is seen as an add-on to specific security

requirements. This requirement is dictated by the availability guidelines for

the enterprise.

There are no precise estimates on the levels of security

breach or the nature of breach. The reason is that most companies are not

open to disclosing a security lapse, as they believe this could hamper the

company's image. Further, most attacks go unreported for two reasons.

First, the breach is more often internal rather than external. Second, companies

do not realise that there has been a security intrusion in the first place.

Interestingly, most of the companies realise that an attack happened only after

months. More often than not, they even fail to assess the level of damage they

had to succumb to. But a couple of the corporates confirm, in private, that over

80 percent of the security break-ins can be attributed to the PETE syndrome.

Nonetheless, with the remote access to information over

public networks growing, it is being increasingly realised that it is mandatory

to implement security solutions, such as firewalls, intrusion detection systems,

systemic scanners and go for VPNs. The security products being deployed include

software and hardware. In addition, security policy management systems are being

considered. Many are seeing the evolution of the network security deployment as

audit, design, test, implement, manage and review as the steps in defining a

corporate security policy to minimise and manage risk.

Mostly the services rendered range from security assessment

and engineering to enterprise security implementation to security auditing and

consulting. This is just an illustrative list of the trends. There are other

major vendors like Cisco which has end-to-end solutions in the network security

space and include both software and hardware–firewall solutions, intrusion

detection systems, and scanning tools, in addition to a security policy manager.

The point that was being driven from the alliance partnership is that the

systems and network integrators are playing a very decisive role. And the VARs

and integrators are key constituents of a security solution as they have

acquired or are continuously acquiring skills, upgrading those, and adding significant

value in the implementation of security policies and services for reviews,

administration, and continuous improvements–the key to a successful security

policy implementation.

The cost of implementing a security solution is varied

depending on the policy requirements. But the feeling is that the cost needs to

be relative to the implication of loss of information, which could even entail

break of business operations. "The potential loss from such a break can

always justify the cost of a security solution," says Ramana. A lot of

awareness is being generated in the market place through seminars. The clear

message in such programmes has been about the challenges of security. The

message is that security is an ongoing process, not just a single product or set

of products. Policies need to go beyond just the network; and must balance

business needs with risk. This becomes even more challenging with holistic

security architectures beginning to arrive and the networking product vendors

like Cisco, Lucent, Nortel, and Enterasys going all out with security

incorporated solutions.

Ch. Srinivas Rao
