Like
everywhere in the world, India too is on the way to reap the
benefits of the Internet, e-commerce, and intranet/extranet
connectivity. This means throwing open the networks to security
hazards. The objective being information security (infosec).
Most of the users today have realized the importance of
protecting information for the benefit of the company. But the
issue is that of having infosec policy and business continuity
policy. The concern is about how to maximize the opportunities,
while minimizing the risks, especially when hackers are on a
malady spree, viruses are growing alarmingly, and bugs are
multiplying like parasites. The situation compounds further if
the security is breached from within. Statistics prove that it
is the internal attacks that are a more alarming concern than
those from outside. In fact, most of the users equate this to
internal insurgency and consider the battle to be getting
picayunish.
Preparedness
by Indian Cos.
Getting
the preparedness statistics of the organizations out here is a
closely guarded affair. That is the prime reason why there is no
precise estimate on the levels of security breach. Most of the
companies are not open to disclose a security lapse as they
believe this could hamper the company's image.
Most attacks go unreported
because of two reasons. First, the breach is more often internal
rather than external. Many of the companies have stated this off
the record. Second, companies do not realize that there has been
a security intrusion in the first place. Interestingly, most of
the companies realize that an attack happened only after months.
More often than not, they even fail to assess the level of
damage they had to succumb to.
The Indian corporate world
may not have deployed strong infosec measures but the
realization is beginning. It was not seen as a major cause of
worry some time back for two reasons. One, it was seen more as
an American phenomenon. This is primarily because Internet has
been relatively a very new phenomenon and that private ISPs have
been allowed just a year-and-half ago. And as most of them have
dial-up facility it is perceived that the intrusion can happen
while being online only.
Further, the connectivity
infrastructure in India is very poor. Also, the extent of
computerization and using data as information for analysis, etc.
is hardly seen in India. So data is not perceived as very
sensitive to businesses. However, this seems to be changing.
Today, IT and Internet are seen as important productivity tools
for business growth and expansion. For example, take the case of
the manufacturing sector. Here production scheduling, inventory
management, etc. are commonly used applications that are getting
automated in the network. And an intrusion into the network can
jeopardize everything. And with more and more transactions about
to happen online, the danger of business loss looms large.
The Indian corporate world
has woken up to the reality that data in their networks can be
fiddled with. Some of the bold companies have told that they are
keeping the HR information like compensation and benefits in the
LAN guarded. This is mostly all from within. Competitors are the
last in the category to break in.
Howsoever, infosec is
still seen as a reactive rather as a proactive step. At least,
products like firewall from Checkpoint, Raptor, and Cisco are
getting deployed, though firewall within the network does not
mean an end to all problems. Other products like intrusion
detection, vulnerability assessment tools, anti-virus, and
content security tools all need to go into the network.
Various estimates from the
vendors of different security products suggest that the spending
on network security deployment was to a tune of Rs 15 crore. And
it is estimated that HCL Comnet, Microland, and Ramco share
about 85 percent of the market in India. This figure of the
total investment may not be very huge in comparison with those
in the US or elsewhere. But considering the fact that the
Internet has sprout only last year in a major way and Internet
and e-commerce are being seen as a tool of next level of
business adventure, the figure is remarkable. And a conservative
estimate suggests that the figure will more than double year
after year in the next few years.
It has always been the
software houses, which have been traditionally deploying the
security measures. In a way, security has been a de facto standard
in this segment. But the vertical markets that deployed these
measures in a big-way have been the ISPs and banking and
financial segments. Some of the private banks like ICICI, HDFC,
and GTB have initiated measures because Internet banking is
increasingly becoming part of their offerings. More banks are in
the pipeline to deploy infosec measures. Similarly the stock
exchanges, especially BSE and the NSE, have gone in for security
products. ISPs, almost all the national ones, have a security
system in place. The other early adopters of network security
are those in the e-commerce domain and the government
establishments along with the MNCs who deploy the same kind of
measures that are used in other places.
Security
Dynamics
Network
security is about setting up a defence mechanism. It is more
than just the security measures provided by most applications
like passwords, etc. In the name of security two things are
happening today. While on one hand most companies are avoiding
connecting their LANs directly to the external environment, on
the other some have installed firewalls in the critical servers
on their network. "However, all this is not foolproof and
sufficient," explains Balakrishnan R, COO, Euclid. "A
firewall is only a tool and it needs to be implemented aptly
using security policies and procedures."
Infosec is more about a
well-formulated policy than technology deployment. It is about
allowing universal access. It is about understanding the user's
need and what is provided by way of technology. In toto, a
security policy is about understanding business operations,
applications and usage, and building a framework around this. A
crucial step in this regard is to pinpoint the vulnerabilities,
understand how susceptible the network is to a security
infringement, monitoring of potential risk factors such as VPNs,
cable modems, and mobile users, and to have intrusion detection
mechanisms in place to respond quickly and effectively. And most
importantly, it needs to be seen that the bandwidth is not
clogged.
It is not so easy as on
one hand domain expertise is needed, and on the other, it is a
process involving people from the top to bottom to define a
security policy and how to manage it. Formulation of a security
policy does not end with mapping; it demands defining a security
scheme-password allocation, backing up of data, and so on. This
is a cumbersome process and therefore, most companies are
sulking. Whatever the specs, it is crucial to develop a security
strategy that addresses the network as a single entity. Anything
short of a comprehensive solution leaves the network vulnerable.
Internet Security Systems (ISS), a leading player in the
security arena, professes that the key to creating useful,
transparent, and enforceable network security comes from
adopting a process that provides broad-based needs input,
careful identification of network resources and access
requirements and data-driven implementation and management
services.
Another important factor along with the
security is a business continuity planning. It is the surrogate
capability available in the event of a disaster. Business
continuity planning seeks to preserve the assets of an
organization in the event of a disaster: Its capability to
achieve its mission; its operational capability; its reputation
and image; its customer base and market share and; its
profitability.