It's a cat-and-mouse game between security threats and their
solutions. With new technologies come newer security threats. To cope with them
you develop solutions. Threats then find holes in them, surpass them, and new
threats surface. Again come new technologies to fight them. And the process goes
on: a never-ending war.
The enterprise scenario is changing drastically. It is no longer
an island operation. Earlier, the only source of threat used to be the
outside, and to be secure the enterprise only needed to protect its boundaries.
Now the WAN connects all the branches, and users are spread out, using the
network from hotels, homes, and cyber-cafes. Mobility has come to users within
the enterprise, and on top of it the enterprise also needs to provide access to
contractors, subcontractors, and customers. So the need for connectivity is
growing rapidly. And it is not a luxury anymore. The people using the network
have to be empowered. But how do we secure it? The old style of perimeter
security is obviously no longer the answer.
The Wireless Scenario
Not too long ago, the wireless security debate was essentially focused
on wireless LAN or Wi-Fi. Wi-Fi's Wired Equivalency Protocol or WEP was
seen to have flaws. By using freely available hacking tools, Wi-Fi networks
could be easily detected. Data flowing through those networks could be captured
and decrypted. Most of the issues around the Wi-Fi security debate also applied
to PCs, notebooks or the odd PDA with WLAN connectivity.
A Virtual Private Network connection or VPN is the recommended
solution to counter this threat. VPNs can provide an end-to-end encryption
solution that would work over both wired and wireless networks, and across any
protocols: GPRS, Bluetooth, WLAN (802.11) or fixed-line Ethernet. If
implemented correctly with other gateway security applications such as
firewalls, VPNs do offer a reliable and robust wireless security framework.
Fast forwarding to today: Now, the wireless debate has gotten
more complex. It is not just about WLAN-enabled PCs but new converged mobile
devices such as smart phones with GPRS/Wi-Fi connectivity from vendors such as
Nokia, Motorola and HP. In addition, there are broadband cellular networks,
WCDMA networks coming online, GPRS is becoming almost ubiquitous throughout
Asia, and 3G has found acceptance in East and Southeast Asia now. Given the
range of emerging devices and the need to include PC access over high-speed
wireless networks, how should an organization take steps to protect its mobile
data from theft? Are VPNs still the only answer to this conundrum? As it's
rare to find any security on mobile devices, they become more vulnerable to
threats. "Enterprise resources like ERP, CRM, intranet etc., which are
connected to Windows-based and smart mobile devices are more vulnerable and
under bigger threat than they are when connected to PCs or cyber networks,"
says Deepak Prasad, vice president, Global Outsourcing, SafeNet Infotech.
"The mobile phone is now turning into a computer which
makes it susceptible to precisely the same vulnerabilities as a PC like viruses,
spam and spyware," says Pranay Jhaveri, sales director, F5, India. Mobile
devices are increasingly coming under attack from viruses. Mobile handsets with
Wi-Fi cards are prone to these attacks as they connect to public networks, while
also being connected to the organization's network. With almost 50 mn people
in India using smart phones and about 6 mn set to join every month, this is
indeed worrying.
Available Solutions
Vendors are providing solutions for different kinds of attacks. Some are
offering solutions for end point devices while others have offerings for the
traffic, or the way in which data flows from source to destination. There are
other players with solutions to secure the corporate networks, and some have
only anti-virus solutions. However, the need is for solutions that enable online
encryption for online transactions.
Mobile viruses such as Cabir and Commwarrior can spread via
Bluetooth. Commwarrior can also spread via multimedia messaging systems. Most
mobile phone viruses target handsets that use the Symbian operating system.
Infection can be avoided by turning off Bluetooth on a smart phone.
Another feature designed especially for mobile phones is SMS spam
blocking, which allows an approved sender list, restricts a blocked sender
list, and can block SMS messages lacking a mobile telephone
number. Mobile users may also initiate manual scans.
Since mobile devices have become a necessity for all top-rung
executives, the demand for security within an organization is growing rapidly.
Hence, the first step that most CIOs practice and recommend is encryption of
data. Other solutions could be creating awareness, conducting training, and
using passwords.
A Holistic View of Mobility
First of all, an organization needs to examine devices that it plans on
supporting, and consider whether the situation might change in the near or mid
term, before deciding on a security solution. IPSec VPNs are still valid for PCs
and certain mobile devices like the Nokia 9500 Communicator that have inbuilt
VPN client software. However, some IT managers may wish to allow devices that
their employees have already invested in onto the network. If so, these devices
may not be able to use VPNs, as they do not have the requisite VPN
client software.
However, there are other solutions available that an IT manager
can turn to. All notebooks and the majority of mobile devices today have
web-browsing functionality. Generally, these browsers support secure
connectivity using SSL/TLS (Secure Socket Layer/Transaction Layer Security), the
very same technology used when you are using the Internet to make a secure
online payment. SSL VPNs are now readily available to provide an alternative VPN
solution, without the need for client software.
There are also network appliance technologies that assist in
corporate access. These technologies help connect any browser-based device such
as Nokia mobile devices, Sony Ericsson P800/900 series, Windows Pocket PC or PCs
connected with the enterprise, over any fixed or wireless medium, even old
fashioned dial-up. The connection is authenticated using secure two-factor
methods such as LDAP or RADIUS. The connection is secured end-to-end via SSL/TLS,
ensuring that the connection is encrypted over the air and over the wire. There
is an additional benefit: the device becomes a "thin client" that
views the data held on corporate servers. At the end of the connection, no
session data is left on the device. This last point is important, given the fact
that mobile devices are more easily lost or stolen than laptops or notebooks.
In addition, the more advanced technologies can give users of
any browser-based device access to email, attachments (Word, Excel, PowerPoint
and PDF), calendar and contacts. The most cost effective solution for an
enterprise allows a smooth migration from existing mobile access devices to
newer mobile devices, designed to exploit newer performance and functionality.
These technologies will support connections from older WAP-based devices to view
well formulated XHTML Web pages. Should the IT manager decide to allow users to
download attachments or retain emails, this can be enabled easily.
When supporting a mobile workforce, other areas to consider are
encrypting the contents or files on the device and installing personal firewall
and antivirus software. This gives an organization the confidence that its
mobile devices are as secure as the laptops their users carry.
Challenges for a CIO
Today's CIOs and CXOs must manage and mitigate security and
privacy-related risks that dramatically affect their profitability, corporate
governance and compliance imperatives. From simple yet insidious to complex and
pervasive, these security challenges threaten to overwhelm business boundaries
and protection mechanisms, thus requiring an increasing share of management
attention and IT resources.
The people problem: Part of the problem lies in the fact
that employees are not as technology or security savvy as the IT staff and often
don't realize when their actions, or lack of them, may pose a risk. A first step
in creating a security-minded culture is making it clear why certain security
policies are in place. It is important to make sure security measures do not
impede business processes. The IT security staff must educate users about why
they have to take such precautions.
Communicating risk: IT managers assume that end users know
why a certain policy is adopted or a particular Internet habit is banned in a
company, such as downloading music files. The end user may think the policy is
in place to prevent bandwidth hogging whereas it's really to avoid a specific
virus, so they download after-hours and still open up their organization to
risk. Security managers believe communicating with business units before
establishing policies will ensure that policies are in sync with business
processes as well as increase the chances of groups actually following the
mandates.
Information flow: There are key partnerships one has to form
within the business units and individuals so that they are educated about what
information is safe to travel on mail and what may lead to undesired disclosure
of confidential information. Other means to exchange information may also be
considered. Setting policies on what can and cannot leave the company in
electronic format is an important exercise between the CSO and the users.
Adding technology: A security culture cannot depend on
people and process alone. Technology available today can help automate policy
enforcement, data collection and protection, and help companies short on staff.
Saving future costs: Companies that start honing their
security practises today will save money tomorrow. While most companies spend
about 3% of their total IT budget on security, those that invest up to around 8%
will, within 18 to 24 months, spend less on total security, according to
research firm Gartner.
"Security today requires organizations to raise the culture
of IT to do things more securely, not to change how others work," says John
Pescatore, lead security analyst at Gartner. He also says "expecting end
users to think about security in the way that IT needs to, will fail. End users
shouldn't have a choice when it comes to operating more securely. The IT team
should make those decisions, which should be transparent to end users."
On the vendor front: Customers complain that as they have
multiple vendors providing them solutions (and even if there's just one)
ultimately they themselves end up working on integrating security and other
functions.
IT Priorities
Being proactive on security and availability of the network should be high
priority for all IT staff within any organization. The larger a company, the
more it relies on a secure, reliable and scalable data network. If the company
has more than one location, the network between the offices should be secured
via encryption. External gateways should have firewalls and intrusion
detection/prevention to watch for unauthorized attempts to access systems, and
alert on any potential violations. Internally, authentication, access control and
accounting (AAA) servers provide a centralized user management platform,
ensuring that personnel only have access to applications and information that
they need. Web and mail filtering technology should be used to ensure compliance
with the HR policy, remove viruses, and reduce the load on the mail server from
spam.
Continuous periodic review or audits of security policies and
vulnerability management are the best ways to judge the security threats, manage
resources and technology optimization for network security. A holistic approach
maintains balance between internal network, perimeter and end-point security
strategies.
As the defined line between the internal network and external
network is blurred, it is important to have a holistic approach towards
security. The architecture should have a layered implementation of security.
"Right security policies should be in place and should be monitored and
fine-tuned as per the business requirements of an organization," says
Ranajoy Punja, VP, Business Development, Advanced Technologies, Cisco India and
SAARC.
There is no one-size-fits-all security policy for enterprises.
Every organization needs to define its policy based on the challenges faced by
it, immediate and long-term focus, like scalability, applicability etc.
A security policy is like a wheel, which includes the following
cogs: assess the organizational security posture; assess the impact of a security
breach and classify; define a security policy for the organization; test the
security policy; implement the security policy; and continuously monitor and
refine the security policy.
It is equally important to have end-users educated on the
security policies, and the Dos and Don'ts within the network as well as with
their hosts/end-points.
Outsourcing: Not a Bad Idea
"If everyone could deploy their security solutions themselves, the
digital world would be a safer place," says Niraj Kaushik, country manager,
Trend Micro, India and SAARC. However, the problem with such a situation is that
there is a shortage of qualified security professionals. Hence, many
organizations assign the task of security to a single person or a group whose
job role is different. These guys take security as a task to be done when time
permits. But security simply cannot take a back seat. Here pops up the idea of
outsourcing the security tasks to a more qualified service provider. But a
debate is always there.
The primary argument for outsourcing is financial: a company can
get the security expertise it needs much more cheaply by hiring someone else to
provide it. While it is possible for companies to build detection and response
services for their own networks, it's rarely cost-effective. Staffing for
security expertise 24 hours a day, 365 days a year, requires full-time employees
who require training and are difficult to come by. Again, the problem of
retaining them would be even harder, as attacks against a single organization
don't happen often enough to keep a team of this caliber engaged and
interested. This is why outsourcing is the only cost-effective way to satisfy
the requirements.
Deciding whether outsourcing security is right for your business
needs great understanding of both the risks and the benefits associated with
outsourcing. "Security can definitely be effectively outsourced if done
suitably, and after proper due diligence," says Bhaskar Bakthavatsalu,
country sales manager, Checkpoint Software Technologies, India & SAARC. Most
operational tasks of security, such as updating firewall policies, monitoring
logs and patch management can be outsourced. "Companies should outsource
expert assistance: vulnerability scanning, monitoring, consulting, and
forensics, for example. But they should not outsource management," says
Sajan Paul, head, Technology and Consulting, Enterprise Solutions, Nortel.
It is always best to control security from the data owner's
premises but if security isn't one's core competency, it is advisable to
outsource it to experts under predefined SLAs. Services such as auditing,
penetration testing, security policy documentation, security solution design and
implementation, disaster recovery, education, monitoring and proactive
management are best left to the experts, i.e., your outsourcer. IDRBT, IISc, NIC
are good examples of institutions which manage security for multiple banking and
government organizations.
Outsourcing doesn't guarantee a risk-free enterprise. It may
even expose your organization to greater risks, if not handled correctly. But it
can provide remarkable benefits in terms of total cost of ownership and
operational efficiency.
One suggestion to ensure a faultless outsourcing relationship is
to sign a Service Level Agreement (SLA) with the security vendor. Also, impose
penalties for failure to deliver. Always check for case studies with the vendor,
ask before making a choice. The most crucial element here is one of trust. One
must be able to trust one's security provider. Another prime reason to
outsource security management is the expectation of receiving better service as
there are explicit SLAs in place, which can be enforced. These SLAs are often
harder to enforce internally. The service provider has up-to-date hardware and
software. Also in terms of reliability and responsiveness, the outsourcer
responds and provides services at the promised time; and when users have issues,
the service provider is genuinely interested in solving them within time.
Although a security strategy can save the organization valuable
time and provide important reminders of what needs to be done, security is not a
one-time activity. It is an integral part of the system lifecycle.
The toughest challenge for an enterprise is that there is no
early warning system for hitherto unknown threats. Therefore, the enterprise can
never be better prepared to meet them head-on with confidence and impunity.
Hence, the growing challenge is to protect organizations against attacks that
are automated and polymorphic (ones that change every time) and to keep
up-to-date with hot-fixes and patches on a daily basis.
Gyana Ranjan Swain
gyanas@cybermedia.co.in