Even as corporates, all over the country, are getting hooked on to LAN, WAN
or the Internet network at a frantic speed, driven either by their
communications needs or e-business exigencies, network security is not getting
the attention it deserves, barring in areas like banking and finance, software
and IDCs. Lack of awareness or an understanding of what network security really
means may be a reason in some cases. More pertinent is the fact that even
organizations that are aware of threats or vulnerabilities have largely been
looking askance at issues pertaining to security. Complacency and
an escapist attitude overwhelm a reasonable and well-conceived effort at
fortifying networks from attackers or intruders.
Left to hardware and software, security for most organizations is a comfortable
sleep in the lap of firewalls and anti-virus software.
Some time back, when VOICE&DATA asked CTOs of both big and small enterprises
what the five biggest challenges and issues were that they faced with respect to their
network and communications infrastructure, none of them made even a passing
mention of network security. Interestingly, these included a very large company
whose core business is information collection and distribution and also an ISP
for whom the network itself is the business.
"There is a lack of structured approach to deal with security. Most
organisations buy bits and pieces of hardware and security is not seen as an
integrated mechanism. People think firewall is everything", says Neel Ratan,
partner, global risk management solutions, PricewaterhouseCoopers, India. Most
people do not even appreciate the need for security, he points out. S V Ramana,
country systems engineering manager, Cisco Systems, agrees when he says that
many companies consider the purchase and installation of security hardware to be
the end in itself, unmindful of the fact that security is not just a box
installed on the network. Swapan Johari, business head, emerging solutions and
services, HCL Comnet, cites another issue. "People in charge of the
network may be highly aware of the threats or security needs but they don’t
seem to have the urgency or pressure to practice ideal security
guidelines", he observes.
A broad organizational lack of interest in the issues related to security has led
to other anomalies in corporate India’s approach towards security. With security
considered the responsibility of IT, the engagement of the top management,
or for that matter the larger involvement of people (who could be using the
network at various levels) in maintaining security discipline, is never
considered. "Security is 50 percent products and 50 percent process. And
process has to be run, analyzed and managed by the people. And here the people
or the process part is largely ignored", says Johari.
All this means that while there are well-documented policies pertaining to
several other organizational functions, there is none when it comes to dealing
with security. According to KPMG, around 77 percent of the organizations in
India do not have a formal security policy. Similarly, PricewaterhouseCoopers’
IT Security Survey among the top Indian corporates revealed that even though 74
percent of the companies stated that information security was a high priority
for their business, only 17 percent had complete and descriptive methods to
monitor their security. This, despite the fact that 60 percent of those surveyed
reported security breaches. The lack of well-defined security policy is perhaps
one of the main reasons why most organizations do not practice a holistic and
focussed approach to security.
And as one thing leads to another, organizations lacking security policies often
look at security as something static. This means that while deployment of
systems or solutions becomes an end in itself, periodic assessment of threats or
third-party audit of security adequacy is never thought of. Even such
minor things as analysis of the logs generated by firewalls, which could give a fair
idea of the state of one’s network security, are rarely looked at. It is rarely
realized that when those looking for holes keep changing their destructive
weapons, a security system cannot remain unchanged.
Cost is another issue. Cost, it seems, is more often an attitudinal problem
with organizations defining it more in terms of the immediate expenditure,
instead of taking benefits from preventive measures into account. Security is
considered a costly expenditure and an investment. "Organizations are
unable to justify an expense for building and maintaining the security systems,
and the easy alternative is to deny access to all and share information within a
selected few through outdated modes", says Cisco’s Ramana. He adds that
whether the justification is based on retention of power of information or lack
of skills to manage, access to information is different for each organization.
The other prominent barriers to security are the lack of trained security
professionals and the pace of technological changes. These, to a large extent,
are outside an organization’s control. "What happens in most cases is
that an IT professional doubles as a security professional, in the absence of
specialists dealing in security", observes Ratan. The shortage is compounded by
the fact that, even though organizations themselves lack the skills to maintain
and monitor a security mechanism, the idea of outsourcing their security
requirements to specialist agencies does not appeal to them.
"Outsourcing of security management is also seen as a threat, since trust
with the security services organization is not desired or non-existent. Also,
outsourced security services are seen to be exorbitantly priced", believes
Ramana.
And where there is an awareness of vulnerability, network managers find it
difficult to keep pace with the promptness of technological changes. "The
truth is that CTOs or CIOs and people usually looking after security, are
spending more time on understanding the new and emerging technologies",
points out Ratan.
The network, or for that matter information, security scene in India is indeed grave.
This is not a sweeping statement but a conclusion drawn from the writer’s
interaction with security consultants, integrators and vendors, and also with
the users, who described the situation with adjectives like grave and frightening,
with serious implications not only for the networked businesses but the national
image as well. "The damage it can do to the image of the country is very
high — especially in such businesses as call centers, ASPs, IDCs, network
infrastructure management services", warns Neel Ratan.
However, like the proverbial light at the end of the tunnel, organizations
are gradually taking proactive security measures. "The Indian scenario was
earlier different, primarily due to the low deployment of IT and the
unavailability of the Internet. The situation has changed today. With the
deployment of VPNs, companies are beginning to understand the benefits of
connectivity as well as the requirements of security", said Ramgopal
Vallath, country sales manager, 3Com India. He observes that as the connectivity
market develops in India, the security details will also begin to be better
understood.
While Vallath may be right when he says things are changing, the fact remains
that even the majority of relatively aware people still think of security in
terms of technological tools and passwords.
For most organizations, it is just another support function for which
provisions need to be made in the budget every year. Unfortunately, network
security is very much like the ceremonial unarmed security guards seen outside
most offices these days.
As senior management attention and support are lacking, barring a few cases,
security issues are largely seen in isolation and not as part of the larger
organizational goal. Exercises like risk and threat assessment, security policy
development, and third party audit of the security system are largely unheard
of.