NETWORK SECURITY: Security! Who Cares?

VoicenData Bureau

Even as corporates all over the country are getting hooked on to LAN, WAN or the Internet at a frantic speed, driven either by their communications needs or e-business exigencies, network security is not getting the attention it deserves, barring areas like banking and finance, software and IDCs. Lack of awareness, or of an understanding of what network security really means, may be a reason in some cases. More pertinent is the fact that even organizations that are aware of threats or vulnerabilities have largely been looking askance at issues pertaining to security. Complacency and an escapist attitude overwhelm any reasonable and well-conceived effort at fortifying networks against attackers or intruders.

Left to hardware and software, security for most organizations is a comfortable sleep in the lap of firewalls and anti-virus software.

Some time back, when VOICE&DATA asked CTOs of both big and small enterprises what the five biggest challenges and issues they faced with respect to their network and communications infrastructure were, none of them made even a passing mention of network security. Interestingly, these included a very large company whose core business is information collection and distribution, and also an ISP for whom the network itself is the business.

"There is a lack of structured approach to deal with security. Most organisations buy bits and pieces of hardware and security is not seen as an integrated mechanism. People think firewall is everything", says Neel Ratan, partner, global risk management solutions, PricewaterhouseCoopers, India. Most people do not even appreciate the need for security, he points out. S V Ramana, country systems engineering manager, Cisco Systems, agrees when he says that many companies consider the purchase and installation of security hardware to be the end in itself, unmindful of the fact that security is not just a box installed on the network. Swapan Johari, business head, emerging solutions and services, HCL Comnet, cites another issue. "People in charge of the network may be highly aware of the threats or security needs but they don’t seem to have the urgency or pressure to practice ideal security guidelines", he observes.

A broad organizational lack of interest in the issues related to security has led to other anomalies in corporate India’s approach towards security. With security considered the responsibility of IT, the engagement of top management, or for that matter the larger involvement of people (who could be using the network at various levels) in maintaining security discipline, is never considered. "Security is 50 percent products and 50 percent process. And process has to be run, analyzed and managed by the people. And here the people or the process part is largely ignored", says Johari.

All this means that while there are well-documented policies pertaining to several other organizational functions, there is none when it comes to dealing with security. According to KPMG, around 77 percent of the organizations in India do not have a formal security policy. Similarly, PricewaterhouseCoopers’ IT Security Survey among the top Indian corporates revealed that even though 74 percent of the companies stated that information security was a high priority for their business, only 17 percent had complete and descriptive methods to monitor their security. This, despite the fact that 60 percent of those surveyed reported security breaches. The lack of a well-defined security policy is perhaps one of the main reasons why most organizations do not practice a holistic and focussed approach to security.

And as one thing leads to another, organizations lacking security policies often look at security as something static. This means that while deployment of systems or solutions becomes an end in itself, periodic assessment of threats or a third party audit of security adequacy is never thought of. Even such minor things as analysis of the logs generated by firewalls, which could give a fair idea of the state of one’s network security, are rarely looked at. It is rarely realized that when those looking for holes in it keep changing their destructive weapons, a security system cannot remain unchanged.

Cost is another issue. Cost, it seems, is more often an attitudinal problem with organizations defining it more in terms of the immediate expenditure, instead of taking benefits from preventive measures into account. Security is considered a costly expenditure and an investment. "Organizations are unable to justify an expense for building and maintaining the security systems, and the easy alternative is to deny access to all and share information within a selected few through outdated modes", says Cisco’s Ramana. He adds that whether the justification is based on retention of power of information or lack of skills to manage, access to information is different for each organization.

The other prominent barriers to security are the lack of trained security professionals and the pace of technological changes. These, to a large extent, are outside an organization’s control. "What happens in most cases is that an IT professional doubles as a security professional, in the absence of specialists dealing in security", observes Ratan. The shortage is compounded by the fact that, even though organizations themselves lack the skills to maintain and monitor a security mechanism, the idea of outsourcing their security requirements to specialist agencies does not appeal to them. "Outsourcing of security management is also seen as a threat, since trust with the security services organization is not desired or non-existent. Also, outsourced security services are seen to be exorbitantly priced", believes Ramana.

And where there is an awareness of vulnerability, network managers find it difficult to keep up with the speed of technological changes. "The truth is that CTOs or CIOs and people usually looking after security, are spending more time on understanding the new and emerging technologies", points out Ratan.

The network or, for that matter, information security scene in India is indeed grave. This is not a sweeping statement but a conclusion drawn from the writer’s interaction with security consultants, integrators and vendors, and also with users, who described the situation with adjectives like grave and frightening, with serious implications not only for the networked businesses but the national image as well. "The damage it can do to the image of the country is very high, especially in such businesses as call centers, ASPs, IDCs, network infrastructure management services", warns Neel Ratan.

However, like the proverbial light at the end of the tunnel, organizations are gradually taking proactive security measures. "The Indian scenario was earlier different, primarily due to the low deployment of IT and the unavailability of the Internet. The situation has changed today. With the deployment of VPNs, companies are beginning to understand the benefits of connectivity as well as the requirements of security", said Ramgopal Vallath, country sales manager, 3Com India. He observes that as the connectivity market develops in India, the security details will also begin to be better understood.

While Vallath may be right when he says things are changing, the fact remains that even the majority of relatively aware people still think of security in terms of technological tools and passwords.

For most organizations, it is just another support function for which provisions need to be made in the budget every year. Unfortunately, network security is very much like the ceremonial unarmed security guards seen outside most offices these days.

As senior management attention and support are lacking, barring a few cases, security issues are largely seen in isolation and not as part of the larger organizational goal. Exercises like risk and threat assessment, security policy development, and third party audit of the security system are largely unheard of.

Ravi Shekhar Pandey
