Issue dated - 31st March 2003


Security

India Inc. awakens to the fact that prevention is better than cure

Post 9/11, when security implementations shot into prominence, most companies found their security measures not up to the mark. Since then India Inc. has worked overtime to raise its security standards to globally acceptable levels. In this new security-conscious scenario, Chitra Padmanabhan examines the emerging trends in vital segments of the Indian security space—anti-virus software, enterprise security and access management.

Anti-virus software
Retail, ASP and remote management could be the new growth drivers for anti-virus (AV) players

A few years ago, it was the floppy disk that was the dreaded carrier of viruses across the organisation. But now, with the widespread usage of network-based computing, it’s the Internet that has become the source and medium of attack—hundreds of viruses emerge every week from this medium. In the past, anti-virus players developed solutions to stop a virus after it hit the desktop. But this proved ineffective as viruses spread rapidly through the Internet. Realising this, vendors started offering solutions at the gateway itself, so that the damage wreaked by a virus could be curbed even before it reached a server or a desktop.

Home users still believe that anti-virus software deployment is a one-time solution, says Ajit Pillai

Companies such as Yahoo and Sify have forged tie-ups with players like Symantec and Trend Micro to protect their e-mail subscribers from virus attacks. This trend is likely to gain momentum, especially when one considers research figures that show that almost 90 percent of viruses attack via e-mail.

By implementing an anti-virus solution at the gateway, ISPs can kill viruses before they cause damage. While the Indian ISP market is not exactly booming, almost all the existing ISPs have forged tie-ups with anti-virus vendors for providing better service to their customers.

Alarming figures
On the corporate front, there are alarming figures that only emphasise the need for stringent security measures. According to a CII-PricewaterhouseCoopers (PwC) survey, 80 percent of Indian companies reported a security breach during the last 12 months, compared to 60 percent in 2000-01.

Virus attacks have emerged as the single largest cause of security breaches. Nearly 75 percent of respondents reported having suffered a virus attack in 2001-02, up from 49 percent the previous year. Going by the numbers, anti-virus vendors are bullish when predicting product sales in India.

One silver lining is that the increase in the number of attacks on the network has made corporates aware of the need to strengthen existing security measures. Lee Boon Kuey, Network Associates’ managing director for the South East-Asian region and India says, “There has also been an increasing approach by corporates to deploy a plethora of anti-virus solutions, instead of just one.”

Corporates are also looking at adopting server-based anti-virus solutions, which are far more useful than anti-virus solutions implemented on individual desktops. Says Joy Ghosh, country manager of Symantec (India), “Corporates are focusing on safeguarding messaging systems and following a holistic picture of safeguarding the LAN network.”

While things are slowly becoming positive on the corporate front, there is still a lot of education that needs to be done on the home-user front. “Home users still believe that anti-virus software deployment is a one-time solution,” says Ajit Pillai, channel manager, SME and SOHO segment at Trend Micro.

As markets are becoming saturated and competition increases, anti-virus vendors are going all out to woo the SME segment with customised low-priced versions. This drive is also influenced by the fact that the SME segment is one of the biggest users of pirated anti-virus products.

The home segment is also a staunch believer in pirated software, which eats into the organised anti-virus market. “Apart from poor awareness levels, the availability of pirated software for as low as Rs 500 is an important reason why sales in the home segment are not doing well,” says Govind Ramamurthy, chief executive officer and managing director of Microworld.

However, players like Network Associates have started offering ASP versions of their software, through their managed services centres, which they hope will help curtail piracy. This is based on the fact that unlike business applications, where updates are infrequent, anti-virus software requires updates almost every day. Just managing and updating can cost more than the software itself. This is where the ASP concept plays a key role by not only curtailing piracy, but also reducing the total cost of ownership.

While security solutions are provided by a host of organisations, Network Associates is also pioneering a unique technology called Rumor. Usually, whenever users are affected by a virus, anti-virus companies develop antidotes and then distribute the updated signature file to their clients, who then update their internal servers and the thousands of workstations they service. But till the virus is completely removed, it keeps on replicating itself and spreads all over the network.

This is where Rumor differs from the rest. It uses a peer-to-peer distribution model instead of the traditional client-server model of centralised update distribution. So, when the first workstation in a network logs on to the Net, the Rumor anti-virus agent first verifies whether the workstation is running the latest version of anti-virus software. If it is not, the server does the upgrading. Thus, even if one desktop downloads the upgrade, it becomes the distribution agent and distributes the patch to others on the network.

Hence, if the updating file is found on the local network, it will be sourced from the LAN, rather than from the anti-virus vendor’s site, thereby decreasing load on Internet bandwidth.
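The sourcing order described above, sketched as an added example (it is not Network Associates' code). The manifest carrying a SHA-256 digest, the digest check on peer copies, and all names here are assumptions for illustration; the article does not say how Rumor validates a file received from a peer.

```python
import hashlib

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

class Workstation:
    def __init__(self, name, version=0, blob=b""):
        self.name, self.version, self.blob = name, version, blob

    def offer(self, version):
        """Hand our copy to a LAN peer if we hold the requested version."""
        return self.blob if self.version == version else None

def update(ws, manifest, lan_peers, vendor_fetch):
    """Bring ws up to manifest["version"]; return where the file came from.

    Assumption: the manifest itself arrives over a trusted channel.
    """
    if ws.version >= manifest["version"]:
        return "current"
    for peer in lan_peers:                 # LAN first, to save Internet bandwidth
        blob = peer.offer(manifest["version"])
        # A peer copy is used only if it matches the expected digest;
        # a missing or altered copy is skipped and the next source is tried.
        if blob is not None and digest(blob) == manifest["sha256"]:
            ws.version, ws.blob = manifest["version"], blob
            return "peer:" + peer.name
    blob = vendor_fetch()                  # fall back to the vendor's site
    if digest(blob) != manifest["sha256"]:
        raise ValueError("download does not match manifest digest")
    ws.version, ws.blob = manifest["version"], blob
    return "vendor"

def demo():
    good = b"signatures v42 (constructed sample data)"
    manifest = {"version": 42, "sha256": digest(good)}
    downloads = []
    def vendor_fetch():                    # stand-in for the Internet download
        downloads.append(1)
        return good
    a, b, c = Workstation("A"), Workstation("B"), Workstation("C")
    tampered = Workstation("X", 42, b"altered file claiming to be v42")
    sources = [update(a, manifest, [b, c], vendor_fetch),         # nobody on LAN has it
               update(b, manifest, [tampered, a], vendor_fetch),  # skips X, takes A's copy
               update(c, manifest, [tampered], vendor_fetch),     # only a bad peer: vendor
               update(a, manifest, [b], vendor_fetch)]            # already up to date
    return sources, len(downloads)

if __name__ == "__main__":
    print(demo())
```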

In line with this trend, global players like Sophos Anti-virus have gone a step ahead and are offering solutions like Remote Update. This application not only monitors the network for a new virus but also ensures that employees logging on to the company’s intranet have the latest virus updates. Says Vinod Kumar, director at Satcom Technologies, Sophos’s Indian partner, “The Remote Update application is keenly sought by organisations who have distributed locations across the world. Employees logging on to the company’s intranet through different access points make an administrator’s job very difficult. This is where remote update applications ensure that data flowing in from remote notebooks or computers is trustworthy and virus-free as it can update remote computers with the latest virus protection and upgrades.”

The trend of anti-virus players tapping the retail market will become more pronounced in the future. For instance, in the same way that Satyam Infoway pioneered the availability of Internet access packs on CDs through the retail route—even anti-virus vendors are putting their software on CDs and making them available through retail outlets. A case in point is Mumbai-based Microworld, which has announced plans of placing its products in all major retail outlets across the country. The company is also planning to tie up with players like NIIT and Aptech to enable students to gain experience on its products.

Additionally, information on the company’s products would be displayed on ATM machines of Citibank and ICICI Bank.

Enterprise Security
Security audits, internal security to be key focus points for the segment

Vaidyanathan Iyer says a security policy is essential as it states what is allowed and what is not and clarifies the deployment of security solutions

Yes, the global nature of conducting business has resulted in an increase in the number of opportunities that a corporate has today—but it has also made organisations more vulnerable by exposing them to the unseen hacker who can break into systems.

Before the days of specialisation, security was in the purview of the CIO or CTO, who was responsible for its implementation in an organisation. Now however, responsibilities have been fine-tuned. For example, organisations have been hiring people in specialist positions, who are responsible for network security in the company.

In India though, this is still a nascent trend—it is catching on with more and more MNCs. Sectors like BFSI, telecom and ITES are among the few that have been extremely proactive in not only deploying security policies but also constantly updating them.

Another trend that is emerging is the preference of corporates to opt for a vendor who provides end-to-end solutions. For instance, organisations that purchased multiple products face huge challenges in not only integrating the different products but also managing and updating them separately. Says Vaidyanathan Iyer, national manager for the eSecurity Business at Computer Associates, “Earlier, security initiatives were confined only to the perimeter level, wherein organisations would feel secure with firewalls and the latest anti-virus solutions.”

Enterprises today are also demanding the same flexibility in security applications as those offered by enterprise software vendors, including affordability, interoperability, manageability, modularity and scalability. Technologies in demand are IDS (Intrusion Detection Systems), VPNs (virtual private networks) and content inspection solutions.

Companies are also increasingly banking on security audits, conducted by top consulting firms, to achieve certification that authenticates that the organisation is complying with necessary security requirements. During the certification process a detailed analysis of the organisation is conducted to determine areas that threaten the company’s infrastructure. While the number of organisations that have a comprehensive security policy is on the increase, we are still a long way off from confidently asserting that India Inc. is completely geared to protect itself from invasions on the network.

Says Captain Raghu Raman, practice head at Mahindra Consulting Special Services Group, “Today, most corporates are in a reactive mode when it comes to addressing their security concerns. Companies also need to look at their own internal processes. For instance, employees who are on their notice period are free to tamper with confidential data. The firms who make a mistake in not realising this are soon enlightened about the cold truth—the greatest damage to an organisation’s security comes not from outside but from within the organisation.”

After the 9/11 incident more and more corporates started talking to security consultants to assess the loopholes in their security systems. To give companies a better understanding of security, these firms deploy methods like ethical hacking, which exposes an organisation’s vulnerabilities.

Explains Iyer of CA, “A policy states what is allowed and what is not. Hence, the implementation of the policy, which leads to deployment of security solutions is more important than the policy itself.”

Security awareness levels have also increased in Indian corporates and CTOs are certainly aware that security is as important as the core business activity, so security concerns are extended to storage areas as well.

At the end of the day the general economic climate is one of the biggest factors that is impeding growth in the security market. Spends are on the decline, and companies will evaluate all options and the criticality of spend before investing in any technology—security included.

The good thing is that this is one spend that is inevitable in today’s highly open and inter-connected environment.

Access Management
Access Management keeps internal threats at bay

Raghu Raman says most companies need to look at their internal security processes and realise the fact that employees are the biggest security liabilities

It’s the most unsuspecting intruder who could be the potential hacker—the company’s own employee. A little known fact is that 90 percent of security breaches in India are internal in nature. How do companies overcome this threat? A few years ago, discussions on security were limited to anti-virus and firewalls but today companies are seriously analysing the causes of internal threats to their data.

A Web-centric business model has created accelerated changes in business growth and business managers are forced to find new ways to control access to corporate resources, along with new tools to secure access.

“Password access provided to employees has failed miserably, since they can be broken into very easily,” says Surendra Singh, head for South Asia at RSA Security. Now companies are increasingly looking at a single sign-in access code, wherein a user can access multiple resources without having to authenticate more than once.

Explains Ashit J Panjwani, national manager for alliances and marketing at Onward Novell Software (India), “Employees, partners, customers and suppliers come under this umbrella, in which each has a single profile stored in the directory. This profile allows them to sign-on once and get identified before being allowed to access applications and information.”

Consequently, the network administrator has the ability to activate, update or delete user accounts immediately from a single point with precise control over user access privileges. “Apart from a single sign-on method, companies are also looking at other strong authentication technologies, including PKI, biometrics and hardware tokens,” says Prasinjit Roy, assistant vice president at eServices, Rolta India.

For example, RSA Security has developed a new authentication solution called RSA mobile authentication solution. With this software, users can authenticate their identities with the help of their mobile systems on websites and corporate networks that use RSA’s solution. As soon as a user enters his username and password on the website, the system looks for the mobile number associated with the name and sends a one-time access code in SMS format to the mobile phone. The user then types in the access code to log in. RSA calls it the ‘zero deployment’ two-factor authentication solution, as a company does not have to invest additionally in hardware and software at the user level.
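The login sequence described above, sketched as an added example and not RSA's implementation. The six-digit code, its lifetime, the attempt limit, and the names `SmsLogin` and `send_sms` are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL_SECONDS = 180   # assumed lifetime of a one-time code
MAX_ATTEMPTS = 3         # assumed number of guesses allowed per code

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SmsLogin:
    def __init__(self, users, send_sms, clock=time.time):
        self.users = users        # username -> {"salt", "pw_hash", "mobile"}
        self.send_sms = send_sms  # callable(mobile, text): stand-in for an SMS gateway
        self.clock = clock
        self.pending = {}         # username -> [code digest, expiry time, attempts left]

    def start(self, username, password):
        """Factor 1: check the password, then text a one-time code to the
        mobile number on file for that username."""
        user = self.users.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(hash_password(password, user["salt"]),
                                   user["pw_hash"]):
            return False          # no SMS is sent unless the password is right
        code = f"{secrets.randbelow(10**6):06d}"
        # Only a digest of the code is kept server-side.
        self.pending[username] = [hashlib.sha256(code.encode()).digest(),
                                  self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(user["mobile"], f"Your access code is {code}")
        return True

    def finish(self, username, code):
        """Factor 2: accept the code once, before expiry, within the limit."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        code_digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[username]   # expired or guessed too often
            return False
        entry[2] -= 1
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), code_digest):
            del self.pending[username]   # single use: a replayed code fails
            return True
        return False

if __name__ == "__main__":
    salt = b"constructed-salt"           # constructed sample account
    users = {"asha": {"salt": salt, "pw_hash": hash_password("demo-pw", salt),
                      "mobile": "+00 0000 000000"}}
    outbox = []
    login = SmsLogin(users, lambda mobile, text: outbox.append((mobile, text)))
    login.start("asha", "demo-pw")
    print(login.finish("asha", outbox[-1][1].split()[-1]))
```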

Going forward, we could see more such security solutions that would be designed keeping the mobile phone in mind.

  • The security issue is important from four angles:
    1. Cyber Security
    2. Physical Access Security
    3. Locational Security
    4. Information Fidelity
  • While security issues have gained importance in the post 9/11 world, locational security is seen to be getting more attention than other forms of security.
  • It is important to design and implement a comprehensive security policy taking into consideration all of the above vulnerabilities.

Ravindra Datar, Senior Analyst - IT Services, Mumbai, India

TRAILBLAZERS

Trend Micro
Trend Micro forayed into the Indian market, at a time when anti-virus solutions were confined to the desktop. During mid-2001, when Trend Micro decided to start its India operations, the market scenario was one where established players had already bagged a major share in the desktop anti-virus market. After a careful analysis of the market, Trend Micro decided to position itself as a gateway security provider, in a bid to differentiate itself from the rest of the players.

This was also the company’s USP, which gradually induced customers to look beyond desktop anti-virus solutions. “When we established our operations in India, we decided to project ourselves as a gateway security provider because at that time it was a fairly new concept in India,” says Ajit Pillai, channel manager for SME and SOHO segment at Trend Micro.

Sify and Hathway were Trend’s early customers in India, for a product called InterScan VirusWall, with eManager as the plug-in module, which could block viruses at the Internet gateway, in turn protecting intranet servers, LAN servers and desktops. Virus Trap, ScanMail, ServerProtect, OfficeScan and PC-cillin 2000 were among the first few products launched by Trend Micro in India. In the first year of operations the company saw a growth rate of 150 percent. Going forward, Pillai says that the company is confident of achieving triple-digit growth in the subsequent years.

With increasing threats of viruses, more and more companies have started signing SLAs (service level agreements) with anti-virus companies to enable them to focus on their core competencies. Trend Micro sees this as a big opportunity area and is all set to adopt the services route.

The company has also made a serious effort to tap into the home market. It recently launched its PC-cillin 2003 version in India, which is targeted at the home segment, for protecting desktops from infected e-mail, viruses coming from instant messaging tools, Internet downloads and file sharing. Trend Micro has also outlined its plans to tap the retail market shortly. Towards this end, it launched PC-cillin 2003 as a box-product in retail outlets catering specifically to the home segment.


RSA Security
In technology, as in life, every new venture brings not only opportunity but also risk. With e-business this is especially true because the very benefits of e-business are what make it a risky endeavour. More so when there is a constant churn of employees and the threat emerges right within the organisation.

This phenomenon has resulted in innovative ways to secure the network and is a potential opportunity for companies like RSA Security who specialise in access management tools for internal security. RSA started its India operations in February 2002 and has experienced a growth rate of nearly 500 percent in the first year and is expected to grow at a steady growth rate of 95 to 100 percent in subsequent years.

The company began operations with four products in its suite, namely RSA SecurID for two-factor authentication, RSA BSAFE for encryption and RSA Keon for digital certificate management, of which SecurID saw quick acceptance in the market. Within a span of one year, RSA has established a strong customer base of multinationals and key local players like Infosys, Wipro, Bharti, ICICI Bank, Spice Telecom, Daksh, Pfizer, CIBA, HSBC and GE amongst many others. RSA recently launched the RSA mobile authentication solution, wherein users can authenticate their identities with the help of their mobile systems on websites and corporate networks that use the RSA solution.

As the company already has a well-entrenched base among top corporates, it is now finalising plans to target the SME market—a segment that is still relatively unexplored. In order to achieve this, the company has already laid down guidelines to spruce up its Tier 2 partner programme, which focuses mainly on mid-sized companies.

The company also plans to increase its revenues from the BFSI space, where users are contemplating deploying security solutions. With more and more companies looking at ways to secure their data, RSA has a good opportunity in a space which is just becoming aware of its security needs.




© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.