IT security is all about the bottom line
Security is a business issue, and its ramifications go beyond mere technology.
Companies need to build security into their processes—that’s the only safe path
in a world swamped with security threats, says Prashant L Rao
While organisations pay lip service to security, all too few maintain a security policy
and refresh it on a regular basis to deal with fresh threats. Worse, companies
tend to buy point solutions, an anti-virus package here and an IDS there, without
having a policy in place. This kind of topsy-turvy thinking is exceedingly dangerous
in a world where threats multiply faster than defences against them. So what
is a CIO to do?
All you need is policy
The answer can be summed up in one word:
‘policy’. If you have a comprehensive security policy in place, that’s half
the battle won. Of course, you’ll have to keep it updated on a monthly basis,
something only a third of Indian organisations do. The aim is to start with
a policy and then map it out to components, ensuring that the said components
mesh together and work effectively to provide the company with a seamless shield
against the worst that’s thrown against it.
Of course, not all policies are created
equal. The PwC-CII Security Survey 2002 found that over half the respondents
with a comprehensive security policy in place had missed out on some crucial
bits: risk analysis (not done by 45 percent), classification of data (not done
by 67 percent) and procedures for partners (not set down by 72 percent). As in
other technology areas, the financial services
industry leads in terms of defining and implementing security policy.
Just one worm...
Just one worm getting past your network
defences can cripple your business and bring it to its knees. Which is why companies
are deploying gateway, server and desktop anti-virus for a holistic anti-virus
set-up. However, there’s an even more basic issue here—hackers have upped the
ante and are eyeing operating system vulnerabilities that remain open only because
system administrators have failed to apply the patches already available for
them. This, analysts believe, is perhaps the biggest hole in any organisation’s
security.
If it’s too complicated, outsource it
As businesses continue to react rather
than take a proactive stance, they will continue to suffer losses. Indian
companies are starting to realise that security is not a one-time issue. One
solution is to outsource the whole mess. Third-party security firms are only
too willing to take the security burden off a company’s shoulders. As they are
specialists in this function, they are likely to be right on top of things in
terms of keeping everything up-to-date and they can even educate folks in the
company on security measures. Interestingly, Indian companies make use of the
services of security consultants to a far greater extent than their foreign
counterparts: 48 percent of Indian companies quizzed in the PwC-CII security
survey were taking assistance from consultants as compared to 17 percent globally.
Beyond firewalls, towards proactive network security
Software-based firewalls are being replaced
by hardware-based firewall appliances that are faster and scale better. That
said, companies have realised that there’s more to network security than firewalls
and they are starting to go in for intrusion detection systems (IDS). Around
a fifth of Indian companies use this technology. IDSes have some weaknesses,
the biggest problem being that an IDS generates data by the bucketload in
the form of alerts, many of them false positives. These need to be managed by
a process and companies need to have a policy that clearly determines what happens
when a real intrusion is detected. This is going to be the next step in perimeter
security. IDS tools that spew fewer false positives and are easily managed are
the need of the hour. Beyond IDS there’s IPS (intrusion prevention system),
a more proactive system that not only detects but also protects.
The proof of the pudding is in the eating.
In the case of IDS, we have a case study of HCL Comnet using IDS—both network
and host-based—to monitor its network. The solution it picked
inter-operates with its firewall. The IDS has 1,400 signatures in its database
and the company has added anomaly detection to the mix.
Don’t forget the desktop
It’s all too easy to forget about the desktop
while ruminating about network and server-based security. But the desktop is
still the final point of defence and it needs to be protected. Simple but effective
measures to this end include keeping the operating system and anti-virus up
to date, using a personal firewall and using encryption tools such as PGP (the
second most popular form of encryption among Indian enterprises after SSL) to
keep your data safe and secure.
24x7 e-business
1,566 Indian websites have been hacked
this year and the year’s a long way from being over. Security experts believe
that organisations install firewalls and intrusion detection systems but they
fail to configure them properly and do not update security patches on a regular
basis, leaving them open to attack. Most network administrators seem to believe
that attacks will cease once a firewall is installed. Online security is becoming
more important as airlines, railways and banks have functioning e-commerce websites.
It’s only a matter of time before others follow, and they will need to be proactive
in their approach to security, or it won’t be long before we read about e-businesses
coming a cropper under attack.
As we’ve seen, there is more to security
than buying a bunch of point products and expecting them to ward off the evil
eye. An organisation’s security set-up needs to continuously evolve to stay
in step with the ever-changing environment. The key is to map out your security
policy and adhere to it as you roll out the many layers of organisational security.
Policy that is set in stone is useless: you will have to constantly update your
policies and upgrade the components of your security set-up. That’s the only
safe way to keep your business up and running, constantly—which is why security
is a business issue, not an IT one.
Companies...                                                 | Measure
That suffered from security breaches                         | 80 percent
That suffered virus attacks                                  | 75 percent
Contribution of hackers and unauthorised users               | Over two-thirds
Average downtime as a result of security breaches            | 29 hours
With a security policy in place                              | 41 percent
That increased their security budget                         | 74 percent
Using encryption                                             | 11 percent
In financial services that rate security as a high priority  | 93 percent
That rate security as a high priority                        | 68 percent
That rely solely on password-based authentication            | 97 percent
Source: PwC-CII Security Survey 2002