Untitled Document
www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
16 May 2005  
Untitled Document
Sections

Industry
Hardware
Storage
System Software
Enterprise Software
Bandwidth
Security
Printing & Imaging
Outsourcing
Technology Life

Columns

Between The Bytes

Specials

HMA Bankbiz
UPS Batteries

Services
Subscribe/Renew
Archives
Search
Contact Us
Network Sites
Network Magazine India
Exp. Hotelier & Caterer
Exp. Travel & Tourism
feBusiness Traveller
Exp. Pharma Pulse
Exp. Healthcare Mgmt.
Exp. Textile
Group Sites
ExpressIndia
Indian Express
Financial Express
Home - Security - Article

Signs of maturity

Medium businesses are becoming seasoned veterans when it comes to deploying and managing security solutions, says Abhinav Singh

Medium businesses are aware of the importance of network security. While their adoption of security solutions does not compare with that of large enterprises, they are waking up to the fact that information security is essential. These companies have basic security systems in place. A third of them use anti-virus solutions. Firewalls, IDS and access control devices are also popular with some relying on encryption and cryptography. Integrated security appliances are occasionally used (AV, FW, IDS anti-spam in a box). Says Vishak Raman, Country Manager, India and SAARC, Fortinet, “Although medium enterprises’ knowledge of security is not very high, they are beginning to update their security infrastructure. Going in for security certification is a sign of maturity.”
Medium businesses are aware of the kind of security they want. They do not want vendors to deliver point solutions. They prefer comprehensive
solutions
Ajit Pillai
Country Manager
India & SAARC
WatchGuard Technologies
Although the average medium enterprise’s knowledge of security is not very high, they are starting to update their security infrastructure. Going in for security certification is a sign of maturity
Vishak Raman
Country Manager
India & SAARC
Fortinet

Ajit Pillai, Country Manager, India and SAARC, WatchGuard Technologies, reveals, “About 33 percent of our business comes from the 100-500 user segment. Medium businesses are aware of the kind of security they want, and they keep upgrading their security infrastructure. They do not want vendors to deliver point solutions. They prefer comprehensive solutions.”

Telecom and IT/BPO sectors view security as a high priority area. For instance, Mumbai-based Zip Telecom manufactures pay phones and has chosen an integrated security appliance from WatchGuard. States Nandu Bhat, General Manager IT, Zip Telecom, “We were not able to scan e-mail for viruses and spam, or detect and track network intrusion, or detect hacking when it occurred. With the integrated security appliance, many of these vulnerabilities have been plugged.”

Security appliances to the fore

Survey findings
  • Medium businesses are mature when it comes to the adoption of basic security solutions.
  • These companies buy security with greater thought than smaller enterprises.
  • These companies have expressed the desire to invest in firewalls,anti-virus solutions and intrusion detection systems.
  • Many have IT teams headed by CIOs. The opinions of the functional heads and the CEOs are considered while framing a security policy.

Fifty percent of medium business plan opt for a firewall, which is six points more than those who prefer anti-virus solutions. Intrusion detection systems (22 percent) and integrated security appliances (20 percent) are next in line. Investments have also been planned in encryption and cryptography tools, identity management and biometrics.

Security policy integral to security

Most medium businesses have a documented security policy and are planning to invest in network security. Of the verticals that were planning to invest in security infrastructure, manufacturing and engineering businesses lead, followed by the BFSI and the IT/BPO verticals. A high incidence of documented security policy reveals the maturity of security adoption in this segment. The role of functional heads, CEOs and CIOs was critical in formulating security policy. Many medium businesses have an IT team headed by a CIO. The opinion of the functional heads and the CEO is considered while formulating security policy.

What’s in the policy

53 percent of companies have
invested in branded systems. This is primarily because the price difference between branded and assembled PCs has narrowed

Data security is first among items on the security policy agenda, followed by unauthorised employee access and data security in transit. Of the 71 businesses that have a documented security policy, 35 percent review it once a quarter. Another 22 percent review it once in six months, and 28 percent once a year. Around 15 percent also said that they had no fixed periodicity for reviewing security policies. The proportion of companies that review their security policy every three months is higher in auto and auto component manufacturers, telecom, IT/BPO and Government/PSU.

No security audits for many

Forecast
  • Security is the first IT priority among medium businesses. Accordingly, the sophistication of security set-ups in medium businesses will increase.
  • Investment in security is expected to stay flat this fiscal.
  • Since most medium businesses have a basic security system in place, i.e. anti-virus and firewall systems, investments will continue in the current year. Traction is visible in the chemical, pharmaceutical, IT and BPO verticals.
  • Biometric-based security systems are generating interest in the IT and BPO verticals.

71 percent of respondents do not conduct security audits. 12 percent conduct internal audits, 9 percent choose ISO 17799 audits, 4 percent prefer COBIT, and the remaining 4 percent are BS 7799-certified. A security audit is normal practice at 23 percent of those companies that do have audits. For 21 percent of these companies, it falls under the ambit of security policy. For the rest it is either a business or regulatory requirement, or because of client pressure. Frequency of audit varies from monthly, to two-, three- or six-monthly and annual. Many companies rarely review their security audits. 44 percent have the audit conducted by their internal IT team, and 28 percent by an external team. The rest use a combination of external and internal teams.

Organisations that rely on their internal team for audits have well-developed IT teams and do not want to expose their security to any external agency. As per the survey, the major drivers for conducting security audits internally are better co-ordination and understanding due to the internal team, and the lower cost of conducting an audit. Says Pillai, “Most organisations do not want to reveal their security infrastructure to an external team, and many do not have a budget which can support an external team to conduct security audits. Tools are available for download which can be used to conduct an internal audit.”

Having a security audit conducted by an external team is often because of lack of an equipped internal team. Explains Deepesh Gosawi, Officer, Systems, Infrastructure Development Finance Company, “Our IT team is very small and doesn’t have the expertise and strength to conduct a security audit. We get the audit done by an external team which has the required expertise.”

T K Bhaskar, Chief Executive Officer, Eyeglobal Technologies, adds, “We get more credibility when an external team conducts a security audit. It also gives us a fresh perspective because an external team has experience in conducting security audits in different industry verticals and adopts a multi-faceted approach.”

Security is being discussed in boardrooms by 39 percent of respondents. The incidence of security coming under the purview of top management is higher in chemical and pharma, services and in IT/BPO.

Integrated security
Integrated security appliances have special relevance for medium businesses.This appliance typically has two or three inbuilt capabilities such as VPN, firewall, anti-virus, IDS or anti-spam. The functionality can be altered to suit the requirements of a mid-sized company. The emerging integrated security appliance market is driven by the transformation of single function appliances into devices that offer several security features in a single box.

Security appliances provide sophisticated security. As networks become complex, so do the threats. Appliances are effective in dealing with security threats especially in a medium enterprise where the IT teams are not as large or skilled as those in large enterprises. Security appliances are efficient in defending against content-based threats. Appliances can perform deep pocket inspection (look inside e-mail attachments, downloads and the like), thereby shielding the company from content-level threats and ensuring secure content-level management.

These boxes can be deployed in remote locations, as they do not need much expertise to manage. Appliances are easy to configure and deploy and yet they can be efficiently monitored from a central location. The ease of management of these appliances has helped organisations trim their IT headcount (or freeze it).

Additionally, as most medium businesses are still doing perimeter security, it makes sense to think about investing in appliances. Says V C Sekar, Manager, IT infrastructure, Sonata Software, “An integrated security appliance is the need of the hour as we get multiple functionalities in a single box. All our clients insist that we have a minimum security set-up before they do business with us. Integrated security appliances help us instill confidence in customers and ensure that multifunctional security is in place. Additionally, security appliances have multiple functions and are easy for us to manage as we do not require separate staff to manage each product such as a firewall, anti-virus and IDS.”

There is more to security appliances. Businesses can avoid dealing with three to four vendors for their security

requirements and no longer need to lose sleep managing separate SLAs (Service Level Agreements). Says Nandu Bhat, General Manager, IT, Zip Telecom, “We were not able to scan mail for viruses and spam. We were also not able to detect any network intrusion or hacking when it occurred. With an integrated security appliance, many of these vulnerabilities are plugged. This creates immense value for users.”

R Karthikeyan, Senior Manager, IT, United Interactive Centre, observes, “Appliance-based security solutions are more stable in terms of speed, in achieving higher throughputs. We use ours as an integrated single-point solution against all security threats. Security appliances are user-friendly, and they are easy to install and configure.” After deploying a Fortinet integrated security appliance, the company has not suffered any security breaches. By getting all the functionality in an integrated box—VPN, firewall and IDS—the company has saved on multiple investments.

abhinav@expresscomputeronline.com

 


Untitled Document

UNSUBSCRIBE HERE
Untitled Document
© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.