Trend
Application security: the next wave
With SAP and Oracle providing security and compliance tools,
security vendors are under pressure to provide comprehensive, integrated solutions.
By Megha Banduni
Security is an oft-told tale. Every organisation knows that
it is critical to have the right security policy and solutions in place. Undoubtedly,
most organisations today have appropriate security solutions, whether at the
gateway, desktop or server level. So, what's new that we are discussing
in this article?
After network, desktop and server level security, vendors are now focusing on
security at the application level. Application vendors are providing security
tools to their customers along with their products. Another trend that we see
is that application vendors are not only looking at security, but are also providing
complete compliance suites that are as good as the solutions that security and
compliance vendors provide.
This is a positive trend for customers and application vendors. So what do security
vendors feel about it? Express Computer spoke to some vendors and analysts to
answer that question.
Says Mohan Verma, Associate Director, PricewaterhouseCoopers
(PwC), "This trend might affect security vendors by taking away a small
chunk of their business. However, the solutions that these security vendors provide
have been tested and refined over time and are in a different league altogether.
Also, their efficacy in functioning in a heterogeneous environment provides
them significant immunity from this threat."

"At the infrastructure
security level, they don't face a threat, but at the application
level, we are getting stronger and they will have to come up with strong
solutions too"
- Atul Sareen, Vice President, Platforms, SAP India
Atul Sareen, Vice President, Platforms, SAP India, feels
that as application vendors have started providing application security and
compliance tools, the business of security vendors might get affected. "At
the infrastructure security level, they don't face a threat from us, but
at the application level, we are getting stronger and they will have to come
up with strong solutions too," says Sareen.
Counter view

"Application security is the next big frontier. It depends on factors
such as who is accessing the application, how the application is designed
and what quality processes the application development process has gone
through"
- Niraj Kaushik, Country Manager, Trend Micro India and SAARC
Though analysts and application vendors feel that this trend
might have some kind of impact on the security vendors, the latter are quite
confident that their business won't be affected.
According to Niraj Kaushik, Country Manager, Trend Micro
India and SAARC, "Application security is the next big frontier that every
vendor is working on. Application security basically means making an application
more secure and this depends on factors such as who is accessing the application,
how the application is designed and what quality processes the application development
process has gone through. These factors are understood by application vendors
which is why they are also providing security tools."
Jari Heinonen, Director, APAC & Oceania Region,
F-Secure, believes that it will take a long time for big companies to reach
the level where many security companies already are. "We have extensive
experience in the security field and while I am sure that there will be customers
who will select the security solution from non-security vendors as well,
there is a big market out there and we all will be able to grow in our own business
areas."
Says Kaushik, "There are more than a hundred vendors
in the security space. Gartner has said that in three years' time Microsoft
will achieve just a seven to eight percent market share in the security space.
There is space for everyone because of the simple reason that the security
area is vast. I don't think there will be a threat to anyone from this."
Kartik Sahani, Sales Director, McAfee, concurs that there is no threat for security
vendors because most of them provide solutions for network and desktop security.
"Vendors such as SAP and Oracle are providing security solutions for their
applications. The thing to notice is that customers require network and desktop
security over and above this and that they will keep coming to us for this requirement."
So, why are the application vendors coming up with such solutions that already
exist in the market? One obvious reason is a need to add value to their portfolio
and tap additional revenues.
Database Security
Oracle Advanced Security Option: It delivers state-of-the-art data at rest and network encryption
Oracle Database Vault: It protects against insiders accessing data and applications outside the scope of their responsibilities
Oracle Label Security: Protects classified or confidential data with the flexibility of row level restrictions
Oracle Secure Backup: Provides encrypted tape backup for databases and file systems
Middleware Security
Oracle Identity Management: Delivers single sign-on, user provisioning, identity federation and directory services
Oracle Web Services Manager: Secures and manages J2EE and .NET Web Services
Oracle Application Server 10g: Provides a secure middleware platform based on industry standards
Applications Security
Oracle applications including e-Business Suite, PeopleSoft, Siebel, JD Edwards, and Retek feature core security capabilities such as secure user access and detailed auditing
Application vendors enter the security space

"We are prominent players in database security. On the middleware
side, we are providing options like identity management, user provisioning,
single sign on, identity federation and directory services"
- Sunil Mehra, Sales Director, Fusion Middleware, Oracle India
We spoke to the two leading application vendors who have been
providing security solutions as well for quite a long time.
Oracle has been actively providing security solutions to their
customers. Security is divided into three areas at Oracle: database, middleware
and application security.
"We are prominent players in database security, where we provide advanced
security options. On the middleware side, we see a lot of momentum and are providing
options like identity management, user provisioning, single sign on, identity
federation and directory services," says Sunil Mehra, Sales Director, Fusion
Middleware, Oracle India.
Explaining the user provisioning offering from Oracle, Mehra says that every
application has its own user repository, and one user might be listed in
several repositories. Oracle's user provisioning tool consolidates the different
repositories and gives the user a single view.
"When we sell any application, security management goes
with it as part of that application. At middleware level, it depends upon user
to user whether they want to opt for our security options or not. We have support
centres as well as managed services," adds Mehra.
Explains Sareen, "There are two levels of security:
application level and Intranet level. We don't provide Intranet security.
We provide application security such as data encryption, authorisation and authentication
at server and database level. Once the user enters into a secure infrastructure
or network, our role, which consists of providing secured information to the right
people, commences."
Moving into compliance
Today, corporate scandals have raised serious questions regarding trustworthiness
and have led to a slew of mandates and regulations such as the Sarbanes-Oxley
Act (SOX) that requires companies doing business in the US to document their
business processes, identify risks and define controls to mitigate them, and
regularly demonstrate the effectiveness of those controls.
To address this need, many application vendors are now providing compliance
tools as well. For instance, SAP offers a set of access control applications
for monitoring, testing, and enforcing access and authorisation controls across
the enterprise. These applications, available as part of SAP solutions for governance,
risk and compliance include access control applications that help the company
to comply with SOX and other regulations.
"Over and above SAP application and security solutions, we have Global
Risk Compliance (GRC). GRC has two components: process and access control.
SAP plays a strong role in this area. We offer such products separately but it
can run only on SAP systems or applications," says Sareen.
"Compliance consists of lots of things. Application vendors are providing
compliance tools. But one needs to understand that compliance is needed at every
level. Today security vendors are moving one step ahead of providing basic compliance
needs and that step includes improving compliance," explains Kaushik.
Global Risk Compliance (GRC) Process Control application
Allows users to automate the monitoring, testing, assessment, remediation,
and certification of enterprise-wide business processes.
SAP GRC Process Control is powered by the company's
NetWeaver platform, enabling it to integrate directly with SAP and non-SAP
enterprise applications. This integration eliminates false positives and
enables users to drill down on supporting data for faster remediation.
Training Services
SAP offers both instructor-led and e-learning training to help you get
the most from your access control applications. Courses such as "Compliant
Provisioning: Introduction to Virsa Access Enforcer" and "Manage
Compliance: Introduction to Virsa Compliance Calibrator" prepare
the team to manage and reconfigure the software. These advanced courses provide instruction, demonstrations,
and practical experience using the software, as well as insight into best
practices and optimisation strategies that organisations can leverage
for their businesses. Instructor-led training is typically conducted at
SAP training facilities located worldwide, but on-site and customised
training is also available.
Engineering Services
SAP offers engineering services to integrate legacy and custom applications
and incorporate them into a company's GRC processes. SAP consultants
help create custom adaptors to interact with these target applications
to extract user and access information and submit the same to a centralised
machine for access risk analysis.
Multiple options
"There are more than a hundred vendors
in the security space. There is space for everyone because of the simple
reason that this area is vast"
With application vendors entering the security and compliance
space, customers have multiple options.
Says Sareen, "Our customers are asking us to provide
them with security and compliance tools. Earlier, we had few management control
tools in applications. After security and compliance came up in a big way in
India, our customers have started demanding such tools from us."

"We have extensive experience in the security field and while there
will be customers who will select security solutions from non-security
vendors, there is a big market out there and we all will be able to grow"
- Jari Heinonen, Director, APAC & Oceania Region, F-Secure
For a customer, it depends on the extent of the security or
compliance requirement. Specialised requirements mean additional investment.
They would definitely benefit if these offerings are as mature as those from
specialised vendors.
According to PwC, this trend will definitely affect the user,
security vendors and application vendors. "For application vendors, it is a positive
trend. A few benefits accruing to application vendors are entry into newer
markets and captive clients, more entry barriers for best-of-breed solution
providers, a cleaner IT landscape for the client providing greater opportunities
for upselling and binding a client to its own suite of products," adds
Verma.
"From a security vendor's perspective, the trend is negative.
They will now have to cater to niche markets where requirements are specialised
or customers who are very choosy or who do not have large ERP systems,"
adds Verma.
Meanwhile, Heinonen argues that it is always safer to select
an independent security solution to protect computing environments. "We
are specialists in the security field and give customers the maximum protection.
Sometimes, if you are trying to do too many things at the same time, you are
not able to do all of them in the best possible way."
Adds Mehra, "Indian customers have matured. They want such security that
is easy, auditable and does not act as a bottleneck for applications. Cost is
also a key consideration. If the user gets all this from the same vendor, customers
would like to go for it. If a vendor can integrate various technologies with
its applications faster and cheaper, customers will love it."
No clear winner in sight
The thought process of the Indian customer is changing. On
the one hand, he doesn't want to buy everything from one vendor. At the
same time, if a vendor is providing a complete, integrated and best-of-breed solution,
it will be a handsome deal for the customer.
Vendors (both security and application) agree that application
security is the upcoming thing. Many security vendors are looking at it aggressively,
whereas application vendors already have such solutions in place. It remains
to be seen whether security vendors will be able to compete with Oracle's and SAP's
application security solutions, and who the user goes with.