www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
14 May 2007  

Secure but not perfect

As medium businesses look for a place at the top of the pyramid, security is taking on a professional shape, making it less vulnerable to attack.

By Kushal Shah

Security serves as the backbone of any IT infrastructure within an organisation. Companies of every kind and size do whatever is practically and economically feasible to secure their IT set-ups and so protect their data and other resources. Some spend crores, some lakhs, and some organisations contribute only a few thousand for a secure environment. It’s not about how much money you are willing to invest; it’s about how you spend that money. An organised security system, and not just anti-virus or a spam filter, is the need of the hour. Organisations need to know the importance of well-defined security.

If the small segment seemed complacent vis-a-vis security, with few companies even bothering to go in for a comprehensive implementation, large organisations are equipped with multimillion dollar security systems. In terms of spending and know-how, medium businesses fall somewhere in between these two classes of the Indian corporate sector. They have software in place and some of them even have well-defined policies, but somewhere down the line they come up short when it comes to managing devices and using them right, and in turn fall prey to intrusions and various other kinds of attack. These companies have a significant number of employees across the country, which in turn increases the number of loopholes within a company’s boundaries that are open to attack. Thus this middle layer of the pyramid is vulnerable to attacks, if not as vulnerable as its counterparts in the bottom layer.

If we look at companies’ security readiness in terms of statistics, then according to the survey almost 84 percent of the medium segment had the infrastructure in place to deal with security issues. For about three-fourths of these organisations, an average of 25 percent of their IT budget is spent on security. Unlike small enterprises, which have a small footprint at the national level, medium businesses are spread across the country, making the job of security personnel that much more tedious. Organisations are moving towards UTM, IPS and IDS in addition to defined policies, but most of them are still stuck with anti-virus and anti-spam. A positive aspect is that almost every company in this segment has some form of security software installed at the desktop level to provide basic security, if not organisation-wide.

Managing security

With 99 percent of 141 respondents having implemented anti-virus, one could be led to believe that they are secure, which is not true if we examine the spread of these organisations across the country. With an average of 13 branches in India and more than 1,100 employees across the country, these companies need more than vanilla anti-virus. They need a full-fledged organisation-wide security policy and other equipment to deal with viruses and other threats.

Only 21 percent of the 141 organisations had opted for managed security services. Even with such a low count, organisations didn’t seem interested in going for managed security in the coming year, with only 10 percent of 167 respondents planning to go in for the same. When you are growing fast to take the prime spot atop the pyramid, there are many aspects which need to be automated so that they need minimal human intervention to operate. High-end implementations can make that easy for the IT team, and the IT department can sigh with relief when everything is in place and no threat can harm the business. Well-defined restrictions and access controls, automated attendance systems and user level permissions as well as vulnerability assessments are some of the ways in which one can move towards protecting the organisation.

In order to manage the security set-up, organisations had teams of varied sizes and budgets according to the criticality of the matter. Unlike the small segment, where organisations barely had an IT team, this section of the industry usually has a full-fledged IT department. Apeejay Surrendra Corporate Services has a team of about 50 people headed by the CTO to take care of IT. The company appears well equipped, with a team of 35, including developers, to handle operations at the head office. In most companies the decision maker for security is the IT head. Very few have a designated CSO or CTO to take decisions regarding security.

Current trends in the threat space
  • Attacks motivated by the prospect of financial gain such as banking Trojans which steal a user’s identity to access his bank account.
  • Denial of service (DoS) attacks to extort money from e-commerce Web sites.
  • Internal threats from employees and trading partners. In fact, most of the security breaches emanate from internal business networks.
  • Interconnected networks with no clear boundaries. As boundaries between networks disappear in order to connect partners and suppliers, multiple vulnerability points are introduced.
  • Security for Web services has been problematic and difficult to standardise and enforce across organisational boundaries, leaving enterprise network boundaries porous and permeable.
  • Growing use of personal applications such as Web-based e-mail, instant messaging, and peer-to-peer applications provide multiple points of entry for viruses, worms, and other attacks and provide a readily accessible means of disseminating proprietary and confidential information.
  • Phishing and pharming attacks: New schemes for Internet-based fraud are difficult to stop, and they pose the risk of identity theft to unsuspecting customers and employees.
  • Spyware on the rise: Two-thirds of computers are infected with spyware.
  • Spam and spim: Unsolicited e-mail (spam) accounts for more than half of e-mail traffic, costing businesses billions per year. Instant messaging spam (spim) is also on the rise.

Sectors and their policies

One thing in common between small and medium IT/ITES companies is that they are the least secure amongst the verticals surveyed. This is in contrast to the common perception of IT companies. IT/ITES showed only about 72 percent implementations for security. This sector was least interested in implementing IPS (Intrusion Prevention System) and IDS (Intrusion Detection System), with not even a single company bothering to do so. There were a few who took their security seriously. For some, security was more about making their employees aware of it and restricting them from making the system vulnerable.

“The most important aspect for security is that of stopping misuse of Internet access and securing data. In order to prevent this, we have restricted Net access. This restricted access saves a lot of bandwidth,” says Navin Kumar, Vice President- Technology, Go..IP Solutions Ltd. They have user level permissions for Internet access across the organisation.

One of the common practices observed among the companies in terms of restriction is to block social networking sites such as Orkut and Hi5, and messengers such as MSN and Yahoo. Messengers pose the highest threat for security since the transfer of viruses is likely through the P2P interface.

Where IT companies had the infamous distinction of being laggards, auto & auto components on the other hand were found to be the most secure with 100 percent implementation of security systems. Every aspect of security was taken care of by some or the other industry. Some even had IPS, IDS and UTM systems implemented and a lot is on the cards in the coming year.

All the other verticals had more or less the same ratio of implementations as the average across medium industry segments, which is 84 percent. If we are to compare Chemical & Pharmaceuticals and FMCG/Consumer Durables, then Chemical & Pharmaceuticals wins in terms of the number of implementations, with about 88 percent of these companies having some sort of security infrastructure. On the other hand, FMCG/Consumer Durables has better infrastructure in place, with 22 percent of these organisations having implemented UTM. More than half of these companies have security policies in place. “For me security is everything, if any organisation is not secured enough there cannot be any business,” says Jitendra Nath, CTO, Apeejay Surrendra Corporate Services Pvt. Ltd. They have taken care of almost all the aspects of security, which are handled with the help of policies, anti-virus software and UTM.

Some companies in Manufacturing & Engineering have some of the best security implementations in place, along the lines of encryption and user level restrictions. Over 86 percent of organisations in this segment were found to be secure.

Overall, barring IT/ITES, the rest of the verticals have their act together.

UTM (Unified Threat Management)
Unified Threat Management is an emerging trend in the firewall appliance security market. It is the evolution of the traditional firewall into a product that not only guards against intrusion but performs content filtering, spam filtering, intrusion detection and anti-virus—duties traditionally handled by multiple systems.

When hackers were the primary focus of an IT enterprise, a firewall was sufficient to protect most networks. Then as viruses became more prevalent, corporates took to anti-virus gateways that scanned for viruses followed by Web content filtering, and later, spam filtering. This resulted in a mess of systems that were costly to administer and took up valuable rack space.

As the hardware that powered today’s enterprise firewalls became more robust, it became viable to add functions that were traditionally off the box right into the firewall. Firewalls became ‘firewall appliances’. This is where Unified Threat Management comes in. Rather than administer multiple systems that handle anti-virus, content filtering, intrusion detection and spam filtering, companies can purchase a Unified Threat Management firewall appliance that integrates all of the above into a single rack-mountable network appliance. The multiple functionality of the Unified Threat Management appliance can be the justification for replacing older, more basic firewalls.

A UTM appliance must have an operating system and an installation process that requires a minimum of human intervention. The appliance must have the ability to perform network firewalling, intrusion detection and prevention (IDS/IPS) and gateway anti-virus (AV). All capabilities need not be utilised, but the functions must exist in the appliance. A UTM appliance may also include other features such as security management and policy management by group or user.

Advantages:

  • Reduced complexity: The all-in-one approach simplifies product selection, product integration, and ongoing support.
  • Easy to deploy: Customers or more often resellers, distributors or managed services providers can easily install and maintain the products. Increasingly, this process is handled remotely.

Steps Taken

More or less every company, about 99 percent of 141 respondents, had anti-virus in place; one wonders how the remaining one percent handles a business of more than 100 crores without even an anti-virus solution.

Organisations vary in how they handle security; some had stringent policies for employees whereas some had tightened entry points to the network making employees less burdened.

While many companies had their policies in place, some of them outsourced their IT operations to a third party and didn’t have any department as such to handle operations. For manual desktop level management, they relied on anti-virus such as Norton or McAfee.

Pasupati Spinning & Weaving Mills Ltd has outsourced IT management to a third party, but in terms of policies it had only a few nodes where the Internet was available, and this has reduced its need for high-end infrastructure to some extent. SICPA India Ltd, on the other hand, even with a Sonicwall appliance sitting at its gateway, has policies to stop intrusion through mail and over the Internet. It has restricted Internet access for employees.

One of the oldest tea vendors in India, Wagh Bakri, has a different way of dealing with security. It decided to go with a complete Linux environment. According to them, it is secure and does not need any other vendor to protect its network. One additional mechanism it adopted was that of having two different networks. “We have two separate networks, one for Internet and other for non-Internet business. The allotment of nodes was such that we provide only one computer per department for Internet usage for private work such as mails and surfing,” says Nisheeth Doctor, General Manager – IT, Wagh Bakri.

Linux is spreading its wings in the medium sector owing to the cost factor and the low risk associated with it. OM Logistics Ltd has more than 1,500 computers running Linux. Linux seems to have reduced the expenditure on security software and hardware by a significant amount. “We have customised firewalls and security systems developed by our own developers which are running on the Linux machines. Apart from that we have defined policies which restrict the usage of employees in order to secure the network,” says Prithvi Palsingh, Manager IT, OM Logistics.

Password protection for every user, user level security, application level security and implementation of UTM certainly make an organisation well secured, if not perfectly secure. Jagsonpal Pharmaceuticals Ltd has all these security systems in place in addition to its tie-up with McAfee and SecureSynergy for anti-virus and Netgear for a firewall. “In our organisation, not all applications are meant for everybody. Application level security ensures that only an authorised person gets access to a particular application; Accounts people can only use accounting applications. We are thinking of roping in some application level consultants for further enhancements,” explains Prakash Pradhan, Head-IT, Jagsonpal Pharmaceuticals Ltd. Even after having such security in place, Pradhan feels something is lacking and that it needs to improve.

A high-end security system: this is how Apeejay Surrendra Corporate Services’ security set-up can be defined. A Cisco firewall, Fortinet UGM, a Trend Micro suite which includes anti-virus, IPS, IDS and other security options, and hardware support from Juniper make this company as secure as it can be. It has well-defined security policies in place. Three brackets of Internet security provide segmented security in order to restrict usage. These three brackets are senior management, which gets access for the whole day; the business group, in which access is limited to business purposes only; and lastly, a third category for unlimited access, which starts after office hours. Such restriction on employees not only makes securing the network easier but also saves on bandwidth. “The top priority in my security policy is to make our employees aware and conscious about the benefits attached to security. Unless and until my employees are educated, there is no point in installing any number of security solutions. Both, awareness and implementations play a 50:50 role in organisational security,” says Nath.

Apart from firewalls and anti-virus software, BLA Industries Limited, a coal mining company, has implemented an RSA Token system. This dual sector encryption based token system changes the token every hour for enhanced security. Apart from this, Citrix Presentation Server further enhances security by providing 48 bit encryption which can be extended to 128 bit if needed. These implementations account for about 25 percent of its IT budget. As part of its policies, the company does not allow the unauthorised usage of storage devices such as USB drives and CDs. “Checking Internet usage of employees and tapping on their shoulders remotely to know what are they doing are the most important aspects of my organisation’s security policy. I should know what software is being installed and what ports are open,” says Atul Bansal, Manager – IT, BLA Industries Limited.

Irrespective of what is installed or how much money is spent, what matters is defined management with the help of policies.

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.