Home > CIO HANDBOOK 2008

Enterprise Security: Guard that Data!
Protect sensitive data and proprietary information, whether it is at rest, in use, or in motion: that is today's mantra
Shrikanth G
Wednesday, February 20, 2008

When networking technologies became pervasive in the 1990s, with the rapid adoption of the Internet (the single most disruptive technology of this century), boundaries disappeared and distances died. But as the world became increasingly connected, the flip side also started to manifest, the biggest flip being the security concerns. Once information got shared on the network, its access patterns also significantly changed. As 'information anywhere, anytime' became the mantra of the digital economy, security became one of the biggest challenges for enterprises.

Security Challenges
No doubt, security is a daunting challenge for CIOs. Today's business environment is characterized by an unrelenting demand for real-time information from employees, partners, and customers. This puts an enormous amount of pressure on businesses and IT organizations when you consider three variables: the compounding amount of information that companies have to store, secure, and manage; the increasing infrastructure complexity within the organization; and the diversity of government and industry regulations with which organizations must comply.

The transmission and access of data on the network goes through several uncharted territories, and in each territory the integrity of the data is compromised. Hence, one cannot be 100% sure that confidential data is fully protected, because hackers and people who indulge in data theft use innovative ways and means to poach data. A pre-emptive and proactive approach to managing the security issue is therefore a must.

Experts aver that security is a big challenge that keeps CIOs awake at night. It is because, despite the best of security measures, threats manifest in various forms: viruses, worms, trojans, network hacks, data loss, improper access control, phishing, and social engineering. Some of these threats are easy to tackle while some are getting increasingly difficult to address.

The easy availability of hacking tools also makes data poaching easier. For instance, for less than $50, one can download phishing toolkits that even a novice can use. Securing the perimeter is just not enough anymore. There are enough threats originating from within the organization, making access control and data leak prevention policies and technologies a reality.

Given the plethora of challenges, implementation of security solutions has emerged as the focus area for CIOs of both large enterprises and small and medium businesses in India.

Adoption of new technology platforms, devices and applications like mobile phones, Wi-Fi, messaging, and VoIP is creating new vulnerabilities. The sophistication of attacks has significantly increased. Gone are the days of hacking for 'fifteen minutes of fame'. Hacking, today, is a professional crime for financial profits. The increase of worldwide Internet usage and the always-on connections have actually opened more corridors for security threats.

Hackers constantly uncover and exploit network vulnerabilities and don't wait for upgrades. There is always a lag between the availability of an upgrade, its installation, and the new protections it offers. This is precisely what hackers exploit.

A Proactive Strategy
Given these dynamics, it is not surprising that security strategies have evolved within organizations to become more strategic, more expansive, and more complex. Security is no longer just an IT function but touches every part of the business, from the CEO and board members responsible for company reputation, to the HR, finance, and legal departments that need to manage compliance, to the business leaders that drive performance.

A September 2007 publication by Goldman Sachs stated that the top three drivers of enterprise security spend were IT policy compliance, data loss prevention, and endpoint protection. These are three significant challenges in themselves because they touch every aspect of the business.

Clearly, there is a need for a security policy that gives a ringside view of the threat factors and provides solutions. Here, a traditional or conventional approach is only part of the security strategy. The CIO has to closely link with the HR department and do individual profiling of employees who do mission-critical jobs. Today, most leading BPOs do comprehensive verification of employees prior to their recruitment, but data thefts, like credit card details getting stolen from third-party BPO companies, still do happen.

So, where does the panacea lie? Security has to be multi-layered, with Unified Threat Management (UTM), firewall, intrusion prevention, anti-virus and content filtering. Meanwhile, at the end point, one needs anti-spam and access control measures. Control and identity management is also a vital need.

Evolving a Strategy
An effective security strategy must be policy driven, information-centric, and operationalized across a well-managed infrastructure. By operationalizing security, we mean standardizing and automating processes, integrating products and services, and streamlining workflows and reporting. This will not only drive down the costs of day-to-day activities, but provide stakeholders with an increased understanding of overall IT risk.

Some experts advocate a four-pronged security strategy to customers: transform security from an inhibitor to an enabler of business goals; standardize and automate IT controls and security policies to improve compliance; identify and risk-rank both system- and people-based vulnerabilities; and protect sensitive data and proprietary information whether it's at rest, in use, or in motion.

Just securing the perimeter is not enough. Firstly, in today's ever-expanding online world, it is very difficult to define a perimeter. Secondly, hackers are getting more sophisticated and finding newer ways of circumventing perimeter security.

A good starting point for a security policy should factor in the following questions: what is it that we are trying to protect? What is it that the hackers are after? The second set of questions to ask should include: what information is important for the business? What risks do we need to protect against? Addressing these questions will lead to an information-centric security strategy that will focus on the risks involved.

With the explosion in mobility, being on the private network can mean being anywhere, and too often we hear of security breaches stemming from within. As for that perimeter firewall, with open ports for every partner, contractor and remote user that demands access, it serves as nothing more than an initial line of defense.

An effective security strategy should ensure that the organization is protected at the infrastructure and data level against all threats, infiltration, and loss of data. The strategy should aim at building the security architecture for maximum manageability and scalability. It should be reliable so as to ensure productivity and business continuity and be extensible to meet the organization's needs today and tomorrow.

Experts say that the fundamental issue that today's enterprises face is that of unplanned expansion and the so-called 'good enough' fragmented security solution. Security siloed between departments and the absence of a central control are an increasing concern. The current strategy of a reactive, incident-driven approach has resulted in large revenue losses. The duplicative approach and unplanned expenditure on security solutions indicate the absence of clear roadmaps and a strategy to handle future threats.

It is vital to ensure that security strategy is seen as a business enabler, and not as a disabler. It is important to understand that even the smallest of business changes may possibly throw open a wide array of security vulnerabilities for the organization.

Shrikanth G
shrikanthg@cybermedia.co.in
