A CII-PwC information security survey, conducted during 2003, found that 41% of Indian enterprises do have a comprehensive security policy in place. This was indeed a sharp increase compared to a figure of only 17% from the previous year's survey. Similarly about 74% of Indian enterprises increased their security budget as compared to 46% the previous year. These figures are important-they point toward two broad trends that emerged during 2003-04. One was the gradual acceptance by most enterprises that security has now become mainstream, and therefore adopting a more proactive approach towards embracing security measures.

Product Categories
The market for security vendor products was mainly confined to four areas during 2003-04. These included firewalls, anti-virus solutions, intrusion detection systems (IDS) and authentication-related products. In addition, the year also saw some sales of content filtering/spam control tools, while forensics too made its entry into the Indian market. With mobile enterprises becoming a reality, more and more Indian companies looked at VPNs for providing their employees remote access to their intranets.

The anti-virus market benefited from the latest worms and viruses like Blaster and Sasser and grew by more than 60%, leading to an increase in revenues of all the three leading anti-virus vendors-Network Associates, Symantec and Trend Micro. The major virus attacks that caused havoc in India during the year were Sasser, BugBear, Blaster, Sobig, and Dorm towards the end of the year. The havoc caused was not only in terms of data losses but also in the denial of services leading to business losses. The speed of virus proliferation also reached phenomenal levels. While previous blended threats like Code Red and Nimda had exploited vulnerabilities known for one year, Blaster was known for a month and Sasser for 17 days.

The speed of emergence of these blended threats necessitated that anti-virus solutions and applications be patched regularly. But patching regularly turned out to be not so simple-first, there were too many patches to track and secondly, CIOs are still not sure of the order in which patches have to be installed and whether the patches have been properly applied. Result: vendors like SecureSynergy spotted an opportunity and launched specialized products to handle management and application of patches. Anti-virus products, therefore, increasingly turned out to be a hybrid solution offering various other functionalities like spam control, vulnerability management and policy compliance.

Other than patch management, one more key trend witnessed was that most anti-virus solutions started incorporating spam control into their products. Though spam was no more just a nuisance factor, it is now consuming network bandwidth and data storage space, hampering business productivity. However, content filtering among Indian enterprises was still restricted to Web and mail filtering.

Another area of sustained growth was in the firewall and VPN market. While firewalls moved from just being on the Internet gateway to every single client desktop, on the VPN front, SSL-based VPNs still scored over IP-VPNs. The firewall market registered a 20% growth with increased deployment of hardware firewalls. While Cisco still outsold other vendors like Checkpoint, Watchguard and SonicWall in firewalls almost in a 2:1 ratio, vendors like Rainbow, Netscaler and Netscreen (acquired by Juniper Networks) emerged as serious players in the VPN space.

Cisco was the undisputed leader also in the IDS space, managing 50% growth. It outsold its nearest competitors ISS and Symantec by nearly five times. The security authentication space emerged in India for the first time as a serious domain-RSA Security ruled the roost with its token-based product.

Integrated Focus
Significantly many enterprises tended to go for an integrated security appliance that combined a host of functions like anti-virus, firewall, VPN, content filtering, IDS/IPS in addition to providing network monitoring tools. While that did not signify the end of the concept of best-of-breed point products popular in India, it surely started the trend of networking equipment vendors like Cisco, Nortel, Juniper Networks or D-Link bundling security functionalities into their products. During the year, corporates also moved towards maintaining a centralized solution in a single console where updates are easier to be applied. With a wide array of security point-solutions being deployed, the need was felt for a security command center that would enable enterprises to integrate security operations under a common point of control.

High-growth Services
While the market for security products showed a sustained growth, the most spectacular event of 2003-04 was the maturity attained by the security services market. While the large system integrators like Wipro, HCL and Datacraft have been providing security solutions as part of their total services bouquet, the year saw two significant trends. One was the growing tendency among enterprises to outsource their security requirements to third-party service providers, hitherto virtually unheard of in India. The second was that some of the security service providers also donned the hats of security consultants-not only were they helping enterprises in implementing security measures, but also providing consultancy in terms formulating policies. No wonder the services market reached about Rs 90 crore, though traditional implementation and external consulting provided the bulk of it.

Even if security functions were not outsourced during the year, external consulting now tends to precede the purchase of any solution. Rather than swayed by the marketing pitches of the product vendors, organizations prefer to undertake a security audit and a vulnerability assessment to see where they are currently placed in terms of security. Priorities can then be set as per available budgets as everything cannot be done at once.

While security was once seen as something that would never be outsourced, corporates are gradually giving away their security functions to external service providers. While only a few organizations have subscribed to managed security services during 2003-04, security functions towards maintenance of IT infrastructure were being increasingly outsourced as part of normal IT outsourcing. Currently, security functions like management of firewalls, network and host intrusion detection systems, managed VPNs and vulnerability testing are getting outsourced.

Indian companies have been outsourcing security functions in a piecemeal manner until now. This spans one-time consulting, implementation of various security products or reacting to a computer security incident. This is because outsourcing the entire security infrastructure would not only require a vendor with sizeable experience within this niche market but would also mean sharing of administrative rights to mission-critical resources (such as database servers or production servers).

Emerging Domains
Legal compliance has played a crucial role in the framing of security policies by India Inc. Both private enterprises as well as the government have been proactive in taking appropriate steps to tackle security concerns. Most of the software/BPO companies as well as MNCs from other sectors opted for international security standards like ISO 17799, BS7799, COBIT and ITSM. In addition, the security policies of some of these companies were framed complying with the requirements of different standards like HIPPA, SAS70, Graham Leach Bliley and the Sarbanes Oxley Act. Quite obviously captive firms of international companies were relatively more mature in adopting these standards driven by the parent's international practices.

Issues of standards and legal compliance also spawned the growth of a serious training industry specifically focused on security for probably the first time. With certification compliance becoming mandatory in many organizations, there is a growing increase in the number of certified security professionals. And several consultants and integrators like KPMG and Wipro have utilized this opportunity and jumped into the bandwagon where they are helping organizations to walk through the entire certification process. Others like SecureSynergy started offering training services for security professionals. The Government of India undertook certain initiatives during the year. These include the Standardization, Testing and Quality Certification (STQC) Directorate, responsible for certification process and training personnel; the Indian Computer Emergency Response Team (CERT) to protect India's IT assets against security threats; and finally the Information Security Technology Development Council (ISTDC) to respond to security incidents, threats and attacks at the national level.

Though digital signatures were accorded legal acceptance by the IT Act, and the Controller of Certifying Authorities have issued licenses to different players like Safescypt, NIC, IDRBT and TCS, the market was still less than Rs 10 crore in 2003-04, primarily because e-commerce had not taken off as expected. The government also plans to extend this facility to leading nationalized banks during this year.

Rajneesh De in Mumbai

Next Page :

Security Sans Wires

Page(s)   1  2  3  4