For a Safer Tomorrow

Businesses are adopting enhanced security measures, but there’s need for a holistic approach

Amit Sarkar

Friday, June 07, 2002


The last 12 months have seen a great increase in the importance of enterprise security. Seminars and road shows on the topic have become a common feature with vendors and experts pitching their expertise at these forums. Spurred by this awareness, an increasing number of enterprises have gone in for enhanced security solutions.

Perimeter solutions
Enterprises seem to be going in for greater IT security deployment. This is also reflected in the robust growth of the security market. A Gartner Dataquest survey estimates that the worldwide market for security solutions will grow to $4.3 billion this year, up 18% from $3.6 billion in calendar 2001. The Indian market for information security is currently estimated to be between Rs 150-175 crore (Nasscom-IDC estimates) and is expected to grow at 25-30% annually.

The security market in India, however, is still in its nascent stages and is largely restricted to the purchase of anti-virus software and firewalls. But this will change as the market matures, with organizations becoming aware of the need to have an integrated security policy that would address all areas of concern and not just perimeter security.

Most SMEs are in the first phase of the security cycle. Corporates, mainly in the financial sector, would generally be a step ahead and will step in to secure directory architecture and cross-platform user administration.

The last year has also seen a perceptible shift in the service offerings of the larger system integrators, from building security practices (audit, consulting, policy matters) to offering high-value services to customers. Most of the large system integrators and resellers have already set up a dedicated division solely to address Internet security.

According to the latest PwC-CII (Pricewaterhouse Coopers-Confederation of Indian Industry) survey on IT security, virus attacks account for a majority of security breaches, with more than 75% of respondents indicating the same. About 9% of respondents reported a denial of service attack. As for the method of attack, exploiting operating system vulnerabilities seems to have become the most common mode. This was followed by basic-level security lapses such as poor access controls and human error. Vaidyanathan Iyer, national manager, security solutions, Computer Associates, points out that organizations have gradually realized the need to have a security solution that addresses all areas of an organization’s e-business defense.

Goh Chee Hoh, regional sales director, Trend Micro, talks about the noticeable trend among large corporates of investing in perimeter security solutions.

Stress on finance and telecom
Given the nature of their business, banking organizations, especially the private banks and insurance companies, have invested heavily in security solutions. Says Cisco India’s vice president, systems engineering, S V Ramana, "Even today, most corporates neglect the security aspect while designing their networks."

All businesses that are connected to the net are, for all practical purposes, at risk. Of these, the segments that run mission-critical data have been most proactive and can be classified among the early adopters. At the same time, public sector banks would still be in the process of completing their networking exercise and hence demand greater security measures. Banks and financial institutions would be most susceptible to security attacks. A vulnerability index developed by US-based Computer Economics puts banks and financial institutions at the top of this list. The PwC-CII survey indicates that over 75% of financial institutions reported having suffered a security breach in the previous year.

While segments such as power and manufacturing have usually stressed ERP and SCM, security has not been their key priority. The government sector is also catching up in a big way, though the existence of legacy systems is a hindrance.

Off-the-shelf approach
A comprehensive approach towards addressing security would mean more than just deploying products off the shelf. But as Rajeev Wadhwa, COO, Esecure says, "Setting up of best practices would be critical for organizations to ensure security."

Calculating Return on Security Investment (RoSI)
For many years, the return on security investment has been a concept that has not been tangibly linked to the bottom line. A positive RoSI could mean not losing productivity to a virus attack. But then, these are not directly linked to profits. The CFO, to whom in most cases the CIO reports, is more concerned about the cost-benefit analysis.
In the US, researchers from MIT’s Sloan School of Management and security consultancy firm @stake have assigned a numerical value to RoSI. This was done after a careful study of projects where secure practices were introduced into the software engineering process. The results show that an early build-up of security analysis and security engineering systems indicates a higher RoSI.

Implementation Phase    RoSI
Design                  21%
Implementation          14%
Testing                 12%

The study also found that security created greater efficiency of approximately more than 3% when systems were correctly configured and unused processes were shut off to maximize a machine’s security and performance.

There needs to be greater realization within these segments that information security is crucial to an organization’s business planning process, as opposed to being treated as an IT problem. The biggest challenge for any organization would be to avoid a security breach which would damage its reputation, cause it to lose customers, open it up to lawsuits, or cause regulators to step in.

This, in turn, would entail formulation of an adequate security policy. The next step would be to go in for the deployment of the best tools in areas such as authentication, encryption, access control, intrusion detection etc.

Unlike other categories in the infotech industry, technologies used in various security fields are totally different and usually not related.

Success in one field does not represent success in another. Therefore, it is very important to choose the best solution in each field to maximize protection for the company. The third step would involve the scalability of the security solution and vision of the solution provider. A good security solution needs to be scalable so that the company can preserve investment on security solutions and still meet its security needs during growth.

According to CA’s Iyer, "The lack of a well-defined security policy is perhaps one of the main reasons why most Indian organizations do not practice a holistic and focused approach to security. Though these studies reflect practices in large enterprises, it is indicative of the attitude towards security across businesses. Nevertheless, the bright spot is that the organizations have woken up to the danger and are serious about Internet security today. A secure environment is a prerequisite to successful e-business."

Sector Vulnerability
Banking and finance organizations are among the most susceptible to privacy management issues

Relative Vulnerability    Industry Segment
100                       Banking and Finance
97                        Transportation
85                        Wholesale
83                        Retail
76                        Discrete Manufacturing
71                        Professional Services
66                        Trade Services
66                        Utilities
64                        Process Manufacturing
61                        State and Local Govt
59                        Healthcare
51                        Insurance
46                        Federal Government

Source: Computer Economics

Goh Chee Hoh of Trend Micro adds, "We see a lot of companies in Asia experience security breaches because of an inappropriate security policy. For example, some companies tend to use desktop based anti-virus packages on their LAN, leaving the anti-virus jobs to the helpdesk in the IS department. They experience repeated virus infections, and spend a lot of human resources to handle virus infections. Some of them even experienced huge losses in major virus outbreaks like ILOVEYOU and Melissa."

Surendra Singh, country manager, RSA Security says, "There is an increasing awareness among enterprises that security products implemented do not ensure comprehensive security for the enterprise. Hence ensuring security through the redesigning of network and access methodology is gaining popularity."

DMZ design (Demilitarized zone design), Honeypots, and layered security approaches are among the new architectures that are gaining popularity.

Among other trends, managed service providers are expected to gain popularity in the near future. Globally, there is a trend towards outsourcing Internet Security Services. Corporates are attracted to outsourcing security because it can provide an aggregation of expertise and experience that would be impossible to replicate in-house.

Security Service Providers (SSPs) are definitely gaining popularity in the west. But does the same apply to India? Rajeev Wadhwa of Global Esecure opines, "SSPs in India are still at a nascent stage of evolution and would thus need to strengthen their delivery mechanism as well as the QoS to ensure confidence among corporates of their abilities."

The increased awareness of IT security among corporates is indeed a welcome development. But this is clearly not enough and the next phase should involve an integrated approach for securing the network better.

Amit Sarkar in New Delhi
