|
An increasing adoption of security solutions by India Inc translated into
growth in the size of the Indian security market. According to Dataquest
estimates, the overall size of the security market in India during 2003-04 was
about Rs 240 crore. While revenues from products of security vendors contributed
around 60% of this at about Rs 150 crore, the remaining 40% or about Rs 90 crore
came from security services. The Frost & Sullivan 2004 Network Security
Market Report pegged the size of the security market at $29.9 mn or Rs 138 crore,
though this survey mainly focused on the products segment. This, however, makes
India the second fastest growing security market in Asia-Pacific.
A CII-PwC information security survey, conducted during 2003, found that 41%
of Indian enterprises do have a comprehensive security policy in place. This was
indeed a sharp increase compared to a figure of only 17% from the previous year's
survey. Similarly about 74% of Indian enterprises increased their security
budget as compared to 46% the previous year. These figures are important-they
point toward two broad trends that emerged during 2003-04. One was the gradual
acceptance by most enterprises that security has now become mainstream, and
therefore adopting a more proactive approach towards embracing security
measures.
Product Categories
The market for security vendor products was mainly confined to four areas
during 2003-04. These included firewalls, anti-virus solutions, intrusion
detection systems (IDS) and authentication-related products. In addition, the
year also saw some sales of content filtering/spam control tools, while
forensics too made its entry into the Indian market. With mobile enterprises
becoming a reality, more and more Indian companies looked at VPNs for providing
their employees remote access to their intranets.
The anti-virus market benefited from the latest worms and viruses like
Blaster and Sasser and grew by more than 60%, leading to an increase in revenues
of all the three leading anti-virus vendors-Network Associates, Symantec and
Trend Micro. The major virus attacks that caused havoc in India during the year
were Sasser, BugBear, Blaster, Sobig, and Dorm towards the end of the year. The
havoc caused was not only in terms of data losses but also in the denial of
services leading to business losses. The speed of virus proliferation also
reached phenomenal levels. While previous blended threats like Code Red and
Nimda had exploited vulnerabilities known for one year, Blaster was known for a
month and Sasser for 17 days.
The speed of emergence of these blended threats necessitated that anti-virus
solutions and applications be patched regularly. But patching regularly turned
out to be not so simple-first, there were too many patches to track and
secondly, CIOs are still not sure of the order in which patches have to be
installed and whether the patches have been properly applied. Result: vendors
like SecureSynergy spotted an opportunity and launched specialized products to
handle management and application of patches. Anti-virus products, therefore,
increasingly turned out to be a hybrid solution offering various other
functionalities like spam control, vulnerability management and policy
compliance.
Other than patch management, one more key trend witnessed was that most
anti-virus solutions started incorporating spam control into their products.
Though spam was no more just a nuisance factor, it is now consuming network
bandwidth and data storage space, hampering business productivity. However,
content filtering among Indian enterprises was still restricted to Web and mail
filtering.
Another area of sustained growth was in the firewall and VPN market. While
firewalls moved from just being on the Internet gateway to every single client
desktop, on the VPN front, SSL-based VPNs still scored over IP-VPNs. The
firewall market registered a 20% growth with increased deployment of hardware
firewalls. While Cisco still outsold other vendors like Checkpoint, Watchguard
and SonicWall in firewalls almost in a 2:1 ratio, vendors like Rainbow,
Netscaler and Netscreen (acquired by Juniper Networks) emerged as serious
players in the VPN space.
Cisco was the undisputed leader also in the IDS space, managing 50% growth.
It outsold its nearest competitors ISS and Symantec by nearly five times. The
security authentication space emerged in India for the first time as a serious
domain-RSA Security ruled the roost with its token-based product.
Integrated Focus
Significantly many enterprises tended to go for an integrated security
appliance that combined a host of functions like anti-virus, firewall, VPN,
content filtering, IDS/IPS in addition to providing network monitoring tools.
While that did not signify the end of the concept of best-of-breed point
products popular in India, it surely started the trend of networking equipment
vendors like Cisco, Nortel, Juniper Networks or D-Link bundling security
functionalities into their products. During the year, corporates also moved
towards maintaining a centralized solution in a single console where updates are
easier to be applied. With a wide array of security point-solutions being
deployed, the need was felt for a security command center that would enable
enterprises to integrate security operations under a common point of control.
High-growth Services
While the market for security products showed a sustained growth, the most
spectacular event of 2003-04 was the maturity attained by the security services
market. While the large system integrators like Wipro, HCL and Datacraft have
been providing security solutions as part of their total services bouquet, the
year saw two significant trends. One was the growing tendency among enterprises
to outsource their security requirements to third-party service providers,
hitherto virtually unheard of in India. The second was that some of the security
service providers also donned the hats of security consultants-not only were
they helping enterprises in implementing security measures, but also providing
consultancy in terms formulating policies. No wonder the services market reached
about Rs 90 crore, though traditional implementation and external consulting
provided the bulk of it.
Even if security functions were not outsourced during the year, external
consulting now tends to precede the purchase of any solution. Rather than swayed
by the marketing pitches of the product vendors, organizations prefer to
undertake a security audit and a vulnerability assessment to see where they are
currently placed in terms of security. Priorities can then be set as per
available budgets as everything cannot be done at once.
While security was once seen as something that would never be outsourced,
corporates are gradually giving away their security functions to external
service providers. While only a few organizations have subscribed to managed
security services during 2003-04, security functions towards maintenance of IT
infrastructure were being increasingly outsourced as part of normal IT
outsourcing. Currently, security functions like management of firewalls, network
and host intrusion detection systems, managed VPNs and vulnerability testing are
getting outsourced.
Indian companies have been outsourcing security functions in a piecemeal
manner until now. This spans one-time consulting, implementation of various
security products or reacting to a computer security incident. This is because
outsourcing the entire security infrastructure would not only require a vendor
with sizeable experience within this niche market but would also mean sharing of
administrative rights to mission-critical resources (such as database servers or
production servers).
Emerging Domains
Legal compliance has played a crucial role in the framing of security
policies by India Inc. Both private enterprises as well as the government have
been proactive in taking appropriate steps to tackle security concerns. Most of
the software/BPO companies as well as MNCs from other sectors opted for
international security standards like ISO 17799, BS7799, COBIT and ITSM. In
addition, the security policies of some of these companies were framed complying
with the requirements of different standards like HIPPA, SAS70, Graham Leach
Bliley and the Sarbanes Oxley Act. Quite obviously captive firms of
international companies were relatively more mature in adopting these standards
driven by the parent's international practices.
Issues of standards and legal compliance also spawned the growth of a serious
training industry specifically focused on security for probably the first time.
With certification compliance becoming mandatory in many organizations, there is
a growing increase in the number of certified security professionals. And
several consultants and integrators like KPMG and Wipro have utilized this
opportunity and jumped into the bandwagon where they are helping organizations
to walk through the entire certification process. Others like SecureSynergy
started offering training services for security professionals. The Government of
India undertook certain initiatives during the year. These include the
Standardization, Testing and Quality Certification (STQC) Directorate,
responsible for certification process and training personnel; the Indian
Computer Emergency Response Team (CERT) to protect India's IT assets against
security threats; and finally the Information Security Technology Development
Council (ISTDC) to respond to security incidents, threats and attacks at the
national level.
Though digital signatures were accorded legal acceptance by the IT Act, and
the Controller of Certifying Authorities have issued licenses to different
players like Safescypt, NIC, IDRBT and TCS, the market was still less than Rs 10
crore in 2003-04, primarily because e-commerce had not taken off as expected.
The government also plans to extend this facility to leading nationalized banks
during this year.
Rajneesh De in Mumbai Security Sans Wires
Wireless, especially Wi-Fi, is the fastest growing network technology in the
world. In India, it was nearly non-existent in 2003-04, except in some hotels
and a very few enterprises.
One of the reasons is the apprehension about security-partly valid, but
often exaggerated or misplaced.
Wireless LANs (WLANS) do present new challenges for netadmins and the IS
security folks, given that they broadcast radio-frequency data for any snooping
Wi-Fi enabled laptop user to potentially pick up.
But consider that security is not the sole responsibility of the little RJ45
Cat5 Ethernet cable connecting the laptop to the wall-and the Wi-Fi link
basically replaces this cable. Security must reside elsewhere: in the network,
the perimeter, the servers, on every desktop, and most critically, on every
laptop.
Now, the most basic of Wi-Fi access points (APs) costing under Rs 5,000
support three levels of security: WEP encryption at 128 bits or better,
MAC-address-based security, and 802.1x. They aren't all foolproof: for
instance, MAC addresses can be 'spoofed' or mimicked. But together, they
present a fair first level of security.
Nonetheless, security in the IEEE 802.11 spec (including the .b, .g and .a
variants) has come under intense scrutiny. Especially the vulnerabilities in the
authentication, data-privacy, and message-integrity mechanisms. For instance,
the "SSID" is advertised in plain-text by the AP, and can be
"sniffed out" by intruders using packet analyzer tools like Sniffer
Pro. Some APs have the option of disabling SSID broadcasts. WEP makes things a
lot more secure.
The more important layers, of course, must exist in the rest of the network
and the enterprise. The servers, clients, other IDS/firewall products, and user
and IS policies, email...all of which has spawned a whole industry of security
products, solutions and services. Business Continuity, Home Truths
n 58% of organizations operated in
24x7 environments
n 79% have separate IT budgets for
Business Continuity Management (BCM)
n 95% recognized BCM as an ongoing
initiative
n 78% were confident about third-party
service providers
n 100% used backups for ensuring
availability of IT systems; 64% used alternate routing; 70% used RAID; 28% used
online replication; 25% used clustering
n 60% had their backup storage less
than 40 km. Away from the primary site; 27% had it more than 40 km away
n 75% used multiple vendors for
telecom infrastructure
n 62% had alternate recovery site
options (co-operative arrangements 9%, co-location 10%, cold site 8%, warm site
19% and hot site 15%) India: Uphill Journey
n India lacks formal information
security management process or written policies for information security
n Insufficient budgets are cited
as an obstacle to effective security management, followed by resource priorities
n RoI on information security is
not valued as a measure of effective spending. Interestingly, 57% of
organizations never calculate RoI for information security spending
n Though viruses and worms
dominate the landscape, security officers are increasingly becoming alert of
internal threats because of employee misconduct in an organization.
n Only 31% of respondents placed
information security assessment findings among their top three influence factors
n Digital risk framework must
evolve with the organization's business objective to successfully manage their
digital risk in the future
Source: Ernst & Young Global Information Security Survey 2003
|
