Awareness on security requirements reached a new high among Indian enterprises during the year. Not only did it reflect the growing maturity of Indian organizations, it also led to increased adoption of security measures across enterprises. This translated into a burgeoning Indian security market in FY 2004-05: the security product revenues reached Rs 203 crore, registering a 35% growth over the FY 2003-04 figure of Rs 150 crore. On the other hand, the security services grew by a whopping 74% to reach Rs 157 crore from a turnover of Rs 90 crore a year earlier. Overall, the Indian security market was pegged at Rs 360 crore in 2004-05 registering a healthy 50% growth over the previous year, making it one of the highest growing sectors for the concerned period.

Security Products Get a Boost
Within the security product market, it was secure content management that led the way with a 43% share at Rs 88 crore, followed by Security 3A software (authorization, authentication, access) with 26% at Rs 52 crore. Firewall/VPN software with a 17% share at Rs 35 crore and intrusion detection software with 12% at Rs 24 crore were the other major segments in the products category. Cisco, Symantec, Checkpoint, McAfee, Trend Micro, Juniper Networks, ISS, RSA Security, BindView, CA and Safenet were some of the leading vendors to have profited from this burgeoning security market.

Secure content management covered three specific product areas: anti-virus software, Internet access control and employee Internet management (IAC/EIM), and email scanning. Some of the leading vendors operating in this space were Symantec, Trend Micro, McAfee, Cisco, CA and Bindview amongst others. The Security 3A software market covered authentication software (digital encryption and PKI), authorization software and administration software and included vendors like RSA Security, Bindview, Verisign, NetScaler (now acquired by Citrix) and Cisco amongst others. The sudden spurt seen in this market was owing to almost every security vendor as well as other enterprise application players like Sun, IBM, HP and Novell coming to market with their identity management solutions. Checkpoint, Cisco, Juniper, Fortinet and Safenet were some of the leading vendors in the firewall/VPN category, while ISS, McAfee, Cisco and Symantec led the pecking order in IDS/IPS and the vulnerability assessment software category.

Anti-virus software remained ever perennial: this was because 2004-05 again turned out to be another big year for viruses, worms and malicious codes. These threats were combined with content such as spam and phishing throughout the year. Bots and mass mailers remained the predominant method by which virus writers impacted enterprises, whereas exploits and adware accounted for over 60% of the malicious threats tracked, significantly impacting consumers and home users.

The Integrated Appliance
With anti-virus gradually becoming a commodity, it grew faster than even the PC market. One significant trend observed last year in the security market was the emergence of integrated security appliances combining the capabilities of firewall, VPN, IDS and anti-virus coupled with anti-spam. Organizations went for an integrated appliance at both the client and gateway levels. India Inc invested generously in security appliances on account of the ease of manageability that these appliances offered. Appliances were easy to configure, and deployment was smooth too. Besides, these boxes could be efficiently monitored from a central location. Another bonus was that using appliances permitted organizations to do away with licensing fees that would otherwise have to be incurred on software-based security solutions.

Security appliances were well-suited to the needs of organizations with more than 500 users. No wonder, vendors too were bullish about its prospects. While it accounted for more than 70% of WatchGuard's business, Fortinet also bagged large orders from Air-India, Ramco, Biocon and Lason. Ahmedabad-based Elitecore's Cyberoam appliance had over 500 deployments at companies such as Chambal Fertiliser & Chemical, Government of Gujarat, BSNL, Indian Institute of Management-Bangalore, National Dairy Development Board, Indian Institute of Remote Sensing and Bharat Heavy Electricals. There was a strong push for security appliances from the government and education segments, who wanted content and URL filtering at the gateway level to stop users from accessing unwanted Web sites. In addition to integrated appliances, the year also saw brisk sales of content filtering/spam control tools, while forensics too made its entry into the Indian market.

The speed of emergence of these blended threats necessitated the need for anti-virus solutions and applications to be patched regularly. But patching regularly turned out to be not so simple-first there were too many patches to track and secondly, CIOs are still not sure on the order in which patches have to be installed and whether the patches have been properly applied. Result: the security vendors themselves spotted an opportunity and launched specialized products to handle management and application of patches. Anti-virus products, therefore, increasingly turned out to be a hybrid solution offering various other functionalities like spam control, vulnerability management and policy compliance.

The VPN War
Last year there was considerable debate about which VPN technology would dominate-SSL or IPSec, with both having multiple takers. While the traditional IPSec VPN market was pegged at Rs 58 crore, SSL VPN too made its entry with market size totaling around Rs 6 crore. At least 20% of this overall VPN market was accounted for by VPN security software. Cisco was the leader in the Indian market for IPSec VPN. In the SSL VPN space, Juniper Networks, Aventail, Nortel and NetScaler emerged as the market leaders.

The SSL VPN market showed promise of growing since the TCO of installing and maintaining an SSL VPN network was lower than that of IPSec VPN. Additionally, the overheads associated with the latter technology such as installing IPSec-VPN clients on each desktop were avoided in the case of SSL VPN. IPSec VPN was traditionally meant for office-to-office connectivity, but SSL VPN was best suited for remote connectivity as it facilitated the same level of secure access to an employee on the move as he would have working onsite. Therefore, large organizations with mobile workforces needing remote connectivity-banks, ISPs, e-businesses, BPOs and e-traders-looked at deploying SSL VPN. Even Indian mobile operators looking at rolling out new platforms to deploy mobile data applications looked at SSL VPN with interest.

IDS Gets Proactive
While the robust growth of IDS could be attributed to customers who had already invested in VPN and firewall adding one more layer of security, 2004-05 saw the debut of Intrusion Prevention Systems (IPS) that aimed at taking a proactive approach to network security by attacking the root cause of the problem rather than detecting a problem and then fixing it. The Indian IDS sub-segment grew by 65% to rank among the fastest growing in the Asia-Pacific region. McAfee pioneered the concept of IPS-it launched McAfee IntruShield 2.1, based on IPS that offered network-based encrypted threat protection with an integrated firewall. The product provided for decryption and inspection of SSL-encrypted traffic, while maintaining the integrity of encrypted data and encryption keys. Another product, McAfee Entercept 5.0, a host IPS solution that acted as an added layer between the system and the network offered protection against zero-day attacks.

IDS and IPS products were integrated better with vulnerability assessment products during the year to determine the risk of an attack based on the assessment of a system or network. SecurityFusion module from ISS came with this feature by correlating events against known vulnerabilities and assets to prioritize events. Cisco's Threat Response technology performed "just-in-time" event validation to remove spurious alerts. Interestingly, one competitive component of the IDS/IPS and vulnerability market was the use of open source or freeware products like NESSUS that was included in many products as a baseline vulnerability scanner.

Security Gets an Identity
Identity management emerged as a key segment within the security space. Not only the pure security vendors, even enterprise application players like IBM, HP, Sun, BEA Systems and Oracle came up with their identity management solutions during the year. It gradually became a core component of Web services, dealing with the problem of authenticating and authorizing machine-to-machine in addition to people-to-people and people-to-machine interactions and transactions. There was the influx of more and more hardware in the identity management area. Tokens, smart cards, and biometrics, to a lesser extent, gradually started becoming part of comprehensive identity management solutions. Identity management solutions from vendors like RSA, Secure Computing and SafeNet, as well as other hardware authentication vendors, saw significant benefits from the reduction of password reset requests and an increase in security, especially for remote users on VPN connections.

With theft of information and stalking becoming a nuisance for Internet users, a search for an effective deterrent led the software experts to explore encryption as a method to safeguard the data they stored or transmitted through their computers. Based on the same technique, a computer software named 'WonderCrypt' was developed to secure not only e-mail contents and instant messages exchanged on the Internet, but also the files, folders and documents stored in the computer hardware. The software, developed by Wonder Software Technologies, was used to encrypt files meant for individuals and also for multiple recipients. Proving to be effective in almost all the fields, the software was installed by several multinational banks and vital government agencies, including the Indian Parliament.

The market for public key infrastructure (PKI) certificate authorities and certificates did not live up to the hype heaped on it. However, the market remained of interest and had a number of vendors. PKI remained a market in the doldrums for a number of factors, primary being the confusion on how to measure return on the PKI investment.

Security's Legal Tangle
Legal compliance has played a crucial role in the framing of security policies by India Inc. Both private enterprises as well as the government have been proactive in taking appropriate steps to tackle security concerns. Most of the software/BPO companies as well as MNCs from other sectors opted for international security standards like ISO 17799, BS7799, COBIT and ITSM. In addition, the security policies of some of these companies were framed complying with the requirements of different standards like HIPPA, SAS70, Graham Leach Bliley and the Sarbanes Oxley Act. Quite obviously captive firms of international companies were relatively more mature in adopting these standards driven by the parent's international practices.

Issues of standards and legal compliance also spawned the growth of a serious training industry specifically focused on security, probably for the first time. With certification compliance becoming mandatory in many organizations, there is a growing increase in the number of certified security professionals. And several consultants and integrators like KPMG and Wipro have utilized this opportunity and jumped into the bandwagon where they are helping organizations to walk through the entire certification process. Others like SecureSynergy started offering training services for security professionals.

To meet this growing requirement of security professionals, the Government of India undertook certain initiatives during the year. These included the Standardization, Testing and Quality Certification (STQC) Directorate responsible for certification process and training personnel, the Indian Computer Emergency Response Team (CERT) to protect India's IT assets against security threats and lastly the Information Security Technology Development Council (ISTDC) to respond to security incidents, threats and attacks at the national level.

Services Come of Age
If the 35% growth in security products was still not good enough, services clocked a sensational 74% growth figure to reach Rs 157 crore maintaining the momentum of the maturity the market showed the previous year. For one, this was driven by the growing tendency amongst enterprises to outsource their security requirements to third-party service providers. However, the real momentum came from security consultancy-not only the service providers like Wipro, HCL or Datacraft, even security vendors themselves helped enterprises in implementing security measures, as well as providing consultancy in terms of formulating security policies. No wonder, that vendors like Symantec, McAFee, Cisco or Trend Micro too registered significant contribution from services.

On the consultancy front, keeping company to global majors like Ernst & Young, Deloitte, PricewaterhouseCoopers and KPMG were infotech companies like GTL's Global eSecure, Datacraft, Wipro Infotech and HCL Comnet, old economy companies like Miel e-Security of the Mukand group and L&T Infotech as well as the Mahindra Special Services Group and quality certification agencies like Norwegian firm DNV. Also getting into the act were boutique companies of all sizes like SecureSynergy, Network Security Systems, iSec Services and Coral e-Secure. While certification companies verified compliance with and implementation of standards by companies, the consultants checked the vulnerability of networks and advised companies on how the standards were to be implemented. A typical information security audit involved risk and vulnerability assessments of networks, checking the implementation of security policies and procedures as well as the effectiveness of procedures through ethical hacking and other tests, identifying gaps and suggesting solutions.

The three factors that were driving the growth of the security services industry in FY 2004-05 were regulatory requirements in the West, especially in the banking and financial sectors; demands made by offshore development customers on their service providers; and an increase in general awareness about the need for information security. But the biggest growth propeller was undoubtedly the boom in the offshore development and the BPO sectors. These firms accounted for the bulk of the clientele of security auditors, though other industries like the financial sector, telecom and pharmaceuticals also provide a big chunk of business. With several high-profile BPO fraud cases sending tremors amongst the Western outsourcing crowd, security service providers had a field day as BPOs of every hue and size ran to put a minimum-security framework in place.

Rajneesh De