Security continues to dominate CIO concerns

Even though many companies have come out with security solutions, most CIOs believe that none of them have been successful in providing 100 percent protection against threats. Megha Banduni reports

Every boon has its bane. Though life has become easier due to technology, it has also raised other concerns, prominent among which is security. Be it a virus attack, spam, hackers or phishing, security is one of the prime concerns of every CIO/CTO.

Security applications have changed with time—from stand-alone anti-virus solutions to integrated security appliances combining the capabilities of anti-spam, firewall, VPS, IDS and anti-virus—for both the desktop and the gateway. The need to manage a variety of applications has led to the adoption of Unified Threat Management (UTM)—single rack solutions that combat most security threats.

IDC forecasts that the threat management security appliance market will grow at a combined annual growth rate of 17 percent till 2008. This translates into a global market of $3.45 billion. By 2007, 80 percent of all security solutions will be delivered via a dedicated appliance. IDC believes that over the next five years the revenue generated by the sale of UTM appliances will exceed that of standard firewalls/VPNs, effectively replacing these products.

The scenario today

Current practice is to deploy more of existing security technologies in every segment of the network. This includes firewalls to block access and perform application inspection, intrusion protection systems to provide granular traffic inspection and identify known threats, encryption software to counter eavesdropping, and anti-virus software to battle viruses. Recently, all-in-one solutions like UTM are also in demand.

Although there are different solutions available in the market, no one guarantees 100 percent security—at least that is what many organisations feel. Having said that, they also feel that regular upgradation of security solutions and applications is critical.

Aamer Azeemi, General Manager, Global IT, Wipro Technologies, believes that the solutions available in the market are not impregnable when it comes to defending against security threats. “No amount of technology can solve an organisation’s security problems. There is a whole lot of awareness that needs to be a part of any security programme. However, the solutions and devices available today are largely capable of detecting and preventing known security threats. There needs to be a process of continuous upgrades of software and hardware to keep an organisation ahead of the curve,” he states.

IDBI has deployed security solutions such as firewalls and IDS. They have a separate information security department to deal with security- related issues.

Sanjay Sharma, Corporate Head, IT, IDBI, believes that every time any new technology comes out, solutions to overcome the security issues associated with it materialise.

Awareness among users remains a crucial area in tackling this problem. Says Sharma, “I see that a lot of awareness has been generated among the masses. They now understand the need for security solutions in their organisations.” A company does not become secure by just installing the appropriate security solution; it also needs an adequate policy regarding future needs and issues related to the same.

All in the implementation

Other than choosing the right security solutions, what is important is the implementation. Network design, network traffic saturation, and frequency of updates are the factors that must be considered here.

Solutions should be sufficiently scalable to accommodate any network design. Software and signature files will need updating on a regular basis. This poses problems due to the manpower or the manual work involved.

Azeemi believes that keeping an organisation secure from threats is a constant challenge. The best thing to do is to be aware of all the threats and risks associated with an environment, patch those which can be addressed through technology, increase awareness in the organisation, and be prepared with a risk mitigation strategy for the risks that cannot be covered by any of those.

“We have implemented IDS, firewalls at various levels, anti-virus at the desktop, e-mail gateways and spam control solutions. While we feel these are not 100 percent sufficient, together with the process awareness that we conduct regularly and the continuous monitoring of our security posture, we are very secure. The solution should be easy to operate, cost-effective and compatible with the existing architecture of the organisation,” Azeemi elaborates.

The role of a CIO

According to a new survey from AT&T in co-operation with the Economist Intelligence Unit (EIU), over two-thirds of corporate executives view ensuring reliable network security as the single most critical factor for the successful implementation of a converged IP network.

The EIU global survey of 236 senior executives, representing firms from 50 countries and more than 20 industries, addressed the electronic security implications of network convergence. They reported that for the second year running, security remains at the top of the list as the most critical network attribute of network performance ahead of cost, complexity and business disruption.

According to 89 percent of respondents, viruses and worms remain the top electronic security threat to companies; 83 percent expect the situation to be the same even two years from now.

With threat levels rising, investment in security has kept pace. Corporate spending on network security is levelling off at about 15 percent of IT budgets, suggesting a commitment on the part of the executive to maintain spend at a relatively high level to maintain organisational defences.

Many businesses are growing and expanding their business network. They have offices spread across India and abroad which generate enormous amounts of data that need protection.

Investments are expected to be made in firewalls and anti-virus solutions for better data protection as that happens to be the top priority while formulating security policy.

“We have spent about 10 to 20 percent of our IT budget on security solutions. We also need to be vigilant about the new threats in the market. For example, for any new virus attack we need to immediately patch with the right solution. Deciding on the solution is again one of our major concerns. The price of it is not important, but the huge business loss that would be generated due to a security failure is,” comments Sharma.

All-in-one solution

Enterprises prefer to invest in appliances due to easy manageability. This is precisely the reason why the UTM is gaining acceptance. It guards against intrusion, and performs content filtering, spam filtering, intrusion detection and anti-virus duties which were traditionally handled by multiple systems.

Having a single appliance ensures better handling of accountability. Earlier, since there would be more than one vendor supplying solutions, pinpointing what went wrong would be difficult as no one would take the responsibility. With the UTM, CIOs can turn to a single vendor for support or for accountability.

Reservations about UTM

Though there are various benefits of the UTM such as simplified product selection, product integration, installation and ongoing support, users still do not find it the most efficient solution.

“A few vendors are coming with an all-in-one box approach of converged security appliances. It is welcome provided it covers the whole range of security. I have doubts that the security solutions available in the market today provide 100 percent safety against threats,” says Zoeb Adenwala, Chief, IT, Pidilite. Adds Subhashish Gupta, Assistant Vice-president, Department of IT, UTI Technology Services, “We have deployed various security solutions like WatchGuard’s firewall and McAfee’s anti-virus solution at the desktop. Many companies have come up with an all-in-one box solution, but we prefer different solutions to a single appliance for everything. The reason? First, the all-in-one approach is expensive. Second, needs vary from organisation to organisation. Hence we will deploy only those solutions which we require instead of an all-in-one solution.”

Besides, whether it is a stand-alone or an all-in-one, the 100 percent guarantee is just not there. What is important is the support and vendor credibility. Adenwala opines that though there are many point solutions available in the market, none is comprehensive enough to cover all areas of security. “We have deployed a corporate firewall, gateway level anti-virus, proxy, IDS, content filters and anti-spam, and on desktops anti-virus and personal firewall. We look for various features in the products, and check the vendor’s technical ability and credibility before opting for a solution for our organisation. Pidilite spends 7 percent of the IT budget on security.”

The battle is far from over. Security threats will continue to evolve. As more advanced threats emerge, there is a need for network security to become more holistic. Organisations must act in tandem to detect and defend against more sophisticated threats. And there is a growing need for devices that detect and destroy the enemy before it even attacks.

megha@expresscomputeronline.com