Untitled Document
www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
01 October 2007  
Untitled Document
Sections

Market
Management
Technology
Technology Life
Columns

Between The Bytes

Events

Technology Senate
Technology Sabha
Specials

HMA Bankbiz
UPS Batteries

Services
Subscribe/Renew
Archives
Search
Contact Us
Network Sites
Network Magazine India
Exp.Channel Business
Express Hospitality
Express TravelWorld
feBusiness Traveller
Express Pharma
Express Healthcare
Express Textile
Group Sites
ExpressIndia
Indian Express
Financial Express

Untitled Document
 
Home - Market - Article

30 Minute Interview

The security adoption cycle

Jerry Cox, Director, Security Solutions for CA’s Asia Pacific and Japan operations, shares his views with Neeraj Gandhi on the importance of step-by-step implementation of security and the security adoption cycle.


Jerry Cox

The criticality of security deployment

A secured network is critical for the protection of sensitive information and the operational stability of the enterprise. Enterprises today are implementing security solutions to protect their digital boundaries. However quite a few of them are unaware of the security adoption cycle and deploy solutions hastily, thereby compromising on security. We focus on the following three areas while implementing a security solution—Building a Secure Foundation, Protecting the Jewels, and Enablement and Automation. We call this the House Concept, with the three focus areas being the bottom, middle and the top layers of the house respectively. Therefore when enterprises implement security, they should focus on all three areas, the three layers of a secured house (enterprise). Compromise on any layer can bring down the entire enterprise. So we guide enterprises on how to go about this adoption cycle of security, starting from the bottom and making their way up the ladder, without missing out on any area.

The foundation: Threat Management

It is very important from security point of view that enterprises start with building a strong foundation. The first and foremost step towards achieving this goal is to secure the network, and protect the enterprise from malware. To attain this objective, enterprises must deploy firewalls, intrusion prevention system, anti-virus, spyware, network access management and gateway level content management. Threat management provides the foundation for good security by keeping us protected from people and malware. Mostly perimeter based, this is what most people think of when they think about information security.

Protecting the jewels: Access Management

Access management deals more with enforcing and controlling access to internal IT resources and can be thought of in layers. The first layer talks about the host systems, ensuring that they are configured correctly. It identifies vulnerabilities or holes through which unauthorized access can be gained to data and systems. This is an important component, as usually the configuration problems in this area are the things most commonly exploited in attacks that cause real damage. Examples could be guessable passwords, improperly protected system files or unpatched application vulnerabilities.

The next layer in access management identifies the users (authentication) and controls what they can access (authorization). This has to be done at the operating system level, for Web applications, custom applications and Web services. An example of one of the important missing access controls in most environments is the separation of duties and least privilege. Commonly users are allowed excess privileges through which they can gain access to data that they should be out of bounds for them. An example of this could be a backup operator being given domain wide administrative privileges to perform backups, and inadvertently also access to a spreadsheet describing upcoming company acquisition targets. Because access management at this level is as much about inclusion as well as exclusion, it moves more towards business enablement.

Enablement and automation: Identity Management

Identity management automates the processes associated with managing identities and the ability to link multiple identities into a single virtual identity. It can provide significant cost savings in terms of user administration, automating the provisioning of users to back end systems to which they require access. It can also automate functions for users, such as password resets for forgotten passwords on back-end systems, reducing the number of calls to a help desk. The identity management systems needs to be linked and integrated with the access management system, so that access enforcement policy is enforced based on that common identity at all of the layers in which they have access rights.

Security adoption in India

Some Indian enterprises are very advanced in terms of security and are already leveraging security components in all of the layers. Mostly, these are the IT services companies and companies that have to comply with global regulations such as SOX and Basel II. Outside of these customers with global requirements, Indian companies have now largely completed implementation of threat management solutions and are now ready to move towards access management. That said, we do not see this happening at all levels. Many Indian enterprises are jumping directly to the identity management layer, skipping the access enforcement layer in between. This is a dangerous trend and tends to make an enterprise vulnerable. Identity management is important, but it should be done after business critical systems, applications and data are properly protected.

We also feel that convincing enterprises to adopt a security solution, particularly access management solutions, is not easy. This has got nothing to do with technology, but essentially with the power that these products tend to take away from people looking after that particular area of security. Also cyber criminals always manage to locate a loophole and wage an attack. We cannot stop them from doing this. However we can always stop these malicious attacks by deploying complete security solutions.

Next up from CA

Currently in India, we are driving a first things first approach to help companies ensure they protect their corporate data through appropriate risk mitigation as they move up through the layers of security adoption. A strong emphasis is being placed on our security configuration management product, Security Vulnerability Manager, which is developed in Hyderabad. The next area of emphasis is access enforcement, especially for servers and Web applications.

Importantly, we are now driving these approaches through our Indian partners, who are now starting to focus not just on overseas global customers but are also providing services to India and other countries in the Asia Pacific and Japan. We are also starting to see some of our global consulting partners developing strong security practices in India focused on India customers, including Deloitte Touche Tohmatsu India and PricewaterhouseCoopers.

 


UNSUBSCRIBE HERE
Untitled Document
© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.