India Horizon
With India catching up on the Internet, e-commerce, and Intranet/Extranet
connectivity, information security (infosec) activity is on the rise. But the
big question is what the objective of users at the corporate level should be
today with respect to security. Is it about information security (infosec) or
beyond that? Says Ramana, "We believe Internet and Intranet based business
transactions will define models of interaction between manufacturers, vendors,
customers, partners and employees. And security needs to encompass maintenance
of informational integrity, confidentiality, authentication of rights of users,
cover for non-repudiation and appropriate availability of information to
internal and external users. In this environment, it will be mandatory for
enterprises to define a good security policy, which encompasses threats from
within and outside the organisation. The ongoing security policy reviews will
need to cater to warding off new threats. Towards this, latest technologies
including perimeter security, intrusion detection and vulnerability scanner
based solutions with administration and management of the security policy would
be the saviour against such threats. The network security policy has to
complement the conventional security mechanisms."
Agreed. But has the importance of protecting information for
the benefit of the company been realised by the Indian corporates? What
steps are they taking? And is it a must for corporates to have an
infosec policy and a business continuity policy?
Several security experts like Suresh of Ramco Systems and
Ramana say that the importance of security is felt throughout the Indian
corporate world. Though the Indian corporate world may not have deployed strong
infosec measures, the realisation is beginning. It is no longer seen as an
American phenomenon. There is a lot of awareness of requirements and products.
However, security follows computing and networking needs, even though it is an
integral part of the infrastructure set-up. And the challenge is to minimise the
skills gap between the rate of technology development and the rate of technology
assimilation.
Many see a desperate need for good security professionals,
who can define, implement, and maintain robust security policies. Another reason
attributed to the slow deployment is that the connectivity infrastructure in
India is very poor, and computerisation and the use of data as
information for analysis is hardly seen. Data was not perceived as very
sensitive to businesses. But the transformation is happening. And when it comes
to a business continuity policy, it is seen as an add-on to specific security
requirements. This requirement is dictated by the availability guidelines for
the enterprise.
There are no precise estimates of the levels of security
breach or the nature of breach. The reason is that most companies are not
open to disclosing a security lapse, as they believe this could hamper the
company's image. Further, most attacks go unreported for two reasons.
First, the breach is more often internal rather than external. Second, companies
do not realise that there has been a security intrusion in the first place.
Interestingly, most companies realise that an attack happened only months
afterwards. More often than not, they even fail to assess the level of damage
they suffered. But a couple of the corporates confirm, in private, that over
80 percent of the security break-ins can be attributed to the PETE syndrome.
Nonetheless, with remote access to information over
public networks growing, it is being increasingly realised that it is mandatory
to implement security solutions such as firewalls, intrusion detection systems,
systemic scanners and VPNs. The security products being deployed include
software and hardware. In addition, security policy management systems are being
considered. Many see network security deployment evolving into a cycle of
audit, design, test, implement, manage and review as the steps in defining a
corporate security policy to minimise and manage risk.
Mostly the services rendered range from security assessment
and engineering to enterprise security implementation to security auditing and
consulting. This is just an illustrative list of the trends. There are other
major vendors like Cisco, which has end-to-end solutions in the network security
space that include both software and hardware: firewall solutions, intrusion
detection systems, and scanning tools, in addition to a security policy manager.
The point being driven home from the alliance partnership is that the
systems and network integrators are playing a very decisive role. And the VARs
and integrators are key constituents of a security solution, as they have
acquired or are continuously acquiring skills, upgrading those, and adding
significant value in the implementation of security policies and in services for
reviews, administration, and continuous improvements, the key to a successful
security policy implementation.
The cost of implementing a security solution varies
depending on the policy requirements. But the feeling is that the cost needs to
be relative to the implication of loss of information, which could even entail
a break in business operations. "The potential loss from such a break can
always justify the cost of a security solution," says Ramana. A lot of
awareness is being generated in the market place through seminars. The clear
message in such programmes has been about the challenges of security. The
message is that security is an ongoing process, not just a single product or set
of products. Policies need to go beyond just the network; and must balance
business needs with risk. This becomes even more challenging with holistic
security architectures beginning to arrive and the networking product vendors
like Cisco, Lucent, Nortel, and Enterasys going all out with security
incorporated solutions.
Ch. Srinivas Rao