Making Security Intelligent

CIOs and CISOs are looking for comprehensive, smart solutions that can help them not only detect threats, but also analyze, correlate and respond to incidents in real time
By Heena Jhingan

The year 2013 was a testing one for the global IT security market, including India. According to Cisco’s 2014 Annual Security Report, globally, overall vulnerability and threat levels reached their highest in 2013, ever since the company began tracking the trends in May 2000.

The report reveals that 2013 was a “particularly bad year”, with the cumulative annual threat alert levels increasing by 14 per cent since 2012.

While skeletons tumbled out of whistle blower Edward Snowden’s closet, making glaring revelations to the world about the US government’s snooping tactics, one of India’s sensitive organizations, the Defense Research and Development Organization (DRDO), became the victim of a security attack (perceived to be an Advanced Persistent Threat). It wasn’t the first time that a government agency’s IT security had been breached; it had happened in the past to the Border Security Force, IRCTC and the Andhra Pradesh government as well, but this time the country’s most critical systems had been intruded upon.

According to data compiled by the Indian Computer Emergency Response Team (CERT-In), more than 1,000 government websites, storing critical and sensitive data concerning national security, have been hacked by cyber criminals over the last three years. The DRDO breach was yet more evidence of the vulnerability of the country’s systems.

The Government of India later responded by announcing the National Cyber Security Policy 2013 to safeguard both physical and business assets of the country. However, the concerns around IT security do not get resolved here alone as data security threats dog the country’s public and private enterprises alike.

A recent Dell Global Security Survey finds that over 6 in 10 IT decision-makers surveyed from Indian companies claim that security will be their top priority in the next 12 months, compared to the global average of 38%. Security has thus emerged as a top priority for IT heads across the country.

So much so that, as Tarun Kaura, Director – Technology Sales, India & SAARC, Symantec puts it, “The budget sanctions for security solutions are now coming directly from the CEOs’ offices. Despite the currency fluctuations and IT budgets being slashed by at least 30% for most enterprises, the business for vendors like us did not take a hit as orders continued to pour in.”

Jagdish Mahapatra, Managing Director, India and SAARC, McAfee quotes an industry report that estimates the total enterprise security market in India to be US$234 million for the year 2014, the highest growth in the APAC region at 16.3% CAGR. He says, “Next generation firewall, endpoint, web gateway and email gateway, among others, constitute the biggest growth drivers in this market.”

Research firm Gartner finds that the three main trends shaping the security market going forward are mobile security, big data and advanced targeted attacks. Given its increasing influence on the IT landscape, bring your own device (BYOD) is one of the major drivers of growth for security solutions today.

Trends presaging the security space include increased threats to the “Internet of Everything” (IoE), more and bigger data breaches, and law enforcement challenges.

Gartner predicts that securing the embedded technologies that organizations have right now may be their most important operational responsibility in 2020. The firm says digitalization will create new infrastructures and new vulnerabilities in these infrastructures. It recommends that enterprises build a portfolio of security vendors, because no single vendor addresses more than a fraction of the problem, and establish more agile security processes.

Over the last couple of years, business needs have evolved: companies seeking greater flexibility and agility are embracing mobility, virtualization and cloud computing. The nature of threats has evolved as well, taking advantage of more open networks with targeted and persistent attacks. Security companies must respond with flexible, adaptable data and threat protection that follows the data wherever it goes, since in the era of the cloud, enterprise data could be residing anywhere.

These changes are also a sign of the tectonic shift that has happened in mindset, with the focus moving from infrastructure alone to information or data. Market analysts say data is the most valuable asset in the entire ecosystem. 64% of Indian organizations responding to Dell’s Global Security Survey said that losing critical business data is their greatest concern.

The new threat scape
If an enterprise today thinks it is fairly secure, Surendra Singh, Regional Director – SAARC at Websense, says it’s time to rethink, as attackers are also investing in ways to outsmart these solutions.

The enterprise security invasion game has changed: the players have moved from script kiddies (unskilled individuals who use scripts or programs developed by others to attack computer systems and networks) to hacktivist groups, organized groups and, now, nation states.

“Cyber criminals today use advanced targeted attack (ATA), also called Advanced Persistent Threat (APT), methods to breach the security controls of large networks; these usually focus on penetrating commonly deployed security controls such as signature-based antivirus and signature-based intrusion prevention. Once they successfully breach security controls on an organization’s network, they constantly try to target the organization’s internal network using secondary attack strategies. To mitigate such threats, enterprises need a strong defense strategy across multiple security controls,” says Govind Rammurthy, MD & CEO, eScan.

Therefore, says Dhanya Thakkar, Managing Director, India & SAARC, Trend Micro, “An optimum IT security should encompass effective solutions to protect the business, a complete solution that enables enterprises to detect, analyze, adapt, and respond to targeted attacks against the organizations.”

“Although organizations often focus on protecting against existing threats and known vulnerabilities, the next generation threats have become more sophisticated and are previously undetected, resulting from mega trends and behaviors as organizations deal with BYOD, big data, cloud, mobile computing, Internet of Things, and mobile apps. Today, organizations need to be well-equipped to ensure protection from both existing and previously undetected threats and a predictive and context-aware security fabric that will evolve and adapt to business needs,” adds Murli Mohan, General Manager, Dell Software Group, India.

Of mobile and cloud
India’s security understanding and needs are maturing at a rapid pace. Rammurthy of eScan observes that while a couple of years back BYOD had no or only a minuscule influence on the security landscape, 2013 witnessed a sudden increase in large-scale tablet and smartphone deployment.

Going by IDC estimates, India will emerge as a very strategic market for smartphone shipments in the next couple of years. Unit shipments were expected to reach 155.6 million in 2013, which the research firm considers a phenomenal increase; last year, smartphone sales in India surged almost three-fold.

Rammurthy points out that until recently Linux was touted to be the next best thing for saving on license and deployment costs, but that OS has now been relegated to the back bench, with Android and Chrome taking its place.

A trend that Trend Micro observes to have kept security experts on their toes was an increase in mobile threats, something that is expected to continue in 2014. Thakkar notes, “Among the familiar threats, an increasing sophistication in attacks against mobile banking was noticed, and mobile malware is expected to cross the 3 million mark for Android in 2014. And the expiration of support for both Windows XP and Java 6 together will create an unprecedented pool of vulnerable users for attackers. Therefore, the security piece has become utmost important in mobile device management (MDM), extending not just to the device, but to the application as well.”

Another technology trend that has been making waves across the world and in India is cloud. While cloud impresses CIOs from a TCO optimization perspective, it is a platform on which they resist putting their business-critical data.

The Dell Global Security Survey finds that many organizations today use cloud computing, potentially introducing unknown security threats that lead to targeted attacks on organizational data and applications. The report finds that 73% of respondents in India currently use cloud, and of these, 21% said cloud apps or service usage were the root cause of their security breaches.

Jayantha Prabhu, Group CTO, Essar, explains that both virtualization and cloud are platforms that rely heavily on ‘sharing’, which is quite far from the legacy isolated and dedicated in-house host-based environment. This raises further concerns about the applicability of security measures.

He says, “At Essar, a simple but robust policy for the virtualized environment provided a solid base for a secured environment. In the case of public cloud, a detailed assessment of selecting applications based on their criticality was done before hosting them in the 3rd party environment. Low-criticality applications were hosted out in public cloud and security related to that environment has been dealt with accordingly.”

He feels that the new IT and threat environments have led CIOs to revisit their security strategies and adopt solutions that are smarter, more comprehensive and offer greater control.

Advanced and persistent
So, vendors are now thinking beyond traditional anti-virus solutions, sprucing up their offerings to include anti-advanced-persistent-threat solutions, next generation firewalls, application security solutions, privileged password management solutions, and DDoS and data leakage protection solutions. These solutions protect organizations against the advanced threats that are proliferating in the network, points out Amal Bhattacharya, General Manager & Head – Presales and Strategic Opportunities (ITS – GIS), Wipro Ltd.

Organizations have recognized the importance of securing the endpoint and have upgraded endpoint anti-virus to endpoint security solutions covering anti-virus, host-based firewall and host-based IPS. Additionally, encryption for endpoints has been a key focus for organizations seeking to protect the data at the endpoints.

With security breaches in large organizations causing monetary damages and loss of brand reputation, organizations have started focusing on security with greater caution. Additionally, regulations in verticals like Banking and Telecom have forced organizations to focus on security compliance and invest to ensure that they are secure and meet the regulations.

“In 2013, we picked up some of the major security solutions deals from state governments, and some large deployments with telcos to meet advanced security threats were also taken up this year,” he says.

However, Singh of Websense says that not all segments of security solutions grew. In fact, it has been a mixed bag.

Venkatesh Swaminathan, Country Head, The Attachmate (Novell, NetIQ, SUSE, Attachmate) Group India agrees, saying that there has been an increased focus on identity and access management and endpoint security.

“Enterprises demand solutions that can help them collate logs and do intelligent reporting, including behavioral patterns. The new RBI guidelines around access, authentication and self service passwords have generated interest in advanced solutions.”

According to Mahapatra, SIEM (Security Information and Event Management) is no longer a viable solution unless it provides the ability for real-time incident analysis, compliance and response, taking into consideration every device connecting and communicating within an organization. The requirement is to bring together event, threat and risk data with security intelligence, which will facilitate rapid incident response and the ability to make real-time decisions about the security posture of the organization and better-informed decisions on how to protect it.

Swaminathan cites the example of a mutual fund company that uses their solution for about 15 lakh users, with a concurrency rate of about 200,000 users. For this, the company uses their single sign-on solution. Similarly, he adds that a large government client (power sector) uses its identity and access management solution for its 40,000 employees.

Interestingly, it is not just the telcos and BFSI users that are aggressively investing in security; verticals like Pharma are showing an amazing pace of adoption of security solutions. Another FMCG client uses their privilege management solution for 200 servers, and the system is managed by the administrator.

Kaura of Symantec says that the industry now expects management of the entire life cycle of security. He picks another example, of an insurance company that claims to close all insurance buying processes with the help of its field staff on the move.

“The staff has tablets and they key in all the customer information on the device. In such cases, securing the information processing is a challenging task. In all verticals like BPO where the attrition rate is high, securing information at each level is critical,” he says.

For this, enterprises need a well-defined policy to guard C-level information. The IT head must have control over who and which devices have what information. While formulating security policies, enterprises should focus on developing local and external threat intelligence, testing and educating employees against social engineering attacks, formulating mitigation and cleanup strategies in case of an attack, deploying custom defense solutions to protect against APTs, and protecting company data through data protection and management solutions.

An area where most Indian enterprises lag is the management of these security solutions. As data centers hosted in India become increasingly common, securing data centers through managed security service providers (MSSPs) is a big trend. As per CERT-In reports, India faces a shortage of about four lakh trained cyber security professionals, and therefore enterprises are increasingly relying on managed security services.

While most systems and CIOs are reactive to security threats, very few have the capability to simulate threats.

Dhiraj Gaur, Senior Engineer – IT, Power Grid Corporation of India, feels that organizations need to be proactive and must test their preparedness to deal with threats from time to time.

He says that at government agencies like theirs, the critical infrastructure is always air-gapped and no confidential data is shared on Internet-connected machines, and even on the employee side, several checks and balances have to be put in place. They have IPS firewall solutions and then they run correlation on logs. “We have DLP (data leakage prevention) solutions in place. Security has become so important that we think of it even while procuring non-IT infrastructure, checking the source of codes, etc. so that there is no back door control, especially by hostile companies like China.”

“One of the easiest ways of testing one’s security strength is by participating in the mock drills conducted by CERT, where virtual machines run in parallel, and the agency poses various threats. The organizations are later rated on the basis of their responsiveness and ability to deal with the attacks,” Gaur explains.

In an era when almost every component of IT is available as a service, security too is available on demand.

Buy SaaS with care
With cloud-based security, eliminating the cost and hassle of provisioning, managing and scaling security hardware and software is an easy route for enterprises. However, as of now, it is a phenomenon mainly among small and medium enterprises.

As per management consulting firm Zinnov, Indian SMBs have adopted SaaS on par with or ahead of the rest of the world, perhaps because many Indian organizations are not limited by regulatory or compliance requirements compared to their western counterparts, giving them the freedom to choose and adopt cloud more quickly. As a result, the market is ripe for more widespread adoption of SaaS to help SMBs reach greater levels of profitability in India. Security SaaS allows SMBs to focus on their business while leaving the security of their endpoints, email, web and vulnerability management to the security experts.

Bhattacharya explains, “Major offerings today in security as a service are in the content security space – securing emails before they hit the organization’s email servers and also securing employee Internet access. With cloud adoption picking up pace, going forward there shall be more focus on identity and authentication and how this can be used to secure access to applications.” In any case, enterprises will have to choose their solution provider with caution.

While 2013 was a challenging year and full of threats, 2014 holds a bigger challenge, with mobility penetrating further into enterprises. CIOs will have to watch out for more sophisticated models of attack and develop skills around security management. And not to forget that yesterday’s viruses and malware are still lurking out there, requiring vigilant updating of traditional defenses. In this backdrop, CIOs need to develop new immunities while keeping the traditional shields up to date.
