Security trends for Indian organizations: The 2010 edition

Top concerns include Web 2.0 threats, data leakage and application security. DLP, DRM, endpoint security and content filtering emerge as top strategies.

The Internet's dynamic nature and new-age businesses have had a profound impact on the forms that attack vectors take. As a result, security attacks are growing in sophistication and complexity, targeting both financial and intellectual property assets. Infrastructure-driven security initiatives now focus more on the most critical asset: "information".
As far as India is concerned, 2010's notable information security concerns and trends will focus largely on protection of information. So without any further ado, we bring you the top information security issues and trends for Indian organizations during 2010.

Issues related to data leakage
The corporate, vendors and consultants unanimously accept data leakage as the biggest threat for Indian organizations. On this front, the prime challenge is to first understand the kind of information critical to your organization.
Keshav Samant, the head of IT for Financial Technologies, says that identification and classification of sensitive data is a herculean task. Organizations generate large amounts of new information every day, and classification becomes a constant process. As a result, Indian companies need solutions that help them classify data on the fly (as and when information exits the organization), says Surendra Singh, Websense's regional director for SAARC. "For example, if credit card information has not been classified as confidential, the system should have inbuilt intelligence to recognize it as confidential. Automatic classification tools can be helpful in such cases," he adds.
Insider threats and corporate espionage will be a major cause of data leakage within Indian organizations, says Faraz Ahmad, the head of information security for Reliance Life Insurance. As a result, technologies like data loss prevention (DLP), document rights management (DRM), encryption and network access control (for endpoint security) are expected to gain more adoption across industries to tackle data security.
DLP technology enables organizations to establish policy based monitoring and control of various kinds of data (Web, email and endpoint). BFSI, telecom and BPO companies will be among the early adopters of DLP technology in India.
DRM technology allows companies to protect documents with limited access rights. Industries like construction, which are comparatively less sensitive, are also considering DRM solutions. "We plan to adopt DRM to protect the information stored in our SAP-based Document Management System," says Satish Pendse, the CIO of Hindustan Construction Company.

Web 2.0 related threats
Samant feels that even as Indian organizations try to leverage Web 2.0 tools like collaborative applications and social networking sites, they should be careful about not punching holes in security. Predictions of leading information security vendors for 2010 indicate increased use of social networks and collaboration tools like Facebook, Twitter, MySpace and Google Wave to spread attackers' wares.
Cybercriminals will exploit social networking sites to further enhance their social engineering techniques for delivering malware and Trojans. It is recommended that organizations regulate usage of social networking sites through separate policies and rules. Content filtering and unified threat management (UTM) solutions will continue to be popular among Indian companies to deal with Web 2.0 threats. UTM is expected to gain more adoption among SMBs, since they require a consolidated and integrated security solution which is easy to manage, says Singh.
Crimeware is considered the biggest concern for Indian banking in 2010. According to Sameer Ratolikar, the CISO of Bank of India, there will be a significant rise in attack vectors like clickjacking and ransomware. "In order to avoid such crimeware, Indian organizations should adopt content filtering solutions which use behavior based technology instead of signature based detection," suggests Ratolikar. BFSI will also see more targeted attacks (driven by financial gain). Unlike the earlier attacks driven by misguided teenagers, 2010 will see breaches driven by scamsters, fraudsters and cyber criminals, believes K K Mookhey, the principal consultant of NII Consulting.

Application security becomes paramount
Indian organizations now recognize Web application security as one of the critical challenges for 2010. While companies have made significant network security investments, application level threats have not yet been properly mitigated, says Ahmad.
Web applications which lack proper code review are exposed to threats like cross-site scripting and SQL injection. Strong focus on the software development lifecycle (SDLC) and Web application firewalls can help mitigate application layer threats, recommends Mookhey.

Compliance (especially to the IT amendment Act 2008)
Compliance and regulation have been among the prime drivers for information security investments in most countries. In India, such compliance-driven security investments have been largely restricted to sectors like BFSI, BPO and telecom. This will change in 2010.
The IT amendment Act 2008, which came into effect in 2009, will be a significant driver of such security investments in India. Several regulatory requirements specified by the IT amendment Act 2008 will boost security spends, especially in areas such as data security and privacy.

Security management and awareness
Mookhey feels that regulatory pressures will create a strong shift to products that provide platforms which help organizations answer the question - "How secure are we today?" As a result, more Indian organizations will look at enhancing productivity through the use of maturing governance, risk management and compliance (GRC) automation tools.
Security information and event management (SIEM) and log correlation tools will also be popular, feels Ahmad. He cautions organizations against having a single point of contact for management of networks, applications and systems. "If this person turns rogue, it could be costly for the organization. Segregation of duties will help avoid such situations," he says. Since people are the weakest information security links in any organization, the CIOs and CISOs whom we spoke to showed interest in increasing information security awareness levels among users during 2010.

Secure access issues
Most Indian organizations now have a large number of mobile employees, who require remote access to applications on a 24/7 basis. As a result, user identity and access management becomes a very complex issue, especially for large organizations.
SSL VPNs and IPSec VPNs have been popular technologies to provide secure access in Indian businesses. However, organizations are now on the hunt for more advanced solutions for authentication and access management. Technologies such as single sign-on software and two-factor authentication are expected to gain prominence in India.

Cloud based security woes
Organizations are now moving away from traditional models of deploying on-premise applications. Even as Indian organizations try to reconcile with accessing applications over the cloud, they should look out for new security challenges in this model, cautions Asheesh Raina, the principal analyst of IT research firm Gartner. User identity and access management will assume further significance in such environments.

Outsourcing security
Managed security services contracts are now becoming common in India, even in security-paranoid verticals like BFSI. This is also becoming the case in other verticals like manufacturing, telecom and retail. This trend is substantiated by Ratolikar, who firmly believes that security delivered as a service over the cloud will be a prominent trend during 2010.
