Today’s computing environments are significantly different from conventional ones, and managing security in these diverse environments is impacting the way strategies are formulated. Sangram Gayal, principal consultant, PricewaterhouseCoopers, speaks to Biztech2 about some of the issues concerning security frameworks today and what we can look forward to in the security space.
Today’s data centres are high on virtualised environments mixed with legacy. How can one manage security effectively in this kind of a diverse environment?
There will definitely be a change in the way security policies are executed. The more important thing here is that when one is analysing diverse technology environments, the implementation of technology architectures will also be different. From the technical perspective, the use of middleware today is gaining ground. Today, most transactional security frameworks can be established using middleware.
For example, when you have legacy mainframes, these are exposed to customers or B2C portals through middleware, where controls can be exercised. Today, there are add-on controls that you can add to the legacy infrastructure; however, it is important to first have a mindset change if you want to implement these technologies.
If you look at middleware architecture today, it closely resembles a business solution.
In cases like these, firstly, you have to look at alternate solutions. Secondly, one can look at integration with newer systems and newer bolt downs where you can have security add-ons. So you definitely need to have a security strategy for the long run, which is in line with IT and business strategy right from the start.
What are the key issues with security frameworks today?
One thing in India as compared to the global security scenario is that our investment in security has been smaller as compared to global security spend. If one looks at the network side, everyone has deployed firewalls, IDS, etc. However, these are disparate components and one needs to look at it from a broader perspective. There is a need to integrate and understand the fact that mere network security is not enough.
Security strategies today need to be present at the application level, and should extend down to the people and processes within an enterprise. If you look at India, 70 percent of the organisations would have nominated someone as a security officer, or someone whose role was defined keeping security in mind. This leads to establishing KRAs for security in the organisation. In fact, if one looks at it, India has the leadership for security, the road is set, all that remains now is for the investments to follow.
SOA is gaining tremendous momentum within the enterprise. What kind of security requirements does this space demand?
SOA is a little tricky considering each SOA implementation is vendor specific, so in order to have a secure environment, one has to depend on the vendor. If you look at SOA security standards, such as XML encryption, signatures, etc., the standards do exist; however, they are disparate. Today, if I need to connect to a secure SOA system, really speaking there’s no handshake. So there’s a long way to go before we can utilise the features of SOA security standards and a lot of development needs to be done in this area.
How is the scenario going to change in the near future in terms of the security space?
Very interestingly, our recent survey ‘The Global State of Information Security’ has shown that the capability for security of Indian companies has increased by 100 percent over the last three years, which is substantial.
India leads in terms of security capabilities as compared to the US and European markets, especially when you consider the kind of planning, policies and processes that are being put into place. The next two or three years will see more of a focus on security on the application side considering the last four to five years have seen lots of investments being made on the network side.
Another key area as far as security is concerned is Data Leakage Protection (DLP). Conventionally, the way this works is that one encrypts the concerned machine; however, going beyond that, how do you control data in motion?
One cannot stop employees from e-mailing or using pen drives. DLP technologies enable an environment that stops people from transferring confidential data based on the policies set. The next few years will see further development in this place.