IFSEC Insider | Security and Fire News and Resources

‘Compliance a key driver for information security’

In your assessment, what do you think is the future of compliance and security at an enterprise level?

I feel happy to see that Information Security is being taken seriously at the enterprise level. However, I believe that most enterprises possess a very basic perspective of security. The future of security lies in the fact that enterprises should have a concept of layered security or “defense-in-depth”, where they deploy/implement multiple controls in a layered manner to prevent, detect and correct attacks or potential security breaches to their organizations.

I believe web application security should be taken very seriously in the future as enterprises move to the web and the cloud and their web applications become an extremely important business channel. There will also be an increased demand for quality information security services. Enterprises are beginning to grasp the need to have domain experts in information security assisting them in securing their enterprise. Information security is a matter of continuous vigilance, and services that create more robust processes and security practices will be absolutely necessary for the enterprise.

Compliance has always been a key driver for information security and will continue to be so. While many see this as an adverse point, I believe it’s quite the contrary. Compliance creates awareness of certain security practices among enterprises, and many of them begin their information security journey because of compliance requirements.

I believe governmental regulation around information security will increase with elevated threat levels and a few high-profile security breaches. There may be industry-specific compliance requirements that might be promulgated as a mandatory requirement for companies in a similar industry or domain.

Organizations grapple with the challenges of securing their critical data. What do you think are the current threats to enterprise data?

Application security: One of the key threats that enterprises grapple with is web application security. Enterprises have taken to the web in a massive way. Applications ranging from e-commerce to ERP to bespoke web applications have been deployed by enterprises to provide new business avenues or additional efficiencies to the existing business. However, due to non-secure configuration and non-secure coding practices, around 80% of the web applications deployed are seriously vulnerable to attack.

In fact, we find these numbers when we do enterprise web application security assessments for our clients. Attacks like SQL Injection, where an attacker can potentially gain command and control access to the database from the web application’s input parameters, are widespread, and organizations have struggled to keep pace with the wildly evolving and fast-changing web application landscape. In fact, most CIOs and CISOs are clueless about application security issues.

The modern enterprise runs several servers, workstations and commercial/open source software all across its environment. I have largely found that the security configurations for these operating systems are very lax because of improper patch management and improper operating system security settings. Third-party applications are an important aspect of every organization. However, they are not without their risks. Several third-party applications like document readers, word processors and client software are rife with security vulnerabilities that are just unprotected. For instance, there are several backup software products that are vulnerable to serious security vulnerabilities. The attacker can potentially exploit the vulnerability of a backup service on a machine and gain access to the entire machine with all the backup data. In fact, in assessments my company does, we find over 70% of organizations do not patch or protect their operating systems and third-party software. I see this as a major challenge for enterprises today.

Organizations greatly underestimate the insider threat. They don’t seem to realize that insiders can be even more dangerous than an outside attacker. For instance, let us imagine that a disgruntled employee makes a copy of your entire customer database and sells it to your competitor. There is a concept of large business risk involved with insiders. I have seen companies that are focused on keeping the outside attackers out, but have very poor/no controls for people inside the organization.

Popular statistics indicate that 60% of security breaches are caused by insiders simply because they have more access to data. Organizations need to implement a holistic security program that encapsulates a robust Information Security practice to safeguard data from insider threats.
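The SQL Injection scenario mentioned in the answer above, where a web application’s input parameter ends up being parsed as part of the database query, is easiest to see side by side with its fix. The following is an added illustration written for this page, not code from the interviewee or We45: an in-memory SQLite table with constructed sample customers, a lookup that concatenates the input into the query string, and the same lookup rewritten with a bound parameter so the driver never interprets the input as SQL.

```python
import sqlite3


def make_db():
    """Build a small in-memory customer table (constructed sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL, plan TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO customers (email, plan) VALUES (?, ?)",
        [
            ("alice@example.com", "gold"),
            ("bob@example.com", "silver"),
            ("carol@example.com", "gold"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Non-secure coding practice: the request parameter is spliced into the SQL text.

    Whatever the caller sends becomes part of the statement, so a value that
    contains a quote character changes the WHERE clause instead of being matched
    against the email column.
    """
    query = f"SELECT email, plan FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, email):
    """Parameterised query: the statement is fixed and the value is bound separately.

    The database engine receives the SQL and the data through different channels,
    so the input is only ever compared as a string, never parsed as SQL.
    """
    query = "SELECT email, plan FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def row_count(conn):
    """Total rows in the table, used to show when a lookup leaks the whole dataset."""
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # A legitimate value behaves identically in both versions.
    print("vulnerable, normal input:", lookup_vulnerable(db, "bob@example.com"))
    print("hardened,   normal input:", lookup_hardened(db, "bob@example.com"))
    # A classic tautology payload turns the WHERE clause into "email = '' OR '1'='1'"
    # in the concatenated version and returns every customer record.
    payload = "' OR '1'='1"
    print("vulnerable, tautology  :", lookup_vulnerable(db, payload))
    # The parameterised version looks for a customer literally named "' OR '1'='1".
    print("hardened,   tautology  :", lookup_hardened(db, payload))
```

The hardened function is also the one whose queries are easy to log and monitor: because the SQL text never varies with user input, any statement that does not match the known set is itself a detection signal.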

What do you think should the controls be to mitigate risks of data breach?

The organization must first focus on identifying all the risks to critical data. Risk assessment and management is a key factor in identifying specific risks to critical data and then creating controls to handle the risk most appropriately. A structured risk assessment process goes a long way in defining a focused and optimal set of controls for the organization’s critical information assets.

Organizations must implement controls using the “Defense-in-depth” maxim that advocates the implementation of layered security controls to mitigate security risks. Security is a continuous process that requires multiple controls to be implemented in a layered fashion for organizations to be optimally secure.

Organizations serious about protecting their data should build a comprehensive information security practice encompassing preventive, detective and corrective controls to ensure that the chances and effects of a data breach are greatly reduced. Organizations generally perceive this to be a large increase in the Information Security budget and extensive spending on tools, when it is clearly not. Most Information Security implementations are process and practice based requirements that can be achieved by consistently enforcing these security practices across the organization.

Organizations should have regular information security assessments performed by third parties to identify security vulnerabilities in their infrastructure and processes. Individuals who are strong on deep technical issues as well as process implementation and best practice implementation must perform the assessments.

What solutions do you have for mitigating threats to mission critical enterprises?

We45 is an Information Security Services company that has security services for organizations at all levels of Information Security. We perform Risk Assessments and Information Security Assessments for companies that are new to Information Security and want to evolve in their security processes and practices. We perform vulnerability assessments and penetration tests for networks, operating systems and web applications for organizations that have an established security practice but would like an in-depth and quality validation of their security processes. We also help companies develop secure web applications by infusing security into their application development lifecycle with our web application security consulting and secure SDLC services.

Apart from this, we perform compliance consulting and assessments for companies looking to comply with the PCI Standards, HIPAA, ISO, SB-1386 and GLBA among others. We are also the only company to provide vendor liaison services where we interact on behalf of the company with security product vendors and identify the right products and implementation for our clients.

Where do you think the enterprise security industry in India is headed?

I believe the enterprise security space is heading in two directions. The first is that there is an increasing demand for information security services, because information security is one of the most intellectually challenging professions on earth and organizations need help from external agencies and companies to secure their environment optimally. There is an increasing demand for web application security services.

The enterprise security industry is also heading towards products that are geared towards providing security for different aspects of the organization’s environment.
