Security Practices Knowledge Circle Vol 1 Issue 3
Fortifying the enterprise Sachin Jain, CIO, Evalueserve
Jankari se jaagruti tak
Sachin Jain, CIO at Evalueserve has transformed the challenge of data and web security into a key strength.
Excerpts from a Websense paper on the benefits of a unified content security solution like TRITON.
Shobitha Hariharan, CCA and CISO, Shoppers Stop, throws light on the principles and practices of information security.
“It was a good workshop and gave us an insight into DLP and the related Risk Assessments based on earlier research done by Deloitte. As a Subject Matter Expert, Websense helped us understand the technical aspects of the DLP product suite, how it is different from others in the market, and practical ways to approach a DLP solution. I would like to see more of such events and seminars.” Mr. Vikas Raina, Senior Leader - Corporate Information Security Office Convergys Corporation.
Websense presents Cloud-based SaaS solutions
Websense recently launched Cloud-based Security-as-a-Service (SaaS) solutions for Indian companies, facilitating locally hosted security solutions necessary for data compliance. Websense Security-as-a-Service (SaaS) provides a fast and easy deployment path for the Websense Hosted Web Security and Websense Hosted Email Security products. SaaS shifts security inspection, enforcement, and management processes from the customer’s location to globally available datacenters ‘in the Cloud’. With this, infrastructure, web, and email security services can be deployed across large and small offices located around the world in minutes. The benefits of SaaS to Indian companies include:
• Sophisticated real-time security
• No hardware or software to buy or maintain
• Reduced bandwidth costs
• Ease of scalability
• Automatic spooling for email backup
• Carrier-grade data center availability and security
• Web and email security
Websense Security Workshop: Advanced Persistent Threats (APTs)
Today’s APTs target confidential data and proprietary corporate information. From Aurora and Stuxnet to RSA and Sony, APTs are becoming increasingly frequent and affect corporations across the globe. Security breaches affect not just users, but also companies who then have to deal with damaged reputation and financial loss. Websense’s Security Workshop on APTs is designed to help you better understand how to address these threats within your own environment. Participants learn about:
• What is an APT?
• What makes APTs different from traditional attacks?
• What are some examples of APTs and how are they different from blended threats?
• How does Websense address both APTs and blended threats?
Dates:
Bangalore – 15th September, 2011
Chennai – 16th September, 2011
Register: Email your contact details to Manish Bansal at firstname.lastname@example.org for more details.
Fortifying the enterprise
“A single instance of data leak can impact our entire company,” says Sachin Jain, CIO at Evalueserve – a leading Knowledge Process Outsourcing (KPO) enterprise. As a KPO, the company is privy to sensitive information from clients across sectors. This makes data security paramount. However, Sachin and his team have transformed this challenge into a key strength – clients are impressed with Evalueserve’s stringent information security processes. Read on to know how they made it happen.

Chinks in the security armour
Evalueserve began their fledgling operations in Gurgaon, India, in 2000; today, they are a team of more than 2400 people across locations. Data security has always been vital given the nature of their business – associates access sensitive client information and conduct custom research. “We even help our clients draft and file patents,” says Sachin, explaining why it is critical to keep the data, residing in their network, absolutely safe.
The Evalueserve infrastructure overview
• Five connected global offices – two in India; one each in China, Chile, and Romania;
• broadly distinguished as:
  • Enterprise setup for on-demand projects; this supports everyday operations;
  • Offshore Knowledge Center, which functions as an extension to a client’s office, with physically segregated and dedicated IT setup. Employees are trained to adopt security controls framed by Evalueserve and its clients.
The company has always been aware of the responsibility such information brings; even during their early years, they had measures to safeguard it. “We had a basic set up with a firewall. But we realized the importance of stricter information security – from compliance as well as business perspectives. We formed a core team to manage enterprise security,” he says. They began by creating policies and structures that evolved with their business. Grappling with different challenges, they adopted a step-by-step approach to fix gaps through which data could be leaked. This resulted in certifications and streamlined data sharing processes. However, as technology evolved so did the business need. Using the latest technology solutions as business enablers meant greater complexities to manage. The company needed a more robust solution to ensure that email access, inadvertent data leakages, instances of employees sharing official information through personal mail ids, etc., did not pose risks.
The Websense advantage for Evalueserve:
• Greater data security across the network, including on mobile devices such as laptops, which will soon be extended to smartphones such as Blackberry;
• protection, not just against data leakages, but also against malware and external threats;
• employee productivity – employees can easily access the websites essential for their work;
• bandwidth utilization – Internet usage can be monitored and the solution’s smart feature issues alerts in case of high bandwidth usage; so heavy sites (such as sports news sites during the cricket season) can be blocked;
• access to social media – employees can use social media sites too (if relevant to the work) without fears of external spyware intrusions.
Strengthening the links
This is where the Websense Data Loss Prevention (DLP) solution fit in. Implemented at the enterprise level, it covered Evalueserve’s network and also data end points. So, data on laptops, phones, and other mobile agents was secured against leaks and thefts. It also allowed blocking of a category of websites compared to a more tedious blocking of individual sites. Moreover, data on mobile devices was protected from hard-to-detect malware. Tailored workflows for different business units meant each unit could define critical information, and spot policy violations relevant to the operations.

The solution’s features ticked the other right boxes too: simple architecture, low hardware requirement, and easy integration with existing infrastructure. It also offered the requisite flexibility and came with a centralized console to simplify management and reporting. Of course, it encountered user resistance; but that faded away once the employees saw the benefits. To make change management easier, the enterprise also focused on knowledge sharing. “We have e-learning modules, quiz tests, posters, screen savers etc., to introduce and reinforce the security policies.” The company culture ensures that anyone who joins the team gets educated about the security policies and complies with them.
Sachin also knows that the trick lies in keeping things simple. “It’s on the roadmap: simplifying the Websense security solution we use as much as possible, so that we don’t build complexity into it,” he says.

Safety becomes the norm
How long did the implementation take? It began with data classification where Evalueserve’s different business units had to organize data into different categories based on its sensitivity and use – from confidential to what could be in the public domain. After this, they identified keywords and sources through which data could be leaked (email, FTP, etc.). Soon, policies were aligned to strengthen the initiative. The phased implementation approach will soon see completion; but the early results have already started trickling in. These include:
• Instances of breaches and data security violations have decreased.
• Employees are more sensitive to data security policies and manage critical information better.
• Gaps in business processes (such as data leakage through personal IDs) have been fixed.
Clients have also been impressed with Evalueserve’s commitment to data security and the security framework being followed. “In one of the instances, one of our clients had asked for an hour slot to review our security policies and controls. When they saw the controls we have in place in addition to ISO 27001 certificate, we wrapped up the talks in just 5 minutes!” smiles Sachin. Evalueserve’s commitment to information security and data protection has resulted in more business, and greater approval through client audits, which Evalueserve is open to, at any point in time.

What were the other stepping stones to this successful solution? Apart from classifying and identifying information, the team is managing false positives. The fine-tuning is still underway and will eliminate instances that seem deceptively similar to data breaches.
Creating the winning combination
Reflecting on the entire process, Sachin discusses the key lessons learnt. He stresses the need to get adequate representation from all business groups for such initiatives. “You cannot drive it alone,” he points out. “Understand the nature of your business; try the solutions available and then take a decision. It is important to identify the kind of solution and tools, which are relevant to your business and do not compromise the organization’s productivity or efficiency. Strike the right balance between being nimble and fast, and staying protected and safe.”
– making seamless data security a reality
Today’s organizations need a unified content security solution: among many other challenges, fast-evolving malware, blended threats, internally initiated data leakage, and an increasingly borderless enterprise have rendered traditional point product approaches less effective while driving up costs and complexity. The Websense TRITON™ solution is designed to slash content security Total Cost of Ownership (TCO) while enabling organizations to safely leverage new communication, collaboration, and social web tools like Facebook and Twitter.

Organizations achieve the lowest TCO through its unified content security, which consolidates web security, email security, and data loss prevention (DLP) into a highly flexible and scalable unified architecture; unified platform of on-premise and Security-as-a-Service (SaaS) deployments; unified content analysis with the real-time threat intelligence provided by the Websense Advanced Classification Engine (ACE); and unified management infrastructure. The TRITON solution provides unrivaled visibility into an organization’s computing environment and application traffic. Unified policy management that spans on-premise and Cloud-based deployment options further ensures that remote office and mobile workers receive the same high-quality protection consistent with their headquarters-based colleagues.
Its leading features and unique capabilities include:
• Market-leading web and email security technologies. Flexible user authentication, application control, antivirus, real-time security scanning, URL filtering, advanced reputation analysis, SSL inspection, real-time updates, and integral Web DLP are all leveraged to protect against malware, improve employee productivity, and help prevent data loss while enabling safe use of dynamic Web 2.0 resources. Likewise, comprehensive protection is provided for email with a cocktail of antispam, antivirus, reputation analysis, and integral email DLP capabilities.
• Enterprise-class DLP. Leading DLP technology is designed to identify, monitor, and protect confidential data. By leveraging the unified content analysis of the TRITON solution, Websense Data Security Suite accurately prevents data loss, secures business processes, and helps organizations manage compliance and risk. Both internally and externally initiated data loss scenarios are addressed.
• Websense Advanced Classification Engine (ACE). An advanced composite content classification engine, ACE brings individual analytic services together to deliver truly unified content analysis. ACE is the “fusion” of all the different market-leading web, security, and DLP analytics Websense has to offer.
• Websense ThreatSeeker® Network. Composed of a dedicated team of cutting-edge security researchers, a collection of more than 50 million monitoring systems that parse over one billion pieces of content daily, and numerous automated analysis routines, the ThreatSeeker Network provides ACE with real-time intelligence about newly discovered threats.
• Websense TruHybrid™ deployment. The TRITON solution supports both on-premise deployment via Websense V-Series™ appliances and Cloud-based deployment.
• Websense TRITON Console. A comprehensive management solution, the TRITON Console unifies the configuration, monitoring, and reporting capabilities for Websense Web, email, and DLP technologies into a single, web-based interface.
• Websense Global Technical Support. Top-quality support personnel with expertise spanning all lifecycle phases (e.g., plan, build, run) provide TRITON customers with technical assistance.

The strengths and benefits of a unified content security solution:
• Security risks are reduced through a combination of proactive (i.e., limiting user exposure in the first place) and reactive mechanisms (i.e., threat/attack filtering).
• Compliance posture is improved, particularly with regard to meeting standards of due care for information security and maintaining the privacy of sensitive information.
• Proprietary information is protected against unwanted exposure.
• Liability protection is provided as unwary users are shielded from offensive content.
• User productivity is improved as spam and non-work-related activities are curtailed.
• Bandwidth and other computing resources are conserved, as traffic and nonessential usage is curtailed.

For IT, the advantages of a unified content security solution are that it:
• Provides significantly greater security effectiveness. CIOs gain greater visibility into how data, applications, and the computing infrastructure in general are being used; and the benefit of being able to prevent the latest generation of blended threats and sophisticated, targeted attacks.
• Achieves greater coverage. A comprehensive and completely consistent set of content security capabilities is available for mobile and remote users as well.
• Reduces infrastructure complexity and administrative workload. Considerably fewer devices need to be implemented, integrated, and maintained. It has a single, web-based console that is accessible from anywhere.
For business management, a unified content security solution:
• Slashes TCO. The annualized TCO of Websense-hosted email security at a typical midsize company is less than one-third the cost of a comparable on-premise email security solution.
• Enables innovation and growth without compromise. Organizations can fully leverage new communication, collaboration, and Web 2.0 tools.
• Ensures compliance with regulatory requirements. Enterprise-class DLP and comprehensive content security coverage ensure superior threat prevention capabilities.

For users, a unified content security solution:
• Enhances their computing experience. No matter where they are, users can be treated with the same, consistent set of policies.
• Removes roadblocks to increased productivity. Users gain the freedom to find and take advantage of new sites, services, and tools.
The Websense TRITON solution is the industry’s first and only solution that fully meets enterprises’ requirements by combining market-leading web, email, and data loss prevention security technologies into one unified architecture. The benefits of this approach are extensive and include comprehensive security coverage for today’s borderless enterprises.
Jaankari se jaagruti tak
- from awareness to alertness
Shobitha Hariharan, CCA and CISO, Shoppers Stop

Often, regulatory compliance fuels information security (info-sec) practices in organizations. In the absence of external pressures, the triggers could include questions raised by internal/external auditors; client requirement; and quick fixes or inadequate, case-specific, one-time resolutions. These make it necessary to introduce global information security best practices into the organization.

Recently, a few enterprises faced info-sec breaches. The reputational and financial damage they suffered highlights the need to focus on information security as an essential part of business. There is a need to stitch together a security approach and policy, which can be applied across enterprise functions. For large organizations, a common baseline for all the different business verticals is a good starting point.

For a comprehensive info-sec implementation, people, process, and technology need to be aligned. People are the weakest link – not because they are unaware of data security requirements in general, but because of the gap between ‘jaankaari’ [awareness] and ‘jagruti’ [alertness]. An engaging and sustained awareness program helps them understand the need for appropriate security measures. However, this necessitates consistent effort over the long term.

The reference point for security implementation is usually a suitable ISO standard/a more stringent set of controls. While these standards provide a list of ‘good to haves’, the rigidity in enforcement or the ‘must haves’ are industry-specific. Regulatory compulsion and the need to get and remain certified are business continuity requirements and mandate all recommended controls. Therefore, it is vital to take a hard look at the business goals and the existing business processes before undertaking the actual implementation. Further, streamlining the critical processes across a few locations and teams helps define the ‘scope’ for applying the controls. This contains the flow of critical information, and facilitates concise documentation and review practices that are essential for evidencing the existence of periodic checks and balances.

Security standards typically specify threshold levels for certification. Smaller companies, where certification may not be mandatory, need to diligently carry out periodic self-assessments and take remediation measures where required. Moreover, in the absence of external pressures, organizations may tilt more towards bringing about discipline and efficiencies in business processes and ensuring a high level of awareness of info-sec policies.

Key learnings from my experience

Engage expert consultants.
At the outset, the right kind of assistance is crucial. A consultant who brings in domain-expertise and best practices, and blends them with the organizational culture, is essential for the success of the initiative. The Information Security leader is but a project coordinator across business verticals/functions. Of course, the security officer continues to drive the security program as part of the internal team.

Engage with business users and application owners at the ground level.
The implementations on the ground help the organization’s DNA imbibe info-sec best practices. Wherever possible, information security should be built into business processes. Making efforts to understand and appreciate the business users’ work encourages consultative interaction and keeps the security team informed. This in turn can infuse acceptable practices into the process.

Compliance versus risk reduction.
The information security function is regarded as the ‘enforcer’ who tells people what they ‘can’t’ do and is often viewed as an ‘auditor’ who is out of sync with the mundane requirements of running a business. It is important to communicate to business users and technology teams alike, and explain that adhering to globally-accepted
norms is less about compliance and more about reduction of avoidable risk. Collaboration between business users, the functional leads, and the technology team, enables user-friendly business processes that are less person dependent. Technology thus becomes the enabler of a well-integrated environment.

Insecurity.
Coordination between the technology and business operations teams, mediated by functional experts who are fully aligned to info-sec practices, helps bring down feelings of irritation and insecurity. Regular open dialogues and participation in business processes eliminate unnecessary restrictions under the guise of security best practices; this goes a long way in creating a better working environment for employees. Elucidating the value/benefit of the risk mitigation steps helps drive this home.

As in any business process reengineering exercise, information gathering is an extremely crucial step here, which leads to informed decision-making. Also, intuitively, one needs to know when to hold fast and when to let go, and have the conviction to see the program through. Winning friends and influencing people helps in building better collaborative relationships.

Take-aways:
• Win friends and influence people across the organization;
• Gather information extensively – in depth and breadth;
• Appoint experts for implementation;
• Engage with internal teams;
• Create an environment of awareness coupled with alertness.

From the Team at SPKC
Communicate...engage…communicate is the mantra!
Hello! As always, we are back with insightful stories in the field of security. We hope you’ve been able to glean takeaways from Evalueserve’s foray into watertight security for the enterprise. Websense gives us a peek into TRITON and its unified security approach while Shobitha Hariharan elucidates regulatory security compliance. And if you’re still looking for more, do sign up for the interesting workshops offered by Websense. All in this issue! We look forward to your views. Keep writing in!
Tapan Garg Founder and CEO World CIO Council and CIO Association of India E: email@example.com | W: www.cioindia.org