Security in Patches, Not Advisable!
By Sonal Desai
Mumbai, Nov 11, 2008 1522 hrs IST
In an era where enterprises are consolidating data centers, networks and applications, and are focusing their energies on meeting compliance needs, content and application security has emerged as a major concern.
Users are getting globally distributed, branch office growth is explosive, and employees are increasingly using mobiles and other devices to stay connected. Even as the security organization within an enterprise controls network access and deploys user lock-downs (to segment users as per their profiles: work/home/device), there is a need for predictable configuration. This stems from the differing needs of a CEO and a user, both of whom want anywhere, anytime access that is device independent. The challenge for any IT organization is to balance these needs.
Traditionally, the IT organization focuses on the network layer. Seventy-five per cent of the investments are on firewalls. However, analysts across the globe said that more and more attacks are penetrating the applications, and thus opening up the crown jewel of confidential information, said Ratnesh Sharma, director, Product Management and Marketing, Citrix R&D, India.
He said that the attitude of IT organizations has to change towards active security. For example, vendors issue a patch at regular intervals. By the time the IT organization updates the patch, the vendor releases a new one. And the cycle goes on. This is a reactive attitude toward security. "The approach of the IT organization is not scalable, and attacks keep surfacing, penetrating more branches, partners, devices and now products and information on companies that have been acquired or merged. Practically, it is not possible for any IT department to support all applications and also update the patches regularly."
The need of the hour is "Secure by Design." It means consolidating all applications in one data center, controlling user access, and critical demarcation of zones.
Even then, hackers can use cross-site scripting or SQL injection to break into the TCPs and get confidential information. Here is how they do it.
Cross-Site Scripting: You go to a legitimate website, and look at the sale site. There is an attack through a browser. You lose connection to the site, and there is a pop-up that asks you to log in again. So you are re-entering the password.
SQL injection: Normally hackers take advantage of badly written code, i.e. something the network layer will not catch. This is at layer 7, Sharma said.
The trends in India are not too different. The profile of attackers and those being attacked is the same. People are using various devices to seek information. There is a lot of traction for encryption, SSL VPN security and application security in industries, chiefly banks, financial services and insurance companies. Many companies with a large branch office network are using access gateway solutions and encryption technology for protection.
Some of the emerging verticals are healthcare, in which hospitals or doctors share confidential patient-related information, and industrial design, where companies are circulating designs to be shared with partners. Besides, there is a lot of in-house demand, essentially for the HR (employee information) and sales (customer information) applications, Sharma said.