Cover Story
The opportunity in security
The IT security market offers a ray of hope for solution providers and VARs struggling to cope with the pressures of the recession. K R Nambiar talks to vendors and solution providers, and analyzes the emerging security landscape
 While the recession has disrupted the growth rates of most IT segments, one market that still promises to offer high double-digit growth rates is security. With increased awareness among not just the enterprise and SMB segments, but even SOHO and home users, security vendors and their partners continue to be upbeat about opportunities in the Indian IT marketplace.
According to a study, Global IT Security Market Forecast to 2012, commissioned by market research analysts RNCOS, the Indian IT security industry is moving strongly, and is expected to continue to grow at a CAGR of 44 percent year-on-year. The market, which was just about Rs 210 crore in 2006-07, is expected to touch Rs 1,958 crore by the end of 2010.
The report says that the SMB segment is projected to spend around 44-48 percent of the total IT expenditure in the country. The momentum of SMB investment in information technology which had fuelled the growth of the IT industry in the country is expected to carry on in areas such as security despite the global slowdown.
“Every year, new and innovative ways of attacking computer users emerge and continue to increase in volume and severity. One thing is very clear: that data is growing rapidly in spite of the economic downturn,” says Ajay Verma, Director, Channels & Alliances, Symantec India.
Growth drivers
Even in the face of the recession, IT and BPO industries continue to be the biggest investors in security, according to the RNCOS study. The report attributes this to the rising emphasis by Western clients on compliance with IS guidelines, as well as regulations such as the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOA). Agrees P J Nath, Executive President, Enterprise Solutions, Sify Technologies: “Regulatory compliance will be one of the important drivers for the growth of information security products and services in the enterprise. Through regulation and increased IT spending, the government will emerge as a key influence in enterprise security spending in 2009.”
Nath is among the many in the industry who subscribe to the view that the current global slowdown will act as a catalyst for security solutions, especially in the SMB space. “The economic downturn will encourage more SMBs to be cautious. They will look at security solutions to ensure that their data and infrastructure are secure.”
Verma provides yet another angle to the theory. “In 2009, it is easily predicted that the economic crisis will be the basis of new attacks. We expect to see an increase in e-mail promising easy-to-get mortgages or work opportunities. Unfortunately, the people already hit hard by the economy, who have lost jobs and have had homes foreclosed, will also become the primary prey of scams. For this reason, any business entity has to be more careful today while handling the data, protecting the data and determining what kind of asset protection plan is required. The downturn will mean that people will be focusing more strongly on some other product suites that we take to the market.”
Above all, the growth is largely attributed to increasing awareness about security threats by users in all segments. While enterprises across India had started investing in security solutions as early as a decade back, the SMB and even SOHO segments are increasingly aware of potential threats. “Awareness of most of the basic threats is increasing, and the media coverage of security threats is keeping both the enterprise and SMB segments on their toes. Segments such as banking, corporates and services definitely do not want to be in the news for the wrong reasons, so they are increasingly wary of security threats,” explains Prabhakar Kini, MD of Bangalore-based Kinfotech, a security solutions specialist.
Users are becoming more aware of threats because organized crime groups are increasingly getting active in cybercrime. “The world has changed. It is no more that teenage hacker who is taking an interest in your network or defacing your Web site. There are professionals out there who are looking at your network to launch attacks on their targets. There are malicious minds looking at stealing your data and profiting from it,” explains Steve Hannah, Distinguished Engineer with Juniper Networks.
Managed Security Services
Most respondents among vendors and solution providers (SPs) CRN spoke to felt that Managed Security Services (MSS) will be an area where both enterprises and SMBs will spend the most in the next two years.
MSS are, simply put, network security services that have been outsourced. They can encompass every aspect from identity management to installation and deployment. Deployment, installation and optimization topped the list of security services SPs are currently offering, followed by auditing.
Several factors are expected to boost MSS. One of the biggest is that the SMB, and to a certain extent some of the enterprise customers, have not invested considerably in in-house security solutions. “Hence, in many cases, the question of not outsourcing to protect existing investments does not arise. The SMB market for security solutions is largely untapped, and it becomes easier for them to take a decision to outsource especially in the current market scenario,” observes Satheesh G Nair, CEO of Unified Stickman Group India, Bangalore.
According to a PWC report, MSS have been growing at over 50 percent a year for the last two years. IDC estimates that the MSS segment is likely to grow close to 50 percent till 2012. Then there’s this report by Frost & Sullivan which says the MSS market in India has seen a CAGR of more than 80 percent between 2005 and 2007. The MSS business in the country crossed $50 million in 2007 as compared to $27.4 million in 2006.
“Service providers like us have already overcome traditional customer concerns related to the MSSP model, with clearly measurable service level agreements, and in terms of obtaining certifications such as ISO-27001, backed by adequate and demonstrable business continuity plans. We are seeing the trend of more customers getting aware and comfortable with managed security service models,” says Santhosh Koratt, Head of Consulting & Compliance at SecureSynergy, a Mumbai-headquartered security consulting company.
A number of systems integrators across the country are also adding MSS as a business practice in the coming days. “MSS is a service offering we have been actively considering, and have already laid out our plans,” informs Raunaq Singh, Vice President of Targus Technologies, a Delhi-based SI.
However, SPs are expected to face stiff competition from the larger national SIs such as Wipro, HCL or even a TCS which set up the practice a few years back.
SPs feel that the most common issue hampering the growth of MSS has more to do with the education of SMBs about the many benefits and cost savings. SPs also report that there is also a reluctance, especially among SMBs, to outsource services in a sensitive area.
“However, a few SMB decision-makers are aware that an organization opting for MSS can save as much as 75 percent compared to companies handling security on their own,” notes Kaushik Thakkar, Co-chairman of Syntensia, a security solutions specialist. “Another factor pushing the trend is the need for greater vendor accountability. With MSS, there’s no accountability gap, and MSPs are responsible for the infrastructure as well as the application. Buyers get a definite, single point of accountability for performance.”
Perimeter security
Perimeter security encompasses areas such as Universal Threat Management (UTM) solutions, firewalls and LAN security solutions. The majority of SPs CRN spoke to felt that the biggest SMB spend in the next two years is likely to be on UTM appliances. These appliances are essentially edge devices or firewalls which have many features in one box, including e-mail spam filtering, antivirus capability, an intrusion detection (or prevention) system (IDS or IPS), and World Wide Web content filtering, along with the traditional activities of a firewall.
The increasing business dependency on the Internet, along with bandwidth availability, has made it imperative for customers to look at UTM boxes.
Vendors have started offering one UTM solution or the other. In addition, specialized security vendors such as Cyberoam, Checkpoint, Sonicwall and Fortinet have been aggressive in wooing both customers and partners with their products. “Channels love UTM solutions, and most vendors are now offering the service in a box, which is customized to be sold by an SI very easily as a box. At the same time, the tier-1 vendors are trying to offer more inside a single box and differentiate their products,” explains Rajiv Unnikrishnan, Head, Westcon India.
“A UTM deployment helps reduce complexity because it is a single security solution, from a single vendor, with a single AMC, and with the avoidance of multiple software installation and maintenance. Similarly, its plug-and-play architecture, and Web-based GUI for easy management coupled with zero-hour protection without comprising on performance, translates into high ROI for both SMBs and enterprises,” says Tushar Sighat, VP, Cyberoam India.
Some of the cutting edge UTM solutions help organizations deploy IT policies which are compliant with standards such as SOA.
In addition, vendors are increasingly trying to include more features, and also spin off specialized appliances. “We want to maintain our performance innovation in terms of network security solutions while pushing for additional technologies to offer comprehensive security to companies. The recent launch of our FortiDB database security appliance and our FortiMail e-mail security solution are good examples of this strategy,” comments Vishak Raman, Regional Director, India & Saarc, Fortinet.
But partners say that perimeter solutions could face some challenging times as security vendors struggle to keep firewalls and other products fresh and competitive. There is also the threat to margins as vendors are increasingly trying to outdo competition and are lowering prices. “In some ways this is good, since more customers can actually afford a solution that is more than a firewall,”says Unnikrishnan of Westcon.
Antimalware
The biggest and most visible IT threat is still the computer virus. It affects the desktops of home users and servers of large corporations, and continues to be the biggest security threat.
One of the most interesting trends in the Indian market is that the number of licences of antiviral software outnumber the number of licences for operating systems. “It might sound ironic, but while many users still continue to pirate their Windows operating systems, they are buying and renewing their antivirus licences,” observes S Srinivasan, senior VP of K7 Computing, a Chennai-based antivirus vendor.
Since vendors such as Symantec, McAfee, K7 and Trend Micro, among others, have started their retail operations, the awareness about antivirus software is increasing even among end-users. “Anyone who’s had a major virus attack and has lost either data or productivity is likely to buy licensed antivirus software. Customers are seeing increased value in buying antivirus solutions,” adds Srinivasan.
While the enterprise segment has already ensured desktop-level security in most cases through volume licensing, the SMB market is increasingly adopting antiviral solutions for all PCs in their networks. Since most vendors offer yearly subscription-based licenses, channel partners in this space are looking at yearly revenues from a captive base. “The repeat revenues from the antimalware licensing business make a good business model for channel partners,” opines Peter Theobold, CEO of IT Secure. “One of our key messages to channel partners is to look at opportunities for recurring revenues in the security space,” says Govind Rammurthy, CEO of security vendor Microworld.
Apart from the common computer virus, its new avatars and cousins such as info-stealing keyloggers, fast flux botnets, trojans, zero-day exploits, spyware and rootkits are giving nightmares to the Indian SMB CIO. End-point security vendors such as Symantec and McAfee are therefore releasing all-in-one products that secure desktops from a multitude of threats.
End-point security
End-point security is more of an information security concept which basically means that each device (end-point) is responsible for its own security, and that implementation of end-point security is achieved through different ways depending on the vendor. “Depending on the vendor and the security architecture, there are different ways to deploy end-point security,” explains Rajesh Kumar, Head, Business, Inflow Technologies.
“End-point threats continue to increase rapidly. Unfortunately, so do the number of end-point security applications and management consoles required to stop them. Managing these multiple, disparate applications and consoles is a difficult challenge, and Check Point hopes to address this opportunity through our newly-released product Endpoint security,” says Bhaskar Bakthavatsalu, Country Manager, Check Point Software Technologies, India & Saarc. “Our solution does not require customers to implement multiple software on the desktop, and it can manage end-to-end security,” he adds.
While some UTM vendors echo the same thought, not everyone subscribes to the view. “It is a false sense of security to address all security threats through a single device,” opines Theobold.
Nevertheless, both enterprises and SMBs are keen to deploy end-point security, and are expected to invest in it in the next 12 months.
Data Loss Prevention
Data Loss Prevention (DLP) is a computer security term referring to systems that identify, monitor and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep content inspection and with a centralized management framework.
“To ensure risk mitigation and keep in step with the threat climate, enterprises must rethink their approaches to the Web, messaging and data security. Instead of thinking about technologies, organizations must think about data. It’s all about the data. How is it used? Who is using it? Where and when is it safe to use? Who can receive it? Which channels can safely send it?” says Manish Bansal, Marketing Manager, Websense Software Services India.
While DLP solutions are said to be the most in demand among SPs—according to a survey conducted by CRN’s US edition in the United States—in India SMB customers are just about beginning to take interest. This is attributed to the fact that unlike in the US, there is an absence here of regulatory laws such as SOA or HIPAA. That is perhaps the reason why it is predominantly the MNC customers, software exporters and BPO vendors who are taking an interest in DLP solutions.
“Since India does not have regulatory rules, at least SMBs will not be overtly worried about data loss presently,” observes Theobold.
“We saw an interest in DLP solutions early last year. However, actual business conversions are expected later this year. There are a number of niche vendors who are likely to make a strong presence in the market in 2009,” informs Kini of Kinfotech.
While most security threats are perceived to come from external sources, data loss threats are mostly internal. “A DLP threat can happen because of many reasons, from an angry employee in an organization to human errors,” explains Nair of Stickman. “The opportunity as far as DLP Solutions is concerned goes beyond mere selling any of the other niche products. There is definitely money in offering consulting services.”
Web Security
Web Security includes content filtering and implementing content access policies for Internet access within an organization. “This is a growing market, and more SMB customers are taking interest in implementing content filtering solutions from vendors such as Web Sense. Since Internet access is provided to all users in the network, the additional threat of users misusing the Internet during or after office hours is worrying CIOs,” points out Kumar of Inflow.
Apart from the fact that users spend productive hours accessing social networks, the surfing through unsafe Web sites also means that there could be threats as a result of malware getting downloaded on to a desktop and from there spreading across the network. “The Web is not a safe place even with the most cautious security checks. You have rootkits and spyware that can make use of security holes in your Web browser and take over your desktop through an image you are viewing,” explains Hannah.
According to SPs whom we spoke to, on the average, around 8 percent of the commercial spending of SMBs will be to buy content filtering solutions, while enterprises are expected to spend around 12 percent.
E-mail security
With the proliferation of spam and with viruses spreading faster through e-mail than ever before, e-mail security is of tremendous concern to SMBs and enterprises. “No one wants their e-mail to be read by someone else. And with the threat of viruses and spam, e-mail security is extremely important,” explains Theobold.
While most e-mail security involves the deployment of antivirus, antispam and antiphishing solutions, there is also the availability of e-mail appliances which are perceived to be fairly secure. “For example, IronPort (a Cisco company) is selling e-mail appliances that are extremely secure, and some enterprises are considering such solutions,” explains Kumar. “However, there is also a services angle, as customers are also open to a solution which provides spam removal and virus protection services, especially when they allow the solution provider to host e-mail.”
Comments Theobold: “In case you are hosting the e-mail server and maintaining it outside the customer’s premises, customers are open to availing e-mail security as an add-on service.”
Wireless security
Entry-level wireless access points are known to be insecure. Following the recent terror e-mail that have been sent allegedly through compromised unsecured access points, there is an increasing awareness of wireless security solutions.
“Wireless security has become a matter of concern following the news that terrorists have been hacking unsecure wireless ports. There are third-party solutions, including UTM boxes, which can be used to secure wireless ports,” says Theobold.
However, wireless vendors are recommending that it is better to use high-end secure wireless products rather than entry-level access points combined with a third-party solution. “If security is a concern then you are better off suggesting a wireless product that is truly secure and manageable, rather than using a third-party solution to secure your wireless network,” counsels Sudarshan Boosupalli, Country Head of Ruckus India.
Application security
While the SMB market is yet to look at it seriously, application security is a matter of concern to enterprise customers. One of the biggest threats is the lack of proper access-level control of applications. According to a study conducted by the Mumbai-based MIEL, the misuse of user rights ranks as one of the biggest risks which organizations face. “People are the weakest link when it comes to IT security risks, which every organization faces, and to ensure that this risk is mitigated it’s imperative that every program and every user of the system should operate using the least set of privileges necessary to complete his job,” advises Anuj Gupta, Sales Director of MIEL India.
Identity management is another critical aspect of application security. Application and platform vendors such as IBM, Sun Microsystems, Oracle and Microsoft have been advocating their own solutions for the platform.
“Identity management solutions such as Oracle Identity Management offer a top-down, centralized approach to monitoring and controlling what, where and with whom information can be stored, shared or disseminated. This solution allows IT managers to create access control policies in real time to ensure accurate and consistent security enforcement across the enterprise,” says Dhruv Singhal, Director, Sales Consulting, Fusion Middleware, Oracle India.
“Identity management and application security is important for enterprises. However, SMB customers are not likely to invest because of the prohibitive costs and complexities,” believes Theobold. |