Cover Story
Unlocking Potential
 There is huge potential in the security solutions market beyond antivirus and firewalls. The time for channel partners to grab it is now
By Tabrez Khan
The data security market in India is estimated at $500 million and growing at the rate of 20-30 percent. Gartner estimates the Indian security market will grow at a CAGR of 16.4 percent from 2008-2013, clocking a growth of 20 percent in 2010 itself. Driving this market are some obvious factors and some less obvious ones. The increasing use of IT, improved Internet penetration, and the realization among SMBs of the need to invest in security as their dependence on IT increases are some of the more obvious growth drivers for the data security market.
According to a recent survey by security vendor Symantec, small and mid-sized businesses are increasingly aware of the need to adopt a complete information protection strategy that goes beyond a basic antivirus solution. About 67 percent of the survey respondents cited data loss as a key concern area and 60 percent considered cyberattacks as a potential business risk.
Another survey conducted last year by the Data Security Council of India and KPMG revealed security to be the top IT priority for businesses across the spectrum, including SMBs.
Regulatory and compliance norms also seem to be driving the heightened adoption of security solutions as seen in the Indian outsourcing industry which has to comply with regulations such as the Sarbanes Oxley Act and HIPAA. At home, the RBI has prescribed strict guidelines for banks on the issue of data security; this is also driving higher adoption of security solutions such as encryption, two-factor authentication and data loss prevention (DLP).
Says Kartik Shahani, Country Manager, India and Saarc, RSA, “The security market is getting an additional push from the compliance and regulatory norms which most industries have started following. RBI guidelines for the banking sector and the rise in the number of network entry-points (notebooks, PCs, PDAs, etc) have also contributed to the growth in the demand for information security solutions.”
Traditional security solutions such as firewalls and antivirus are not the only products in demand. The fast-evolving information security market is leading to changing trends in the security solutions demanded. The newer ways in which IT is being consumed is in fact leading to changes in the security requirements of users as well.
The increased adoption of virtualization and cloud computing has made perimeters or gateways somewhat redundant. With virtual servers and cloud computing—which involve storage of data outside an organization’s periphery—it is becoming difficult to define the perimeter of a network.
So is perimeter security becoming redundant? “Perimeter security is definitely losing its importance as companies increasingly access data and applications from outsourced data centers or private data centers in the cloud. Any application or document required by a company executive is delivered to him—after applying due security policies—regardless of whether he is inside the organization’s network perimeter or not,” says Kamal Vahi, Director, Compton Computers.
Tushar Sighat, VP, Operations, Cyberoam, disagrees.
“I think both perimeter and data security are important in their own right. Today’s business environment requires an integrated approach to managing security. The purpose of perimeter security is to act as the main line of defense against unwanted or unauthorized access.”
The virtualized environment has certainly propelled the shift toward data-centric security. This is further accentuated by the increased sophistication of the ever-evolving threat landscape. It is also making it imperative for organizations to look at security as a whole and not as a patchwork of products.
“Organizations today are realizing the need for a holistic and comprehensive approach toward security. They are not looking for point solutions but a complete strategic approach which may include multiple products and solutions. A good security strategy would have DLP as its core with other access and data controls supporting it,” says Shahani.
Data loss prevention
According to a study conducted in 2008 by Pune-based consultancy India Forensic Consulting Services, data leaks by employees cause Indian organizations to lose as much as $40 billion or `1,60,000 crore every year. The study noted that employees pose the biggest threat to critical data inside an organization. Considering this, the importance of DLP solutions that allow enterprises to identify, monitor and protect their critical data cannot be overstated.
According to IDC, DLP accounted for less than 5 percent of the overall $310 million security solutions spent in 2008. The adoption of DLP solutions has picked up since, although reliable figures of the current market size are not available. A bit slow to pick up initially, with early success only in the IT/ITES and BFSI segments, DLP is slowly gaining acceptance among both government and private sector organizations and across various verticals.
The initial lukewarm response to DLP was due to low awareness and the perceived complexities of DLP deployment. However, a recent survey by Symantec points to the growing awareness among Indian organizations of its importance. According to the survey conducted across 100 enterprises of various sizes spread over different verticals, about 54 percent of Indian enterprises indicated that DLP is an effective safeguard of their business-critical data.
“DLP is moving to become a useful set of information security tools that can be used to achieve multiple security objectives,” says Shubhomoy Biswas, Country Director, India, SonicWall.
Adds Sighat, “The Indian government and its various agencies are arming themselves to handle the loss of sensitive data. Recent episodes of hacking by Pakistan and China-based cybercriminals have alerted them to the need to adopt DLP solutions. Security and law enforcement agencies are also using data recovery services to investigate cases where criminals have wiped off all traces of their electronic transactions. Many in the corporate world have also joined the list of adopters; prominent among them are banks, airlines and e-commerce portals.”
Vendors are trying to create the right conditions for the adoption of DLP because studies suggest that one out of three enterprises has not implemented DLP due to lack of sufficient funds. To tide over this, certain vendors have introduced affordable DLP solutions in the market that can be deployed by the SMB segment as well.
Sighat says that Cyberoam is targeting both enterprises and SMEs with its DLP solutions launched last year. “Unlike other vendors who target only enterprises, we are targeting the entire stack of segments—SMBs, SMEs and enterprises. Our team is engaging with tier-1 SIs for enterprises and tier-2 partners for SMEs. Smaller SIs and VARs will also be able to sell these solutions across their SOHO and SMB clientele.” Apart from being an opportunity for existing partners selling UTMs, DLP is a definite upsell for them, Sighat says.
Other challenges faced by DLP are being gradually sorted out. “DLP is very difficult to keep aligned with a dynamic business,” notes Amit Nath, Country Manager, Trend Micro. “Enterprises must share confidential data to be able to put the data to work as a corporate asset. However, at times, some enterprises are reluctant to share their confidential data.”
Points out Biswas: “Due to integration problems, companies using DLP sometimes face the issue of being unable to enforce the same security policies across their systems.” Shahani, however, feels these are minor hiccups. “It is important to understand that not all data in an organization is of equal importance from a security perspective. The first step in preventing enterprise data loss is to determine which data is most sensitive to your business. After this you can prioritize your efforts and define appropriate polices.”
Managed security services
The Asia-Pacific managed security services (MSS) market is forecast to exceed $4 billion by end-2015, with revenues rising at a CAGR of 19.7 percent for the next five years. According to Frost & Sullivan (F&S), the Asia-Pacific MSS market, covering 14 Asia-Pacific countries including Japan, grew at an estimated 15 percent in 2009, clocking revenues of just over $1.31 billion. As per F&S, MSS in India grew at a CAGR of 80 percent in 2005-07, touching $50 million at the end of 2007. By the end of 2010, F&S expects the overall MSS market in the Asia-Pacific to touch $1.55 billion, rising 18.2 percent over last year.
One of the reasons why MSS is catching the fancy of organizations in India is because the cost of owning and maintaining an integrated security solution shows a continuous uptrend. As IT budgets remain tight and the need to demonstrate better ROI increases, the focus of organizations is toward better management of costs.
Indian organizations are therefore warming up to the option of outsourcing the solution to service providers, and are increasingly using hosted secured e-mail security solutions, managed authentication solutions and compliance as services.
“Businesses, especially SMBs, want to reduce Capex and adopt a variable structure including the pay-as-you-use model,” remarks Biswas. “Solutions to such requirements are mainly coming out of the new technology architectures like SaaS. The momentum generated by vendor activity, the participation by telecom companies as partners, and the hype around cloud computing will be the main factors driving MSS.”
Experts believe that the inability of companies to attract and retain talent is another big driver for outsourcing security management. Even large organizations are today finding it difficult to retain security experts as they are not able to keep such experts engaged over a period of time as well as not able to pay the compensation demanded by these experts. What companies then turn to is real-time security monitoring and management options at a fraction of the cost of in-house solutions.
That’s not all. “The large number of geographically-distributed networks has led to the greater complexity of the infrastructure for enterprise security with the adoption of solutions such as intrusion prevention systems. The fact that branch offices and subsidiaries are not equipped with qualified personnel capable of immediately handling attacks is the main reason for the adoption of MSS,” explains Sighat. “Verticals such as health care, IT and manufacturing are the major adopters of MSS.”
The need to share information security risks is also propelling organizations toward MSS. By outsourcing selected MSS, organizations can share information security risks and business risks, plan better risk management and mitigation approaches, and get greater accountability from vendors for the solutions and services they use.
“One factor pushing the trend is the need for greater vendor accountability,” agrees Ravi Shankar, CEO of Mumbai-based network security vendor Nevales Networks. “With MSS, there’s no accountability gap because the providers are responsible for the infrastructure as well as the application. Buyers get a definite, single point of accountability for performance.”
Security appliances
Hardware appliances have been popular in the data security domain over the last 3-4 years. UTM appliances and other purpose-built security appliances (such as for e-mail filtering and content filtering) have caught the fancy of customers and have also made it easy for many tier-2 partners to provide security solutions.
According to industry analysts, the network security appliance market is growing at a CAGR of about 14.5 percent worldwide. With e-Governance and compliance requirements increasing, banks and telcos are expected to increasingly adopt network security infrastructure.
The other driver is the growing adoption among SMBs in tier-2 and tier-3 cities. Since integrated security appliances can cater to the multiple security needs of relatively small organizations, they are also becoming popular in the SOHO and SMB segment.
“Integrated security appliances are witnessing high penetration in tier-2 and tier-3 cities. They offer features such as firewall, VPN, antivirus, antispam, IDS and IPS. Besides, they have features such as content filtering, virtualization, URL filtering and routing,” says Biswas. UTMs are expected to grow at a CAGR of nearly 34 percent. The Asia-Pacific region is anticipated to account for the majority of the IT security solutions market by 2012.
According to analyst reports, UTM products, which passed the $1 billion mark in worldwide market size in 2007, could constitute up to 30 percent of the total network security market by 2012. In India, the market for UTM appliances stood at $42.25 million in 2009, $58 million in 2010 and is poised to keep growing at a CAGR of 30 percent over the next 3-4 years.
With the proliferation of UTM appliances, vendors are increasingly relying on channels to tap the sales opportunity. They expect large demand to come from small businesses and ROBOs (remote office branch offices) supporting less than 25 users.
Says Sighat, “Channel partners, including resellers and other solutions providers, are becoming aware of solutions designed around UTM products. They realize there are immense opportunities due to the rapid growth of the SMB sector. What’s more, B and C-class towns today represent enormous opportunities, and are expected to be growth drivers for UTMs.”
According to Sighat, to achieve its aim of mass expansion, Cyberoam has implemented a regional distributor model that will enable smaller resellers to deploy UTM solutions with small business customers. The company expects to expand its channel base and conducts regular free certification drives to train new partners in smaller cities.
SonicWall has an authorized training center (along with its distribution partner Westcon) to create SonicWall-certified sales and technical professionals. “We are seeing an increasing number of solutions providers eager to sell UTM solutions, and our training initiative is aimed at creating a large base of certified professionals who can deploy and manage UTM appliances and top it up with value-added services,” says Biswas.
Role of regulatory compliance
The changes introduced in the IT Amendment Act 2008 have shifted the focus toward data security rather than just the security of data repositories. The original IT Act called for penalties for damaging computers and computer systems, and unauthorized access to a computer, computer system or computer network was punishable with a fine of up to `1 crore. However, the amendment requires companies to pay compensation even to an aggrieved person whose personal data, including sensitive personal data, may have been compromised while under processing with the company if it were a result of the company’s lack of implementing or maintaining reasonable security practices. The stakes for companies in ensuring best-of-breed technology and a holistic approach to secure their critical data have therefore risen.
Words of wisdom
The security solutions market in India is a minefield of opportunities for channel partners. While certifications and implementation skills have traditionally been important in the security domain, the popularity of appliances has given partners without elaborate skills in the security domain a toe-hold in the market.
Says Satish Das, Chief Security Officer, Cognizant, “It is imperative that channel partners position themselves more as solutions providers and less as product sellers. The important task is to ensure that they keep pace with the changing security landscape and train their staff in new technologies. This has to be backed up with a good local support base which customers can rely on in case of major problems.”
According to Sighat, choosing a broad product portfolio and aligning with a growing vendor are the most important steps for channel partners to succeed in the security domain.
Concludes Ravi Shankar, “Channel partners in the security domain are being defined by their ability to meet the growing expectations for a monolithic end-to-end offering which integrates initial consulting services, appliance and product identification and installation, and monitoring and management.” |