The Hindu Business Line : 4 layers of security

“One should design and build each layer of the security under the assumption that every other layer has been breached and hence it needs to be strong enough.”

Sanjay Bahl

K.V. Kurmanath

Keeping cyberspace safe is a growing preoccupation. Incidents such as the Mumbai terror strikes and reports of data theft or virus attacks highlight the need to constantly keep one’s turf secure.

But how do companies and individuals keep the bad guys, who are determined to find a chink in the strongest armour, at bay?

Sanjay Bahl, Chief Security Officer at Microsoft India, warns that a casual approach could prove detrimental to business interests and feels security should be made a cultural aspect within organisations.

Bahl outlines four broad layers of security that will protect an organisation from intrusions of myriad kinds: The management layer comprises security vision, strategy and risk appetite, the technical layer involves a security model and controls, while the other two layers, operational and legal, take care of enforcement, incident handling and regulatory compliance.

A comprehensive security programme includes both the physical security of facilities, such as restricting access to buildings, and security of IT resources, by way of restricting access to sensitive data and identifying signs of suspicious activity, he points out.

Large enterprises face the additional challenge of protecting assets across centres in different locations, making traditional security strategies too cumbersome and costly.

“If one layer is compromised, it should not translate into your entire organisation being at risk. One should design and build each layer of the security under the assumption that every other layer has been breached and hence it needs to be strong enough,” Bahl argues.

‘Proactive approach must’

He agrees that organisations are increasingly understanding the importance of being and staying secure. “But the approach is mostly a reactive one based on incidents that they suffer rather than a comprehensive holistic, pro active, risk-based approach,” he observes.

“Just allocating some resources on acquiring security tools is not enough. It needs to be part of the organisation’s culture and everyone needs to understand that security is their responsibility,” he stresses.

How is Microsoft setting its own example? Bahl says the company uses its own technologies integrated with third party devices (CCTV, access control devices) for monitoring its physical facilities across the globe.

“Access control (physical and logical) is integrated into other elements of the technical environment,” he says.

In a traditional solution for physical access security, the process of creating new accounts, granting and maintaining user rights is both manual and separate from other HR and IT account-creation processes. These limitations make the process more cumbersome and also cause errors.

“We have developed a system for creating network accounts and issuing physical access cards. The system uses existing information to create the accounts as part of the process that adds the user to the HR system,” he explains.

When a manager hires a new employee, he or she adds the initial information into the HR system.

As soon as this is done, user accounts are automatically added to the Active Directory. The process of revoking access to user rights is also automated. “We have complete solutions for organisations that provide comprehensive protection,” he says.

kurmanath@thehindu.co.in

Related Stories:
Security biz gearing up to tap opportunities