Post image for Essar: Enhancing business opportunity while managing security risks

Essar: Enhancing business opportunity while managing security risks

by tapangarg on June 2, 2011

When your job entails heading the systems, network, and security of a large and diversified group, you can be sure there is never a dull day at work! From ensuring IT availability to battling threats resulting from an open internet culture, N. Jayantha Prabhu, Chief Technology Officer, Essar Group, tells us how he has managed it all for his enterprise.

As big as it gets

As one of India’s premier business houses, with diverse interests in steel, energy, power, communication, shipping and logistics, and construction, the Essar Group has rich and varied IT needs. The organization employs 30,000 people across the world and has a widespread presence, with operations in more than 20 countries in five continents, and remote offices across the country. The resulting IT infrastructure is naturally expansive and managing IT security then, a seemingly mammoth task!

Consolidating such wide-spread operations with a large user base and rich diversity, required a carefully drawn IT strategy. “Every group-company’s IT department is headed by a dedicated CIO, and in turn all these CIOs forward their business requirements to be driven by the corporate IT team. Catering to such vast scale of business, needed a waterfall approach i.e. top down consolidation methodology,” informs Jayantha, who heads the corporate IT team. One of the key objectives of Essar group was to provide secure web access to employees for business use, including mobile workers and ensure data security, meeting regulatory compliance.

Thus, the challenges were to secure the Internet access, address the organization’s risks pertaining to IT security and Internet policies, identify critical data in sensitive business units, monitor data movement, understand the nature of data leakage, and ensure secure access to data for large organization.

Reality check

As a large, distributed, and connected organization with the existing IT setup, Essar needed to look beyond, as a distributed network can be both, a boon and a bane for the IT team. Explains Jayantha, “There was sufficient exposure of sensitive information residing in the corporate network. As a business practice, we needed to control data leaks over the network and at the end points, but there were no forensics for data leaks and often, no tools for erasing moveable media. This exposed the enterprise to the risk of confidential information being open and untracked.”

Besides the end user, corporate information in any organization is virtually transparent to the Internet Service Provider (ISP). Organizations have no control over the integrity of people and processes at the ISP’s end, making it imperative to secure the privacy of the corporate information. Essar’s own web security too had limited capabilities – a basic web filtering mechanism was finding it difficult to secure thousands of users from the myriad web threats – the latest malware, phishing, and virus attacks. Additionally, pure keyword filtering was inadequate because it was not accompanied by true content filtering, and the manual maintenance of URL filtering lists for every location, was becoming next to impossible.

Essar group required a web and data security solution that would protect end-users against accessing inappropriate websites, and losing data or downloading malicious content via the web and other network protocols.

Websense: smooth and easy

The panacea lay in a single, centrally-managed solution (the Websense solution). The solution identified included Websense Web Security Gateway and Websense Data Security Suite. Websense Web Security Gateway would allow the enforcement of internet usage policies comprehensively. Real time scanning and categorization capabilities of the solution would further enable access to social networking and other Web 2.0 content, without compromising security or legal liability risks. Websense Data Security suite would help the enterprise discover, monitor, and protect the sensitive information. Both, network and endpoint DLP were identified, thereby ensuring the monitoring of all possible channels through which information could leak – email, web, and desktop/laptop.

“We needed a solution that would work well with our existing one. The old one could continue to handle the authorization, while content filtering could be handled by a complementary solution. We also felt the need for a centralized policy server, which would enable better compliance for us, as all Internet communication would go through a common gateway,” said Jayantha.

Critical data within sensitive business units was identified, along with the users who have access to that data. The team also analyzed the processes and channels, which allow the data to flow outside the network and then implemented data protection strategies for those business units. This included access to social networking and other Web 2.0 sites.

“Given our huge global footprint, we implemented the solution in a phased manner to ensure continuity. We carefully implemented, measured impact, and then rolled out at the next location, says Jayantha, “It was also important to segregate critical areas and treat them separately. For example, we had to have differing levels of user access, which we now use to good effect, to provide unrestricted, but safe, web access to our senior management.”

“The Websense solution deployment was very easy and the first one just took fifteen days,” says Jayantha, clearly thrilled with the seamless integration of Websense with other technologies (AD, network device, etc.)

Essar completed the entire project in 4 phases in for 4 different locations each lasting 10 days. The pilot took only 7 days to implement and measure the impact. The entire project was rolled out in 2 months from concept stage. Essar plans to continue deploying the solution as required, per the growing ranks.

The Websense advantage

The benefits have been varied and have positively impacted the group’s efficiency in very real terms. For starters, the solution has enhanced the enterprise’s ability to monitor and assess the risk of critical data getting leaked through corporate networks. Using the solution, Essar managed to reduce the less critical incidents to less than 5% of the total incidents captured. The solution has been deployed to prevent data leaks even when users are roaming.

With Websense Web Security Gateway solution, Essar has been able to enable social networking sites and Web 2.0 content for the employees, as it observed that more and more user communities within the organization wanted access to the sites for business use. “We have been further able to minimize security threats like botnets, phishing, and malware, etc. and provide protection from malicious threats at Edge Network, eliminating reaching endpoint,” says Jayantha.

Essar was able to deal with non-compliance to statutory or regulatory laws enforced by international regulatory bodies. “After the deployment, we didn’t observe any non-compliance during the recent audit done by our consultants with respect to data leaks,” say Jayantha.

Apart from helping create awareness amongst the employees, the solution boosted the productivity by controlling the user Internet behavior. “Where previously, it was difficult to gauge just how productive web usage was within the group, we now have detailed, authoritative reporting,” beams Jayantha, clearly pleased with Essar’s solution for the web security issues. “Our web usage is now secure, productive, and in line with corporate policy. This has ensured compliance as well, as errant users are now aware of their web usage.”

As an additional gain, Essar has saved almost Rs 50 lakh in bandwidth requirements alone, where earlier they were struggling under user demand. This has resulted from the boost in productivity as a result of better network utilization.

The solution further helped in obtaining forensic details in case of an incident. “We have a log retention for a specific period and can derive all forensic details to analyze specific incidents if required,” informs Jayantha.

Despite the apparent benefits, CIOs today perceive large transaction overheads such as data classification to segregate the sensitive and confidential data; and securing of buy-ins from the employees and top management. We are keen to know what advice Jayantha would like to offer to CIOs facing this dilemma, “Well, it is critical to analyse the impact before rolling out any security solution. Please anticipate and plan remedial actions against any post-implementation crisis. But at the end of the day, business continuity and benefits are paramount – if you have a solution ensuring that, why not go for it?”

Related Posts:

Previous post:

Next post: