Post image for Getting it right – at the Nucleus of content security

Getting it right – at the Nucleus of content security

by amarinder on July 28, 2011

It’s a catch-22 situation for many CIOs and Senior IT managers, who manage security today. Opening up their Internet access seems equivalent to inviting trouble in this ever competitive world, while limiting access amounts to a restrictive, even retrograde practice, which could affect hiring, marketing, and attrition levels. How then, does one achieve the elusive balance? Rajesh Garg, Vice President and Head – Information Systems Support, Nucleus Software, smiles through such questions. For he has found the answers to keep their global workforce happy and productive with restricted Internet access while reducing the number of security breaches by almost 95%; and these too are blocked. We ask him to tell us how he made it happen.

Taking the bull by the horns

Most businesses know that opening up Internet access is soon going to be an imperative; more so as it is linked to sales and marketing, recruitment, HR practices, and attrition. Companies therefore, need to be proactive about putting in place solutions that permit easy access without affecting their security policies. Rajesh Garg nods in agreement.

But just over a year ago, the story at Nucleus Software was similar to that of many other Indian IT products and services companies. As a key player in the lending software space, Nucleus financial software solutions are used by many leading global financial institutions across the world. The enterprise is in turn, responsible for handling sensitive and confidential information customers (read loans, credit cards, and cash management solutions from some of India’s most prominent banks.) With 1600 people across the globe, the enterprise needed strong, error-proof data leakage prevention strategies. This naturally meant no Internet access through laptops and desktops until data security could be assured.

Necessity spurs invention

However, closed access meant lost opportunities. Specially for the enterprise’s 10 sales and marketing offices in Singapore, Mumbai, US, UK, Dubai, Netherlands, and Korea.

The enterprise initially toyed with free access through laptops, using a proxy server to monitor their use. Laptop users had access to the Internet, but they also carried some amount of source code on their machines for customizations at customer sites, making it difficult for Nucleus to track the loss of the Intellectual Property (IP). The proxy logs were hardly simple or effective, and were at least 100 MB each in size; thus hindering their sanitization. It was almost impossible to restrict access based on department, employee profile, website content, or keywords. Says Rajesh, “Access at Nucleus was of a binary nature – you either had it or you didn’t. But everyday, we would get requests for Internet access for business reasons. Sooner or later, we knew that, even if we had no way of auditing the use, we would have to open up access,” he quips. But the IT strategist was not a man to give up easily.

Belling the cat

Before throwing open the doors, he decided to explore web and data security solutions. While the traditional anti-virus solutions existed and could be deployed to meet some needs, Nucleus wanted a water-tight solution to help the enterprise handle the security comprehensively. Through the evaluation emerged a solution that seemed like a perfect fit: Websense. Before he knew it, Garg had commissioned a Proof of Concept (PoC).

“Three months later, the enterprise had a detailed report of the security breaches and unplanned data sharing activities across the enterprise – data being posted on various sites, resumes being shared, carrying source code on the laptops, copying data to the USB, and what have you,” adds Garg who managed to get senior leadership approval in no time. “After the report came out, we got approvals to purchase the solution in few minutes!”

Bulls eye, and how!

The two-part Websense solution included pre-defined rules as well as customization features to ensure IPR (Intellectual Property Rights) protection for Nucleus. Based on 200 patterns of source code from Nucleus, Websense created a series of security patterns to be deployed at the gateway level. Further, all critical HR policies, financial documents and annual reports, and marketing collateral, were fingerprinted. This meant that the gateway would screen these documents and clear them for sharing via mail only after receiving relevant approvals.

Today, the same policies apply across the organization as well as when the users are mobile and not within the office premises. Each time the gateway blocks data and mails, a copy of it is quarantined, as well as sent to the department head for approval. Another copy is returned to the sender, while yet another one goes to the IT department. Within few minutes, an approval is sought and the document duly released, if approved.

The early bird…

Nucleus has been one of the early adopters of such a solution in the IT industry. We ask what has it brought them? Open – but restricted Internet access across the board, to begin with. Nucleus has also been able to free-up 35 computers that were exclusively marked as Internet browsing kiosks at their Noida development centre. The HR department has benefited largely while the marketing team now has access to the business-related social media they need. With the solution in place, Nucleus has been able to sanction the availability of certain sites, based on various internal functions.

Besides saving INR 10 lac by de-allocating computers from the Internet browsing kiosk, Nucleus now has 100% end-user Internet browsing. However, Garg is quick to add that the time people were spending on non-business sites has been restricted, thereby improving productivity and saving man-hours per employee.In terms of URL filtering, the enterprise has saved 30% of bandwidth.

Of course, the ISO had to deal with initial change management issues, but they were easily overcome. And, now, the solution “Has resulted in the non-compliant events reducing to 10-15 today, from 50-100 earlier; and these too are successfully blocked,” beams Garg. He claims that lack of acceptance of the procedure is only a mind-block in people who have not experienced it. His department, which had already been following the ISO 27001 standards for security, have now secured one of the most critical levels of control an IT team needs on the infrastructure; and this indeed, is a much-coveted feather in their cap!

Nothing ventured, nothing gained

Today, Garg’s advice to CIOs/CISOs is unambiguious where the quest for security is concerned, “Do not hesitate to take the risk, if at all you can call it that. Even if you haven’t explored it earlier, a solution provider can help you in technology innovation only if you take the first step.”

Truly, fortune favours the brave. And with an enterprise’s data security and policies at risk, there is indeed a lot to be gained by proactively seeking smart solutions.

Related Posts:

  • Ritamallick

    wow! that’s a great acheivement……all the best!

Previous post:

Next post: