Enterprise Apps Special: SecureSpace
Hero Honda bets on information security to maintain integrity
While drafting its new security policy, two-wheeler giant
Hero Honda ensured that its efforts to create a secure enterprise went beyond
IT security to encompass complete information security. Shipra Arora
reports
Enterprise security may not be as critical in a manufacturing
organisation as in the banking, financial services and insurance (BFSI) sector.
Nonetheless, it is important, especially when it comes to a manufacturing company
like Hero Honda, which is extremely dependent on its computer systems and networks
for its operations. A disruption in IT infrastructure could spell disruption
in business operations. Taking all this into consideration, the company has
been constantly evolving its information security set-up to keep pace with its
expanding IT infrastructure. Today enterprise security at Hero Honda has reached
one of the most critical junctures as the bike major has recently created a
comprehensive information security policy.
Information security as opposed to IT security
Enterprise security at Hero Honda goes beyond IT security
to encompass complete information security. The company identified the need
for complete information security with IT security as one of the aspects within
this whole concept. "IT security will take care of only some intrusions.
But for any organisation there is a need to have a clear identification of authorisations
through information classification," explains S R Balasubramanian, vice
president, Information Systems, Hero Honda Motors. The need was to find out
what type of information was there, who should access it and who should not,
in order to ensure complete data integrity.
Information security policy
While the company had some documented policies relating
to various aspects, including IT security post-1999, they were not comprehensive
enough to cover all areas. Increasingly expanding connectivity warranted the
need for a complete policy, defining the security issues both from within and
outside the organisation. The company's plans for connectivity with business
partners included rolling out the second phase of its supply chain solution,
allowing dealers and vendors to transact interactively with the company
on the Net. (It already provides dealers and vendors one-way access to the Web
server.) Furthermore, it is also trying to give employees access to applications
like instant messaging and SAP, especially for field staff and mobile workers.
In such a scenario, which required opening up its systems to partners, the need
for a robust policy was pressing.
A few months ago, Hero Honda started working on its
new information security policy with HCL Comnet as the consultant. The policy
broadly covers around 17 domains. These domains include networking and telecommunication,
back-up, software purchase, use and maintenance, incident management, e-mail,
Internet, access control, password control, anti-virus, notebooks, information
disposal, acceptable use, system development, desktop, information classification,
training and physical security. HCL Comnet carried out the vulnerability assessments
and outlined the areas requiring improvement. These included recommendations
for patch upgradation on various operating systems and networking devices,
as well as for physical security, specifically for the server room. The consultant
also recommended the removal of modems provided to users for directly accessing
the Net from their PCs. Though the connections had been removed, the modems
were left behind, which, the consultants pointed out, created a vulnerability
as the users could plug them in and start using them. According to Balasubramanian,
based on the recommendations of the consultants, the company fixed the loopholes
in its security set-up, including some recommendations regarding the firewalls
and the protection of servers. The company has already carried out the initial vulnerability
assessments, fixed the vulnerabilities and then conducted follow-up vulnerability
assessments to confirm the fixes.
On the other side, Hero Honda also worked on the information
classification part of its information security policy, which didn't exist
earlier. This involves participation from the top management, with user representation
from all the functional areas. The present exercise classifies information
according to its confidentiality, criticality and availability requirements. Apart
from information classification, the access rights of various classes of people
are also being defined in the policy. The functional heads are made responsible
for their departments and endorse the classification of information being done.
Security set-up so far
The year 1999 was the inflection point for the entire
IT set-up at Hero Honda, including information security. The company undertook
a complete revamp of its IT infrastructure with a new architecture, expansion
of its network, IT assets and applications. The security approach has been evolutionary,
in line with these growing requirements. Connecting the entire organisation
during 1999, the company put its mailing system into place. This, however, also
led to the import of viruses into the system, thereby warranting the need for
a complete anti-virus solution. Before this, there was anti-virus software installed
only on a few desktops. The company chose McAfee for its comprehensive features
and good installed base. Hero Honda has now implemented the complete suite,
covering the desktop, servers and mail gateway.
The company first deployed the Total Virus Defence
(TVD) system, which was later upgraded to the Active Virus Defence (AVD) system
around two years ago. Under AVD, Hero Honda is using GroupShield for the Lotus
Notes mailing system, NetShield for NT and Windows 2000 servers and VirusScan
for end-user desktops. AVD is managed through the ePolicy Orchestrator agent,
which is installed on each and every desktop and provides the means to control
the anti-virus applications centrally. According to Balasubramanian, it gives the company
the power to enforce its anti-virus policy, to push policy updates to end-user desktops
and to monitor update progress through graphical reports. With ePolicy Orchestrator,
a new anti-virus policy can be enforced across all the company's offices in just
two hours.
As part of the AVD architecture, Hero Honda has three
AVD servers: at the head office in Delhi, and at the Gurgaon and Dharuhera plants.
The AVD server at Delhi takes care of all head office-based servers and desktops
and all zonal and area office desktops; the Gurgaon and Dharuhera
AVD servers do likewise for their respective plants. All three servers are connected to the McAfee Internet site
through the Net. As a result, whenever McAfee releases new anti-virus DAT
files, all three AVD servers synchronise with the McAfee server and download
the incremental DAT file immediately, which is then distributed to all the
servers and desktops. In case of a virus attack on any of the servers or desktops,
the ePolicy agent reports the new virus back to the AVD server.
Need for firewall
The need for further beefing up the security set-up
beyond an anti-virus solution was felt as the company further opened up its
systems to external access. Around a year-and-a-half ago, apart from providing
Internet access through the proxy server, the company also decided to provide
connectivity with dealers and vendors for information sharing, i.e. they could
directly log in to the Web server. This required the deployment of a firewall
to guard the systems from possible hackers and virus attacks. "This was
the first time that we were really connected to our partners. Earlier we only
had a mail gateway through which we exchanged mail. So, there really wasn't
a need for a firewall at that time. But now, since we are allowing people to
log in and with people accessing the Internet there is the need for a firewall,"
explains Balasubramanian.
Firewalls deployed at Comsat Max
Hero Honda has a
perimeter firewall that serves as the Internet gateway for both the plants and
the head office. It has chosen Checkpoint as its firewall, which runs on a Nokia
box and is managed and monitored by the service provider, Comsat Max. The company's
IT security architecture divides the network into zones, based on the function
of the infrastructure contained therein. The zones created are:
- DMZ zone
- Third-party zone
- Application servers zone
- Critical servers zone
- Security management zone
- Network and system management zone
- LAN & WAN zone
Unauthorised Internet access
Restriction of access to unauthorised sites is handled by
the proxy server, which was deployed around two years ago to give internal
users Internet access. The rules for access control are defined in
the server itself. They specify factors like which PCs have access to the Internet,
the sites that can be accessed, and the time periods during which only certain users
can access the Internet.
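The three factors the article lists for the proxy (which PCs, which sites, which hours for which users) can be modelled as a small rule evaluator. The following is an added illustration, not Hero Honda's or the proxy vendor's own configuration; the subnet, blocked domain, hours and user names are constructed.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class ProxyPolicy:
    """Hypothetical proxy rule set built from the three factors in the article."""
    allowed_pcs: list       # subnets whose desktops may use the proxy at all
    blocked_sites: set      # blocked hosts; a parent domain blocks its subdomains
    business_hours: tuple   # (start, end): window in which ordinary users may browse
    after_hours_users: set  # user names permitted to browse outside that window

    def pc_allowed(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        return any(addr in ip_network(net) for net in self.allowed_pcs)

    def site_blocked(self, host: str) -> bool:
        # walk up the domain: www.example.com -> example.com -> com
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocked_sites for i in range(len(labels)))

    def decide(self, client_ip: str, user: str, url: str, at: str) -> tuple:
        """Return (verdict, reason); the first failing factor decides. `at` is HH:MM."""
        if not self.pc_allowed(client_ip):
            return ("deny", "pc not permitted")
        host = urlsplit(url).hostname or ""
        if not host or self.site_blocked(host):
            return ("deny", "site blocked")
        start, end = self.business_hours
        now = time.fromisoformat(at)
        if not (start <= now < end) and user not in self.after_hours_users:
            return ("deny", "outside permitted hours")
        return ("allow", "ok")


# Constructed sample policy: one office subnet, one blocked domain,
# browsing 09:00-18:00 for everyone, two users cleared for any hour.
POLICY = ProxyPolicy(
    allowed_pcs=["10.1.0.0/16"],
    blocked_sites={"example.com"},
    business_hours=(time(9, 0), time(18, 0)),
    after_hours_users={"ravi", "meena"},
)

if __name__ == "__main__":
    print(POLICY.decide("10.1.20.5", "asha", "http://www.example.com/x", "11:00"))
    print(POLICY.decide("10.1.20.5", "asha", "http://news.example.org/", "22:00"))
```

Evaluation order matters for the audit trail: a request from an unlisted PC is refused for that reason even if the site and hour would have been fine.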
The company has taken various measures to ensure data
integrity during internal access as well. It has deployed PGP software on the
critical desktops and notebooks within the organisation for encrypting data.
Though the software was first deployed around two-and-a-half years ago, the company keeps
identifying and adding critical notebooks and desktops. The information on these
desktops and notebooks is kept in an encrypted folder, which requires
a user name and password to access it.
Furthermore, Hero Honda has built integrity into the
application itself, which is well documented with profiles for each user. Depending
on his/her profile, the user gets the rights for accessing the data. Authentication
is done through passwords.
Future plans
Now that Hero Honda is readying itself for the second
phase of its supply chain initiative of connecting with dealers and vendors,
it is planning to build more components on top of its existing security set-up.
While in the first phase, the company had allowed dealers and vendors only one-way
access, in the second phase it will allow them to interactively do transactions
with the company on the Net. Once the second phase starts rolling out in April
next year, the company plans to deploy additional features like an intrusion
detection system, user authentication and single-user sign-on.
As part of the new information security policy, the
company will be outsourcing the monitoring of all its external access, hacking
and intrusions to third-party service providers with SLAs. "We will outsource
primarily because the third-party service providers have the expertise and resources
to monitor 24x7," explains Balasubramanian. Also, as a policy, Hero Honda
will initiate regular half-yearly audits to check compliance with the security
policy and also to check whether the policy needs a change.
- Number of servers: Over 35 servers (all IBM)
- Proxy server: For providing Internet access to internal users.
- Web server: For providing access to dealers and vendors.
- Wide Area Network:
  Between Gurgaon plant and Dharuhera plant: the primary link is a 2 Mbps leased
  line from Bharti, with RF and VSAT as secondary back-up links.
  Between Gurgaon plant and Delhi head office: a 2 Mbps leased line as the primary
  link. Another 2 Mbps link from Gurgaon plant to Comsat Max and then to the head
  office is the secondary link.
- Connectivity for marketing offices with plants and head office: VPN connectivity
  between 20 locations through 64 Kbps leased lines, with ISDN as a back-up.
- Internet connectivity: through a leased line from Comsat Max.
Hero Honda considers information an important
asset of the organisation, like other business assets, and therefore something
that needs to be suitably protected. Protection of the company's information
assets will be aligned with business needs and goals.
- More security measures (technology + process) for more important data.
- Classification and operation of the system require departmental compliance
  and support.
- Senior management should take overall responsibility so that there is an
  owner for every information asset.
- Public: Suitable or approved for public distribution.
- Internal Use: Data pertaining to employee records, policies, processes, etc.
- Sensitive: Data pertaining to long- and short-term strategies, mergers,
  acquisitions, etc.
Using the Internet inappropriately is against
any company's policy and should be strictly avoided. Inappropriate
use of the Internet could be determined on the following parameters:
- Engaging in illegal activities, including gambling.
- Accessing or downloading pornographic material.
- Solicitations for any purpose which are not expressly approved by
company management.
- Revealing or publicising proprietary or confidential information.
- Representing personal opinions as those of the company.
- Making or posting indecent remarks.
- Flaming (e.g. malicious written attacks directed at someone)
or similar written attacks.
- Uploading or downloading commercial software in violation of its
copyright.
- Downloading any software or electronic files without reasonable virus
protection measures in place.
- Intentionally interfering with the normal operation of Internet gateway.
- Entering into contractual agreements via the Internet on behalf of
the company.
- Use or possession of Internet scanning or security vulnerability
assessment tools, such as SATAN or ISS, without the permission of the
Hero Honda IT head.
- Use of company logos or company material in a Web page or Internet
posting unless the company management has approved it in advance.
- Attempt to inappropriately telnet to or port scan remote systems
on the Internet.
shipra@expresscomputeronline.com