Data safety

The biggest threat to information security is from inside the company. Enterprises in the Middle East are quickly waking up to this fact, and are starting to deploy highly complex security solutions to encrypt critical data.

By Abeer Saady, published September 20, 2005

A growing number of enterprises are making conscious decisions to invest in securing their sensitive information. Although there is greater awareness of the increasing dangers from hacking, malware and spyware, and the risks associated with not keeping critical corporate data secure, enterprises in the Middle East have not, until now, been doing enough to keep their sensitive data secure, according to industry experts.

Analyst firm IDC claims a large percentage of companies are only just waking up to the notion that they are playing with fire by not taking the necessary precautions with data security. “Corporations are realising the importance of their business-critical data and know that they cannot afford to cut corners when it comes to securing it,” states Heini Booysen, program manager for IDC in the Middle East and Africa, continuing: “Data protection is the main driver in spending and end user demand for additional capacity will only continue to heighten.”

The consequences of leaving data unsecured range from financial expense, such as losing revenue, incurring penalties or fines and paying out to cover the extra working hours needed for employees to undo the damage, to risking an enterprise’s reputation. By making the right investment in securing data storage, it is possible to sidestep all these risks.

The Financial Times (FT) turned to EMC Consulting to unlock the full potential of its IT infrastructure and storage investments. The FT needed to gain better control of its IT infrastructure costs and create a solution-focused IT organisation, which would allow the company to better align business goals to IT projects for faster application development, thus achieving a quicker return-on-investment (ROI).

With 24TB of data in a Sun/Unix/Windows environment, the FT’s storage management was decentralised and unco-ordinated, and security levels needed to be addressed. The company’s new CIO was under pressure to cut costs by 20% but still grow the business. “We found many areas within our storage infrastructure that could be refined to deliver significant business benefits and cost savings,” explains Chris Hunter, head of services delivery at the Financial Times.

It is only logical that, as dependence on technology grows, enterprise systems will become more memory-hungry and, in the Middle East in particular, the very nature of the emerging market means the swift growth that can be witnessed in many sectors is fuelling demand. Alexandru Duca, manager of IT at Salalah Port Services, says the streamlining of other business practices also leads to a burgeoning in storage security requirements.

“As more companies turn towards automating their systems, moving towards the paperless office ideal, the generation of data increases,” he states. “The improved systems allow better reporting and greater productivity.”

However, the growth in data is not necessarily being matched by an equal and parallel growth in deployments of secure storage infrastructures by organisations in the Middle East. After automating the business, the second phase to be tackled should be the securing of the newly generated, business-critical data. Tarek Abd Monem, general manager for Orascom Technology Solutions, says the region’s problem is that a lot of end users tend not to invest except following a major infrastructure crisis.

Disaster recovery (DR) strategies are only established after a business is subjected to problems and storage security needs are only addressed after the value of data is realised following a loss that causes major disruptions to business operations. "The end user has to think and have a vision to build a strategy before a breach — waiting until after the worst has happened is too late. Anything related to security should be seen as investment to protect the company's future," Abd Monem adds.

The ideal storage system is not only one that provides faster storage and retrieval of information or one that scales to more terabytes, but is also one that will ensure that today’s data will still be available tomorrow and that data is not available to an unauthorised person. Previously, the uptake of this type of technology in the Middle East has been relatively slow. However, according to EMC Egypt’s country and channel manager, Mohamed Abo Allil, "The Middle East used to have five years lag with usual technology coming from initiative companies."

Historically, security has been focused on the perimeter and keeping the bad guys out. Over the past few years, however, the focus has shifted to the intranet and internal security. Statistically, the biggest threat to an organisation’s security usually comes from internal sources. As most companies are primarily concerned with implementing security solutions to target external attacks, they tend to neglect those that originate from within.

"There are companies that spend thousands of dollars on firewalls, content filtering, antivirus and other security tools only to then have an employee destroy all of this by downloading a virus,” says Mohamed Omar, manager of Computer Associates (CA) Egypt. “This is the backdoor. The company needs to have internal security tools to detect who was responsible for this damage,” he adds.

Indeed, while the vast majority of employees are trustworthy and strive to contribute to the overall success of an organisation, the actions of one wayward employee can wreak havoc on corporate strategy and image. In addition, there are individuals and companies that seek personal gain from the exploitation of information gained from seemingly legitimate business relationships. It is for this reason that Sun Microsystems sees the primary concern of most of its customers to be centred around data access authorisation.

Whether the people concerned are the company’s own employees, or suppliers that have access to the organisation’s systems via portals, managing changes in user access as roles change or when employees leave the organisation is the biggest challenge, especially where a customer has multiple systems to protect, according to van Antwerpen.

"Data security requires a combination of features, encryption being one of them. However, access by an organisation’s own people is increasingly the thing which needs to be managed," he says.

Ahmed Samy, managing director of HP Egypt, affirms that it is important to understand that internal threats refer not only to malicious intentional attacks, but also to non-intentional human errors that result in data loss. He believes a good security policy must seriously consider both possibilities, as it is almost impossible to anticipate where the next threat will come from.

“The awareness of the possible threats and accordingly the adoption curve of emerging storage security technologies are higher in other regions of the world," Samy says. "In the near future I would not be surprised to see government regulations forcing the use of cryptography in specific data storage security applications especially those involving offsite storage of tapes," he adds.

Enterprises in the Middle East have only recently started to put security on their storage agenda and now the vendor is seeing greater growth in the region than in the European market. The combined Europe, Middle East and Africa (EMEA) region is quick to recognise the need for storage security.

As Gerard van Antwerpen, data management architect for Sun Microsystems, states, in light of financial disasters such as those of Enron and WorldCom, and the efforts of many industry bodies to introduce regulations such as the Basel II directive that governs the financial sector’s data retention priorities, regional enterprises are coming to accept the need to protect vital data.

“Legislation such as Basel II, and the recent wave of incidents involving organisations having their back-up tapes lost or stolen, have changed many organisations’ approaches to security as it pertains to the data protection process,” says Tony Prigmore, senior analyst at the Enterprise Strategy Group.

According to Oracle, its customers that are tackling encryption are primarily those that will be affected by new regulations, such as those specialising in highly secure operations such as civil defence, or carrying out critical transactions on the web. Indeed, the financial services industry is a prime example of the criticality of data integrity as there is now worldwide scrutiny of financial systems and severe penalties in place for companies that do not meet the international standards.

In the name of operational transparency, legislation across all verticals means corporations are required to store vast quantities of information for longer periods, often in high-availability environments. As it strives to open its doors to foreign investment, and with developments such as the Bahrain Financial Harbour and Dubai International Financial Centre, the Middle East is now starting to feel the pressure to conform to these industry regulations increasingly strongly.

Oracle server technology’s principal product manager, Mohamed Al Ojaaimi, anticipates that more organisations will be forced to implement data security procedures to bring state-of-the-art capabilities to address rapidly emerging requirements in the areas of privacy, regulatory compliance and data consolidation. In the insurance sector, securing storage is considered to be of vital importance.

For more than 12 years, Technical Business Application Systems (TBAS) has been working with companies in the insurance market to provide customised security solutions. "On issuing a life insurance policy, data is not kept for a limited period, a physical year for example, but it may extend for 25 years," says Yasser ElAntil, managing director of TBAS. "Just imagine the crisis that may happen if this data was lost, and you would know how important secure storage for insurance sector is," he adds.

For the telecommunications industry too, booming business means that ever more data is being produced by telcos. With technology no longer a key differentiating factor, the price, service quality and overall customer experience are critical and operators are forced to make more productive use of customer data.

“Deregulation is driving huge investment on the part of telcos in the region,” says Bashar Kilani, manager of IBM software business in the Middle East, Egypt and Pakistan. “They are investing in a variety of technologies to help them cope with the more competitive market — upgrading their storage infrastructures, improving their networks and streamlining their business practices. It is certainly a time of major investment for the industry,” he adds.

Part of this major IT investment is being spent on secure storage. For telcos, the fact that all call detail records (CDRs) have to be stored for up to five years, together with twice-yearly audits, means that data consolidation and unification are a must. However, operators face a particular problem. The issues of knowing what data is critical, which records need to be retained, and at what level of accessibility, are compounded by the evolving landscape of the industry.

In Kuwait, the number of mobile phone call minutes per month is one of the highest in the region and, as a result, the capacity required by Wataniya Telecom to store call records for all its customers is an ongoing challenge. “In our field the legislation [pertaining to] all the various documentation and data we collect could change at any time and then we may find we need immediate access to something we do not have or have to search for,” says Fawaz Bassim, IT infrastructure, operations and support manager for Wataniya Telecom.

“We have to store everything, just in case and as our customer base continues to grow this is proving to be problematic — we have to add to the system on a daily basis just to keep up,” he adds.

Bassim describes his organisation’s current infrastructure as disparate, with services having been quickly launched without a long-term vision. He also says, however, that, like most businesses, the focus is now on data, storage and server consolidation.

The telco is currently in the process of drawing up an effective roadmap for information lifecycle management (ILM), an approach to managing the flow of an information system's data and associated metadata from creation and initial storage to the time when it becomes obsolete and is deleted.

“ILM is the foundation of a flexible and secure infrastructure — one that can be tiered, share and provide intelligent movement of information — and that is the type of environment where virtualisation can be most successfully leveraged,” says Mohammed Amin, regional manager for EMC Middle East.

Wataniya believes an ILM architecture will contribute considerably to its storage security, while at the same time enabling it to gain better insight into the use of its resources. It is also hoped that by taking a more centralised approach and shifting to one standardised, single capacity storage area network (SAN) the architecture will be easier to provision.

However, Wataniya cannot afford to have any down time and has to make its migration from database to file system slowly and on a step-by-step basis. Ultimately though, this should prove to be a worthwhile move: “Overheads will be lowered by 20% and we will be able to achieve consistency across our different services,” Bassim predicts.

Hesham Zaki, CIO of Qarun, says that, for an oil company, securing sensitive data is a top priority. He says the company’s adoption of CA's security solutions was essential, especially for intrusion detection for its databases and networks. "We exchange important data across our work location sites on- and off-shore. Encrypting this data is a must in order to avoid theft or violation of it. Encryption leaves no room for any dangerous possibilities,” says Zaki.

Security has always been a major problem when implementing mission-critical information systems, where data represents sensitive and valuable assets whose integrity and confidentiality are at stake. As some of the missions of the United Nations' World Health Organisation (WHO) are in areas of extreme difficulty such as Iraq and Somalia, it is an organisation in need of secure storage and exchange of data. In addition, if the field office is in a place where there is an epidemic disease there must be security solutions that can keep data centres up and running 24/7.

"This is why our concern is not only accessing data, but also having a data recovery plan to restore data. There are three levels of data access that make up truly secure data," says Ahmed El-Arousy, national professional officer at the Eastern Mediterranean Regional Office of the WHO. "Firstly it needs to be secured on a strong network; secondly it must be available all the time to only those users who are authorised to have access to it, and thirdly it has to be safe even if the building is burnt down," he states.

While data encryption should not be used as a substitute for access control, storing data that has been encrypted provides an additional layer of protection on storage media. This helps protect sensitive data such as credit card numbers in the event of theft, which can occur due to poor physical security, operating system configuration or back-up processes. "I would recommend enterprises secure data on disk against any storage attack," advises Oracle’s Al Ojaaimi.

Storage security comprises a set of long-term processes that require a comprehensive understanding on the part of enterprises, their IT departments and solution providers of each organisation’s specific needs and priorities. This understanding, however, also needs to extend to the culture of the Middle East region, as Ayman Esmat of Internet Security Systems (ISS) Middle East emphasises.

"We have a culture in the Middle East that is based on trust. As a result of mixing with others from different cultures, the cautious approach of other cultures is starting to spread to our own, bringing an understanding of the importance of processes such as encrypting data," he explains.

It is important for CIOs to remember that even the most secure storage architecture will not automatically provide a blanket resolution.

A robust technology may use up too much of a company’s budget while not providing the necessary level of accessibility and availability to the users, proving to be an inefficient and expensive investment that offers little ROI, as Dr Sherif El Kassass, senior security consultant for Raya Integration, points out.

“Encryption can be a double-edged sword. It is an important tool, but it must be controlled and managed carefully or it can do more harm than good," he warns. "Encrypting data is just part of the security issue. Security is formed of different components, not products. No one is 100% secure, but a company has to try to reach 99.9%," he concludes.
