No holds barred

With some 20 companies covering the gamut of commercial sectors, Dubai Holding has security high on its priority list; but any implementation has to support an agile business model and ensure it delivers.

By Colin Edwards, published February 27, 2006

[Photo caption: Al-Azazi: Security practitioners have a lot to learn about business.]

When it comes to spending on security, Dubai Holding has virtually adopted an open chequebook approach to ensuring its information assets are secure.

According to Sabri Al-Azazi, CIO, Dubai Holding, which operates in the fields of media, healthcare, technology, finance, real estate, research, education, tourism, energy, communication, industry, hospitality and human welfare, the group's security team can implement any security solution providing it can prove it is needed and has been subjected to an ROI (return on investment) study.

"We have an open budget for the security guys, as long as they can prove it," says Al-Azazi. "There is no open space for them. They need to apply network security by having firewalls and IDS; they need to apply application security; they need to apply encryption and links security.

"However, they cannot just say we need everything at the same time. They need to take it gradually. You ask him: before you need encryption parts, what have you done to protect the application? You must keep challenging them. If they come up with a very good business case, we approve it," he adds.

Al-Azazi spoke to ACN after a security roundtable held in Dubai. This was organised by Cisco Systems and attended by 15 senior CIOs and security managers from governments, Dubai Naturalisation and Residency Department, DIFC, Etisalat, Emirates, Pepsi, and academic institutions.

The concept of security having to deliver an ROI was alien to some of the delegates at the roundtable. "This was one of the controversial issues at the roundtable. A lot of people object to the word ROI when you associate it with security. I still believe that the security practitioners have got a lot to learn about business. They have got to prove to business leaders the value of implementing an asset," says Al-Azazi.

The roundtable did concur, however, on the need for security to be aligned with the business, saying they realised security is becoming part of their business processes and that they needed strong alignment between security and business. There is a need, however, for greater communication between IT and business.

"Sometimes businesses go ahead and launch a service, maybe even a website, without consulting the security team, that attracts a lot of hackers/attackers on the organisation and puts it at risk. Alignment means talking the same language; being in agreement; having the same kind of thoughts; and not going ahead of one another or lagging behind," says Al-Azazi.

Dubai Holding, as a company expanding within the region and globally, is focusing on making security very flexible and adaptive to support the agility of the organisation. For example, it does not bar user services such as email downloads to PDAs because of the potential security risks. Instead it does a risk assessment and analysis, highlights the risk, and then puts in the right infrastructure to support the service, minimise the risk and mitigate any threat.

"Dubai Holding is no different than any other organisation in terms of applying security architectures. What is different is the dynamism; the speed of implementation has got to be there and in terms of virtualisation, that doesn't have a boundary. We apply security on the systems more than on the perimeter - there is no access control, we cannot because of the nature of Dubai Holding as a business.

"It is a true virtual organisation, or extended enterprise. Our offices are dispersed physically, in Dubai, London, and other parts of the world. These offices need to communicate with each other; they need to have a unique security policy that sometimes there is a standard corporate policy that applies to everybody, and then maybe there is a part of it that can be flexible that exists for an entity somewhere else. You cannot say that this is my perimeter, you cannot access from this point. Even mobility is very hard at Dubai Holding. We have a lot of staff travelling everywhere and they need to be connected to the organisation wherever they are."

While there is a growing movement within the security vendor sector to aim for a one-stop solution, Dubai Holding has opted for a mix and match approach.

"We don't go one brand. The reason is to confuse the attackers. This is an old technique. Like the old proverb, don't put all your eggs in one basket. Within the technology, you have to mix between the layers. Sometimes you go through a Layer 7 firewall; sometimes you go to a network layer firewall. In the case of IPS (intrusion protection system) appliances, sometimes you use them because you have remote offices; sometimes you apply a software-based IPS at your central office. Whatever the case is, it's the architecture you have to build," he says.

As an added security measure, the group is currently looking at implementing tokens as a means of network access control. Solutions are being studied in the company's labs to see if they provide enhanced security compared with current password-based access security.

The next layer of secure access is seen as the use of biometrics. Staff are already being encouraged to use biometric facilities provided by notebook vendors such as IBM, but Al-Azazi foresees larger biometrics solutions being implemented by the organisation to provide physical access control to facilities such as data centres.

While VoIP and the growing concerns over security issues were not discussed at the roundtable, delegates did talk about voice, video and data convergence and how security is no longer just about data.

"When voice is mixed with data people become paranoid and they don't want to use it. Anything over IP will need to be secure: that is the key. Whether it is voice, video, video-on-demand - once you go over IP, security will need to be applied. At Dubai Holding we apply the same security measures that we need for any security infrastructure," he says.

"When we talk about VoIP, there are no two different infrastructures. They are all integrated. But you have to be more careful; you have to protect the wires from being accessed by anybody, and the PABXs, if you are using VoIP, or a call manager if you are using IP telephony. You have to protect all of them," he concludes.
