Web wise

With a lack of interest in standards and legislation, industry players believe enterprises are confining themselves to be forever behind mature markets in terms of e-transactional security. Some others, though, see it as an untapped opportunity.

By Sathya Mithra Ashok. Published June 6, 2007

Photo: Faisal Khan, senior security consultant for McAfee in the Middle East

Online transactions are a new kid on the block as far as business interactions with customers go in the Middle East. As the booming economies of the region open up to doing more business with international firms, internet interactions and online consumer oriented practices are on the rise. With this comes the need for securing transactions over the net.

“Transacting with a large number of people on the web creates its own specific problems. To ensure that this happens smoothly enterprises will have to put in place the right security solutions,” points out Tim Packard, area VP – international marketing at RSA Security, now part of EMC.

“The Middle East is starting to adopt online practices that are similar to the ones in mature markets like North America and Europe. More and more businesses are beginning to interact on the web. Online businesses need to take their transactions seriously and work on protecting them as best as possible,” says Neil Batstone, territory manager for VeriSign.

Vendors state that even as the market for web transactions grows, regional enterprises display a contrast, in that they adopt certain technologies and practices while leaving others untouched. In a rapidly evolving market, these holes have to be closed very soon for enterprises to leap to the next stage much faster and with much fewer hassles.

Technology decisions

“There are two parts to transacting on the internet. One is the process of letting the good people in. This we call secure business enablement. The other involves keeping the bad people out. This you can term infrastructure protection. Key to both processes is identification. Not only do enterprises have to identify who is trying to access their networks, but end users have to know for sure that it is the right firm to which they are providing personal information,” says John Pescatore, VP distinguished analyst in infrastructure protection at research firm Gartner.

The common method of username and password is the base level of authentication when working on the internet. Vendors and analysts state that Middle East enterprises with a strong online presence should push beyond and put in place more authentication tiers.

“There are several higher levels of authentication methods available for the internet. These include secure ID cards, PKI cards or other smart cards. These have been used by more mature markets more often but I would say in another six to seven months we will see more of this usage in the region as well,” says Chris Woods, business manager for Middle East, Europe and Africa for Thales e-Security.

“Likewise, customers need to be sure that they are interacting with the right service provider when on the net. Phishing has grown to be a true menace these days and it is crucial for end users to know what to watch out for when they are providing information on the net,” says Batstone.

According to him, enterprises should educate customers on the things to watch out for when they are on the internet, including looking out for proper SSL certification. Packard advises firms to put elements in their sites, like digital watermarking, by which customers can be extra sure that they are entering information on the right portal.

“In order to make sure that businesses keep the bad guys out of their networks they would need to look at security from many angles. This includes putting products and practices for protecting the servers, the network and the application level. Attacks are getting more sophisticated by the day and enterprises need to be on their toes to make sure they don’t become the victim one fine day,” says Gartner’s Pescatore.

Technologies for these would include firewalls, IPS and IDS as well as various spyware and malware programs along with additional application level security solutions.

The other side of the coin

Security, like much else in the world of IT, does not function in a watertight technology compartment. There need to be supportive practices implemented by the enterprise to ensure that the technology works for business benefit.

“It is a combination of hardware, software, people and processes. You need to have the right people on board to formulate and implement the right security policies for a company’s infrastructure, whether it is internal or external, on the internet. These policies need to be implemented with the right combination of hardware and software as well as the people to manage it correctly so that the interests of the enterprise are well looked after,” says Bashar Bashaireh, regional manager for Fortinet.

Faisal Khan, senior security consultant for McAfee in the Middle East, agrees, saying: “Security is governed by three core components which have to complement each other. Organisations need to have security risk management processes in place to effectively keep up with the current security threats and proactively address them. People are the fundamental base tying up all the components, and the least focused on by enterprises. Organisations need to invest in security specialists and have certified people on board in order to ensure that their security solutions are being handled by the right qualified security personnel.

“Technology is highly focused upon by most organisations but is often backed by null or outdated policies, and non-security professionals. The most important aspect is to effectively place and use the security technologies to address the organisation’s needs and business interests,” adds Khan.

Rinaldo Ribeiro, senior manager for IT security at the Commercial Bank of Dubai, echoes this view when he states that the bank constantly assesses risks and identifies the right controls to protect the business as a continuous and consistent process.

“We implement information security programs in such a way that existing controls are permanently reviewed and risks are mitigated. Security projects and controls at the bank have the primary goal of supporting the organisation’s business objectives,” he says.

“For example, if our business objective includes a new enterprise internet portal, the corresponding security plan would include all necessary measures to support it.

“In our case, this would include strong identification and authentication (two-factor), web security gateways (web application firewalls), vulnerability management process and independent security reviews. By analysing risks and defining minimum security requirements, a baseline would be created to allow secure access to the bank’s resources. The whole process is constantly monitored and improved,” Ribeiro adds.

Photo: Neil Batstone, territory manager for VeriSign

The state of the market

A neat coming together of technology and process can determine the success or failure of a business’s efforts on the internet. Unfortunately, most industry players state that many Middle East enterprises still lag behind in putting in place not only the right technology but also the best practices that are needed for assuring a good security foundation.

“I have seen a high level of concern over security in the region. But as far as practices go, there are some areas that are not on par with the rest of the world. This includes use of IPS and IDS systems as well as application level security. But there are other areas, like in the areas of identifying and registering authenticated users, that Middle East enterprises beat many of their counterparts in more mature markets,” says Gartner’s Pescatore.

“There is not enough interest in the region of the benefits that application level security can bring. Most tend to look at internet security in terms of the hardware. Let’s take application firewalls for instance. Most websites do not have that in place and it is a relatively new technology. Yet it is crucial for ensuring security over the internet,” says Reshma Naik, ANG system engineer at Citrix.

According to Naik, there has been a 90% decrease in virus level attacks and a 75% increase in attacks which look to rob sensitive data from enterprise networks. She claims that traditional firewalls and IDSs are not capable of handling these attacks and that application level protection is necessary to prevent important information from leaking out.

“Moreover, most enterprises in the region do not tend to pay enough attention to building their applications based on international standards. They do not follow many of the practices that ought to be followed in developing these programs. That leaves a lot of vulnerabilities in the program itself that are open to attack by hackers,” Naik adds.

While general security measures of Middle East enterprises on the internet follow the basic patterns discussed earlier, it is true that companies across certain verticals implement and apply security more rigidly than others. These are pushing a trend towards better awareness among other vertical sectors.

First among equals

“Any sector providing an online service that deals with confidential information, whether it is of personal or financial nature, needs to be extra careful about protecting online information,” says Dharmendra Parmar, regional marketing manager at FVC.

That being so, not all companies in the Middle East which work online put the same security measures in place. Banking and financial services lead the pack in implementing and following international technology and practices to ensure the highest levels of safety for customers who transact on the internet.

“Banking institutions follow the strictest of measures for ensuring security on the internet. This is because of the sensitivity of the information they handle from their end users. Moreover, most banks run on a platform of trust from their customers. This trust and reputation would take a huge hit, which is sometimes unrectifiable, if there is a major data loss or the security layers of the bank are breached by hackers or phishing scams manage to lure customers into giving information on false sites,” points out Batstone.

“Nowadays, travel agents, online booking agents and airline carriers are also looking at security in a new light and putting in measures to ensure security. Carriers like Air Arabia, which do a lot of customer interactions on the web, cannot afford to lose data or have their systems corrupted. They stand to lose a lot of money and customer confidence,” he adds.

The adoption of security practices by these industries results in slow but sure knowledge transfer down the line to other industries. Many in the industry believe that precise and comprehensive government regulation and legislation would go a long way in pushing awareness and ensuring faster implementation of security measures.

“The Middle East is still in its infancy as far as the legalities and laws that are related to cyber activity are concerned; although the process has been initiated we have a long road before execution is seen,” says McAfee’s Khan.

However, there are others who believe that government legislation could actually hamper the process.

“We have found that government regulations in many countries can often inhibit businesses in their core process of selling more on the net. In general it is better and more effective when standards are put in place by industry bodies. This would include baselines set down by the payment card industry. These outline what companies should have to transact online and have been put together as a collaborative effort between major players like Mastercard and Amex. It will be rolled out in July across Europe followed by Asia,” says Pescatore.

He emphasises the increasing e-governance practices as a good sign for promoting security awareness among enterprises in general.

“We have seen that one major benefit when there is a strong e-governance practice in countries is that it pushes up confidence levels of end consumers and it also provides for strong authentication for enterprises working over the internet. When the government provides smart cards to consumers, this can be used across other sites and acts as a great enabler of secure e-transactions,” states Pescatore.

The knocking opportunity

The few, mostly from the banking and financial sector, along with certain governments in the region, are pushing awareness on internet security which is aimed at creating a snowball effect. The process, though, could prove to be too slow for the Middle East, even as the rest of the world races towards higher security and best practices on the internet.

With a lack of legislation controlling e-practices, there are some who believe that regional enterprises might be stuck with constantly lagging behind mature markets as far as transactional security goes. Others, though, see this as a phase of opportunity for the Middle East.

“There is an opportunity in the Middle East. Enterprises can learn from the mistakes made in more mature markets and do it much better than it ever was there. They can start off by building more secure applications and a much stronger foundation, which means that they would have to spend less money and effort on building security layers on top of programs. The idea is to build quality applications, with fewer vulnerabilities, rather than include more security elements to keep protecting them,” concludes Pescatore.

One would have to wait a bit, though, to see how many enterprises turn the present situation into an opportunity and how many fail on the way to a secure internet future.
