Web of risk

As Middle East enterprises become more global, the internet is used for connectivity and communication between partners and customers. In such an ecosystem, only one link has to give way to create complete chaos.

By Sathya Mithra Ashok. Published January 6, 2008

In an increasingly digital world, security is no longer about how well you protect your desktop or even your internal network. It is about how well you can defend against the potentially malicious connections that will come the firm's way when it connects with people outside its protected network.

In the last few years, enterprises in the region have been increasingly spreading their wings and becoming bigger global players. And this number is only set to grow.

"In general, the adoption level of e-commerce might be somewhat lower in the Middle East in terms of the population but it certainly does happen and certainly in B2B environments. It is pretty common and certainly many business enterprises that operate in the region are global businesses and they participate in global B2B internet relationships," says Tom Scholtz, research VP at analyst firm Gartner.

While this is all very good for enterprises in the region, the broadening of the perimeter to customers, partners and remote employees opens up a hornet's nest of security issues. When an enterprise becomes an extended enterprise, it has to not only protect its own network but also undertake measures to ensure that its entire ecosystem - or the parts which log into its network - is secure as well.

"This is a very important subject. Businesses always work around collaboration. Earlier it was by fax and e-mail. Now it is more in the electronic realm. This introduces more efficiency in doing business and reduces cost and headcount for the enterprise. But it is also extremely important to mitigate the associated risks," says Bashar Bashaireh, regional manager for Fortinet.

As an enterprise improves its connectivity to partners, suppliers and customers - within and outside the Middle East - it is essential to improve security as well since an attack from any of these apparently trusted sources can cause immense harm in terms of data and information loss as well as reputation in the market.

Two to tango

Security in an extended enterprise often starts at home.

"Most organisations start to mitigate risk once they start to define what they are trying to protect. Before a company can start to look at solutions it is important to look at the information asset that it is trying to protect - what is the value of the asset, what is the recovery time for applications which are down, how soon can we get it up and running and can we quantify this risk in insured dollar terms that this is what it will cost the business. Once that framework is in place, it becomes very easy for organisations to define that this is what we want to spend to protect our enterprise from this particular area of IT risk," says Vikram Suri, country manager for the Gulf states at Symantec.

"On a more practical level, protection depends on the nature of the web-based applications and especially information and data resources that are associated with them. If these are financial transactions then obviously you want to protect the integrity of the information. If enterprises are sharing intellectual property such as blueprints and strategy documents, that warrants heightened security measures as well," points out Scholtz.

Defining what is at risk is almost half the work done, according to most industry experts. Another part of the solution lies in the actual technology used to defend enterprise-wide networks.

"Both parties need to trust each other and the infrastructure in order to feel safe enough to do the transaction. You have client authentication for the enterprise where the organisation has to know that the customer or the partner is who they claim they are. On the other side, the customer or the supplier needs to be sure who they are getting in touch with. This involves server authentication," points out Fortinet's Bashaireh.

"Enterprises have to implement security controls at the various levels of the application and transaction spectrum. Firms would need to have user based controls in being able to identify and authenticate the identity of the individuals working on your applications and should also put in place strong perimeter security. It will also prove worthwhile to increase the number of people focusing on security at the data and application levels. This would include people implementing things like encryption of the data and who are involved in improving the general quality and security of web-based applications," says Scholtz.

He adds that regular vulnerability assessments and penetration testing, combined with internal and external audits, are essential elements to keep an organisation on its toes. Most organisations with a large web presence probably do at least four fairly detailed vulnerability tests a year, supported by more-or-less formal internal and external audits, according to Scholtz.

The company would also need to put in place comprehensive yet flexible policy structures defining behaviour patterns for employees - local and remote - as well as authentication and transaction parameters for partners and customers.

However, implementing policy remains a problem globally, and Middle East enterprises are no better or worse than their counterparts in letting policies fall behind in actual working environments, states Scholtz.

Reaching beyond the perimeter

An enterprise might have effective policies and the best technology to address security, but if it fails to convey the message of security to its external clientele and partners, it faces the threat of a carefully planned system falling on its face.

"There have been only a few enterprises in the region which have taken any steps and done their homework in this area. They can implement technology and train their own staff but there is still the other party - the seller or customer who introduces a major element of risk in the web chain," points out Bashaireh.
