Safe as houses
Attacks on government IT departments have been among the most high profile hacks in the Middle East region.
Due to the variety of organisational functions, locations, and the type and sensitivity of data collected by official organisations, there is a very wide range of approaches to security and to the levels of protection put in place, and vendors reflect that diversity in the range of their offerings.
"We offer several types of security measures and technologies specifically aimed at government customers. Typically to gain entry into a system you will have several different layers of authentication. These include biometrics which could act as the first level with the second being a solution such as a smart card reader. In addition they could also do full disk encryption hard drives. This means that the hard drive becomes inaccessible to others," says Raad Nimri, client marketing manager, Dell.
TagStone specialises in wireless technologies which are used to monitor and identify locations, people and assets. "We use technologies like RFID, biometrics, GPS and related technologies to monitor and identify things people care about. In fact the most active area of wireless business intelligence is in asset management. It is equally important in datacentres and there you have the issue of diversion or theft together with having to be able to monitor normal business processes," explains Mike Meranda, CEO of TagStone.
Meranda and his team do much work within the government sector in the Middle East and Meranda says that they are most often contracted to secure facilities and officials. "We also do a lot of work in supporting identification identity in cases like who enters the datacentre and so on," Meranda says.
Identity identification gives the IT team the ability to interdict when a theft is taking place. If an unauthorised individual walks into a datacentre the IT staff is immediately alerted and can intervene in the case of an attempted theft, be it of physical assets or data.
Security services aimed at the government sector are increasingly influenced by compliance and regulation. Many vendors and solutions providers now offer specific services aimed at meeting the latest international standards.
"We have security frameworks developed internally based on ISO 27001 and many other best practices. Our services in security consulting cover the Global Information Security Standard (ISO:IEC 27001:2005) with the holistic approach to implement secure business practices," says Ahmed Baig, security consulting manager, EHDF.
Baig also advises users to make use of EHDF's security assessment and auditing service. EHDF recommends that the government sector protect itself through penetration testing and vulnerability assessment, in order to identify the technology weaknesses in customer infrastructure and applications.
What is being done?
Government institutions are constantly engaged in upgrading and protecting their systems with each one instituting different policies and structures.
"We see that the level of detailed security or framework that is being built clearly depends on the type of organisation. Many government and e-government entities have been far more advanced in the security implementation programs as opposed to those government areas which are more judiciary or more non-consumer facing organisations," says Guru Prasad, general manager networking, FVC.
Prasad points out that in some government organisations the level of security is limited to simple product deployment rather than a framework. According to Prasad, while there is a very good level of implementation of primary security, in solutions such as firewalls and intrusion prevention, there is less when it comes to web security or a security framework.
Bulent Teksoz, regional technology manager, Symantec MENA has seen data loss prevention coupled with endpoint protection become hot topics for governments. "Government organisations have been moving from a stand alone antivirus solution to a more comprehensive endpoint security suite. In addition I have also seen central log and incident management also emerge on the priority list of the organisation."
Although it is difficult to get many details regarding the security measures in place in government, Meranda and his team recently completed a major project in the region.
"Within the UAE we have just completed an implementation for a military and defence organisation. We have biometrically registered all the workers in the organisation and at the same time tagged all of the weapons and ammunition and simply matched the two," says Meranda.
"We can do things like secure the armoury and when the users need to get in to it we can unlock it and record each individual weapon and so the organisation knows who has what," continues Meranda.
Working with government and its affiliated branches and organisations is not without its hiccups and specific challenges. From privacy through to the relatively large size and increased layers of approval required, many obstacles need to be negotiated.
"We have found the main challenge when offering services to government departments is providing knowledge of the client environment and the overall government infrastructure as there is a lot of interdependencies and connectivity as risk points - especially, connectivity to central bodies or other departments," says Baig of EHDF.
"Sharing the internal information is a challenge. Rightfully, government organisations are very concerned about how much information they can share with the vendors, as they work with many. Similarly, this internal information could include security policies in place. Logs files to travel across boundaries if needed may also become an issue," agrees Bulent Teksoz.
Costin Raiu is the chief security expert at the EEMEA Research Centre for security major Kaspersky Lab. He has on occasion seen that cost can be an important factor.
"Often times projects are put out to tender and the cheapest solution taken. However security is a complex process and the costs associated with high quality protection are not small. That means that the cheapest product is not necessarily the best and when it comes to security, quality is essential," he says.
Guru Prasad of FVC has been involved in providing security solutions in the region for many years and he has noted a few key challenges when it comes to governments and security.
"There can be issues of mandate. Security as a need is understood but does not get the proper executive approval. The traditional security systems are part of the budget but when it is down to the serious stuff like laying the frameworks there is not much support," says Prasad.
"The second thing is the various understanding of the severity of the many threats. That is something that will change with education and experience. For example if you look at web application threats and web application security there is not a lot of understanding in that area," he continues.
Balancing the books
When it comes to spending budgets and raiding the national coffers, the government IT manager needs to decide how much importance he or she places on security. In most cases, all agree that putting an exact number on it can prove to be a quandary.
"We always try to get them to set aside a minimum of 10% of the overall IT budget and in some cases they do and in some organisations they will set aside almost 15% of their budget for security. This, in my opinion, means they really take it seriously but to be honest there are not that many who put that money in and it's very difficult to put an actual number to it," says Prasad.
"The difficulty arises that in the case of an entity like the army a case could be made for spending 90% of the budget while another department may require much less. It is definitely situation specific," says Meranda.
Security within the IT departments of government organisations is of crucial importance because, by their very nature, they hold a wider and more sensitive range of data than any private organisation, making it essential that IT professionals stay up to date with threats and lead their organisations to higher levels of security.