Shaping the shield
Orascom Telecom's IT security team is working on everything from a disaster recovery plan to the implementation of a uniform defence policy to move the organisation's protection standard to a higher plane
The situation that Orascom Telecom found itself in recently is one that will ring familiar to many IT managers across the region.
With more than 80 million subscribers as of the end of March this year, Egypt-based Orascom is among the largest and most diversified network operators in the Middle East, Africa and Asia. At the organisation, all information exchanged between the corporate headquarters, its subsidiaries and associated vendors is communicated by e-mail. E-mail is therefore a mission-critical business application on which all corporate employees and executives rely. This is why the IT security team found it imperative to find a solution for a problem that was fast becoming a menace - spam.
"90% of the 1.5 million daily e-mails received in our headquarters is spam. It was therefore critical for us to implement an enterprise-class security solution to maintain efficient business communications," says Mina Samir, IT security manager at Orascom Telecom.
In order to tackle the issue, the security team at Orascom deployed a software-based solution in 2004. However, with the growth of the organisation over the years they increasingly found the solution to be inadequate for their needs.
"By 2007, we had decided that we needed a new appliance-based approach for the antispam solution. The evaluation process for the solution was started in June 2007 and by the end of the year we had already selected the vendor and started testing the hardware elements involved," says Samir.
Evaluation of the various solutions on offer was based on the relative accuracy of each of them, along with the product's availability and transparency. Based on these parameters, Fortinet's FortiMail e-mail security platform was chosen by the organisation.
"We tested the appliances in our back-up site. In March 2008, we deployed two of these appliances. Since we moved to FortiMail, our management and employees have appreciated a huge decrease in the quantity of spam e-mails they receive. From an IT perspective, FortiMail is definitely an enterprise-class e-mail security solution, which provides us with a superior level of protection, reliability, management and reporting. We have not added to our current appliances yet, but we are in the process of looking into adding more," says Samir.
The FortiMail solution now filters the entire inbound e-mail traffic going through Orascom's corporate servers with minimal downtime. The organisation also subscribed to the FortiGuard antispam and anti-virus services to get automatic and continuous updates, and to ensure its FortiMail platforms are kept up to date to help protect against the latest threats.
In addition, Orascom uses FortiMail's detailed logging and customised reporting functionalities to get granular information on all malicious e-mails received, blocked and quarantined.
"We are very happy with the Fortinet solution and we are planning on adding at least one more appliance by the end of the year. This will be deployed at our back-up site. We will also encourage our subsidiaries to adopt the Fortinet solution in the future," states Samir.
Solving defence issues
While spam was one of the biggest problems facing the IT team, there were other internal and external defence mechanisms that they were constantly looking into in order to improve their security standards.
Recently, keeping in mind the sensitivity of some of the information being handled by the different departments within the organisation, the security team implemented two-factor authentication for accessing and working on certain applications by using RSA's token solution.
"We wanted to restrict access of an application to certain employees. For two-factor authentication we evaluated several vendors and chose RSA based on their references, support factors and integration elements. After selecting the solution, we tested it in our production environment before deploying it," says Samir.
The evaluation process started in June 2008, followed by a process of customisation of the solution for Orascom's specific needs. The solution went live in the first quarter of 2009. Apart from security solutions, the IT team has also put in place financial consolidation systems, unified communications and a web conferencing solution in the recent past.
"As a security team, we are constantly required to do more with less. This is why we insist on multi-vendor security within Orascom to ensure that even when an external attack happens they don't find a relatively easy homogeneous environment. We also ensure that we select the best vendor for any particular solution area after having done a proof of concept. These basic processes help us maintain a higher level of security," says Samir.
Budgets for IT security are decided following a lengthy process, which involves meetings with business teams and understanding the projects that are absolutely critical to the organisation.
"The process starts with ideas. We sit with business leaders to know exactly what they need. We give shape to the project and put down the exact objectives of the particular solution. Then we start consulting different vendors to find out how we can achieve this objective. After this, we put forward a proposal and make a presentation with our findings and estimated budgets," explains Samir.
This is done as an annual process. More recently, one of the major projects that Samir and his team have been busy with is the creation of a proper disaster recovery plan for the organisation which involves the setting up of an appropriate site.
"Our back-up site currently mirrors only the processes and data related to one particular crucial application. We have been working on a fully-fledged disaster recovery plan. This we are in great need of because from 2000, when the current back-up site was established, we have added lots of applications and services, especially in the last three years. We need to re-assess the business objectives, the services that are essential to us, the recovery time and point objectives such that we can have a proper disaster recovery site," says Samir.
According to him, the assessment should be finished by next month and a technical design for the site will be done. He hopes to have the disaster recovery site, which will operate in a different city from the location of the headquarters, up and functioning sometime in 2010.
Most critical services at Orascom will be moved to the disaster recovery site once it is operational. This will include services running on all three of the organisation's data centres, all of which function out of the current headquarters.
Apart from the massive disaster recovery project, Samir is also working on standardising security solutions across the various subsidiaries of Orascom.
"We had started to standardise a couple of years back. Since we have limited resources we started with the elements that we considered to be the most important, like the firewall and the intrusion prevention systems (IPS). With these solutions, the subsidiaries can choose between only two vendors based on the local support that is available," says Samir.
He adds, "We will soon do this for the antispam filters as well. Currently, all of our subsidiaries have their own appliances, chosen at different times based on their specific needs. Due to this situation it is difficult to move to a standard immediately. However, when any of them need to replace an appliance, we can insist that they choose only between two vendors as is the case with other solutions now."
Samir agrees that many of the issues surrounding different products used at different locations can be solved, and a uniform level of operation achieved, by the development and deployment of a single security policy.
"So far we do not have a centralised IT policy and so we do not insist on similar purchases at the seven subsidiaries. If we make an agreement and we benefit out of it, we try and push the solution among the subsidiaries as well. In the coming year, I also plan to rectify this gap by creating a security policy.
"We find this especially essential now since we need to accommodate the usage patterns of an increasing base of travelling employees. We need to make our systems flexible for them, while at the same time reducing risk for the corporate network. It is a very tough project and requires tight collaboration between the systems, applications and security team. We will probably start the process of the formation of a security policy with that project," states Samir.
Like many others in the Middle East, Orascom Telecom is moving carefully and cautiously in the security measures it implements, to ensure that its choices work in the most efficient manner, with minimal possibility of encroachment. Slow and steady it might seem now, but the organisation is likely to win the race with higher security and increased business productivity, led, as it is, by an efficient IT and security team.