Encrypted comms pose risk to government security
Governments need to be aware of the risk from security threats that originate within the organisation, and the need for monitoring even encrypted communications, writes Glen Ogden of A10 Networks
The Middle East has some very specific threats facing government entities. These come from regimes opposed to our politics as well as those wishing to benefit from industrial espionage. Meeting these concerns is a difficult task and one which requires a multi-level approach to security, which provides strength in depth. At the perimeter securing services with DNS Firewall and ‘Volumetric Attack Prevention’ is critical; internal threats are more difficult to counter.
As many attacks occur from inside an organisation, it’s necessary to ensure that all traffic is screened at both the ingress and egress points within a government. The proliferation of SSL has enabled many malicious applications to effectively hide their existence once activated, bypassing existing security methods such as internet filters etc because SSL traffic is encrypted and can’t be inspected.
Governments need to enter into discussions with security vendors that have countered this threat by developing highly scalable SSL Intercept technology which allows Government entities to intercept all SSL communication destined for the internet, originating from inside an organisation and strip off the encryption, to allow existing security products to fully monitor the payload before re-encrypting the data and sending it to the final destination, assuming that it should pass internal security checks.
Existing security products that inspect payload aren’t suited for this task due to the high volume of SSL encryption/decryption required. Therefore a best of breed technology in this space that can scale regardless of SSL key strength is an absolute requirement if government is to avoid service impact due to performance problems.
A security strategy should always be fully encompassing, dealing with both physical and logical security. Typically, governments in our region have a high level of physical security in place already. Unfortunately, modern threats tend to favour logical security breaches rather than physical penetration of a government entity meaning that new strategies are required to cope.
Critical infrastructure and data are often in some ways synonymous, since they both require logical protection, albeit of a very different kind. You can’t protect data if you don’t adequately protect the perimeter, therefore a solution that offers both perimeter protection of firewalls, DNS infrastructure must be mirrored by internal protections of applications via WAF and importantly, the ability to inspect all communication destined for the internet regardless of whether it’s encrypted or not.
Historically, such protection has proved very expensive to procure due to vendors licensing all features on an appliance; this has limited governments, specifically, from enjoying the same level of protection as their commercial counterparts. However some vendors do not have any licensing, allowing any customer to enjoy all the acceleration and security features for a fixed ‘capital’ and ‘operational’ expenditure perspective.
Unfortunately, Government spending on security, beyond Firewalls and AV, tends to be viewed in the same way as disaster recovery, i.e. only spend after a breach or a failure. In an increasingly connected world, security should be a very high priority for Government as E-Government is on the rise and both inter-government and citizens mandate their data is both secure and protected. Most CTO’s understand this requirement and we are expecting spending on security to increase especially as many government departments are wishing to adopt Cloud services.
UAE, Federal Decree No3 (2012) was a clear indication that ‘cyber threats’ need to be taken seriously and the UAE’s National Electronic Security Authority (NESA) inception, clearly, shows how important a credible and properly regulated defence against cyber attacks is to any region’s national security. Whilst entities, like NESA, help to raise the profile of threat defence, each Government or Ministry still needs to take action to ensure the region as a whole is fully protected top to bottom. So while entities are of clear importance, that shouldn’t be at the expense of individual government departments ensuring they are adequately protected against the very real threats that our region faces daily.
As attacks increase, a governing body is essential to ensure all relevant parties have somewhere to obtain information. Moreover, any entity that helps define protection standards is typically welcomed by those departments that aren’t able to execute their own due diligence in security matters. It is likely that we will see each state have their own entity and this should be considered welcome by the community as a whole.
There are a range of security products available from multiple vendors, however the critical component of security is often that it’s ‘affordable’; protection is a difficult cost code to justify, given that when things are working properly nothing happens so there is no immediate visible benefit. Vendors have traditionally licensed their security features and sometimes even appliance throughput, making it a very expensive proposition for government to invest in where no clear ROI appears visible. What entities should look at when evaluating vendors are ‘licence free’ solutions that allow customers to enjoy protection at scale for fixed CAPEX/OPEX.
Glen Ogden is regional sales director, Middle East at A10 Networks.