Taking safety measures

The rush to deliver online government services is being equalled by rapid investment in making sure these services are secure — especially in matters of national security

  • E-Mail
By  Published  September 29, 2006

Given the criticality of some of its services and the sensitivity of the information involved, governments in the Middle East are not taking chances and are investing more in improving the security and authentication tools of their online services.

“In the market here, the trend is going to be investing more in securing the e-government services given that, across the region, the governments’ goal is to have a higher percentage of services online. Actually now, if you look at the UAE and specifically Dubai, we are looking at getting 90% of the services up on the web in the coming year,” says Ashraf Sheet, senior security consultant for Alpha Data.

“There are more concerns with the e-government services. Information is more sensitive for e-government, such as those involving national security,”he points out.

“Most of the governments have specific teams looking at placing their identity management and security strategies in place and deploying that as a service to all divisions or departments within the government per platform for them to implement in current services or future services that they will deploy,” says Jamie Bliss, software sales manager, Sun Microsystems Middle East and North Africa MENA).

“There are advanced services out there that they are delivering.”

Abdul Mulla, a Tivoli security technical pre-sales specialist for IBM Middle East, says that there are various means of authentication, which can be applied, depending on the requirements of the service involved.

“It depends on the type of service and how business critical it is to the end user and the governments themselves,” Mulla explains. What we have noticed is that depending on the type of service provided, the criticality of the service, they can step up the authentication or step down. Most governments are using two-factor authentication and some services require user ID and password authentication, where the password goes along the wire and encrypted.”

“Governments are deploying different solutions for different services,” says Basher Kilani software group manager, IBM Middle East, Egypt and Pakistan (pictured right).

Kilani says there are three types of authentication predominantly being used in the region: the one-factor authentication, two-factor authentication and the three-factor authentication.

“The one-factor authentication is basically a simple user ID. This is the first and most primitive version of authentication, and for many of the services, this is enough,” Kilani explains.

“The second type of authentication mechanism is the two-factor authentication, which means that you have to provide a user ID and a password.”

“Here, you can have different levels. You can have a simple one-time password; you can force people to change their passwords every three months, every month or every week. You can also give them a token, for example, that has a changing password every minute. That is more secure because you have something that changes every minute and you can only log in when you have that particular device or token,” he continues.

“The third level is the three-factor authentication. It depends on physical things that are very much with that user. It could be a fingerprint or biometric thing that they can actually use inauthentication,” Kilani says.

“Most of them are, when we talk about services, that have money involved, using two-factor authentication.”

Issam Mohamed Ali, senior manager, eSolutions practice at systems integrator Itqan, says authentication tools will become more comprehensive.

“We are talking about client authentication, secure connections, Liberty Alliance initiatives, and certification. All that, plus the big names in IT are heavily involved and are coming up with new initiatives in this regard,” he says.

Sheet says one such technology, biometrics, will be considered if required by the service.

“Current services do not require biometric authentication.”

“However, if they want to implement something like passport renewal, these types of services, will require biometric technology. Other services may require multiple layers of authen- tication, which have highly confidential information,” he notes.

Hans Ydema, senior vice president and managing director of Entrust Europe, Middle East and Africa, says he is also seeing governments gradually moving away from just having a username and password type of authentication.

“What we do see is that governments are more and more moving to a real two-factor world where username and password is not enough anymore.

“It is definitely not enough anymore and it started with the simple phishing and it is going to farming and spoofing available nowadays to attack simple user name and password,” he says.

“We see a different kind of two-factor or multifactor authentication method that can be very simple or paperless, where you need to add an additional number as a one-time SMS password, smartcards, or smart tokens. We definitely see that everybody is looking for more than username and password,” Ydema elaborates.

Smart moves

Interest in ID cards and smart-card based solutions, Ydema notes, is definitely rising.

“We see a trend that for certain communities they have USB token solutions. There are also very advanced soft token approaches where you work with software Java applets, download them in your machine every time when you are entering a web server,” he says.

“And I definitely see that the Middle East countries will definitely invest more in solutions to detect fraud in an early stage, and that is the next wave of technology investment. We will see over the next two years so-called e-fraud solutions which will detect the behaviour ofthe people who are on the web and profile their behaviour and use that to detect and defend against fraud,” Ydema adds.

However sophisticated the authentication tools are, though, that there is one basic consideration that governments must not overlook, and that is ease of use.

“Authentication and security is sort of a two-edged sword in terms of take-up of e-services,” says Chris Parker, managing director at gov3, a UK based consultancy firm. “Clearly, citizens and businesses want to know that their data is secure and they want to know that they are able to trust that service.”

“On the other hand, some of the things you need to do, in terms of security and online services, can be actually difficult online experiences. And there is a lot of evidence that people will just drop out if the process of authenticating them online is too difficult. They will not bother with the online service,” Parker says.

“The key really is to balance those two issues and, in particular, make sure that you are taking an approach to online authentication, which is risk-based so you are not requiring lots of authentication when really you don’t need to, and which provides a seamless customer experience for the use,.” he continues.

“Technology-wise, you can make everything secure nowadays. But it needs to be easy for the end user to use it,” agrees Ydema. “You don’t want to have fingerprint readers or smartcard readers everywhere to have the highest security levels.”

“The technology was always there, but it was simply a matter of convincing the end users to use it and to use it in an easy way. You cannot bring up too many hurdles for multifactor authentication,” Parker concludes.

“Governments are deploying different solutions for different services."

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code