Secure delivery

By Sathya Mithra Ashok on Sunday, July 20, 2008


In his most recent visit to the Middle East, Guy Rosefelt, manager, app firewall international technical operations, applications network group at Citrix Systems, discussed the ramifications of the PCI DSS compliance standard, and how enterprises can get more from their web application firewalls.

What is your take on the Middle East market when it comes to web application security in enterprises?

The interesting thing is that up until the last couple of years the Middle East had absolutely no knowledge of web security. They had infrastructure issues to worry about and they had taken the approach of traditional security, which is worrying about the network layer, worrying about infrastructure and wanting these taken care of.

These traditional security folks have not quite understood that the big hole in that structure is that they have nothing protecting the apps. They don't think about whether the apps are secure because traditional security issues do not deal with the apps, it is not something that generally occurs to them. If they get into apps, it never occurs to them that the thing they are protecting has a problem at all.

Now we are beginning to find out that because of millions of credit cards used in web applications and the amount of identity theft that is happening via apps, these are very big issues worldwide. The incidence of hacking has increased significantly over the years. And the biggest problem is that most organisations don't realise that the biggest vulnerability is the point that is not protected - the enterprise's all-important apps.


It is not just necessarily web apps, it is all the apps in an enterprise. But web apps are getting the most visibility now, because they are the most public-facing apps. You have to still protect internal apps. In the US, FBI studies have shown that 75% of all information-based attacks on an organisation still come from the inside.

With web apps becoming more prolific, the level of awareness is just starting to increase. The desire to do something about it, though, is still very low. This is actually very interesting. I started web app firewalls in the dark ages of the internet, way back in 1995. Those days you couldn't get a Fortune 1000 company to spend US$25,000 to $50,000 on a network firewall to put in front of the organisation to protect it from the internet.

Why? ‘Nobody is ever going to attack me, why would they attack me? I am a Fortune 1000 company. No one will want to attack me, nobody wants my info. I don't want to spend the money on that, the risks are low.’ Now, you cannot imagine anybody without any kind of firewall. Because you know it is dangerous - you want to lock up computers at home because you want to ensure that nobody can get access to your machine.

We have the same issue now. ‘I've got the network firewall, I've got IDS, I've got IPS, I think I am protected, I don't need an app firewall because I have all this infrastructure.’ They don't understand that it is not something that is just nice to have, it is something you have to spend money on.

Do you find it difficult to convince people to invest in web app firewalls, even with the PCI DSS (Payment Card Industry's Data Security Standard) requirements?

Yes. Honestly, one of the biggest problems in the Middle East is that you have a lot of banks that have a lot of money. They make a lot of money. And because of the amount of money they have, the sanctions that are going to be levied by the credit card companies are inconsequential. Banks here find it easier to be non-compliant for a period of time, and pay the fine, than to go out and try to meet compliance right away, when they have other more pressing issues to deal with.

Many of the banks here will admit to you that they are working on infrastructure issues because they have not done anything in several years to upgrade the security, to upgrade the policy and procedures to make them more 21st century available or aware. This includes web apps, but there are other things beside that. So if you look at all the things on the list to take care of, PCI DSS might not be very high.

If Mastercard says, if you are not compliant in a few months we are going to shut off your credit cards, there is no guarantee that it will go and do that. It is easier for large banks to pay the money. The $50,000 fine per month - they can easily pay that for six months or even a year, without having to worry about it.

How do you approach and convince these customers about the validity of web application firewalls?

We can't do much for customers who don't want to be compliant and are willing to take the hit. They have things that are more important. We can go and talk to people responsible for risk management and try to convince them that that is where they need to go. But then again, unless somebody forces the manager handling risk to push it higher up the list, nobody is going to do that because they have other things to worry about.

At that point, you are waiting for an accident to happen. There is really nothing you will be able to do. A breach will occur and then you will respond to that. Unfortunately, there is very little we can do about that.

That is not just in the Middle East, that particular mentality is common everywhere in the world. ‘I don't need to fix something because I am buying insurance until it actually happens.’ And you really cannot do much about that mentality. The funny thing is that the moment they get breached, they are the first people to call me up and say I need to buy something smart.
