UAE offers secure governance

28.07.2005
By Kavitha Rajasekhar

Good governance is not only about the effective management of a country. Today, in the digital economy, it is also about how well you, as a government, can protect your people's information. As government departments in the Middle East move strongly towards offering increased e-services, the United Arab Emirates has a strong sense of awareness and commitment to IT security. Not only are these departments investing in the best technology, but they also see awareness creation, both within and in the general market, as very important to their business. Besides investing in best-fit technologies to ensure information security, setting internal policies and enabling data availability and protection have emerged as top priorities.

The right technology first

Across the Middle East, the importance of IT security varies from country to country, with awareness levels particularly noticeable in the UAE, Saudi Arabia, Qatar and Kuwait. With most of these countries having already invested in technology as a first step, this sector is in the midst of an interesting build-up of issues related to security policies, certification and a close look at ensuring data center security.

"Many departments have taken the approach of technology first. This has been due to pressure from the operational side to ensure that basic security is in place. So Firewalls, Intrusion Detection and Antivirus infrastructures have already been put in place. Now these departments are re-visiting the security area and trying to see if the technologies they have deployed are a good fit, while trying to formulate security policies, data protection and business continuity policies," says CA's Business technologist for the Arab Countries Abdul Karim Riyaz.

Government officials agree. Take HH The Rulers Court, Government of Dubai as a standing example. Having carved out a special IT security-focused team three years ago, the first step the IT security department took was to invest in enabling technologies to secure the inflows and outflows of information. Having done that, the department is now looking to scale up its plans, including putting in a security policy framework (based on the BS7799 framework) that will look at all angles of risk assessment and security.

"In our department at HH The Rulers Court we have extensive connectivity services linking to 35 local government departments through the GIN (Government Information Network). So all kinds of information flows are taking place internally and externally. In terms of ensuring security, we have in place a layered security architecture complete with IDS/IPSs, firewalls and gateway security products. Now policies and frameworks will be the key focus," says the department's Information Security Officer Ibrahim Awad.

Government entities, with a highly mixed IT environment, are also proving to be strong grounds for sharing best practices, both within the country and in the region. Security technology player Trend Micro's Technical Manager Samir Kirouani said he was seeing an increased interest in collaborative and shared awareness activities among government departments.

"In terms of increased investment in technology, government is one of the most progressive industry sectors in the adoption of new security solutions," says Kirouani.

Among these very departments, there is also a strong sense of realization that security is not just about a point product, but something that needs to be integrated into the infrastructure and business processes as well, to be able to meet the public sector's most pressing security needs, namely protecting government and citizen information, responding immediately to threats, complying with regulations and improving productivity, says Eyad Al Qadi, Regional Sales Manager Public Sector and Enterprise, Cisco Systems Middle East. "Our advice to government departments is clearly to not look at infosec as a product driven activity, but as a business and technology practice that can address their needs both locally and regionally," adds Al Qadi.

The business of security

Information security is no longer the part of the business left to technical teams to handle. Across government departments, IT decision makers are now saying that this segment calls for absolute integration into the overall business initiatives and strategies as well.

The two major law-keeping departments in the UAE, the Dubai Police and Abu Dhabi Police, both agree that information security needs to be treated as a very strategic business issue. Both players say that they are increasingly moving toward greater integration of information security strategies into the overall enterprise technology plans.

"Security has clearly become a business issue and should be treated as such. IT security is one of the top priorities in the department because of the importance and dependence upon its assets, information and employees," says Major Saeed Al-Dashti, Head Of Security Section, General Department Of E-Services at the Dubai Police HQ.

In the department at Dubai Police, the focus is currently on the development and enforcement of security policies and the supporting mechanisms. "Ensuring IT security is part of the move to ensuring data confidentiality, integrity and availability of that data," says Maj. Al Dashti.

"Information security by its nature is the common factor between the IT department's different sections. Security requirements have become mandatory requirements during software development, networks design and systems configuration. This nature of the information security placed it as an umbrella sheltering other sections and processes within the IT department and raised its importance and effectiveness," adds Abu Dhabi Police Information Security Consultant Manhal Musameh. According to Musameh, ensuring information security should be seen as a process that integrates with all other business processes.

The fact that most government departments are steering towards offering more e-services has also made information security a primary concern.

"Infosec has clearly become a key priority at the moment with most government bodies moving toward transaction-based web-site solutions or even simple web pages gathering public data. As e-government is gaining strong momentum in the whole ME region so is security. Indeed those governments could be easy targets for web defacement (changing content & publishing inappropriate contents) or hackers trying to steal confidential information by exploiting OS or Application vulnerabilities," says Patrick Hayati, Regional Director, McAfee.

"The rising prominence of e-Government is founded upon tight security -- people would not be willing to access government facilities online if they thought the information they provided was vulnerable," says Sun Microsystems Software Solutions Sales Manager Jamie Bliss.

The Dubai eGovernment's focus on ensuring IT security is a perfect example of this realization within the department. At the department, IT security is considered one of the top priorities. "As a matter of fact, one of the key reasons for slow adoption of services even in the commercial sector can be attributed to security concerns and trust. The Government considers information security as a key driver that ensures stability and confidence in conducting transactions through the virtual government. Citizens, residents, and businesses demand that assurance of security and that information exchanged on-line or off-line with the Government will be protected and kept private," says Dubai eGovernment's Acting IT Manager Fadi Hindi.

Get that policy first

While investments in the right technology remain an undisputed component of a sound security strategy, IT security today has a lot to do with the right security and usage policies. Government departments in the UAE are certainly pushing on this front and also see policy frameworks as a strong Best Practice for risk and vulnerability management.

Rashed Mohd AlJeziri, Head of the IT Section, Meteorological Unit, Ministry of Presidential Affairs, prioritizes IT security above all else. "IT security should be always prioritized over other issues, simply because the less security measures enforced, the more risk against your assets. So, prioritize all of the security factors if and only if you really care about your assets," AlJeziri says.

As the IT decision maker in his department, he believes organizations need to look at three key areas -- a security policy, on-line security and data recovery as the top three issues. "Although they are not sufficient for powering the entire IT department, according to what's going on in the region, the mentioned three points should be taken care of before any other security issue. A security policy will force some discipline on the internal network while an on-line security will guard the perimeter and will inspect all incoming and outgoing traffic for any suspicious threat. Data Recovery will be your rescuer in case of any data loss incidental or due to an external hack attack on your mission critical servers," he adds.

Dubai eGovernment's Hindi looks at a security policy document from the best practices perspective and says that a good policy must be comprehensive enough to cover all details right from passwords to protection of key information that may jeopardize systems' security. "Covering both on-line and off-line topics to ensure that employees are made aware of all risks they create when the policy is not followed must be made clear," says Hindi.

Putting a policy-driven framework in place is a key agenda at the infosec department at The Rulers Court, Government of Dubai. With 35 other departments linked in via the GIN and close to 30,000 overall users of IT, an ISMS (information security management system) was found to be imperative to their security strategy.

"We are in the process of getting the BS7799 certification, which will enable us to standardize and validate the security policies, assess risk levels, classify security levels and put effective monitoring into the system," says the department's Awad. He adds that this policy-driven framework will also enable them to focus on the top priority areas -- its data center, data protection, availability and confidentiality.

It's as much a people issue

The first step towards a comprehensive security strategy lies in the realization that infosec is not just a technology issue, but is very much a people-driven or people-enabled function. Even in a market with a constantly changing threat landscape, experts maintain that the weakest link in the IT security chain is the human element. Policies and technology will not deliver results unless the people they are meant to secure take them seriously.

Technology vendors advise that government departments need to look at this specific human element closely while planning and implementing an IT security framework. The enforcement of information access policies will play a key role in this.

"A cohesive security policy framework will lay down which users can and cannot access information, where they can access the information from, and which segments of information are accessible and which are not. On-line security is as much a human as a technological challenge," says Sun's Bliss.

A security management framework almost works like a matrix. "The most important area is to have an Information Security Management Framework that orchestrates the whole matrix of information security. The framework itself is the necessary infrastructure on which all security policies, procedures, people or even technologies operate," says Ahmed Etman, Senior Territory Technical Manager for the Gulf, ISS Middle East.

Judging by the industry comments, it is clear that technology itself is just one out of three factors. "Security relies on three factors: people, process and technology. And it is also obvious that technology is the least worrying part of it as it is only deployed to help enforce the controls that are mandated by the management framework or the security policy," says Etman.

As most people that interface with the security domain will know, it all revolves around the three well-known major objectives: Confidentiality, Integrity and Availability; however, the importance of each of the CIA objectives varies from one organization to another.

Abu Dhabi Police's Musameh says the critical factor is the awareness in the organization that a single gap in the overall security design can jeopardize the whole security setup for an organization.

Awareness is key

Effective protection is a product of a concerted effort on the part of technology and people. The meeting point therefore truly lies in creating awareness. Interestingly, among leading enterprises and government departments in the region, IT security awareness is almost as important as corporate social responsibility.

"Employee awareness is crucial to the success of the security program. All employees should understand the underlying significance of security and specific security related requirements expected of them. At Dubai Police we look at a mix of training workshops and directing useful awareness information and news," says Maj Al Dashti.

It can also be an important component in the hiring process itself, like at Dubai eGovernment. "We typically discuss these issues with our employees at hiring time and encourage them to secure all critical information physically, besides also making them completely aware of the policies and best practices to follow," says Hindi.

AlJeziri at the UAE Ministry of Presidential Affairs adds that he uses more than a single method to deliver infosec awareness to employees. "I usually send my employees to security training courses, in addition to the in-house conducted ones by the knowledgeable staff. Security Policy is already in place to satisfy the business requirements of the entire department. Many security scanning, auditing, and enforcing applications and tools are being used in the department," he says.

Other recently announced initiatives, including deals such as the Dubai Department of Economic Development (DED)'s implementation of the Symantec Security Awareness Program, demonstrate that government departments are also willing to bring in experts to offer focused programs rather than managing them in-house.

The department has implemented a bilingual corporate security awareness program from Symantec, which will be delivered as a web-enabled e-learning initiative. "The aim at the department is to show our keenness to empower all employees to play an active role in the protection of their organization's resources," says Ali Ibrahim, Deputy Director General for Executive Affairs, DED.

With the industry clearly geared towards gaining better control of their own organizational security, one can sense that organizations across sectors are clearly looking at infosec as the art of maintaining a fine balance between technology, people and policies. With one aspect intrinsically linked to the other, industry players must understand that security is something achieved in an ecosystem and not by technology alone.

"People, policies and technology -- this is the solid tri-stand upon which security can be placed. A missing arm would fail the balance," says Musameh of Abu Dhabi Police.

After all, what then is the value of technology if an employee does not appreciate the importance of keeping the secrecy of his password, and what is the value of policies if technology limitations retard their implementation?