
Security threats are coming from all angles and organisations need to be on the front foot in the battle against the hackers and thieves. Two industry experts sit down with Business Management to discuss the salient issues for IT security today.
“Those who believe that protecting against spam mails and defending against virus and phishing attacks is enough are wrong”
-Klaus Gheri
The experts:
Klaus Gheri is the CTO and co-founder of phion AG.
Roger Vandeplas is the VP of Sales & Marketing at VASCO Data Security.
BM. Protecting information and confidential data is paramount today. What challenges are organisations facing when it comes to security and are there any differences in the Middle East?
Klaus Gheri. As the digital world does not know any borders other than those barriers organisations put up as safeguards for themselves, one would strongly suspect that the ‘threatscape’ in the Middle East is the same as everywhere else. The vast and rapid economic growth that many areas in the Middle East have seen over the past years also means that an abundance of prosperous businesses there make interesting targets for criminals.
Roger Vandeplas. An important security challenge for many enterprises is caused by ‘de-perimeterisation’, which refers to the blurring of the company network’s boundary. The boundaries of networks disappear more and more through the use of smart phones, laptops, wireless network connections, USB-devices and the use of web services for business partners. ‘De-perimeterisation’ implies that security mechanisms must not only be implemented at the network boundary (e.g. using a firewall) but that there is a need for distributed security including authentication, encryption, etc.
A second challenge is referred to as identity and access management. Employees of a company need to use multiple applications, and therefore different usernames and authentication mechanisms. These applications require authentication mechanisms with varying strength. Identity and access management is required to allow employees efficient but also secure access to confidential resources.
Finally the growing importance of electronic information has caused governments around the world to enact legislation with respect to its retention, use and destruction. This legislation, ranging from Sarbanes-Oxley (US) to the Bundes-Datenschutz-Gesetz (Germany), requires companies to increase efforts regarding legal compliance. These challenges are visible at a global level, including also the Middle East.
BM. How has technology evolved in the past few years to ensure information and systems are secure and keep the criminals at bay?
KG. Those who believe that protecting against spam mails and defending against virus and phishing attacks is enough are wrong. Content such as SSL-encrypted data traffic, XML web services or RSS feeds pose real threats that are extremely difficult to monitor at all with conventional security solutions. There are also other security-relevant areas that have to be addressed with the same caution in order to stop the transfer of damaging contents from the outset. These include cross-location networks using VPN or wireless LANs. One single remote access from an unprotected PC or laptop is often all that it takes to open the famous backdoor into a company’s network. Another important complication is posed by access control and identity management systems. The question has to be answered here as to who is permitted to access which data in the company network and how to ensure that only this person has access. Availability of the IT infrastructure is a prerequisite for smooth business processes. The optimum utilisation of available lines and bandwidths is of essential significance when transferring contents securely.
RV. In the area of ‘de-perimeterisation’, end-point security technology has emerged. This technology allows performing a health-check on end-points (e.g. desktops, laptops, smart phones) to verify whether their security status is in line with corporate security policies. Trustworthy computing, the idea of which is to allow proving that the hardware and software of a certain computer have not been tampered with, can be seen as a type of end-point security technology.
In the area of identity and access management, key technology providers take efforts to standardise identity management systems (e.g. Liberty Alliance, Shibboleth). At the same time, other companies specialise in providing strong authentication mechanisms in different form factors including dedicated hardware devices, smart card readers and mobile phones. In the area of legal compliance, vendors come up with software that can be used as a ‘control layer’, allowing monitoring compliance of the company’s infrastructure with legal requirements.
BM. As workforces become more mobile and devices get smaller and more sophisticated, how can companies best protect their defences?
KG. With the advent of novel technologies, work habits have changed dramatically throughout the past years. The portable laptop, vast amounts of data easily portable on a small USB stick, intelligent phones, ubiquitous wireless network access and personal area networking have all contributed to the fact that endpoints in corporate networks have become an increasingly hard-to-control hazard.
Effective endpoint security today extends far beyond historical personal firewall and antivirus concepts. It still entails protection of an endpoint against network threats using a host firewall and malware detection software, but extends the protection concept by adding the new dimension of policy governed network access control.
An efficient solution broadens existing network protection concepts by adding enforcement and validation of security policies that are specific to the identity of the device, the user, its location and current posture. It enforces policy compliance, facilitates network access control, and nicely helps to close existing and potential future security holes.
RV. In order to prevent unauthorised access to company assets, companies need to follow a ‘defence-in-depth’ approach, consisting of multiple protection mechanisms. Firstly, companies should install strong authentication technology for establishing the identity of end-users requesting access to company resources. Additionally, companies can implement end-point security technology as well as authorisation and audit mechanisms.
BM. A breach in security or loss of confidential data can be catastrophic – not only the potential financial loss but also the knock-on effect of damage to reputations and the brand. What advice would you offer for a quick recovery and for ensuring lessons are learned?
KG. Attacks on web applications such as online banking services and e-commerce businesses are not coincidental, but targeted and on the increase. The systematic protection of web applications and services is therefore unavoidable. Only a mature solution that combines different security measures can identify even hitherto unknown attack methods early and prevent them, thus guaranteeing sustainable protection.
Similar to physical security measures at an airport, where tickets, passport, luggage and passengers are checked before they can board an airplane, it is crucial for web application security to answer two questions in advance: first, who someone is, and second, what they are doing. In the case of a web application or environment with registered users the focus should be on this preceding authentication. However, for publicly accessible web applications and pages the most important aspect is the filtering of protocols, requests and data. Since current web applications usually include both, there is a demand for technical solutions that cover both issues efficiently and comprehensively.
RV. Because prevention is still the best cure, an ongoing security awareness and training program needs to be part of any company’s overall security strategy.
When a security incident does occur, it is of utmost importance that the incident is managed adequately in order to ensure that lessons are learnt. This means that responsibilities regarding security have to be established clearly within the company. The people that are responsible should be empowered appropriately to allow them to take measures to prevent future security incidents as much as possible. Responding to security incidents starts with having a proper organisation and procedures in place.
BM. How are your products and services helping your clients today?
KG. Enterprises are confronted with an increasing need for efficient, highly integrated security and connectivity solutions. By using phion products, multinational corporations and large to medium size companies are provided with an integrated protection platform covering all needs for comprehensive and compliant network security, secure web access, access control, WAN protection and optimisation, web application security and central management.
RV. VASCO Data Security develops and sells hardware and software solutions for strong user authentication.
Worldwide, millions of e-banking end users and more than 7000 companies, including over 1000 financial institutions, already use the VASCO solutions to secure access to their networks (local and remote) and/or applications (including SaaS environments). Virtually all these customers rely on the DIGIPASS by VASCO strong user authentication solution offering. Deploying a DIGIPASS by VASCO solution brings our customers and their users convenience, ease of use, flexibility and higher security levels.