ArabianBusiness.com - Middle East Business News
Friday, 05 September 2008 | 12:35 UAE time


Secure delivery

by Sathya Mithra Ashok on Sunday, 20 July 2008

In his most recent visit to the Middle East, Guy Rosefelt, manager, app firewall international technical operations, applications network group at Citrix Systems, discussed the ramifications of the PCI DSS compliance standard, and how enterprises can get more from their web application firewalls.

What is your take on the Middle East market when it comes to web application security in enterprises?

The interesting thing is that up until the last couple of years the Middle East had absolutely no knowledge of web security. They had infrastructure issues to worry about and they had taken the approach of traditional security, which is worrying about the network layer, worrying about infrastructure and wanting these taken care of.



These traditional security folks have not quite understood that the big hole in that structure is that they have nothing protecting the apps. They don't think about whether the apps are secure because traditional security issues do not deal with the apps, it is not something that generally occurs to them. If they get into apps, it never occurs to them that the thing they are protecting has a problem at all.

Now we are beginning to find out that because of millions of credit cards used in web applications and the amount of identity theft that is happening via apps, these are very big issues worldwide. The incidence of hacking has increased significantly over the years. And the biggest problem is that most organisations don't realise that the biggest vulnerability is the point that is not protected - the enterprise's all-important apps.

It is not just necessarily web apps, it is all the apps in an enterprise. But web apps are getting the most visibility now, because they are the most public-facing apps. You still have to protect internal apps. In the US, FBI studies have shown that 75% of all information-based attacks on an organisation still come from the inside.

With web apps becoming more prolific, the level of awareness is just starting to increase. The desire to do something about it, though, is still very low. This is actually very interesting. I started with web app firewalls in the dark ages of the internet, way back in 1995. In those days you couldn't get a Fortune 1000 company to spend US$25,000 to $50,000 on a network firewall to put in front of the organisation to protect it from the internet.

Why? 'Nobody is ever going to attack me, why would they attack me? I am a Fortune 1000 company. No one will want to attack me, nobody wants my info. I don't want to spend the money on that, the risks are low.' Now, you cannot imagine anybody without any kind of firewall. Because you know it is dangerous - you want to lock up computers at home because you want to ensure that nobody can get access to your machine.

We have the same issue now. 'I've got the network firewall, I've got IDS, I've got IPS, I think I am protected, I don't need an app firewall because I have all this infrastructure.' They don't understand that it is not something that is just nice to have, it is something you have to spend money on.

Do you find it difficult to convince people to invest in web app firewalls, even with the PCI DSS (Payment Card Industry's Data Security Standard) requirements?

Yes. Honestly, one of the biggest problems in the Middle East is that you have a lot of banks that have a lot of money. They make a lot of money. And because of the amount of money they have, the sanctions that are going to be levied by the credit card companies are inconsequential. Banks here find it easier to be non-compliant for a period of time, and pay the fine, than to go out and try to meet compliance right away, when they have other more pressing issues to deal with.

Many of the banks here will admit to you that they are working on infrastructure issues because they have not done anything in several years to upgrade the security, to upgrade the policy and procedures to make them more 21st century available or aware. This includes web apps, but there are other things beside that. So if you look at all the things on the list to take care of, PCI DSS might not be very high.

If Mastercard says, if you are not compliant in a few months we are going to shut off your credit cards, there is no guarantee that it will go and do that. It is easier for large banks to pay the money. The $50,000 fine per month - they can easily pay that for six months or even a year, without having to worry about it.

How do you approach and convince these customers about the validity of web application firewalls?

We can't do much for customers who don't want to be compliant and are willing to take the hit. They have things that are more important. We can go and talk to people responsible for risk management and try to convince them that that is where they need to go. But then again, unless somebody forces the manager handling risk to push it higher up the list, nobody is going to do that because they have other things to worry about.

At that point, you are waiting for an accident to happen. There is really nothing you will be able to do. A breach will occur and then you will respond to that. Unfortunately, there is very little we can do about that.

That is not just in the Middle East, that particular mentality is common everywhere in the world. 'I don't need to fix something because I am buying insurance until it actually happens.' And you really cannot do much about that mentality. The funny thing is that the moment they get breached, they are the first people to call me up and say I need to buy something smart.

