Security check

Securing remote offices to prevent threats from entering the firm's connected network has not really been top of the priority list for Middle East enterprises. However, it is about time for them to wake up and start defending their expanding borders.
Middle East enterprises should consider branch security right from the start. - Bulent Teksoz, Symantec security expert.
By ITP.net Staff Writer
Wed 06 Jan 2010 04:00 AM

If a chain is only as strong as its weakest link, then the security of an enterprise network is only as strong as its most unprotected remote location.

"Many large organisations secure headquarters first and training, technologies and concern for smaller branch threats comes second. However, threats are the same and the interconnected organisation needs to ensure that all assets are safeguarded, as one problem in a regional office laptop can make data and systems vulnerable worldwide," says Nigel Hawthorn, VP EMEA marketing at Blue Coat Systems.

"Branch offices often have different responsibilities and challenges to main offices or headquarters and consequently many have a history of lower levels of security spending. The main reason for this is the focus of branch offices on operations and sales," states Hamed Diab, Middle East regional director at McAfee.

Come together

Tarek Abbas, senior systems engineering manager of enterprise at Juniper Networks, adds: "Branch level security in the Middle East is often deployed as a patchwork of devices that usually don't work together or share information at an inter- or intra-site level. As attacks targeting enterprises have become more sophisticated, cyber-criminals specifically target weak links such as branch outposts, satellite locations and mobile end users.

"As a result, cyber criminals are often successful as they fall "between the cracks" of traditional point security products. Compounding the security challenge is an access issue of how to support a wider, more diverse audience (including employees, partners, subcontractors and offshore facilities) that all require access to specific critical data."

In spite of being of obvious importance, the security of remote locations is, sadly, often overlooked by regional enterprises.

Diab points out: "One thing that our experience in the Middle East has shown is that branch offices often have lower security standards than headquarters. This could be due to the fact that branch offices are usually focused on regional operations and sales. However, with this focus comes a need to maximise productivity and uptime, and to protect valuable data. Sales data is a fundamental asset to any organisation of this time, so this, and the systems on which it resides, are assets that must be protected."

Bulent Teksoz, Symantec security expert, agrees, stating: "Unfortunately defence measures at branches are not on the same level as headquarters security measures. The branches or remote offices generally represent the weakest link in the corporate security structure."

Cause and effect

While most people might know that in a connected universe protecting the branch or remote location is as crucial as protecting the headquarters, the reasons why defence measures still get ignored are not always willingly examined.

"Branch offices usually connect directly to headquarters using either a private WAN link or a VPN over the internet, or they deploy VPN over the private WAN link. As more branch offices connect directly to the internet - rather than backhauling internet traffic to headquarters - this trend introduces a new set of security, performance, connectivity, and reliability challenges. Many enterprises have not scaled up their branch security to meet this new trend," says Abbas.

He continues: "Traditionally, IT resources were located in the headquarters, and investment in additional resources to cover the branches was limited. There was limited investment as well in IT devices for the branch and in centralised systems that allow effective management from the headquarters and which mitigate any human error."

Diab explains: "There are a number of reasons why branch-level security may be lower than elsewhere. First, there is often a perception that an organisation's most important assets are located at the head office.  While this may at times be true, there is a need to take into account the increased integration across their branches.

"Second, it is not unusual for there to be less qualified security personnel in branch offices. As branch offices tend to focus on regional operations and sales, the importance of qualified security personnel is often overlooked," he adds.

"Third, there may - often as a result of there being fewer trained staff on-site - be reduced security awareness amongst employees. Although security spending has been constantly increasing in the Middle East region, it is still relatively young and therefore inexperienced compared to some other territories. Security awareness remains low among individuals in the region, and this has an impact on vulnerability to threats," says Diab.

Starting point

There are many reasons for branch-level security flagging among regional enterprises. However, the most important among them remains an almost unshakeable concept that holds the headquarters to be first in line for defence measures, while branches come a distant second.

However, in today's world, where borders are fast disappearing and remote offices are becoming road warriors, enterprises are required to up their protective measures for a distributed reality.

"Middle East enterprises should consider branch security right from the start. It should be designed in when the idea of opening a branch is introduced," states Teksoz.

Abbas says: "Success in securing all locations is not impossible, and it doesn't have to be expensive. Distributed enterprise solutions deliver a consistent, secure, high-performance foundation that meets the unique infrastructure challenges of the high-value distributed enterprise. By adopting a solution-based distributed enterprise approach, the limitations of the business no longer need to be dictated by the network."

He continues: "A co-operative adaptive threat management solution, where each security element can operate on a single operating system and co-operates with others at various locations is the only approach that can enable a trusted and available network. Through this coordinated approach, businesses can deliver high-quality access to essential data and applications, and provide secure productivity and communications services."

Any enterprise that attempts to provide security to its remote location also needs to consider elements of a central management system.

Technology consolidation

"The two main approaches that can be taken in order to enhance branch-level security are technology consolidation and operation centralisation. Consolidating technology means that all branch offices would have the same standard of technical advancement. This is an important practice as it ensures the absence of a weak link in the enterprises' security systems.

"With the centralisation of operations, an organisation's policies, guidelines and practices come from the same central source. This ensures that policies are implemented and that security practices meet the business' global standards," says Diab.

He continues: "Combining consolidated protection with centralised management is security best practice, according to leading analysts and security experts. This combination is critical in order to proactively identify potential risks and stem loss of time and revenue. It also gives companies the greatest visibility into compliance status, while lowering costs by as much as 50 per cent compared to a point-product approach."

Importance of awareness

Symantec's Teksoz agrees on the importance of compliance, stating: "Compliance is a big factor in securing the branches. You want to make sure a laptop in a remote location is as secure and compliant with internal policies as the one in the headquarters. Additionally, you want to have a suite of solutions that can cover major entry points.

"If I am the CSO, I want to know what's going on in my company, everywhere, not only in the main office. If an attack is underway in one of my remote branches, I need to be able to get alerted and then mitigate that attack immediately."

True, today's technology options enable branch office security like never before, but enterprises should also know what they should be looking for in order to obtain the most from them.

"IT defences are being delivered most cost-effectively. As each year passes, smaller and lower-priced options appear for the smaller offices. Organisations need to ensure that they are buying defences from companies that have a range of pricing options to deliver a complete solution," says Hawthorn.

Solution-based approach

"Fundamentally, organisations should consider a solution-based approach that leverages industry-leading adaptive threat management technologies. All devices and sites must cooperate in rooting out sophisticated polymorphic threats that may attack multiple locations at the same time, or attacks that are sophisticated and fly below the radar of point security products.

"Such adaptive detection and threat management services should include critical elements such as signature and non-signature-based detection, granular access control, and security zoning policies, while ensuring that the organisation meets compliance criteria," says Abbas.

While Diab encourages the use of a central solution (to reduce costs as well as improve security) and UTM appliances across remote locations, he also advocates the need for enterprises to take the basic non-technology related processes seriously.

"Many of the major challenges faced by organisations trying to ensure branch security relate primarily to the visibility of the network and endpoint security, and the cost of applying the same level of security at branch offices. Branch offices can also make up for a smaller number of qualified personnel by deploying centrally managed security software," he says.

Educating staff

Diab continues, "It is vital that enterprises work to educate their staff regarding internet security threats and how they can be avoided, and should allocate resources to IT training in order to increase employees' knowledge of security threats and how to avoid them."

An appropriate mixture of technology, training and awareness can go a long way in improving security levels at enterprise branches, thereby adding strength to the firm's network. While there is no doubt that the future will bring with it increasing efforts to protect the distributed arms of an enterprise, the question remains whether this endeavour will happen sooner rather than later among Middle East enterprises.

Design right

Branch office security can be improved with some of these design recommendations:

1. A scalable routing design

2. Redundant links with no single point of failure. Head and regional offices have more than one connection to the public and private networks

3. Route summarisation should be performed whenever possible

4. Centralised management at the headquarters

5. Remote sites can be connected behind NAT (network address translation) devices

6. Reduced complexity of the configuration

7. Link-failure detection mechanisms need to be in place

8. UTM features and firewalls need to be enabled at branches

Courtesy: Juniper Networks
