In an interview with Bank Info Security, Dr. Jassim Haji – director of IT and Security at early cloud-adopters Gulf Air – speaks about defense mechanisms in protecting data, best data practices for security and governance controls, and bridging the cloud security skills gap in the region.
With aviation being quite a unique area in its tight security requirements, choosing and perfecting the right solutions is key. “Every security control impacts operations and sales, the core business in this industry.” As such, tasks can include securing traffic between aircraft and on-ground infrastructure, securing passenger data in transit and in storage, and compliance with regional and airline-specific regulations.
Addressing these challenges required a multi-faceted strategy with steps including:
- implementation of a mobile device management strategy
- implementation of the right security tunnel between the aircraft and the data center
- implementation based on PCI DSS compliance
With only a recent cloud deployment, a unique strategy was required to deal with the aviation industry’s challenges. Due to legacy applications – common in the aviation industry but not necessarily compatible with cloud technology – Gulf Air adopted a hybrid cloud and created a split between critical applications stored on the private cloud but connected to the public cloud through advanced security and connectivity.
One defense mechanism was moving from a network-centric approach to a more data-specific approach. “Controls are [now] implemented … like controls on a Word file, ensuring the file can only be read and not forwarded or printed.” The remote access that cloud computing requires also meant moving away from traditional ‘perimeter defense’ strategies towards protecting data ‘in transit’.
Dr. Haji also covers best practice in the industry, suggesting “A phased approach to … best practices.” A first step towards this would be to make a checklist:
- Know your critical and sensitive data
- Classify data and services to be moved to the cloud
- Perform risk management on moving the data and services to the cloud
- Identify the regional and industry compliance regulations
- Involve top management in the decision to move to the cloud
This should be followed by selecting the right cloud service provider – one that can meet your stringent requirements. Finally, have your security teams put through third-party audits and qualify for security certification such as ISO 27001:2013. Once this has been achieved, periodic monitoring of the security of the services provided should be carried out to ensure continued compliance.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”