Cloud Security in the Gulf
The Middle East is increasingly adopting cloud computing, and this is creating new security challenges that are being met with new risk management practices. In the aviation industry in particular, a key challenge has been securing passenger information across mobile devices and remote access while still maintaining all-important compliance with the required regional and industry regulations.
In an interview with Bank Info Security, Dr. Jassim Haji – director of IT and Security at early cloud-adopters Gulf Air – speaks about defense mechanisms in protecting data, best data practices for security and governance controls, and bridging the cloud security skills gap in the region.
With aviation being quite a unique area in its tight security requirements, choosing and perfecting the right solutions is key. “Every security control impacts operations and sales, the core business in this industry.” As such, tasks can include securing traffic between aircraft and on-ground infrastructure, securing passenger data in transit and in storage, and compliance with regional and airline-specific regulations.
Addressing these challenges required a multi-faceted strategy with steps including:

  • implementation of a mobile device management strategy
  • implementation of the right security tunnel between the aircraft and the data center
  • implementation based on PCI DSS compliance

With only a recent cloud deployment, a unique strategy was required to deal with the aviation industry’s challenges. Due to legacy applications – common in the aviation industry but not necessarily compatible with cloud technology – Gulf Air adopted a hybrid cloud and created a split between critical applications stored on the private cloud but connected to the public cloud through advanced security and connectivity.
One defense mechanism was moving from a network-centric approach to a more data-specific approach. “Controls are [now] implemented … like controls on a Word file, ensuring the file can only be read and not forwarded or printed.” Because cloud computing brings remote access requirements, this also required a move away from traditional ‘perimeter defense’ strategies towards protecting data ‘in transit’.
Dr. Haji also covers best practice in the industry, suggesting “A phased approach to … best practices.” A first step towards this would be to make a checklist:

  • Know your critical and sensitive data
  • Classify data and services to be moved to the cloud
  • Perform risk management on moving the data and services to the cloud
  • Identify the regional and industry compliance regulations
  • Involve top management in the decision to move to the cloud

This should be followed by selecting the right cloud service provider – one that can meet your stringent requirements. Finally, have your security teams put through third-party audits and qualify for a security certification such as ISO 27001:2013. Once this has been achieved, it is important to carry out periodic monitoring of the security of the services provided to ensure continued compliance.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”