Audit , CISO Trainings , Governance & Risk Management
Aviation: Cloud Security ChallengesGulf Air's Haji on Protecting Data in the Cloud
The Middle East region increasingly sees industries embracing cloud computing. Among the early adopters: Bahrain-based Gulf Air, the aviation group, which deployed a hybrid cloud model to host its mission-critical and legacy applications.
See Also: Webinar | How the SASE Architecture Enables Remote Work
Dr. Jassim Haji, director of IT and Security, Gulf Air, says the aviation sector has unique security requirements that impact financial information, trade secrets and customer data.
"The key challenge has been securing passenger information through mobility and maintaining compliance against the required regional and industry regulations," he says.
Haji has employed a three-pronged approach to secure data in the cloud by placing tight controls and critical parameters on selecting the cloud service provider.
In an exclusive interview with Information Security Media Group at the GISEC event in Dubai, Haji discusses how to handle security needs with new risk management protocols. He also shares insights on:
- Defense mechanism in protecting data;
- Best data practices for security and governance controls;
- Bridging the cloud security skills gap.
Haji began his career with Sprint Telecommunications in London before joining Gulf Air in 1985 as a network engineer, and moved to Sabre - an airline IT Solutions Company - to which Gulf Air outsourced its IT services. Moving to EDS, another American IT solutions company, when Gulf Air moved its outsourcing services, he grew within the ranks to become its executive director. When Gulf Air brought its IT services back in-house, Haji returned, becoming head of information technology infrastructure in 2008.
Aviation Security Challenges
GEETHA NANDIKOTKUR: What are the security challenges of the aviation sector? As IT and security head of Gulf Air, what are your constraints?
Dr. JASSIM HAJI: Aviation is quite unique in its security requirements, as it covers many security facets like security of financial information, trade secrets, customers' personal information and staff information, all directly affecting the financial and reputational assets of airlines and rigorous regulatory compliance requirements. Every security control impacts operations and sales, the core business in this industry.
Therefore, choosing the right solution and approach is always key.
Another key element nowadays is securing passenger information through mobility and maintaining compliance against required regional and industry regulations. Besides, specific tasks include:
- Securing traffic between aircraft and on-ground infrastructure;
- Securing passenger data in transit and in storage;
- Compliance with regional and airline specific regulations.
Response to Challenges
NANDIKOTKUR: How have you addressed these challenges?
HAJI: The team uses a multi-pronged strategy. Some steps we follow include:
- Implementing a mobile device management strategy on the company's direction;
- Implementing the right security tunnel between aircraft and data center alongside mobile device management;
- Implementing required security measures and controls based on PCI DSS compliance.
Cloud Security Challenges
NANDIKOTKUR: You deployed a cloud framework recently. What is your strategy to protect data in a cloud environment? How do you see cloud adoption in this sector?
HAJI: While cloud is gaining momentum, penetration of public cloud is not common in the airline industry, because some critical airline information systems comprise cloud-unfriendly legacy applications. Therefore, Gulf Air adapted a hybrid (private and public) cloud where critical (and legacy) applications are hosted on a Gulf Air on-premises private cloud connected to the public cloud through advanced security and connectivity.
As a defense mechanism to protect data, the approach is to move from network-centric approach to a data-specific approach, where the controls are implemented more on the data along the perimeter. Thus, data protection is ensured on the data itself - like controls on a word file ensuring the file can only be read, not forwarded or printed. This greatly enhances data security.
Earlier, most organizations concentrated their IT security efforts on perimeter defense - resources were largely channeled toward blocking threats before they could enter the network. However, the evolution of cloud environment and the need for accessing them remotely on untrusted network have necessitated data security that protects data in motion and stored data. Therefore, we decided to implement the right management solutions and data loss prevention systems on our private cloud.
Best Security Practices
NANDIKOTKUR: Can you provide insights into the best data security practices and governance controls for a cloud environment?
HAJI: I'd suggest a phased approach to rope in the best practices. As a first step, security teams must make a checklist:
- Know your critical and sensitive data;
- Classify data and services to be moved to cloud;
- Perform risk management on moving the data and services to cloud;
- Identify the regional and industry compliance regulations;
- Involve top management in the decision to move to cloud.
The second step is to select the cloud service provider based on the data classification, risk management, compliance requirements and availability requirements. Identify the controls implemented by the cloud service provider and ensure the completeness and adequacy of the controls implemented by adding security clauses in the contract with detailed roles and responsibilities.
As a third step, security teams should implement third=party audits (like SOC1 and SOC2) and security certifications like ISO 27001-2013, PCI-DSS and CSA-CCM - good starting points to monitor the completeness and effectiveness. Periodic monitoring of the security of the cloud services is critical.
NANDIKOTKUR: Are there sufficient skills sets to handle threats arising from cloud computing? Do you have a plan for building capacity?
HAJI: Yes, finding the right security personnel is a challenge for some organizations. We bridge the gap by clearly defining a set of requirements for security personnel in their job descriptions, including experience requirements and educational certifications. On-the-job training keeps them abreast of the latest cloud security trends and risks. We encourage self-study and attending security conferences and seminars.