Etisalat Secures Growth

This international telecommunications and Internet services provider is rapidly expanding, and it needed to optimize its IT infrastructure security and risk management program to continue to support the business.

For more than 30 years, Etisalat has provided telecommunications services from its headquarters in the United Arab Emirates, and it continues its development and growth. In 2007, Etisalat reported annual Net Revenues of US $5,815 billion. Today, Etisalat operates throughout sixteen markets in the Middle East, Africa, and Asia.

During its three decades in business, Etisalat has provided innovative and reliable services through its state-of-the-art telecom infrastructure. Consider the penetration of its mobile phone service: its growth exceeded 152 percent last November and its internet and broadband services surpassed 60 percent.

To support its vast array of communication services - which include specialized e-Government offerings, traditional e-mail, hosting, and domain name systems (DNS) management services - requires hundreds of applications, a healthy mix of operating systems, and an extensive array of network segments all supported by roughly 120 operational engineers and an IT security team. "Keeping this modern telecom infrastructure secure is paramount for us," says Yaser Khamis Haggag, manager of security performance, security operations, and maintenance for Etisalat's Internet operations. Another important goal he sought was a way to address more effectively its required Payment Card Industry Data Security Standard (PCI DSS) compliance for the company's payment gateways.

Facing the Challenges of Implementing a Continuous Risk Management Program

The need to optimize the security program is especially vital, considering Etisalat’s recent and projected expansion. For years, Etisalat’s security teams relied heavily on open source security tools to identify vulnerabilities, as well as many of the benchmarking tools and checklists provided by The SANS Institute and The CERT Coordination Center, in addition to customized checklists to help them quantify and manage their IT risks.

"Etisalat also installed all of the basic technological defenses one would expect: anti-malware, firewalls, intrusion prevention systems, and good access controls," explains Haggag. To ensure those systems ran securely, he and his team periodically would conduct manual auditing of all the company's applications and operating systems, while an in-house penetration team would conduct ongoing assessments of all of their Internet-facing services, such as those that support e-government, e-commerce services, and credit card payment gateways.

"When you are a provider of critical telecommunication services, your security needs to be world class," says Haggag. To get there, he knew he needed to automate as much of the network discovery, security assessments, and remediation activities as possible. "No matter how big your company you'll always have resource constraints. It's not only difficult finding qualified auditors, but the infrastructure is always expanding as the business needs to add more services and new technologies. You need a way to help you keep up," he explains.

To stay ahead of any risks that could arise, Haggag wanted a way to make sure he could delegate and track vulnerability assessments performed by each independent operational group, such as those that manage mail servers, DNS servers, Web hosting infrastructure, e-government, and payment services. "Manually tracking who was assessing what assets, when they were last assessed, and how the remediation processes were proceeding, was very time consuming," he says.

Qualys: Do More with Existing Resources

Etisalat selected Qualys, thus enabling the IT security team to automate and streamline control of its entire vulnerability management life cycle - from networked asset discovery to vulnerability assessments to tracking security fixes - and to demonstrate PCI DSS compliance more easily. Without requiring any servers or software to deploy and manage, Qualys was installed quickly and enabled Etisalat to reduce its risks rapidly and combine many aspects of its security and regulatory compliance management into a single platform.

"It's no exaggeration to say that Qualys saves me weeks out of the year," says Haggag. "Qualys is essentially a point and click service. If we needed to add a large block of IP addresses, we could be ready to audit that group in much less than an hour," he adds. Haggag immediately started using Qualys to evaluate roughly 600 separate IP-connected devices; and using Qualys’ ability to group devices into business groups, he categorized each of Etisalat's operational teams so that each group's infrastructure could be scheduled, assessed, and mapped, and remediative actions tracked independently. "I now can generate reports and show management how each IT team is progressing, and management can understand quickly what level of resources is needed to keep the infrastructure well managed," he says.

Today, because of Qualys’ ability to provide automation and manage IT assets in correlation with their business use, Haggag and the security team has much more control over Etisalat's vulnerability and risk management program. "We now have schedules that operation teams must adhere to, and remediation tickets can be established, based on asset values and vulnerability risks. And they can be tracked from inception through validation, with all actions fully audited. Additionally, each business group can evaluate its systems whenever there is a change, such as the addition of a new server, for optimal security, despite network growth.

In addition, Qualys’ accuracy compared to the open source solutions Etisalat previously used reduce false positives dramatically, and its detail reports all work together to help Etisalat do more with less. "There is no doubt because of its ease of use and management, accuray, and automation, Qualys lets us do more assessments, reach more IP addresses, and quickly fix any vulnerabilities that arise," he says.

When it came to regulatory compliance, Qualys has helped Etisalat manage all of its payment gateways that fall under PCI DSS, which mandates that all systems that touch the payment process and related data must be held to struct levels of security. Merchants and service providers that fail to comply face steep fines, and even could lose their privilege to process credit card transactions altogether. "When it comes to PCI, Qualys provides us the only report our departments need to send to other banks that link to us. When they see the Qualys reports and our certification, everyone is reassured that our security and compliance levels are high," he says.

In a matter of months, the deployment of Qualys has helped Etisalat improve its security operations - through automation, accuracy, insightful reporting, and ability to manage many IT operations teams, which all has helped Haggag and his team move away from a hodgepodge of security tools to more centralized control over its security and vulnerability management efforts.

"We need to be secure and avilable to our customers; that's our reputation. And because our infrastructure is expanding, scalability of our security program becomes a challenge. Qualys has helped us manage our way through all of those challenges."