BUSINESS: du provides fixed-line and mobile communications services to more than seven million customers in the United Arab Emirates.
SIZE: 2,000+ employees
BUSINESS CHALLENGE: Managing security across its complex network was time-consuming and costly for du. More importantly, manual certification processes were causing delays in bringing new revenue-generating services to market.
SOLUTIONS:
- Qualys Private Cloud Platform
- Qualys PC
- Qualys VM
- Qualys WAS
WHY THEY CHOSE QUALYS:
- Provides a clear picture of vulnerabilities across a complex infrastructure
- Reduces by 80% the cost of configuration audits and frees up time
- Cuts time to market for new services by 80% through automation
- Improves security postures throughout rapid expansion of network and client services
du Uses Continuous Security Monitoring to Reduce Auditing Costs by 80% and Accelerate the Launch of New Services
To protect a national mobile, fixed-line and IPTV network, and provide managed security services to clients, du deployed a comprehensive vulnerability scanning solution to help ensure that its infrastructure is patched, compliant with internal policies and international security standards, free from security vulnerabilities and protected against web-borne threats.
Based in Dubai, The Emirates Integrated Telecommunications Company (du) offers mobile and fixed telephony, broadband connectivity, IPTV and managed services to consumers and businesses all over the United Arab Emirates. The company employs 2,000 people and also provides carrier services, a data hub, internet exchange facilities and satellite services for broadcasters, generating annual revenues of more than AED 10 billion (USD 2.7 billion).
More than 70 full-time, highly skilled security professionals at du run a 24/7 cyber security centre that analyses 2 billion network events daily across more than 10,000 network switches/routers and 3,000 servers. These run many different operating systems, including proprietary telecoms and network systems from vendors such as Cisco, Juniper, Alcatel-Lucent and Huawei.
Speaking at the Qualys Security Conference (QSC15) in Dubai, Roshan Daluwakgoda, Senior Director of Managed Services at du, explains the scale of the security challenge: “We have an enormous, complex and highly diverse landscape, encompassing our own IT and telecoms infrastructure as well as the last-mile network infrastructure for many customers. Within this landscape, we run mobile and voice services, broadband, IPTV, hosted private branch exchange (PBX) phone lines and hosted web services for personal and business customers. Clearly, we must defend our own infrastructure to ensure continuity of service, but we must also protect our customers’ networks against DDoS, web-borne attacks, enterprise PBX hacking and so on. If a customer network becomes compromised, there is a secondary threat to many other services.”
“Automated compliance and vulnerability scanning through the Qualys Private Cloud Platform have helped us to improve our time to market capabilities by 80 percent by ensuring all security compliances are addressed in a timely fashion. This is strategically very important, because one of our primary KPIs is to achieve time to market with compliance.”
Roshan Daluwakgoda, Senior Director, Managed Services, du
Dynamic Threat Profile
Without a single, comprehensive solution for security vulnerability scanning and policy compliance, du was committing significant amounts of time, energy and money to manual exercises to understand how threat agents probe, scan and compromise the security of networks. du's security team frequently relied on internal and external resources to scan different elements of the infrastructure or to carry out compliance validation and manual configuration audits on selected technical platforms.
“In addition to being diverse, our infrastructure is also very dynamic, and constantly evolving,” says Daluwakgoda. “Combined with constant evolution in the external threat landscape, this means that security targets are always moving. Traditional manual auditing and configuration review approaches were becoming increasingly unsustainable and unable to provide an overall picture of vulnerabilities.”
To find a cloud platform for running vulnerability scanning and enforcing policy compliance, du ran an evaluation of the leading global security software vendors.
“We ran a full proof of concept for the three leading contenders and estimated the three-year TCO,” recalls Daluwakgoda. “On factors such as completeness of security vulnerability IDs, false-positive rates, reporting capabilities and multi-tenancy capabilities, we found the Qualys Private Cloud Platform to be technically superior. Also impressive were the workflow capabilities: we planned to run scans in our central security team, then assign the remediation tasks to multiple different operational teams, so it was important to be able to track this work to completion. Finally, the Qualys Private Cloud Platform not only ensured that we could keep all data within national borders, which is an important consideration for many of our corporate clients, but also delivered state-of-the-art data protection by natively employing strong encryption both for data at rest and data in transit.”
The fact that the Qualys offering runs entirely in the cloud, with no local physical infrastructure, was also a plus point for du. The company planned to package, productize and launch its own managed vulnerability scanning service, offering the benefits of the Qualys platform, but fully configured and operated by du’s managed security services personnel from its 24/7 security operations centre in Dubai.
“The Qualys solution was extremely attractive in both technical and commercial terms, even before we considered the potential of offering it as a paid product to our customers,” says Daluwakgoda. “The modular nature of the solution fitted with our deployment plans, enabling us to start with the Vulnerability Management solution and then add further modules as required.”
Establishing Comprehensive Protection
du initially implemented Qualys’ Vulnerability Management (VM) solution for 2,000 IP addresses, then added Policy Compliance (PC) and Web Application Scanning (WAS) solutions. As its virtual server landscape continues to grow rapidly, the company expects to add a further 10,000 IP addresses in the near future.
Using Qualys VM, du runs a combination of weekly and monthly infrastructure scans. These generate both a top-level dashboard for executive management, showing them the overall security posture, and more detailed reports for technical teams in IT operations and network operations. The central security team at du uses workflows in Qualys VM to track the remediation of identified vulnerabilities by the operational teams.
For policy compliance, du created a number of security blueprints based on NIST and CIS standards, and mapped these to templates in Qualys PC. Using these templates to scan network resources effectively replaces the previous manual configuration audit, ensuring compliance and saving time and money. Daluwakgoda states: “The removal of manual work also frees up skilled security staff to focus on other tasks such as penetration testing.”
du uses Qualys WAS for both its own environments and customer environments, typically scanning twice weekly. Qualys WAS is also an integral part of the company’s security lifecycle management process. “The checklist for launching any new platform now includes integration with the Qualys Private Cloud Platform for VM and PC,” comments Daluwakgoda. “This helps us to achieve security certification much faster—which is one of our KPIs in the security team—and helps ensure shorter time to market for new service offerings.”
Enabling New Revenue Streams
The Qualys Private Cloud Platform is at the heart of a new offer from du: hosted private cloud as a service, with integrated security assurance to meet the Cloud Security Alliance (CSA) standards. This offering is built on the Cisco FlexPod “cloud in a box” architecture: an integrated computing, networking and storage solution based on Cisco UCS servers, Cisco Nexus switches, VMware virtualization and NetApp storage systems.
“Rather than just providing a basic Cisco FlexPod solution to our customers, we use the Qualys Private Cloud Platform together with other security controls to provide multiple layers of defence: load balancing, layer-7 content filtering, DDoS protection, intrusion prevention, firewall security, security monitoring, vulnerability management, policy compliance and web application scanning,” says Daluwakgoda.
To benchmark this new offering against the CSA Cloud Controls Matrix (CCM) standard, du took each layer of the stack—automation and orchestration layer, hypervisor, operating system, network layer, security layer, storage and so on—and created a policy compliance template in Qualys PC. It then set up automated, scheduled Qualys VM and WAS scanning to cover all the different technologies. “The Qualys Private Cloud Platform powers a dashboard view that enables us to understand the security level, in terms of CSA CCM standards, of the complete private cloud stack,” says Daluwakgoda. “At this time, the CSA is still defining the standards, but we understand that the top level—CSA STAR Continuous Monitoring—will depend on the use of automated tools to generate CCM standards and publish those to the customer. We are already doing this today, and so we expect to achieve the CSA STAR Level 3 certification.”
Cost Savings and Speed to Market
By dramatically reducing the time taken to validate security compliance at du, the Qualys Private Cloud Platform enables the company to focus resources on mitigating vulnerabilities rather than discovering them. “We can now spend more time protecting the network precisely because we no longer need to spend so much time finding the vulnerabilities,” says Daluwakgoda. “Manual effort has been drastically reduced, and we are saving perhaps 80% of our previous annual audit cost thanks to automated policy compliance.”
Beyond improved security—and the enhanced ability to demonstrate compliance to internal and external auditors—du can now bring new products and services to market much faster than before. “Automated compliance and vulnerability scanning through the Qualys Private Cloud Platform have helped us to improve our time to market capabilities by 80 percent by ensuring all security compliances are addressed in a timely fashion,” says Daluwakgoda. “This is strategically very important, because one of our primary KPIs is to achieve time to market with compliance.”
Not only does the Qualys Private Cloud Platform improve security and reduce costs at du, but also it is a source of new revenues: the company uses it to offer fully managed or self-service security services to customers. “Because we chose Qualys Private Cloud Platform, all data resides in the UAE, which is very important for our corporate customers,” says Daluwakgoda. “The ability to offer fully integrated vulnerability management, policy compliance and web application scanning services within any of our service offerings is a major competitive differentiator. Customers can get everything they need from us, packaged with state-of-the-art scanning and policy compliance services, for a single monthly fee.”