Specifics of IT security in Mongolia

I want to address this post to my IT colleagues. In recent years, in all my IT trainings, I have tried to draw attention to the lopsided approach to IT security in our country. In my opinion, most of us try to embrace as many new IT technologies as possible without understanding even the basic classic concepts. Almost all new solutions ignore security aspects and sacrifice them for functionality. For example, I don’t know of any homegrown business solution that supports Microsoft Active Directory integration; each solution uses its own database user list, with no Windows logins (at least as an option if requested). Without this, it is too problematic and expensive:

  1. for real system integration (not only the bare hardware system integration suggested by mainstream players in Mongolia). It is commonplace for each employee to be forced to remember and change multiple passwords for multiple IT systems. Each solution becomes stand-alone, with its own list of users/passwords and its own security settings, and there is no single strong enterprise-wide security.
  2. to improve/guarantee the existence of security. Any SQL authentication used in Mongolia is based on passwords, and no such system (except Vasco in Mongolian banks) supports two-factor or multi-factor authentication. This is especially true and relevant for state organizations (for example MTA with their so-called “digital signature keys”), where IT traditionally mostly cares only about the edge perimeter. When it has become so easy to capture and steal any strong password using software/hardware keyloggers, it is very unwise to trust and build all of one’s own systems on password-only platforms.

I just want to bring this problem up for discussion and more research. I’m very confused that each time an IT security forum happens in UB, it later ends up as just a promotion of ready-made solutions from Fortigate, Cisco, Kaspersky for lazy IT engineers or, better to say, IT managers or decision makers. Yes, it’s easier and cheaper than investing in higher competence of our own national IT resources. Surely all these products are very relevant and in demand, but on the one hand security is exaggerated just to push purchases, and at the same time it is oversimplified, leaving sysadmins without proper skills, experience and awareness of all the problems. The basic concepts of IT security for business and state are distorted, I don’t know whether deliberately or not. The other problem is that our developers, sysadmins and IT managers don’t even understand that they should integrate their own solutions with LDAP or, for example, Microsoft Active Directory and so on. Nobody demands it from them. Why do I talk so much about Microsoft Active Directory? Because more than 95 percent of Mongolian companies and state organizations are based on the Windows platform.