
du Pay hits half a million app downloads and AED500m in transactions

  • Mission is to drive inclusion and support underserved communities with the tools they need to thrive in a digital economy.

The digital payment arm of Dubai-based telecom operator du – du Pay – has hit half a million downloads across iOS and Android platforms and facilitated half a billion dirhams in financial transactions.

This includes international money transfers, local transfers, bill payments, card transactions and peer-to-peer (P2P) transfers.

As part of its commitment to financial empowerment, du Pay also rolled out financial literacy initiatives across labour communities, aiming to increase awareness and access to digital financial tools. These efforts align with du Pay’s broader mission to drive inclusion and support underserved communities with the tools they need to thrive in a digital economy.

“Our first year has been incredibly rewarding and it highlights our commitment to transforming the digital payments landscape in the UAE. The milestones we achieved, from the half a million app downloads to joining forces with multiple partners have brought us closer to strengthening digital inclusion and financial empowerment in the UAE,” Fahad Al Hassawi, Chairman of du Pay, said.

According to data and analytics company GlobalData, UAE’s card payments market is set to surpass $150 billion in 2025, representing a 10.6 per cent growth rate.

The rising prominence of card payments is evident in the substantial 13.3 per cent growth observed in 2024, reaching AED511.4 billion ($139.3 billion). This growth can be attributed, in part, to initiatives such as the “Wage Protection System,” which mandates electronic wage payments through authorised financial institutions.

GlobalData projects a compound annual growth rate (CAGR) of 9.6 per cent between 2025 and 2029, leading to an estimated AED 814.7 billion ($221.8 billion) in card payments by 2029.

7 best practices for effective Machine Identity Management

  • As organisations are facing challenges with increasing complexities in the digital ecosystem, effective management of machine identity has become more compelling than ever.
  • Such investments not only protect key data but also boost business continuity, operational efficiency, and compliance, laying a solid foundation for today’s enterprise digital transformation initiatives in the face of numerous cyberthreats.

With the explosive growth in devices (servers and IoT) and applications, organisations need to implement Machine Identity Management (MIM) to mitigate risks and secure communications between entities. Compromised machine identity is responsible for most breaches. So, MIM must be in place to protect sensitive data and maintain system integrity.

Here are the seven MIM best practices.

  1. Enforce Strong Authentication Protocols: Strong authentication mechanisms are the crux of MIM. Reinforce them with multi-factor authentication (MFA) and cryptographic mechanisms such as RSA (2048-bit or higher), ECC, and quantum-resistant cryptography. Such an approach minimises unauthorised access. Establish policies for minimum key lengths and secure hashing algorithms.
  2. Centralise Certificate Management: Organisations must have a single system that deals with all machine identities through a specific certificate authority. This makes issuing, renewing, and revoking digital certificates smoother, increases security, and reduces administrative load.
  3. Automate Lifecycle Management for Identity: Automating lifecycle events, such as provisioning, updating, or decommissioning machine identities, plays a key role in the efficiency of machine identity management. It keeps human error at bay and ensures repeatable compliance with security policies.
  4. Conduct Regular Audits and Monitor Identities: Secure and maintain machine identities and their access rights through periodic audits. Use monitoring tools that provide visibility into identity usage, with real-time notifications of possible anomalies or unauthorised changes.
  5. Least Privilege Access Enforcement: A least privilege access model grants machines only those permissions that are necessary for their distinct functions. This reduces the attack surface and minimises the damage in the event of a security breach.
  6. Sensitise Staff: Employee awareness is extremely valuable in understanding the issues surrounding MIM. Encourage regular training on best practices, identified threats, compliance requirements, and the security culture needed within the organisation.
  7. Establish an Incident Response Protocol: An effective incident response plan for security breaches related to machine identities needs to be clearly set out. Organisations should clearly document detection, containment, and recovery, so that they can act quickly to mitigate any fallout.
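
The policy and audit checks in practices 1 to 4 can be run over a certificate inventory, as in the following added example (not part of the original article or of any vendor's tooling). Only the RSA 2048-bit floor comes from the text; the inventory records, the EC floor, the allowed hash list, the approved issuer name and the 30-day renewal window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values. The RSA floor is the one named in the article; every other
# value below is an assumption chosen for this example.
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}
APPROVED_ISSUER = "CN=Example Corp Issuing CA"  # hypothetical central CA
RENEW_BEFORE = timedelta(days=30)               # renewal window (assumption)


@dataclass(frozen=True)
class MachineIdentity:
    """One certificate record as a central inventory might export it."""
    name: str
    key_type: str
    key_bits: int
    sig_hash: str
    issuer: str
    not_after: datetime


def audit(identity, now):
    """Return the policy findings for one identity (empty list = compliant)."""
    findings = []
    floor = MIN_KEY_BITS.get(identity.key_type.upper())
    if floor is None:
        findings.append(f"key type {identity.key_type} not covered by policy")
    elif identity.key_bits < floor:
        findings.append(
            f"{identity.key_type} key of {identity.key_bits} bits is below {floor}")
    if identity.sig_hash.lower() not in ALLOWED_HASHES:
        findings.append(f"signature hash {identity.sig_hash} not allowed")
    if identity.issuer != APPROVED_ISSUER:
        findings.append("issued outside the central CA")
    if identity.not_after <= now:
        findings.append("expired")
    elif identity.not_after - now <= RENEW_BEFORE:
        findings.append("inside renewal window")
    return findings


def audit_inventory(inventory, now):
    """Map each non-compliant identity name to its list of findings."""
    report = {}
    for identity in inventory:
        findings = audit(identity, now)
        if findings:
            report[identity.name] = findings
    return report


# Constructed sample inventory and a fixed audit time, so results are repeatable.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    MachineIdentity("api-gw-01", "RSA", 4096, "sha256",
                    APPROVED_ISSUER, NOW + timedelta(days=200)),
    MachineIdentity("legacy-batch", "RSA", 1024, "sha1",
                    APPROVED_ISSUER, NOW + timedelta(days=400)),
    MachineIdentity("iot-sensor-17", "EC", 256, "sha256",
                    "CN=Vendor Default CA", NOW + timedelta(days=10)),
    MachineIdentity("build-agent-3", "RSA", 2048, "sha256",
                    APPROVED_ISSUER, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run on a schedule against the central inventory, the report doubles as the renewal queue for automated lifecycle tooling.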

As mobile device usage increases, so do the risks and threats associated with it. To overcome these challenges, an organisation must embrace integrated Mobile Device Management (MDM), which not only secures devices but also manages the identities associated with them. This intersection of MDM and MIM is critical to building strong security.

Incorporating MIM into an MDM strategy will strengthen security by ensuring that only fully authenticated devices can access corporate resources. The need for secure mobile access also grows as companies shift to cloud services and remote workspaces.

In this way, organisations will secure mobile devices, protect machine-to-machine communications, and support a Zero Trust approach to security through the embedding of MDM strategies into MIM.

Tips for implementation

1. Choose the Right Tools: Use MDM and MIM tools designed to work together, such as Microsoft Intune, Jamf, or Workspace ONE, with a certificate management tool like Venafi or DigiCert.

2. Think Automation: Reduce the human touch with automated workflows for certificate provisioning and renewal.

3. Policy Testing: Frequently test MDM policies to ensure that MIM works properly and does not interfere with business.

Examples of MIM

As organisations turn more and more towards automation and IoT, these entities will also have to be authenticated and authorised by machines on their own.

One of the major examples is the incorporation of Public Key Infrastructure (PKI) in organisations. PKI involves managing digital certificates that facilitate secure communications between machines. For example, a manufacturing facility uses PKI to authenticate various machines on the production line so that they can communicate securely while sharing sensitive operational data without interception.

Another example is M2M authentication within IoT ecosystems. Smart home devices, such as thermostats and security cameras, interact with each other and/or with cloud services so that they can operate as intended. By using MIM solutions that leverage OAuth 2.0 or similar protocols, these devices can make sure that only trusted machines are allowed to access or control their functionality. This not only heightens security but also improves the user’s trust in connected technologies.

Cloud service providers have showcased effective MIM. One such service is AWS IoT Core, which covers MIM by issuing different credentials to each device that connects to the platform. These credentials can be dynamically rotated and managed to ensure that devices can access cloud resources securely without exposing sensitive information. This level of management prevents impersonation attacks, in which attackers use compromised identities for unauthorised access.

Organisations have ushered in machine identity as a service (MIaaS), which helps organise and manage machine identities over disparate environments. For example, a financial institution may use a MIaaS platform for ATM identification, online banking servers, and mobile applications. This unified system makes it simpler for the financial institution to comply with regulatory requirements while enhancing its overall security posture.

Machine Identity Management certification

MIM certification programs have been launched by several organisations, catering to both technical professionals and executive leaders. The aim is to teach how to build strong machine identity programmes aligned with industry standards and regulatory requirements.

A MIM certification brings many advantages. For professionals, it improves their skill sets, making them more appealing in the job market and increasing their chances of a better salary. Organisations, on the other hand, ensure that their team members are well-trained in the latest security protocols, thus cutting the chances of identity-related vulnerabilities.

Seven key differences between HITRUST vs HIPAA

  • Though HITRUST and HIPAA both work to safeguard healthcare-related data, they differ in practice and scope of applicability.
  • Organisations that understand both will be in a better position to combine the strengths of the two frameworks into a broader and stronger information security strategy, covering legal compliance and tighter security for sensitive health information.

The protection and privacy of patient information have always been paramount in the healthcare compliance field. The major frameworks here include the Health Information Trust Alliance (HITRUST) and the Health Insurance Portability and Accountability Act (HIPAA). Ironically, while both have the same goal of protecting sensitive health information, they differ in many ways.

Below are seven crucial areas in which HITRUST and HIPAA differ:

  1. Purpose and Scope: HIPAA is a federal law that has protected the privacy and security of healthcare information since August 21, 1996. It sets standards for the electronic data interchange of health information and establishes the rights of patients over their data. In contrast, HITRUST, formed in 2007, is a certifiable framework that rolls up all compliance requirements, such as HIPAA, into one framework to which organisations handling sensitive health information can adhere. HITRUST is far broader than HIPAA and allows for additional standards and controls.
  2. Regulatory Compliance: HIPAA is enforced by the Department of Health and Human Services (HHS) of the federal government, which administers the implementation of the HIPAA laws along with other regulatory authorities and can apply penalties for non-compliance or violation of the laws. By contrast, HITRUST operates as a private organisation, and while it provides guidance and a certification process, it has little or no legal power in regulating compliance. Its certification is voluntary, but it can help you build trust with your clients and stakeholders.
  3. Certification: Under HITRUST, organisations have the option of certification to demonstrate their compliance with a broad range of security and privacy standards. This certification comprises a rigorous and detailed assessment of the organisation’s controls against the HITRUST Common Security Framework (CSF). HIPAA does not have a certification process, but requires compliance to be evidenced by audit evaluations and inspections administered by regulatory agencies.
  4. Complexity and Customisation: The HITRUST Common Security Framework is scalable and customisable so that it can accommodate organisations of any size or complexity. Because it merges several existing compliance requirements, it adapts to different operating environments. In contrast, HIPAA specifies more of a one-size-fits-all framework that may not serve the particular needs of each organisation equally.
  5. Control Requirements: The complete set of HITRUST controls includes many controls derived from legislative requirements, existing industry standards, and best practices. Certification against the HITRUST framework must fulfil these prescribed controls. HIPAA, by contrast, states privacy and security rules, but the law does not require such detailed controls and allows organisations discretion in how they determine compliance mechanisms.
  6. Global Applicability: HIPAA applies mainly to the business associates of covered entities within the borders of the US. HITRUST, however, has received recognition globally and thus can be applied to any organisation that is headquartered or doing business globally. This makes it very attractive to multinational enterprises facing a wide range of compliance issues, including those that relate to data protection and privacy regulations.
  7. Risk Management Focus: HITRUST advocates a risk-based approach to compliance, in which organisations conduct risk assessments and implement controls tailored to their threats and vulnerabilities. HIPAA has a risk management component, but it is prescriptive in a way that tends to get organisations to implement controls based more on compliance than on wide-ranging risk analysis.

HITRUST framework

The HITRUST framework contains elements of other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and the National Institute of Standards and Technology (NIST) Cyber Security Framework, among others. Because it bundles all of these into one set of requirements, it makes compliance easier for healthcare organisations.

One of the best features of the HITRUST framework is that it is flexible. Organisations can modify their control requirements based on their environments, risks, and business requirements.

This flexibility gives organisations of every size, from large hospitals to smaller practices and virtually everything in between, the ability to carry out effective information security practices without resource overload.

On top of this, HITRUST continues to develop further assessment frameworks and certification schemes that help organisations achieve compliance and improve their overall security measures. Such resources include guidance on risk assessments, security controls, and best practices to manage data privacy.

HITRUST requirements

To obtain HITRUST certification, organisations must undergo a thorough and rigorous assessment process. An initial self-assessment is followed by validation through audits performed by external assessors who are certified by HITRUST. The current security practices of the organisation are evaluated and measured against HITRUST CSF requirements. A good score in this assessment gives the organisation a HITRUST certification valid for two years, after which compliance efforts must be ongoing and self-assessments done yearly to sustain standards.

HITRUST does not stop at requiring that good security controls be established; it goes further and requires risk management and constant monitoring. Organisations are also required to review and update their security practices regularly to counter any new threats or vulnerabilities.

HIPAA framework

The Privacy Rule is the core of HIPAA and limits the disclosure and use of protected health information (PHI) in the absence of patient consent. This rule gives patients rights over their health information, such as accessing their records and requesting changes. It also encourages healthcare providers to implement strict safeguards that minimise the possibility of disclosing PHI, ensuring that patient information is disclosed only to those who are authorised and for legitimate purposes.

The HIPAA Security Rule resembles the Privacy Rule but deals with the protection of ePHI (electronic PHI). The rule specifies how technical, administrative, and physical safeguards ensure that hospitals, clinics, and other covered entities offer protection against unauthorised access to and data breaches of ePHI. The Security Rule bolsters the resilience of healthcare infrastructure in the face of an increasing threat from cyberattacks through risk assessments and the implementation of strong security measures.

In addition, HIPAA contains provisions for enforcement of the regulations. The Department of Health and Human Services has oversight authority and can impose penalties on entities that do not comply with HIPAA.

HIPAA requirements

HIPAA requires strict administrative, physical, and technical specifications from health care providers, health plans, and business associates to prevent unauthorised access, use, or disclosure of PHI.

HIPAA gives rights to patients in connection with their health information. These rights include being able to access one’s medical records, ask for corrections of inaccuracies, and obtain an accounting of disclosures made by the healthcare provider. This transparency fosters trust between patients and healthcare entities while encouraging individual responsibility in healthcare decision-making.

HIPAA also contains provisions for breach notifications. In case of data breaches that affect PHI, covered entities must notify affected individuals, the HHS Office of Civil Rights, and sometimes local media.

The role of MDM

As healthcare organisations move through the maze of HITRUST and HIPAA regulations, Master Data Management (MDM) gives structure to the organisation's information as a whole. Through effective data governance, access controls, and integrity measures, MDM can not only mitigate risks but also support organisations in attaining and maintaining compliance with regulatory obligations. In effect, leveraging MDM is an all-out strategy for healthcare organisations aiming to uphold the strictest possible measures for data security and patient privacy.

Remote lock and wipe

Remote lock and wipe capabilities are more than a technical enhancement for the organisation. They are an integral part of complying with both the HIPAA and HITRUST standards, because they enable healthcare organisations to mitigate risks related to mobile device security while preserving patient data integrity and the trust that is so vital in the healthcare system.

Such mechanisms assume increased importance in the face of advancing cyber threats and will continue to be so for securing health information in a digital era.

How can you build a honeypot to strengthen network security?

  • While honeypots come with some deployment and management challenges, their tangible benefits, ranging from improved threat-detection capabilities to enhanced incident response, provide compelling arguments for an organisation to build up its security framework.
  • Designed appropriately, a honeypot can serve as a vital ingredient in a holistic network security strategy, offering insights from which organisations can create anticipatory measures for the changing threat landscape.

In today’s digital age, the significance of network security cannot be overemphasised. Organisations are continually under siege by very sophisticated cyber threats, which require robust security procedures for protection. One innovative and effective way to strengthen network security is to deploy honeypots.

A honeypot is a computer system or program that purposefully presents itself to outsiders as vulnerable in order to entice attackers. By mimicking valuable assets, honeypots can help organisations discover, analyse, and mitigate security risks.

Understanding honeypots

Before discussing how to apply a honeypot, it helps to understand what it essentially is. Honeypots are systems that draw cybercriminals into their domain and act as decoys, luring them away from the real network. Such systems have four main functions:

  1. Deception: Honeypots impersonate legitimate target systems to engage attackers so that security teams can observe how they behave.
  2. Gathering Data: Honeypots capture a wealth of data from attacks: the strategies employed, the tools used and the weaknesses that could be exploited.
  3. Threat Intelligence: The data collected can be used for threat analysis, improving the overall security posture by educating teams on current trends in cybercrime.

Types of honeypots

  1. Low-Interaction Honeypots: These are simple systems that simulate only a small number of vulnerabilities. They require very few resources and are mostly easy to deploy. They provide only very basic interactions and are mainly used for collecting data about automated attacks.
  2. High-Interaction Honeypots: High-interaction honeypots are full operating systems and thus present a much more realistic environment to an intruder. These honeypots are resource-hungry and demand a lot of maintenance, but they give a much more in-depth understanding of sophisticated attack methodologies.
  3. Research Honeypots: These are primarily used by researchers and organisations interested in studying attack patterns and acquiring intelligence for academic or security research purposes.
  4. Production Honeypots: These honeypots are integrated into an organisation’s production environment to enhance security by baiting attackers and collecting attack data in real time.

Steps for building a honeypot

  1. Define Objectives: Organisations should clearly define the objective for which the honeypot will be deployed. Whether it is for research, threat analysis, or distraction, clear objectives will shape subsequent decisions.
  2. Choose a Type of Honeypot: Based on the objectives, decide whether to use a low- or high-interaction honeypot. This will influence the resources required and the level of detail in the attack data that can be gathered.
  3. Design the Environment: Control the environment where the honeypot will reside. Isolation is vital because it denies attackers the opportunity to use the honeypot as a route into the real network. This means placing the honeypot in a different VLAN, or using some virtualisation technology.
  4. Deployment: Once the environment is designed, it is time to deploy the honeypot. This typically involves configuring the operating system, applications, and vulnerabilities to draw specific types of attacks. Ensure that the honeypot has distinct characteristics that bring it into the sights of attackers.
  5. Monitoring and Data Collection: Put in place strong monitoring solutions that can capture and analyse the activities occurring in the honeypot. This may include packet-analysing tools, logging of user activities, recording interactions with the system, and so on.
  6. Analysis and Response: Data collected through honeypots must be continuously analysed to identify trends, emerging threats, and the methodologies by which attackers operate. This information is useful for strengthening the existing security measures in the actual network.
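
The deployment and monitoring steps above, shown for the low-interaction case as an added example (not from the original article): a decoy TCP listener that presents a banner, records what each client sends as structured events, and never interprets or echoes the input. The banner text, limits and the `probe` test client are constructed for the demo, and it binds to loopback; a real deployment would bind inside the isolated segment from step 3.

```python
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

BANNER = b"220 files.example.internal FTP service ready\r\n"  # constructed decoy banner
MAX_BYTES = 4096      # cap on captured input per connection (assumption)
READ_TIMEOUT = 5.0    # seconds before an idle connection is dropped (assumption)


class DecoyHandler(socketserver.BaseRequestHandler):
    """Send the banner, capture input up to the cap, then log and close."""

    def handle(self):
        conn = self.request
        conn.settimeout(READ_TIMEOUT)
        received = b""
        try:
            conn.sendall(BANNER)
            while len(received) < MAX_BYTES:
                chunk = conn.recv(MAX_BYTES - len(received))
                if not chunk:          # peer closed the connection
                    break
                received += chunk
        except OSError:                # timeouts and resets still get logged
            pass
        self.server.record(self.client_address, received)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, log_path=None):
        super().__init__(address, DecoyHandler)
        self.events = []
        self.log_path = log_path
        self._lock = threading.Lock()

    def record(self, peer, data):
        """Store one event; the payload is escaped so logs stay printable."""
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "bytes": len(data),
            "payload": data.decode("latin-1").encode("unicode_escape").decode("ascii"),
        }
        with self._lock:
            self.events.append(event)
            if self.log_path:          # JSON lines, ready for later analysis
                with open(self.log_path, "a", encoding="utf-8") as fh:
                    fh.write(json.dumps(event) + "\n")


def start_decoy(host="127.0.0.1", port=0, log_path=None):
    """Start the decoy in a background thread; port 0 picks a free port."""
    server = DecoyServer((host, port), log_path)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(address, data):
    """Constructed local client standing in for a scanner, for the demo only."""
    with socket.create_connection(address, timeout=2) as sock:
        banner = sock.recv(1024)
        sock.sendall(data)
    return banner


def demo():
    """Run one probe against a local decoy and return (banner, events)."""
    server = start_decoy()
    try:
        banner = probe(server.server_address, b"USER admin\r\n")
        deadline = time.time() + 3
        while not server.events and time.time() < deadline:
            time.sleep(0.05)
        return banner, list(server.events)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Because nothing legitimate should ever connect to the decoy, every recorded event is worth an alert, and the JSON-lines log feeds the analysis in step 6.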

Advantages of deploying a honeypot

  1. Improved Detection: Honeypots may be able to detect threats that currently go unnoticed by traditional detection systems, giving organisations advance warning of impending infiltrations.
  2. Enhanced Incident Response: Organisations gain intelligence about how attackers behave, allowing them to develop responses that are specific to the attacks and to strengthen real systems against them.
  3. Economical Security Strategy: The cost of honeypot technologies will be lower than that of more advanced traditional security solutions, and they still return actionable intelligence.
  4. Training Security Teams: Exposure to real attacker methodologies allows security teams to deepen their working knowledge of threats and improve their response preparedness through practice.

Importance of MDM

Mobile devices are increasingly responsible for business activity, necessitating MDM for data security and compliance purposes. One safe strategy is to place a honeypot alongside the MDM for additional security.

Getting the maximum effect from a honeypot requires MDM integration. MDM solutions manage mobile devices and make sure that they are all enrolled, configured, and secured.

Thus, the honeypot should be treated as a separate device within the MDM, so that it can be monitored and controlled through centralised MDM dashboards. This helps analyse traffic and alerts generated by the honeypot against the information from other managed devices.

After the installation of honeypots and MDM, the next essential step is continuous monitoring to glean insights that can be fed into the overall security strategy or used to improve MDM configurations to better safeguard actual devices.

A final consideration is that creating a honeypot is not a one-time job. Keeping up with the evolving threat landscape requires consistent re-examination and renewal.

Thus, to keep up with attackers’ new methods, the honeypot design and MDM policies must be modified and adapted.

How Identity-as-a-Service transforms mobile management?

  • By offering centralised and secured frameworks to manage identities, IDaaS gives organisations the tools necessary to handle very difficult MDM situations.
  • IDaaS and a mobile device management tool together provide an environment that is agile yet secure.
  • IDaaS will become one of the most important foundations for effective and secure mobile device management in a workspace where mobile devices take centre stage.

In the age of digitalisation and cloud technology, enterprises increasingly recognise the need to manage identities seamlessly, especially in the scope of mobile device management (MDM). Mobile devices now do more than communicate. They have become extensions of a person’s digital self, where work, communication, and even social interaction take place.

Thus, the management of these devices requires even stronger frameworks for security, user accessibility and operational efficiency. This is where Identity-as-a-Service comes in, helping organisations make mobile device management simpler, more secure, and user-friendly.

What is IDaaS?

Identity-as-a-Service (IDaaS) is a cloud-based service that manages user identities and provides application and system access based on those identities. IDaaS solutions can manage specific identity functions, including authentication, provisioning, and identity management, through a mix of single sign-on (SSO), multi-factor authentication (MFA), and federation services.

Organisations can scale their identity management capabilities rapidly through cloud infrastructure while reducing their operational risks and costs, without the need to purchase and maintain on-premise hardware and software.

Bridging IDaaS with MDM

MDM and IDaaS come together to form an integrated framework for managing user identities in conjunction with the mobile devices those users rely on. This linkage ensures that the correct users have access to the required resources at the appropriate time. IDaaS facilitates MDM by simplifying processes in several ways:

  1. Centralised Access Control: This is one of the major advantages of having IDaaS. It allows organisations to synchronise all aspects of identity within a single platform. Centralised access enables IT admins to provision new users, revoke access whenever needed, and manage roles and permissions across a wide variety of devices and applications. Centralised control also minimises unauthorised access and enforces policies across all mobile platforms for better security.
  2. Improved Safety: Mobile devices are always susceptible to security breaches, primarily when employees connect to a company’s server through a mobile device. IDaaS increases security here through multi-factor authentication and other security mechanisms that validate a user's identity beyond username and password confirmation.
  3. Onboarding and Offboarding: Bringing a person on board requires giving that person access to the applications needed for work, with accounts opened and roles assigned; when an employee leaves the organisation, their accounts must be deactivated immediately. IDaaS automates these workflows to immediately deactivate an account, improve efficiency through minimal downtime, and enforce tighter security measures.
  4. User Experience Enrichment: One challenge in MDM is the variety of log-ons for an assortment of apps and systems. IDaaS improves the user experience by letting the user authenticate once to access any number of authorised applications across devices through a streamlined single sign-on. Beyond simplicity for users, this also motivates them to comply with the prescribed security protocols.
  5. Compliance with Regulations and Reporting: Integrating IDaaS into MDM can help an organisation comply with standards in more than one area. By keeping a verified database of user access and identity attributes, organisations can monitor and report user activity, both of which may be required in compliance audits and under federal data protection acts such as GDPR and HIPAA. This type of compliance contributes to risk management and demonstrates accountability to stakeholders.
  6. Management of Devices and Applications: IDaaS facilities can also handle mobile policy management for the applications installed on mobile devices. For example, the IT department can apply data encryption and make it a requirement from any remote location, before whitelisting all software that is supposed to be installed on company devices. These measures improve security to a large extent within the organisation and help it comply with corporate governance regulations.

IDaaS providers

The IDaaS market is highly fragmented, with several providers each adopting a unique approach and tailoring special features and integrations to different businesses. Some of the most prominent names in this field are Okta, Microsoft Azure Active Directory, and Auth0. These providers focus on either large enterprises or small businesses and offer extensive third-party application integrations.

UAE card payments to grow by 10.6% to $150b in 2025

  • Shift is primarily driven by increasing consumer preference for digital transactions, robust government support for financial inclusion and comprehensive digital transformation efforts across various sectors

The United Arab Emirates (UAE) is undergoing a significant financial transformation, marked by a strong push towards a cashless economy. Data and analytics company GlobalData projects UAE’s card payments market to surpass $150 billion in 2025, representing a 10.6 per cent growth rate.

The shift is primarily driven by increasing consumer preference for digital transactions, robust government support for financial inclusion and comprehensive digital transformation efforts across various sectors.

The rising prominence of card payments is evident in the substantial 13.3 per cent growth observed in 2024, reaching AED511.4 billion ($139.3 billion). This growth can be attributed, in part, to initiatives such as the “Wage Protection System,” which mandates electronic wage payments through authorised financial institutions.

This system not only increases financial inclusion by bringing more individuals into the formal banking system but also fosters demand for banking and payment products like debit and credit cards.

Dubai Cashless Strategy

Further solidifying the move towards a cashless society is the Dubai Cashless Strategy, launched in October 2024 with the ambitious goal of achieving 90 per cent cashless transactions in Dubai by 2026.

The strategy aims to broaden the adoption of digital payment solutions across both government and private sectors through innovative technologies, including artificial intelligence and contactless payment methods.

Moreover, the Financial Infrastructure Transformation (FIT) Program and the expansion of Point-of-Sale (POS) infrastructure, including the proliferation of cost-effective mobile POS terminals for SMEs, are crucial components supporting this transition, Ravi Sharma, Lead Banking and Payments Analyst at GlobalData, said.

While the forecast for continued growth in card payments is optimistic, the report also acknowledges potential challenges. The current global economic uncertainty, stemming from factors like new US tariffs, could potentially impact the UAE’s overall economic growth and, consequently, slow down the pace of expansion in the card payments market.

Despite this potential headwind, Sharma said the underlying trend remains positive, with GlobalData projecting a compound annual growth rate (CAGR) of 9.6 per cent between 2025 and 2029, leading to an estimated AED 814.7 billion ($221.8 billion) in card payments by 2029.

The projection underscores the UAE’s commitment to fostering a digital economy and its potential to become a leader in cashless transactions within the region.