I capture the castle
Jamie Bodley-Scott
Mediaeval castle architects with their concentric, multi-layered
approach can help CIOs protect key applications and business critical
systems.
If we compare the evolution of infosecurity with history, how
far have we come? I believe that we're somewhere shortly after the
Norman Conquest; in other words, mediaeval.
Take Harlech Castle in North Wales. Harlech was one of the Iron
Ring of castles built by King Edward I to quell Welsh resistance
and prevent future insurrection. Its design and location are testament
to the advanced security architecture of the time and its success
in securing key assets and keeping intruders out.
Design blueprints
Back in the days of the Crusades and the knights
errant, the security of the castle was paramount in the design phase.
The architects made it tough to get in, and tougher to progress
as the value of the protected asset rose. Even so, convenience and
usability were also factors because people had to live and work
and play within its confines, and to trade outside the castle walls.
Harlech is a graphic example of these principles in action. In
particular, the site, protected by the sea, steep cliffs and the
natural strength of the impenetrable rock, played a major role in
helping Edward build a castle that met the defensive requirements
of the age. By choosing the site carefully, Edward immediately raised
the ante for attackers, and reduced his long term cost of ownership.
Harlech fell twice, but only to long sieges.
In today's information world, it seems security loses primacy to
every conceivable efficiency or convenience. Applications are built
and implemented as rapidly as possible, and it is assumed the overall
perimeter fencing will secure them.
The mediaeval architect would have laughed at such an idea, and
frankly so should we. An integrated, multi-layered approach is essential
to guard against today's sophisticated IT security threats and protect
business-critical systems.
Let's look at how it was done in the 13th century, and what we
can learn from it.
Protecting the Crown Jewels
Harlech castle's architectural design
and impressive security defences played an equally important role
as its natural defences in protecting the inhabitants and their
assets. A perfectly concentric design, Harlech had one line of defences
after another, rather than a single perimeter line. The moat and
drawbridge formed the first line of defence, and for those who penetrated
these initial lines, there lay the outer wall and an impressive
twin-towered gatehouse with three portcullises.
The inner ward is the castle's most strategic location. Here, key
areas are protected by high inner walls, round towers and battlements.
These were designed to trap attackers in a killing ground, and to
slaughter them with cross-fire. They also offered defenders a choice
of weapons, from arrows and rocks to boiling oil. Every element
was used primarily to give the utmost security to the king and his
most valuable assets.
We should regard infosecurity in much the same way to ensure that
business-critical systems are impregnable. A comprehensive, integrated
approach cannot rely on a single perimeter wall, but instead must
offer a range of defences to protect key applications.
To continue the analogy, centrally-managed distributed firewalls
act as inner keeps or round towers protecting key business assets
and applications. Two-factor authentication via devices such as
smart cards is part of the multi-layered defences of the gatehouse;
it is a cyber-portcullis to deter intruders.
Encouraging trade and commerce
Maximizing security was paramount, but the castle architects had
also to design a fortress which would control access to third parties
such as merchants and tradespeople whose presence would benefit
the castle community and help it to prosper.
The same is true today. It is important that security architecture
improve openness to legitimate entities, and provide them with access
to network applications and services for maximum productivity. But
it must also maintain the integrity of core business systems.
Secure mobile data access
The ability to pick up email on mobile
phones, access home networking and wireless roaming, or give controlled
third party access to contractors all contribute towards increased
productivity and efficiency within an organization. But equally,
they need to be controlled in order to maintain security across
the organization.
Lessons from history
Companies today rarely brandish their information
security credentials, perhaps because they have little confidence
in them. But letting people know you've taken active steps to protect
your assets is in itself a powerful deterrent. All castles need
to be seen to dominate their surrounding countryside because invaders
haven't changed much - given a choice, they'll go for the least
secure fort, be it stone or cyber.
A simple perimeter wall and a selection of unrelated point products
will not secure your organization; they will simply increase administration.
Imagine having to control separate gatehouses for knights, foot
soldiers, tradesmen, etc. An integrated security solution, much
like the combined know-how of Edward's architects, strategists and
foot soldiers, will ensure a coordinated, seamless approach to infosecurity.
About the author
Jamie Bodley-Scott is a network security specialist at AppGate.