The Royal Mail is uniting all its systems into a coherent security
architecture as computing boundaries blur. Philip Hunter reports

Until recently IT security was built on the assumption that
computer systems were fairly static, with well-defined boundaries.
Firewalls, filtering software and antivirus software are all
supposed to prevent nasty surprises coming over the fence into your
organisation. However, the nature of IT is changing - computing
boundaries are becoming less defined as businesses use IT systems
to reach out to customers and business partners.
To meet this challenge, the Royal Mail has developed a blueprint
for IT security in the emerging world of diffuse networks without
clear boundaries, and is attempting to create an industry group to
carry it forward into a standard approach. According to its group
head of IT security David Lacey, the Royal Mail decided to take
matters into its own hands while in the process of uniting its
systems and processes within a coherent security architecture.
There were plenty of products capable of fulfilling part of the
task, but none that helped fit it all together, says Lacey.
"Whenever we put in a security architecture, for example a public
key infrastructure, there isn't a product on the planet that can
make it work."
A more fundamental weakness of present security solutions is that
suppliers are stuck in a mindset of preconfigured security systems
that fails to address the needs of the emerging digital world of
interconnected networks and processes. "At the moment we
preconfigure security, but when we have a dynamic, unpredictable
infrastructure, that will no longer be possible, so we will need
intelligent monitoring processes," Lacey adds.
The drive towards a new security architecture had gained added
impetus since the 11 September terror attacks in the US, Lacey
says, creating growing awareness that IT security needed to focus
on information flows rather than static data that was more
vulnerable to attack. "So we need to get away from filters and
firewalls, and focus on flows. We will see the death of the
firewall around 2005/2006," he says.
The Royal Mail architecture defines how security will cope with an
increasingly connected world by focusing on intelligent monitoring
and distributed identity management. The model defines access
rights to objects and resources on the basis of roles, and uses
classification of information flows to determine levels of security
at different parts of the network. Management is also a crucial
aspect of the security architecture, says Lacey, because IT
security has been weakened by an over-emphasis on point solutions.
"We're not interested in best of breed, only in how things fit
together," he says.
Most IT security suppliers and service providers agree with the
Royal Mail's direction, but not all accept the need for a new
architecture. IBM's security business unit manager for northern
Europe, Peter Jopling, is among the sceptics. Unless such
initiatives receive widespread industry backing they bring a risk
of luring enterprises into interoperability cul de sacs, he says.
"In 18 months' time you may want to work with a new business
partner that has taken a different technological route. The best
chance of being able to integrate with a new partner with
relatively little expense is to adhere to open standards such as
Oasis Web Services Security."
But according to Jeremy Ward, director of security services at
Symantec, a specialist supplier in the field, the Royal Mail
architecture is just what the industry needs. "All boundaries are
permeable now and we have to fall back on defence in depth," he
says.
The Royal Mail was also right to tackle the immediate problem of
manageability. "The major problem most companies are facing at the
moment is the proliferation of security devices and their ability
to handle the complexity. A firewall may produce three million
reports a month, but without the right analysis such data is itself
valueless," says Ward.
According to Yag Kanani, partner in charge of IT security at the
consultancy group Deloitte Touche Tohmatsu, the Royal Mail is at
the cutting edge of IT security because it has so many critical
systems that need protecting. "It has a requirement for processes
to be automated, and to do this they need to be fail safe," says
Kanani. "In addition it has a range of projects such as parcel
tracking through tagging and bar coding, access to services via
smartcards, lots of initiatives for digital signatures,
e-enablement over the counter, and electronic voting, where
security is absolutely pivotal. It makes sense for the Royal Mail
to see the big picture, and see where all projects and processes
come together."
Another aspect of the Royal Mail's strategy, according to Lacey, is
to promote both the status and function of IT security from being a
necessary impediment into a business enabler, making it easier
rather than harder for users to navigate around a network and
access services and resources to which they are entitled.
Jopling agrees, pointing out that the challenge here is to solve
the problem of "federated identity management", meaning the process
of ensuring that individuals and applications obtain seamless
access to all their authorised resources wherever they are, while
being barred from those parts they are not allowed to reach. To
make this work effectively on a large scale, there needs to be an
automated process for approving new access rights in addition to
those a user already has, in order to exploit new or emerging
services. The same applies at the level of enterprises, to cope
with constant fluxes in user populations and changing business
conditions.
"One of the biggest constraints that organisations have at the
moment is that when they need to expand and go into new
marketplaces, one of the biggest costs is setting up and
provisioning new services," says Jopling.
As Kanani points out, enterprises are failing to keep up with the
constant churn of users, to the extent that about 70% of all user
accounts are extinct or "orphaned", because they were not
annulled when people left or moved to a new department. This leaves
the organisation vulnerable and is an unnecessary expense in
software licence fees for non-existent users. This is one motive
for tackling role-based access and management within the Royal
Mail's new architecture.
The new approach to security will entail distributing the
monitoring of possible intrusions, but centralising the management
and analysis. This is essential in order both to rationalise the
information to avoid costly false alarms, and to collect all the
relevant monitoring data from the far reaches of the network, says
Kanani. "One of the key issues with intrusion detection systems
(IDS) is that people want to encrypt data so that it is secure, but
then the IDS can't identify the traffic," Kanani adds. "By evolving
IDS to systems on the network, it can act on data that has been
decrypted, and this also helps cope with the huge volumes of
data."
It is possible for enterprises to adopt such an approach without a
wholesale new architecture. The question then is whether all
enterprises will need such an architecture, or whether they can
just extract the best practices from it that they need. To some
extent Lacey admits they will do the latter, rather than migrate at
a stroke to a new approach. "There is no way a Shell or BP will one
day go straight over - they will have a hybrid for some time."