IT Security: Flexible fencing

The Royal Mail is uniting all its systems into a coherent security architecture as computing boundaries blur. Philip Hunter reports

Until recently IT security was built on the assumption that computer systems were fairly static, with well-defined boundaries. Firewalls, filtering software and antivirus software are all supposed to prevent nasty surprises coming over the fence into your organisation. However, the nature of IT is changing - computing boundaries are becoming less defined as businesses use IT systems to reach out to customers and business partners.

To meet this challenge, the Royal Mail has developed a blueprint for IT security in the emerging world of diffuse networks without clear boundaries, and is attempting to create an industry group to carry it forward into a standard approach. According to its group head of IT security David Lacey, the Royal Mail decided to take matters into its own hands while in the process of uniting its systems and processes within a coherent security architecture. There were plenty of products capable of fulfilling part of the task, but none that helped fit it all together, says Lacey. "Whenever we put in a security architecture, for example a public key infrastructure, there isn't a product on the planet that can make it work."

A more fundamental weakness of present security solutions is that suppliers are stuck in a mindset of preconfigured security systems that fails to address the needs of the emerging digital world of interconnected networks and processes. "At the moment we preconfigure security, but when we have a dynamic, unpredictable infrastructure, that will no longer be possible, so we will need intelligent monitoring processes," Lacey adds.

The drive towards a new security architecture has gained added impetus since the 11 September terror attacks in the US, Lacey says, creating growing awareness that IT security needs to focus on information flows rather than static data that is more vulnerable to attack. "So we need to get away from filters and firewalls, and focus on flows. We will see the death of the firewall around 2005/2006," he says.

The Royal Mail architecture defines how security will cope with an increasingly connected world by focusing on intelligent monitoring and distributed identity management. The model defines access rights to objects and resources on the basis of roles, and uses classification of information flows to determine levels of security at different parts of the network. Management is also a crucial aspect of the security architecture, says Lacey, because IT security has been weakened by an over-emphasis on point solutions. "We're not interested in best of breed, only in how things fit together," he says.

Most IT security suppliers and service providers agree with the Royal Mail's direction, but not all accept the need for a new architecture. IBM's security business unit manager for northern Europe, Peter Jopling, is among the sceptics. Unless such initiatives receive widespread industry backing, they risk luring enterprises into interoperability cul-de-sacs, he says. "In 18 months' time you may want to work with a new business partner that has taken a different technological route. The best chance of being able to integrate with a new partner with relatively little expense is to adhere to open standards such as Oasis Web Services Security."

But according to Jeremy Ward, director of security services at Symantec, a specialist supplier in the field, the Royal Mail architecture is just what the industry needs. "All boundaries are permeable now and we have to fall back on defence in depth," he says.

The Royal Mail was also right to tackle the immediate problem of manageability. "The major problem most companies are facing at the moment is the proliferation of security devices and their ability to handle the complexity. A firewall may produce three million reports a month, but without the right analysis such data is itself valueless," says Ward.

According to Yag Kanani, partner in charge of IT security at the consultancy group Deloitte Touche Tohmatsu, the Royal Mail is at the cutting edge of IT security because it has so many critical systems that need protecting. "It has a requirement for processes to be automated, and to do this they need to be fail safe," says Kanani. "In addition it has a range of projects such as parcel tracking through tagging and bar coding, access to services via smartcards, lots of initiatives for digital signatures, e-enablement over the counter, and electronic voting, where security is absolutely pivotal. It makes sense for the Royal Mail to see the big picture, and see where all projects and processes come together."

Another aspect of the Royal Mail's strategy, according to Lacey, is to raise both the status and function of IT security from a necessary impediment to a business enabler, making it easier rather than harder for users to navigate around a network and access the services and resources to which they are entitled.

Jopling agrees, pointing out that the challenge here is to solve the problem of "federated identity management", meaning the process of ensuring that individuals and applications obtain seamless access to all their authorised resources wherever they are, while being barred from those parts they are not allowed to reach. To make this work effectively on a large scale, there needs to be an automated process for approving new access rights in addition to those a user already has, in order to exploit new or emerging services. The same applies at the level of enterprises, to cope with constant fluxes in user populations and changing business conditions.

"One of the biggest constraints that organisations have at the moment is that when they need to expand and go into new marketplaces, one of the biggest costs is setting up and provisioning new services," says Jopling.

As Kanani points out, enterprises are failing to keep up with the constant churn of users, to the extent that about 70% of all user accounts are extinct or "orphaned", because they were not annulled when people left or moved to a new department. This leaves the organisation vulnerable and incurs unnecessary expense in software licence fees for non-existent users. This is one motive for tackling role-based access and management within the Royal Mail's new architecture.

The new approach to security will entail distributing the monitoring of possible intrusions, but centralising the management and analysis. This is essential in order both to rationalise the information to avoid costly false alarms, and to collect all the relevant monitoring data from the far reaches of the network, says Kanani. "One of the key issues with intrusion detection systems (IDS) is that people want to encrypt data so that it is secure, but then the IDS can't identify the traffic," Kanani adds. "By evolving IDS to systems on the network, it can act on data that has been decrypted, and this also helps cope with the huge volumes of data."

It is possible for enterprises to adopt such an approach without a wholesale new architecture. The question then is whether all enterprises will need such an architecture, or whether they can just extract the best practices from it that they need. To some extent Lacey admits they will do the latter, rather than migrate at a stroke to a new approach. "There is no way a Shell or BP will one day go straight over - they will have a hybrid for some time."
