To the outside observer it might seem as though the current focus on internet security is a recent development, with the message only now cutting through to the wider public. However, Alan Byrne, founder and managing director of Kerna Communications (pictured), doesn’t see it that way. Ever since he went into business as a networking consultancy, security has never been far from the agenda.
The fact that Kerna is now a 10-year-old company illustrates that, while certain risks and threats may have changed, the need for security has always been there. Byrne was involved in the earliest implementations of connecting Irish organisations to the internet and he points out that even in those days, there was an awareness of the need to protect themselves now that data was being sent and received over an open network.
“We were very focused on internet technologies such as delivering external email servers,” he recalls. “What we discovered very quickly was that the whole notion of security was just being thought about. Because of our strong skill base, we were coming from the point of view of having managed and implemented what were at the time the largest internet networks in the country. We were very much pushed by our customers into the security space.”
Back then IT security was in its infancy, which meant that Kerna got involved in developing bespoke firewalls because these products weren’t commercially available. Byrne emphasises that at the time, the company’s services were a “technical sell” rather than pushing a product. “We were never saying: ‘Here’s a box that does everything, don’t worry’.”
Now things are different. Firewalls are available from many different suppliers off the shelf, but Byrne believes that software built from the ground up stood the test extremely well. “There’s a misconception that you can’t do this until there’s a commercial product there to do it,” he states. The software tool kit that Kerna used as the basis to develop those early firewalls eventually became the core of the Network Associates Gauntlet firewall product.
“It was a really good basis to develop a system that’s almost as good as anything available today,” Byrne says. “The architecture and design of firewalls really has moved on very little since we started 10 years ago. You put in layers of security and make sure there’s no single point of failure; those principles haven’t changed.”
If only the same were true of other areas in IT security. Asked about the changes in the security space over that time, Byrne identifies several key areas. “The focus historically has been on perimeter security and the threats were quite different. There’s now a focus on compliance and there are new requirements being forced on the business, such as in financial services,” he relates.
What this means in practice is that the business is now more attuned than ever to the need for security, whereas previously it was something that only the IT manager worried about. “The key difference is one of business awareness: 10 years ago the internet was on the periphery of what a business was doing; now it’s at the core,” Byrne states.
Newer risks being brought to the table include the growth of portable devices and their ability to connect to the network. “Now, at a corporate level, companies are aware of those risks,” he points out. “It’s no longer left to the guy who looks after the network. Organisations are insisting that security is addressed right the way through. The IT guy is now being asked to do things that before they had to bring to the organisation and fight for. It’s made the IT manager’s job a bit easier, it’s not a corner they have to fight.”
Another change Byrne sees is that instead of thinking about an internet connection, businesses are beginning to look more closely at the services running on top of that — and email remains the most important service of all.
That fact, plus the growth in legislation and new requirements on organisations to protect information, is creating a new culture around email, Byrne believes. “Some organisations have been a little loose in the past, letting information travel freely over email that they shouldn’t have,” he says.
Kerna has developed a program called Secure Mail that is capable of encrypting email traffic for improved security where sensitive data may need to be passed back and forth electronically. It has already implemented a mail gateway to implement just such a policy for one Dublin-based financial services firm.
In effect, the gateway asks whether a particular email can travel freely or whether it needs to be secured. “It’s putting decision making into email, the same as happens with a firewall. If it can’t go securely, it will queue until it can. It makes decisions on a range of different criteria, such as name, domain or tags,” Byrne explains.
This may be a case of a technology whose time has finally come, because the principle behind it is not new. Before establishing Kerna, Byrne had been working on an EU project involving this kind of privacy-enhanced email 12 years ago.
According to Byrne, it never became standardised enough to be deployed, but he believes there are other reasons why it has taken so long to become available. “It has been an unfortunate trend in the security business for many years that the specialist practitioners are unable to progress solutions to risks such as these until a big enough and pointy enough stick is available to them,” he says, citing the introduction of chip and PIN for credit cards or the gradual rollout of better authentication for online banking services.
The drivers for these, he claims, are external factors such as regulatory intervention. “In the case of email, both data protection legislation and sector regulators have focused on the need to secure information in transit so, while the technology has waited in the wings for more than 10 years, the time has finally arrived for it to be rolled out,” he suggests.
Beyond that, Byrne returns to the larger security problem, namely the difficulty in creating a perimeter. Keeping abreast of developments in the security community, he puts forward an interesting alternative to the current problem. “The radical suggestion is to turn off the firewall,” he ventures, before qualifying his statement. “The practical suggestion is: don’t even think about it! What you need to do is put in layers and defend in depth, so if something goes through the first controls, it’s stopped by the second set.”
The analogy is that a traditional security structure resembled a castle protected by a large wall. The modern castle has more than one way in or out and few controls as to what takes place within those walls. In these terms, Byrne’s vision of a more secure network involves not just protecting the ‘king’ within the castle by placing him away from others and having him guarded by a sentry. He sees security being applied at an application level, or, taking the analogy further, “you need to start tasting the food,” he quips.
To start with, he believes that servers should be separately protected from the rest of the network with various protection mechanisms dotted around the network making intelligent decisions to shut down a certain data stream if it’s suspected of causing a problem.
Beyond that, Byrne believes that this approach will also be reflected in new types of security products that provide a very fine level of protection. “You will see a lot of focus on tools that can sanitise information,” he predicts. “They will look for certain attacks and check information prior to being sent to an application.”
Coming full circle in the discussion, Byrne thinks that the main driver above all will be making security more prominent in business decision making. “[It means] taking security out of this niche around networking and putting it at the forefront. It’s not: ‘We will come along at the end of this and add some security on it.’ It’s that at the design of applications, security has an input from day one to ensure controls are better; not adding components after the fact,” he explains.
This is blurring the boundaries between networking and security, Byrne acknowledges. “It doesn’t just mean protecting the perimeter, it’s the applications and all elements of IT services. For security to be effective it needs to be part and parcel of everything you do,” he states.
By Gordon Smith
