Firewalls and anti-virus solutions are becoming increasingly ineffective at protecting the organisation’s information assets. So believes David Lacy, head of information security and governance at the Royal Mail in the UK.
According to Lacy, the firewall/AV approach worked in the old days because the perimeters of the network were well defined. You had your company network connected to the internet and you secured that connection – the bit between the so-called trusted network (your company network) and the untrusted network (the internet).
You may have had other users coming in from home on a dial-in connection and best practice is to bring all of these through one point and secure that point.
Business needs are changing, however, and the perimeter is becoming less well defined. Your customers may want to be more closely connected to your systems to check inventory, delivery or financial records relating to their transactions. There may be good reasons why they cannot come in through the internet connection, so another connection is required which needs securing. Your suppliers or business partners may want to do something similar, thus adding more complexity to the security infrastructure.
Your own staff may need access while out on the road and it may be more practical for them to use mobile phones and personal digital assistants that use WAP, 2.5G or 3G technology. Apart from the challenge of another access point there are different technologies with different threats to deal with. Lacy maintains that securing each point in the old way will cost too much and will just not work.
This calls for a completely new approach to how we make applications available and keep them secure. The architecture that Lacy envisages is one where the network is opened up and we accept that almost anyone can access it. In this scenario we don’t spend much time or money putting in firewalls; instead the emphasis is on keeping the communications private by encrypting all traffic and on authentication – the method by which we ensure we know who is accessing and using the applications.
Interestingly, the technology that most facilitates this is PKI (public key infrastructure). PKI is the best way to manage the keys that are required for securing communications in transit and for using certificates to identify yourself.
This was the much-hyped technology of the Verisigns, Entrusts and Baltimores. But before you dust off your much depreciated shares you should pause a while. There has been an upsurge in demand for PKI but only for discrete applications. There is still no guarantee if you invest in PKI now that your implementation will work with your customer’s. Until there is this interoperability it is hard to see how we get from the perimeter-based approach to the new way advocated by Lacy.
– Conall Lavery, managing director, Entropy