What CIOs Can Learn From Mediaeval Castles
Infosecurity experts can learn a lot from mediaeval castle architects, especially how their concentric, multi-layered approach can help CIOs protect key applications and business critical systems.
If we compare the evolution of infosecurity with history, how far have we come? I believe that we're somewhere shortly after the Norman Conquest - in other words, mediaeval. However, that's not a criticism: in fact, in the 13th century, they had a pretty strong grasp of security issues.
Go to any Heritage castle that dates from these times and you'll see what I mean. Take Harlech Castle in North Wales, for example. Harlech formed part of the Iron Ring of castles built by King Edward I in order to quell Welsh resistance and prevent future insurrection. Its design and location are testament to the advanced security architecture of the time and their success in securing key assets and keeping intruders at bay.
Back in the days of the crusade and the knight errant, the security of the castle was put above all else in the design phase. A secure design was paramount, and a key part of the business of survival. While security remained uppermost in the mind of the castle architect, convenience and usability also factored into the design process. Secure outer areas provided a forum for trade and agriculture to be developed and helped the castle community to develop and prosper, in much the same way that controlled third party access, virtual private networks and secure remote access help to increase overall efficiency and productivity for businesses today.
In many ways, the security policies and designs of our Norman ancestors were a lot smarter and more effective at keeping foes at bay than ours today. Castles were constructed to anticipate the likeliest path of attack and to force attackers into positions of weakness. They were designed so that attacks would be as difficult as possible, forcing enemies to charge uphill, expose their own weaknesses to attack and leave themselves unguarded.
Harlech's unsurpassed natural setting - with the mighty protection of the sea, the mountains, steep impenetrable cliff faces and the natural strength of the rock - certainly played a major role in helping King Edward build a castle to meet the defensive requirements of the age. In today's information world, security consistently loses to every conceivable efficiency or convenience. Applications are built as rapidly as possible and put onto the network landscape; often no consideration is given to their security, as it is assumed that they will be secured by the overall perimeter fencing.
The mediaeval architect would have laughed at such an idea, and frankly so should we. An integrated, multi-layered approach is necessary to guard against today's sophisticated IT security threats and protect business critical systems across an organisation. Let's look at how it was done in the 13th century, and what we can learn from it. Harlech Castle's architectural design and impressive security defences played as important a role as its natural defences in protecting the inhabitants and their assets from hostile attack.
A perfectly concentric design, Harlech had one line of defences after another, rather than a single perimeter line. The moat and drawbridge formed the first line of defence, and for those who penetrated these initial lines, there lay the outer wall and an impressive twin-towered gatehouse with three portcullises (more on this later). The inner ward is the fort's most strategic location. Here, key locations were protected by high inner walls, round towers and battlements, designed to offer the utmost protection and security to the King and valuable assets.
We must look at infosecurity issues in much the same way, ensuring that business critical systems remain secure and protected against attack. An integrated, multi-layered approach to infosecurity does not rely on a single perimeter wall, but instead offers a range of defences to protect key applications. Centrally managed distributed firewalls act as inner keeps or round towers, protecting key business assets and applications. Two-factor authentication solutions such as smart cards form part of the multi-layered defences of the gatehouse - cyber portcullises to deter the would-be intruder.
Maximum security is all well and good, but the castle architect also had to design a fortress which would control access to third parties such as merchants and tradespeople whose presence would benefit the castle community and help it to prosper. The walls are not optimised to control access - indeed, when access was gained via the walls, castles were usually overrun. So James of St George, the castle's designer, specified an elaborate gatehouse with no fewer than seven obstacles, including three portcullises and arrow holes and doubtless many a vat of boiling oil in waiting.
Even when a merchant was finally through the gatehouse, the inside might be split up into separated areas or wards as well, ensuring not all areas were accessible to tradespeople. In today's increasingly mobile and flexible workplace, it is important that security architecture be developed with improved openness and accessibility to network applications and services for maximum productivity, while also maintaining the security of core business systems.
Pervasive virtual private networks and secure instant messaging solutions provide local and remote access for all users, ensuring controlled yet secure access to designated servers or applications. Secure mobile data access - the ability to pick up e-mail on mobile phones, access home networking and wireless roaming, or give controlled third party access to contractors - will all contribute towards increased productivity and efficiency within an organisation, but equally, all need to be managed and controlled in order to maintain security across the organisation and protect its key assets.
Companies today rarely brandish information security, perhaps because they have little confidence in it. Letting people know you've taken active steps to protect your assets will in itself be a powerful deterrent - invaders haven't changed much over the last millennium - they'll still go for the least secure fort, be it stone or cyber.
A simple perimeter wall and a selection of unrelated point products will not secure your organisation; it will simply increase administration - imagine having to control separate gatehouses for knights, foot soldiers, tradesmen, etc. An integrated security solution, much like the combined know-how of Edward I's architects, strategists and foot soldiers, will ensure a coordinated, seamless approach to infosecurity. Integrated security manages the security of key business applications in the castle keeps, while also ensuring controlled application-based entry to other areas, boosting productivity, prosperity and growth for the organisation as a whole.
Jamie Bodley-Scott, AppGate
BIOS, Jun 06, 06 | Posted In Security