I'm the CIO of the castle...

Jamie Bodley-Scott, AppGate

Photo of Jamie Bodley-Scott Jamie Bodley-Scott of network security specialist AppGate looks at what infosecurity experts can learn from medieval castle architects, and how their concentric, multi-layered approach can help CIOs protect key applications and business-critical systems.

If we compare the evolution of infosecurity with history, how far have we come? I believe that we're somewhere shortly after the Norman Conquest - in other words, medieval. However that's not a criticism: in fact in the 13th century they had a pretty strong grasp of security issues. Go to any heritage castle that dates from these times and you’ll see what I mean.

Take Harlech Castle in North Wales, for example. Harlech formed part of the Iron Ring of castles built by King Edward I in order to quell Welsh resistance and prevent future insurrection. Its design and location are testament to the advanced security architecture of the time and their success in securing key assets and keeping intruders at bay.

Design blueprints

Back in the days of the crusade and the knight errant, the security of the castle was put above all else in the design phase. A secure design was paramount, and a key part of the business of survival.

Whilst security remained uppermost in the mind of the castle architect, convenience and usability did also factor in the design process.

Secure outer areas provided a forum for trade and agriculture to be developed and helped the castle community to develop and prosper, in much the same way that controlled third party access, virtual private networks and secure remote access help to increase overall efficiency and productivity for businesses today.

Fending off marauding tribesfolk

In many ways, the security policies and designs of our Norman ancestors were a lot smarter and more effective at keeping foes at bay than ours today.

Castles were constructed to anticipate the likeliest path of attack and to force attackers into positions of weakness. They were designed so that attacks would be as difficult as possible, forcing enemies to charge uphill, expose their own weaknesses to attack and leave themselves unguarded.

Harlech's unsurpassed natural setting - with the mighty protection of the sea, the mountains, steep impenetrable cliff faces and the natural strength of the rock - certainly played a major role in helping King Edward build a castle to meet the defensive requirements of the age.

In today's information world, security consistently loses out to every conceivable efficiency or convenience. Applications are built as rapidly as possible and put onto the network landscape; often no consideration is given to their security as it is assumed that they will be secured with the overall perimeter fencing.

The medieval architect would have laughed at such an idea, and frankly so should we. An integrated, multi-layered approach is necessary to guard against today's sophisticated IT security threats and protect business critical systems across an organization. Let's look at how it was done in the 13th century, and what we can learn from it.

Protecting the crown jewels

Harlech castle's architectural design and impressive security defences played an equally important role as its natural defences in protecting the inhabitants and their assets from hostile attack.

A perfectly concentric design, Harlech had one line of defence after another, rather than a single perimeter line. The moat and draw bridge formed the first line of defence, and for those who penetrated these initial lines, there lay the outer wall and an impressive twin-towered gatehouse with three portcullises (more on this later).

The inner ward is the fort's most strategic location. Here, key locations were protected by high inner walls, round towers and battlements, designed to offer the utmost protection and security to the King and valuable assets.

We must look at infosecurity issues in much the same way, ensuring that business critical systems remain secure and protected against attack. An integrated, multi-layered approach to infosecurity does not rely on a single perimeter wall, but instead offers a range of defences to protect key applications.

Centrally managed distributed firewalls act as inner keeps or round towers, protecting key business assets and applications. Two-factor authentication solutions such as smart cards form part of the multi-layered defences of the gatehouse - cyber portcullises to deter the would-be intruder.

Encouraging trade and commerce

Maximum security is all well and good, but the castle architect also had to design a fortress that would control access to third parties such as merchants and trades people whose presence would benefit the castle community and help it to prosper.

The walls are not optimized to control access - indeed when access was gained via the walls castles were usually over-run. So James of St George, the castle's designer, specified an elaborate gatehouse with no less than seven obstacles, including three portcullises and arrow holes and doubtless many a vat of boiling oil in waiting.

This is effectively an access control solution. Even when a merchant was finally through the gatehouse, the inside might be split up into separated areas or wards as well, ensuring not all areas were accessible to trades people.

In today's increasingly mobile and flexible workplace, it is important that security architecture be developed with improved openness and accessibility to network applications and services for maximum productivity, while also maintaining the security of core business systems.

Pervasive virtual private networks and secure instant messaging solutions provide local and remote access for all users, ensuring controlled yet secure access to designated servers or applications.

Secure mobile data access - the ability to pick up email on mobile phones, access home networking and wireless roaming, or give controlled third party access to contractors, will all contribute towards increased productivity and efficiency within an organization, but equally, all need to managed and controlled in order to maintain security across the organization and protect its key assets.

Learning lessons from history

A simple perimeter wall and a selection of unrelated point products will not secure your organization, it will simply add another security solution to your organization. Imagine a castle having to control separate gatehouses for knights, foot soldiers and tradesmen.

An integrated security solution, much like the combined know-how of Edward I's architects, strategists and foot soldiers, will ensure a co-ordinated, seamless approach to infosecurity.

Companies today rarely brandish information security - perhaps because they have little confidence in it. But letting people know you've taken active steps to protect your assets is in itself a powerful deterrent. Invaders haven't changed much over the last millennium - they'll still go for an obvious target like a weakly defended fort with static defences, be it stone or cyber.

Integrated security manages the security of key business assets in the castle keeps, whilst also ensuring controlled needs-based entry to other areas. The effect of this is to create a more dynamic organization able to adapt the way its infrastructure behaves according to changes in the business environment.

Bringing parties together in a secure way is the basis of all types of trade. The AppGate solution focuses on securing connectivity and tries to avoid proscribing exactly where and how the connectivity must be used.

This has two key advantages - your investment is actually working for your business, helping establish an environment in which to do business, and it makes the fortifications you are using harder to target because they are tailored differently from business to business.