What CIOs can learn from Mediaeval Castles

By | December 10, 2006

If we compare the evolution of Infosecurity with history, how far have we come? I believe that we’re somewhere shortly after the Norman Conquest – in other words, mediaeval. However, that’s not a criticism: in fact, in the 13th century, they had a pretty strong grasp of security issues.

Go to any Heritage castle that dates from these times and you’ll see what I mean.

Take Harlech Castle in North Wales, for example. Harlech formed part of the Iron Ring of castles built by King Edward I in order to quell Welsh resistance and prevent future insurrection. Its design and location are testament to the advanced security architecture of the time and their success in securing key assets and keeping intruders at bay.

Design Blueprints

Back in the days of the crusade and the knight errant, the security of the castle was put above all else in the design phase. A secure design was paramount, and a key part of the business of survival.

Whilst security remained uppermost in the mind of the castle architect, convenience and usability also factored into the design process. Secure outer “areas” provided a forum for trade and agriculture and helped the castle community to develop and prosper, in much the same way that controlled third party access, virtual private networks and secure remote access help to increase overall efficiency and productivity for businesses today.

Fending Off Marauding Tribesfolk

In many ways, the security policies and designs of our Norman ancestors were a lot smarter and more effective at keeping foes at bay than ours today.

Castles were constructed to anticipate the likeliest path of attack and to force attackers into positions of weakness. They were designed so that attacks would be as difficult as possible, forcing enemies to charge uphill, expose their own weaknesses to attack and leave themselves unguarded.

Harlech’s unsurpassed natural setting – with the mighty protection of the sea, the mountains, steep impenetrable cliff faces and the natural strength of the rock – certainly played a major role in helping King Edward build a castle to meet the defensive requirements of the age.

In today’s information world, security consistently loses to every conceivable efficiency or convenience. Applications are built as rapidly as possible and put onto the network landscape. Often no consideration is given to their security, as it is assumed that they will be secured by the overall perimeter fencing.

The mediaeval architect would have laughed at such an idea, and frankly so should we. An integrated, multi-layered approach is necessary to guard against today’s sophisticated IT security threats and protect business critical systems across an organisation.

Let’s look at how it was done in the 13th century, and what we can learn from it.

Protecting The Crown Jewels

Harlech Castle’s architectural design and impressive security defences played as important a role as its natural defences in protecting the inhabitants and their assets from hostile attack.

A perfectly concentric design, Harlech had one line of defences after another, rather than a single perimeter line. The moat and drawbridge formed the first line of defence, and for those who penetrated these initial lines, there lay the outer wall and an impressive twin-towered gatehouse with three portcullises (more on this later).

The inner ward is the fort’s most strategic location. Here, key locations were protected by high inner walls, round towers and battlements, designed to offer the utmost protection and security to the King and valuable assets.

We must look at Infosecurity issues in much the same way, ensuring that business critical systems remain secure and protected against attack. An integrated, multi-layered approach to Infosecurity does not rely on a single perimeter wall, but instead offers a range of defences to protect key applications.

Centrally managed distributed firewalls act as inner keeps or round towers, protecting key business assets and applications. Two-factor authentication solutions such as smart cards form part of the multi-layered defences of the gatehouse – cyber portcullises to deter the would-be intruder.

Encouraging Trade and Commerce

Maximum security is all well and good, but the castle architect also had to design a fortress which would control access for third parties such as merchants and tradespeople, whose presence would benefit the castle community and help it to prosper. The walls are not optimised to control access – indeed, when access was gained via the walls, castles were usually overrun. So James of St George, the castle’s designer, specified an elaborate gatehouse with no less than seven obstacles, including three portcullises and arrow holes, and doubtless many a vat of boiling oil in waiting. This is effectively an access control solution.

Even when a merchant was finally through the gatehouse, the inside might be split up into separated areas or wards as well, ensuring that not all areas were accessible to tradespeople.

In today’s increasingly mobile and flexible workplace, it is important that security architecture be developed with improved openness and accessibility to network applications and services for maximum productivity, while also maintaining the security of core business systems.

Pervasive virtual private networks and secure instant messaging solutions provide local and remote access for all users, ensuring controlled yet secure access to designated servers or applications.

Secure mobile data access – the ability to pick up email on mobile phones, access home networking and wireless roaming, or give controlled third party access to contractors – will all contribute towards increased productivity and efficiency within an organisation, but equally, all need to be managed and controlled in order to maintain security across the organisation and protect its key assets.

Learning Lessons from History

Companies today rarely brandish information security, perhaps because they have little confidence in it. Letting people know you’ve taken active steps to protect your assets will in itself be a powerful deterrent – invaders haven’t changed much over the last millennium – they’ll still go for the least secure fort, be it stone or cyber.

A simple perimeter wall and a selection of unrelated point products will not secure your organisation; it will simply increase administration – imagine having to control separate gatehouses for knights, foot soldiers, tradesmen, etc. An integrated security solution, much like the combined know-how of Edward I’s architects, strategists and foot soldiers, will ensure a coordinated, seamless approach to infosecurity.

Integrated security manages the security of key business applications in the castle keeps, whilst also ensuring controlled application-based entry to other areas, boosting productivity, prosperity and growth for the organisation as a whole.
