Why the co-founder and CTO of AppGate came up with a solution for deperimeterisation before anyone had ever heard of it.
I've been told to report to a "virtual office", part of a business centre used by Scandinavian companies looking for a bolt hole in London. It turns out to be in a 19th-century building in a little-known square just south of Kensington High Street. Here I find a rather lonely looking Tomas Olovsson, the chief technology officer of Gothenburg-based AppGate.
The company owes its existence to a defence project completed on a consultancy basis around ten years ago. The solution that emerged defined the need to protect applications where they sat in the network rather than protect them at the firewall level. Word began to get out about this innovative approach and soon other defence contractors started enquiring about the solution.
"We realised that it was stupid for people calling us to ask to buy the system. So in 1999 AppGate was founded and we started actively marketing," recalls Olovsson. To begin with, the firm focused on high security markets in Scandinavia, but has now expanded into Northern Europe and the US, with branch offices in Paris, Worthing and in North Carolina. The company's customer base has moved beyond defence, into the banking and pharmaceutical sectors.
In conversation, Olovsson has the quiet, studious manner of the dedicated technocrat. He also has patience and eagerness to explain. This probably comes from his other job, that of associate professor at Chalmers University of Technology, also in Gothenburg. Chalmers' website claims it is responsible for a number of innovations, including those famous Volvo crash test dummies and the ink-jet printer.
As you would expect from a good professor, he eagerly scribbles down the technical concepts he is explaining to me. I feel like I'm back in science class as he draws a whole virtual private network (VPN) on the back of my notes. The VPN technology and the philosophy he is illustrating for me have become quite widely discussed in the last couple of years and will be familiar to anyone who attends lectures by the Jericho Forum, which named it deperimeterisation. Olovsson is nonplussed about this.
"When we started we didn't think that this concept should be called anything. We said that segmentation in terms of applications and access is the way to go and this was a cheap and fast way to implement segmentation," he says. "Then we discovered ways to adapt this for larger organisations. Later we heard that the Jericho Forum had been formed and they called it deperimeterisation. We realised this is exactly what we are doing; they just came up with a name for it."
When the Forum held a competition in 2005 for the best white paper on this topic, AppGate won it easily. The irony was that it described the solution it had already made commercially available. So now that theory and solution have found each other, what is the relationship between the two organisations?
"We obviously attend meetings and look at what they're doing," Olovsson concedes. "The world is turning mobile. Everything and everyone wants to be connected, so it's a business driver and it is a matter of competition. But you have to offer these services to users."
But not that many vendors are, which potentially gives AppGate a huge head start in the market. "Yes," he agrees, in his understated manner, "it's an advantage. Firewalls will still have their place as a kind of border patrol. But large organisations need more. They tend to realise that the firewalls are increasingly full of holes. And they see the necessity to change that architecture."
So the world is going mobile and the need for security architecture to change is there. But are there some sectors that still need a big, beefy firewall? The talk turns to whether the AppGate logic can be applied to online banking, for example, where the end user could be said to be very close to the application but a long way from the network. Doesn't this put them at some extra risk? Olovsson seems to be less sure of the suitability of application-centric technology and admits that, for some applications, a point solution is most appropriate - for now.
"There will continue to be dedicated special applications with which you interact directly. You can always find a point solution that solves a particular problem in a good way. But, security-wise, it's dangerous to end up with lots of point solutions unless you really have to, because all of them have to be managed," he warns.
"You don't really know how they interact with each other, where the holes are or if they even fit together. And so in that case it's much better to have one product that solves a lot of problems that works with different devices; anything from PCs to Macs to telephones etc. You need one solution," he insists.
I wonder whether we are getting into the kind of wishful thinking the Jericho Forum is sometimes accused of. It's easy to say what an ideal world should be; much harder to define and create the technology to deliver it. Are we any closer then?
Olovsson's answers are not entirely convincing and seem to have a place for the firewall after all, but at the client level, because his technology will have made everything else so much harder to crack within the VPN. "As it becomes even harder to attack the server, the client will be more open for direct attacks," he says. "So you need, say, a firewall on the client side. The system should be able to look at the type of device you're using; whether it's a corporate sanctioned network, a laptop you got from your employer, or even whether you should be able to log in from an airport."
That's the future, but what of now? Has there been a sense that some vendors are resistant to changing the focus of their products? Olovsson is animated on this point, openly inviting competition, it seems, for the good of the industry.
"Products must be more capable. You cannot sell the basic version anymore, so the solution must be more adaptable, must support many more protocols," he demands. "There has to be more flexibility in how we use systems, how they are set and interact with the systems around them.
"All vendors need to go down that route. Point solutions may even be replaced by functions within the systems. Microsoft is coming into the plain VPN market, so all vendors must move on somehow. If they don't, sooner or later, they will die." You have been warned.
He says that interest is growing and that the organisations now actively looking for solutions that enable deperimeterisation are no longer just defence or government customers. So far the interest has mostly come from Sweden and the UK, where, he says, there is more enthusiasm and knowledge of the issue. But that's starting to change.
"I think sooner or later the US will wake up. What we see is that many of the larger organisations take action and then it spreads within the business. This has happened in Europe," predicts Olovsson.
The conversation becomes philosophical when I enquire whether AppGate customers can point to tangible improvements in security. After the usual reluctance that characterises nearly everyone in information security, Olovsson does bring up some research he did around 12 years ago while working on his PhD.
Measuring security is a problem, he says. "Is it possible to have a measurement of how secure a particular system is? We did quite a lot of work with some UK universities at the time. But it is still a problem. Applying the same principles and parameters for measuring reliability and mean time between failure didn't work," Olovsson explains.
He argues that we need different ways to measure security because, put simply, attacks are completely unpredictable and their timing unknown. The best you can do is to make sure that the system actually fulfils the stated requirements.
Olovsson is happier again when talking about security in general and the importance of building it in rather than bolting it on, especially in our increasingly connected worlds. Those responsible are the system architects, he states. "Security must be designed into the system, but today nearly the opposite is the case. It's 'design a system and add some security to it'. And the architects of the program don't know that much about security," he laments.
He adds that security is still seen as an afterthought, with consultants brought in at the end of the project for "a couple of months". To him it's like launching a product and then saying 'well we just need to add the reliability and it will be perfect'. And the universities and educational establishments need to play their part before tomorrow's IT decision makers get into industry.
AppGate inherits a great tradition of innovation that characterises Sweden and other Nordic countries. However, some in IT security see signs of product stasis within their own industry, with techno gloss often added instead of genuine improvement to software and hardware. Olovsson agrees.
"Unfortunately it sells better to have a polished user interface, spending more money on that part than on security. It's a concern and, again, we're back to education. It's in everyone's interest that we educate people so they know what actually has to be done," he says.
So is he a little frustrated by the industry, and does he get more out of his professorship? Far from it, he insists. He feels he has the best of both worlds: on the cutting edge of technology but also able to impart wisdom to the next generation. "I would very much like to see more education within the field, and I would like to contribute to that. I'm lucky to work in the industry with AppGate, in education with the university and also share research from the university. It's very inspiring," he says.
His biggest lesson in life, says Olovsson, was to grow up as a technician and realise that it's not just technology for its own sake. "It needs to play a role in society or within the industry somewhere and it's very important to check all the boxes, even if you think yourself that they are not really needed."
TOMAS OLOVSSON - THE CV
1984 MA in Computer Engineering, Chalmers University of Technology, Sweden
1995 PhD in Computer Engineering, Chalmers
1996-99 Senior security consultant and manager of networking and information security department, Carlstedt Research & Technology
1999 to date Co-founder and CTO of AppGate Network Security
2002 to date Olovsson works 50 per cent of his time as associate professor at Chalmers University of Technology, responsible for courses in computer communications and network security
SWEDISH INNOVATION: MORE THAN FLATPACKED FURNITURE
Think of Sweden and you think of IKEA, Abba and Absolut vodka, but the country has a great manufacturing tradition and a long history of technical and scientific innovation.
For example, the ubiquitous adjustable nut wrench was patented in 1892 by one Johan Petter Johansson, and the company he founded lives on today in the form of Bahco tools.
The metal zipper as we know it today, often thought to be an American invention, was perfected in 1914 by Gideon Sundback, who emigrated to the USA to establish mass production.
The famous shots of Neil Armstrong on the moon in 1969 were taken with a Hasselblad camera. Launched in 1948, it made headlines in the photographic world as it combined the toughness, agility and ease of use of 35mm SLRs but with the high resolution offered by medium format film. The basic design is still being manufactured today.
Next time you buy a carton of milk or juice, the chances are the packaging will have been designed by Tetra Pak, a company founded by Ruben Rausing. This innovative packaging giant developed out of an idea by Erik Wallenberg who, in 1944, realised that by simply squeezing the two ends of a tube of plastic-coated paper at right angles to each other, a hygienic and easily stacked tetrahedron drinks container could be manufactured. Later these cartons were reshaped into the more conventional square shape we know today. By 2003, Tetra Pak manufactured 105 billion cartons at sites across the globe.
Modern engineering takes roller bearing technology for granted, but it is Sven Wingquist to whom it should give thanks. In 1907, he invented the spherical ball bearing. He went on to found Svenska Kullagerfabriken, or SKF as it is better known today.
Finally, the airbag sensors, retractable three-point seat belts and child safety seats that we take for granted in our cars were all first developed by innovators working in the Swedish car industry.