IT Security and Network Convergence

Posted by Tom Fuller in Malware, Procurement, e-ID, human error, people and passwords, security services at July 11th, 2007

Hi all, sorry I haven’t been here to bother you for the past two days.

I’m giving a 20-minute talk at an event tomorrow on IT Security Implications for Network Convergence. Here are my notes–what did I miss?

Implications of Network Convergence

Have we had the right conversations about the right issues?

• Convergence is enabled by technological change, but is not driven by it. The drivers of convergence are mainly commercial.
• Convergence affects not just telecommunications and broadcasting. The scope of convergence is the entire knowledge and transaction-intensive services sector.
• Convergence is structural in nature, but changes to industry structure are the most profound changes associated with it.
• Would anybody here wager that all of the commercial sponsors of this event will have the same corporate governance in 2 years’ time?

Real World Effects of Network Convergence

Lesser Effects
• Fewer network owners (oligopoly), less responsive?
• May require more regulation as a result
• May decrease options for network users

I call these lesser effects because in many countries the regulatory framework exists to effectively deal with these issues—we don’t have to invent ways of treating oligopolies or organisations to protect consumers.

Greater Effects
• Currently, the Internet treats all traffic equally. In future, converged networks will be able to pick and choose messages and send them to recipients more quickly and efficiently based on their value to network owners. It is possible that network owners will make perfect decisions regarding priorities, and that those decisions will align with their commercial needs. Possible, but not too likely.
• Convergence on IP networks may render other networks redundant. Sky may not need as many billion pound satellites, choosing to use IPTV to distribute content. BT may finally be able to offload their very expensive business of maintaining copper connections to home and business, and just provide wireless connections to all. Bear in mind that BT would love this, in terms of reducing costs. Television and radio broadcasters may choose to cease terrestrial broadcasting in favour of using the Internet.
  • The Internet was invented to be a back-up system to radio and telephone communications in case of a disaster. If the back-up system becomes the only system, what do we do if the network goes down?

IT Security Issues

Network Failure and Degradation
One problem with converged networks and the service-oriented architecture that tends to support them is that the majority of large networks are poorly understood. Traffic has typically been added piecemeal over a long period and much data communication does not require particularly high standards of service.

This is especially true of service-oriented architectures (SOA). Ambitious developments in this area have led to a situation where the precise communications flows are not well known. As this kind of architecture is often built to be tolerant of high latency and lost packets, nobody is aware of issues until the network is subjected to new stresses. Services such as VoIP, Citrix-style thin clients or video are not at all tolerant of low quality networks.

Question 1: Have we designed a ‘Fail and Fix’ into our approach to network problems?

When it comes to security, there are three main areas of focus: unauthorized access to data and resources (which is where access control and encryption come in); malware (such as viruses and spam); and compliance with government and industry regulations.

Question 2: Are these the right areas of focus in 2007, and will they be the right areas to focus on in 2009?

Typically, security is controlled by PINs and access numbers, which, depending on the vendor, can often be customized to a wide degree, and SSL 128‐bit encryption. Organisations can add more layers, depending on their needs and the ability of the applications to accept it. Convergence applications require security in three key areas: user access, data protection, and delivery security.

Those components have been turned into a new discipline, or field of endeavour, called Identity Management. It is new. Standards and agreements on interoperability are still under discussion.

Question 3: Is Identity Management as a concept and practice robust enough to be the linchpin for converged networks?

Those are my 3 questions. What are yours?

2 Responses to “IT Security and Network Convergence”

  1. Ian Brown Says:

    ID Management is just a new buzzword, not a recasting of the entire field of information security. In my experience it hinders rather than helps discussion of the underlying issues.

    Applications such as VoIP and (especially) non-interactive video can cope quite adequately with “low-quality” networks if they use appropriate codecs. I’m always amazed at how well my Citrix-over-HTTP client (uggggh!) copes with my home wireless+cable broadband connection.

    The BBC radio networks might turn out to have a key strategic use as sustaining a national backup system to the Internet for emergency broadcasts. Almost makes paying Terry Wogan £800,000 p.a. worthwhile ;)

  2. wendyg Says:

    As back-up, also ham radio - the ultimate back-up to everything, in fact.

    wg


Contributors to the Blindside wiki and blog should note their input forms part of a collaborative resource that is Creative Commons (by-sa 2.5) licensed. We hope these resources will be reused and remixed in the public interest. You do not need to seek permission before you re-use our works, although we do require that users attribute Blindside as their source, and license the resulting work under the same terms.