Log on to the network of financial services company Royal London, and your attention as an employee will be drawn to an unusual message. It’s the sort of message only a tiny fraction of office workers in the developed world currently have to read, but that is guaranteed to change over the next decade.

"This important message is for all users of Royal London Computers & Systems and is to protect the interests of the company & individual employees… to ensure compliance Royal London reserves the right to continue its policy, without warning, to monitor (employees)."

Once they have noted the qualifier and clicked “Ok”, every event that happens on any one of the company’s 2,900 PCs is invisibly recorded by a client program running silently in the background and communicating with a network server at pre-set moments.

Every application run by the employee is noted, as is every window opened, every email or instant message sent or received (including webmail), and every file opened. The granularity is extraordinary – it even records keystrokes and can keep screenshots taken at pre-set intervals.

All of this data is stored in a database system that can be accessed by network administrators if they so choose, at any date in the future. What a particular person was doing at a particular moment in time on a particular PC is a matter of running a search using a management console.
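The store-and-search model described above, as an added illustration that is not 3ami's or Royal London's code: an endpoint agent appends events to a central table, and the console question "what was this person doing on this PC at this time" becomes an indexed query. The field names, the SQLite back end, the sample events and the hash chaining (added here so that later deletion or editing of a row is detectable, which is one way to make a record "hard to deny") are all assumptions for the example, not features the article attributes to MAS.

```python
"""Added example (not the product's own code): a minimal audit event store of
the kind the article describes, with a point-in-time query and a tamper check.
Schema, hash chaining and sample events are constructed for illustration."""
import hashlib
import json
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS events (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    ts        TEXT NOT NULL,   -- ISO-8601 UTC timestamp reported by the agent
    host      TEXT NOT NULL,   -- workstation name
    username  TEXT NOT NULL,   -- logged-on user
    kind      TEXT NOT NULL,   -- app_start, window, email, im, file_open, ...
    detail    TEXT NOT NULL,   -- JSON payload with event specifics
    prev_hash TEXT NOT NULL,   -- hash of the previous row (chain link)
    row_hash  TEXT NOT NULL    -- sha256 over this row's fields + prev_hash
);
CREATE INDEX IF NOT EXISTS idx_events_lookup ON events (username, host, ts);
"""

GENESIS = "0" * 64  # prev_hash of the very first row


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def _hash_row(ts, host, username, kind, detail, prev_hash):
    # Field separator avoids ambiguity when fields are concatenated.
    material = "\x1f".join([ts, host, username, kind, detail, prev_hash])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def _last_hash(conn):
    row = conn.execute("SELECT row_hash FROM events ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else GENESIS


def record_event(conn, ts, host, username, kind, detail):
    """Append one event. Each row commits to the previous row's hash, so
    removing or rewriting any earlier row breaks the chain from that point."""
    detail_json = json.dumps(detail, sort_keys=True)
    prev = _last_hash(conn)
    row_hash = _hash_row(ts, host, username, kind, detail_json, prev)
    conn.execute(
        "INSERT INTO events (ts, host, username, kind, detail, prev_hash, row_hash) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        (ts, host, username, kind, detail_json, prev, row_hash),
    )
    conn.commit()
    return row_hash


def activity(conn, username, host, start, end):
    """The console search: events for one user on one PC between two
    ISO-8601 timestamps (inclusive), oldest first."""
    rows = conn.execute(
        "SELECT ts, kind, detail FROM events "
        "WHERE username = ? AND host = ? AND ts BETWEEN ? AND ? ORDER BY ts, id",
        (username, host, start, end),
    ).fetchall()
    return [(ts, kind, json.loads(detail)) for ts, kind, detail in rows]


def verify_chain(conn):
    """Recompute every hash from the stored fields. False means a row was
    altered or removed after it was written."""
    prev = GENESIS
    query = ("SELECT ts, host, username, kind, detail, prev_hash, row_hash "
             "FROM events ORDER BY id")
    for ts, host, user, kind, detail, prev_hash, row_hash in conn.execute(query):
        if prev_hash != prev or _hash_row(ts, host, user, kind, detail, prev_hash) != row_hash:
            return False
        prev = row_hash
    return True


def demo_store():
    """Constructed sample events: two users sharing one workstation."""
    conn = open_store()
    samples = [
        ("2009-03-02T09:01:12Z", "WS-0412", "jdoe", "app_start", {"exe": "outlook.exe"}),
        ("2009-03-02T09:03:40Z", "WS-0412", "jdoe", "email",
         {"direction": "out", "to": "someone@example.invalid", "subject": "Q1 figures"}),
        ("2009-03-02T09:10:05Z", "WS-0412", "jdoe", "file_open", {"path": "H:\\finance\\q1.xls"}),
        ("2009-03-02T09:15:00Z", "WS-0412", "asmith", "im", {"protocol": "msn", "peer": "colleague"}),
        ("2009-03-02T11:45:00Z", "WS-0412", "jdoe", "app_start", {"exe": "iexplore.exe"}),
    ]
    for sample in samples:
        record_event(conn, *sample)
    return conn


if __name__ == "__main__":
    store = demo_store()
    for ts, kind, detail in activity(store, "jdoe", "WS-0412",
                                     "2009-03-02T09:00:00Z", "2009-03-02T09:30:00Z"):
        print(ts, kind, detail)
    print("chain intact:", verify_chain(store))
```

The index on (username, host, ts) is what makes the "who, where, when" lookup cheap as the table grows into the millions of rows a fleet the size of Royal London's would produce; the chain check is a separate, slower full scan that an administrator would run before relying on the record in a dispute.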

Nothing, but nothing, is invisible, even if it has been written in another language. With the possible exception of certain kinds of encrypted VoIP traffic, if it happened it will be accessible to administrators. Since the monitoring is enforced by a program running on the device itself, mobile computers such as laptops continue to log information even when they are not connected to the network, so there is no escape from its clutches.

All-seeing
It might sound like a digital Big Brother, but neither Royal London nor 3ami, the company responsible for creating the Monitoring and Audit System (MAS), sees it in such despondent terms. “We don’t want to be associated with spyware,” emphasises 3ami managing director Tim Ellsmore during his pitch to Techworld.

It is about setting parameters for staff in the way they use systems, creating a degree of accountability and transparency, and hopefully securing Royal London from the problems that regularly beset other organisations, he says.

The point of the log-on message is not to frighten staff. It is to tell them that work on this network will be different from any they have ever used before, whether privately or at other companies they’ve worked for. After trialling the system for eight months, Royal London now plans to roll it out to its entire workforce.

According to 3ami, the MAS system is a totally new way of conceiving of the element of computer security that tends to be ignored or tackled as an afterthought – the threat posed, however inadvertently, by employees working with legitimate privileges. These people are not strangers. They walk through the main door of the company every day, sit down at their workstations and are then handed access to the very core of the company’s most critical resources.

Certainly, corporate networks have grown chaotic in ways that could never have been apparent to the early architects of PC LANs. Information moves in and out of companies in unpredictable and sometimes frighteningly arbitrary ways and applications are often imported and run against company policies.

The consequences of all this can be unexpected but are easy to ignore if they are out of sight. In a company without instant messaging monitoring, for instance, information flowing out through this channel can be seen as “security neutral” because the threat is simply ignored.

Instead of securing the network by stopping certain external events from occurring – as would be the case in conventional perimeter security – the MAS system acts as an internal deterrent. Everything that happens can be traced at a later date in a way that is hard to deny. In some cases, being able to audit certain types of event such as email traffic is now part of UK data protection law, with compliance and regulation equally onerous in the US.

Long audits
“We do trust our staff,” says Nick Harwood, Royal London’s group IT security manager. “However, we do have a security policy which tells them they will be monitored.” Before the 3ami MAS system was installed, they would have had to rely on audit trails and logs that could take days to work through, soaking up valuable administration time.

What about overhead? 3ami quotes each workstation as requiring 15Mb of disk space, which is constantly reused as data is copied back to the database server. Data is only copied across the network when the PC is active, otherwise there is no traffic at all. The central database itself accumulates data at a quoted rate of 50 kilobytes per day, per workstation for basic text capture, or 2-3MB per day, per user if email and screen captures are included.

Since it was launched the MAS has sometimes been a hard sell, but Ellsmore reports growing interest more recently. He has noted particular enthusiasm from public sector organisations such as UK police forces.

“The majority of clients we speak to have been monitoring already,” he says. “Companies probably do it in some context but they are not sure they are doing it properly and don’t talk about it.”

The example of Royal London shows that 3ami’s unusual approach to the issue of network security is starting to make sense beyond the self-conscious regimes running public sector systems.

There are still companies that would feel uncomfortable with recording what their employees do, fearing it implies a lack of trust, but as the importance of introducing deterrence into internal network security becomes a mainstream and accepted principle, this could start to change.

A secure private network is one that probably makes no assumptions about people’s trustworthiness, regardless of whether they happen to work for the company or not. Users are not the enemy but they are a risk. This is the world of the closely observed network and the closely observed employee.