IT security doesn't work very well. Firewalls supposedly repel invaders — apart from those that get through the necessary holes and into the constantly compromised software behind.
The inconvenience of shoring up security infrastructures is restricting the evolution of the extended business. Something needs to change and the UK security user group the Jericho Forum believes it has the answer.
The roving gang of European chief information security officers claims the key to better security is less walls not more — a concept they call deperimeterisation. De-P is ugly shorthand for the recognition that you can't do business if you hide behind walls. As the city of Jericho found out in the sixth book of Joshua, walls fall down.
But if you can't hide, what can you do? Trust and verify. Establish those whom you trust. Verify that they are who they say they are. Make sure they only have access to data they need. Ignore everything else.
Security is a process not a product, says Jericho, and an open process at that. Establish open standards for identity management, digital rights, encryption and data-level authentication, and we can eventually do away with the rest of the security infrastructure altogether while maintaining commercial and operational flexibility.
This will take a while. But because the Jericho Forum is user-led, it is honest about the problems and pragmatic about a gradual introduction of these ideas. ZDNet UK spoke to one of Jericho's founders, Paul Simmonds, global information security director of chemical giant ICI, about the ideas behind deperimeterisation and pushing the organisations unique take on security to the US.
Q: What makes Jericho different from other security groups?
A: First and foremost, it’s user driven. Secondly, it addresses areas that no one else does. We were very careful when we formalised it. We did very extensive Web searches to determine that no one else was addressing the problem.
And what exactly is the problem, as you see it?
My rant at the moment is that the security industry is not learning from its mistakes. If you don’t learn from your mistakes, you’re not going to move forward. We are still designing new systems — pick any vendor, get feedback from a consultant and it’ll be full of insecure protocols hidden behind a firewall. People are still working on the concept of an essentially structured perimeter design. We’ve got to shake off that mentality. That is the challenge for the security industry — bottom line. If you want to be employed in this industry, you’re going to need to have that mindset. That’s key to what is going on- shifting that mindset. We said from day one, this [the Jericho Forum] was about starting a discussion. If you want to know where we’ve gone — it’s now about shifting the mindset.
Talkback
This is an interesting concept. One of which I have been trying to explain to people for years. The flaws lie not in lack of tools but in the design of the products we seek to secure.
Our own IS department constantly codes with no security in mind. I have to develop and build the safeguards around the app rather than have a safe app/service.
My question is: How is this type of technology/methodology apply to financial institutions and laws such as Sarbanes Oxley and GLB? This won't fly with them based on how the laws are currently in place.
There is a Linux technology available that provides this now- Trustifier.
Since Trustifier provides the height of internal controls, (mandatory access controls) and tamper resistant audit trails for all users, an added bonus is compliance is pretty much provided out-of-the-box.
There is a Linux technology available that provides this now- Trustifier.
Since Trustifier provides the height of internal controls, (mandatory access controls) and tamper resistant audit trails for all users, an added bonus is compliance is pretty much provided out-of-the-box.
Check out the Jericho Vision paper on the web site http://www.opengroup.org/tech/jericho/ -
Jericho covers much more than individual products.
And then join up!
What is critical is achieving node-level security and defense in depth. There is also an important workflow component, because "authorized" users otherwise can do "unauthorized" things. However, even without security threats many companies would need to keep their firewalls in place because their internal IP address structure might not be "street legal."