The big problem is how we are going to operate our businesses in one, two or three years’ time. It’s a about being able to operate your entire business on the Internet. In reality, you’d be daft to do that — it would be a [subsection] of that, but that’s the pure idea.
Do you really see businesses like ICI and those of other Jericho members such as BP becoming deperimeterised any time soon?
In two years' time I’d like to oversee a business lead transformation at ICI working in a deperimeterised environment. The key to that is security returning many millions to ICI’s bottom line. If it doesn’t do that we shouldn’t be doing it at all.
I think we'll start in two years. That's a feasible option. BP — in terms of changing entire infrastructures, it’s a good few years away. And we’ll need serious business justifications for it — and rightly so.
What do you think the outcome of all this will be?
My personal opinion is that all large corporations are going to be faced with doing this. The only real question for me is: "Do you want to get up front and drive it or do you want to follow?"
What are you looking for in products exactly?
To have security built in not bolted on. Having inherently secure products and systems rather than systems where we put lots of proof, wrappers around data.
How does that compare with security technology now?
If you look at what’s hot now, VoIP as a protocol is inherently insecure. The vendors will tell you 'you can do it', give you an IPSEC connection and tell you it’s OK. But that’s bolt-on security. That's using VoIP with transport layer security.
Why is it difficult to inform people about deperimeterisation?
When you get chief information security officers from 50 global 200 companies, we’ve all got daytime jobs. We can all discuss and brain dump. The hard stuff is technical writing and the back office stuff. It’s time consuming. If we can find that we take the thought leadership, it’s win-win. We get stuff out of vendors for the end user.
Talkback
This is an interesting concept. One of which I have been trying to explain to people for years. The flaws lie not in lack of tools but in the design of the products we seek to secure.
Our own IS department constantly codes with no security in mind. I have to develop and build the safeguards around the app rather than have a safe app/service.
My question is: How is this type of technology/methodology apply to financial institutions and laws such as Sarbanes Oxley and GLB? This won't fly with them based on how the laws are currently in place.
There is a Linux technology available that provides this now- Trustifier.
Since Trustifier provides the height of internal controls, (mandatory access controls) and tamper resistant audit trails for all users, an added bonus is compliance is pretty much provided out-of-the-box.
There is a Linux technology available that provides this now- Trustifier.
Since Trustifier provides the height of internal controls, (mandatory access controls) and tamper resistant audit trails for all users, an added bonus is compliance is pretty much provided out-of-the-box.
Check out the Jericho Vision paper on the web site http://www.opengroup.org/tech/jericho/ -
Jericho covers much more than individual products.
And then join up!
What is critical is achieving node-level security and defense in depth. There is also an important workflow component, because "authorized" users otherwise can do "unauthorized" things. However, even without security threats many companies would need to keep their firewalls in place because their internal IP address structure might not be "street legal."