IT security doesn't work very well. Firewalls supposedly repel invaders — apart from those that get through the necessary holes and into the constantly compromised software behind.
The inconvenience of shoring up security infrastructures is restricting the evolution of the extended business. Something needs to change and the UK security user group the Jericho Forum believes it has the answer.
The roving gang of European chief information security officers claims the key to better security is less walls not more — a concept they call deperimeterisation. De-P is ugly shorthand for the recognition that you can't do business if you hide behind walls. As the city of Jericho found out in the sixth book of Joshua, walls fall down.
But if you can't hide, what can you do? Trust and verify. Establish those whom you trust. Verify that they are who they say they are. Make sure they only have access to data they need. Ignore everything else.
Security is a process not a product, says Jericho, and an open process at that. Establish open standards for identity management, digital rights, encryption and data-level authentication, and we can eventually do away with the rest of the security infrastructure altogether while maintaining commercial and operational flexibility.
This will take a while. But because the Jericho Forum is user-led, it is honest about the problems and pragmatic about a gradual introduction of these ideas. ZDNet UK spoke to one of Jericho's founders, Paul Simmonds, global information security director of chemical giant ICI, about the ideas behind deperimeterisation and pushing the organisations unique take on security to the US.
Q: What makes Jericho different from other security groups?
A: First and foremost, it’s user driven. Secondly, it addresses areas that no one else does. We were very careful when we formalised it. We did very extensive Web searches to determine that no one else was addressing the problem.
And what exactly is the problem, as you see it?
My rant at the moment is that the security industry is not learning from its mistakes. If you don’t learn from your mistakes, you’re not going to move forward. We are still designing new systems — pick any vendor, get feedback from a consultant and it’ll be full of insecure protocols hidden behind a firewall. People are still working on the concept of an essentially structured perimeter design. We’ve got to shake off that mentality. That is the challenge for the security industry — bottom line. If you want to be employed in this industry, you’re going to need to have that mindset. That’s key to what is going on- shifting that mindset. We said from day one, this [the Jericho Forum] was about starting a discussion. If you want to know where we’ve gone — it’s now about shifting the mindset.