IT security doesn't work very well. Firewalls supposedly repel invaders — apart from those that get through the necessary holes and into the constantly compromised software behind.
The inconvenience of shoring up security infrastructures is restricting the evolution of the extended business. Something needs to change and the UK security user group the Jericho Forum believes it has the answer.
The roving gang of European chief information security officers claims the key to better security is less walls not more — a concept they call deperimeterisation. De-P is ugly shorthand for the recognition that you can't do business if you hide behind walls. As the city of Jericho found out in the sixth book of Joshua, walls fall down.
But if you can't hide, what can you do? Trust and verify. Establish those whom you trust. Verify that they are who they say they are. Make sure they only have access to data they need. Ignore everything else.
Security is a process not a product, says Jericho, and an open process at that. Establish open standards for identity management, digital rights, encryption and data-level authentication, and we can eventually do away with the rest of the security infrastructure altogether while maintaining commercial and operational flexibility.
This will take a while. But because the Jericho Forum is user-led, it is honest about the problems and pragmatic about a gradual introduction of these ideas. ZDNet UK spoke to one of Jericho's founders, Paul Simmonds, global information security director of chemical giant ICI, about the ideas behind deperimeterisation and pushing the organisations unique take on security to the US.
Q: What makes Jericho different from other security groups?
A: First and foremost, it’s user driven. Secondly, it addresses areas that no one else does. We were very careful when we formalised it. We did very extensive Web searches to determine that no one else was addressing the problem.
And what exactly is the problem, as you see it?
My rant at the moment is that the security industry is not learning from its mistakes. If you don’t learn from your mistakes, you’re not going to move forward. We are still designing new systems — pick any vendor, get feedback from a consultant and it’ll be full of insecure protocols hidden behind a firewall. People are still working on the concept of an essentially structured perimeter design. We’ve got to shake off that mentality. That is the challenge for the security industry — bottom line. If you want to be employed in this industry, you’re going to need to have that mindset. That’s key to what is going on- shifting that mindset. We said from day one, this [the Jericho Forum] was about starting a discussion. If you want to know where we’ve gone — it’s now about shifting the mindset.
The big problem is how we are going to operate our businesses in one, two or three years’ time. It’s a about being able to operate your entire business on the Internet. In reality, you’d be daft to do that — it would be a [subsection] of that, but that’s the pure idea.
Do you really see businesses like ICI and those of other Jericho members such as BP becoming deperimeterised any time soon?
In two years' time I’d like to oversee a business lead transformation at ICI working in a deperimeterised environment. The key to that is security returning many millions to ICI’s bottom line. If it doesn’t do that we shouldn’t be doing it at all.
I think we'll start in two years. That's a feasible option. BP — in terms of changing entire infrastructures, it’s a good few years away. And we’ll need serious business justifications for it — and rightly so.
What do you think the outcome of all this will be?
My personal opinion is that all large corporations are going to be faced with doing this. The only real question for me is: "Do you want to get up front and drive it or do you want to follow?"
What are you looking for in products exactly?
To have security built in not bolted on. Having inherently secure products and systems rather than systems where we put lots of proof, wrappers around data.
How does that compare with security technology now?
If you look at what’s hot now, VoIP as a protocol is inherently insecure. The vendors will tell you 'you can do it', give you an IPSEC connection and tell you it’s OK. But that’s bolt-on security. That's using VoIP with transport layer security.
Why is it difficult to inform people about deperimeterisation?
When you get chief information security officers from 50 global 200 companies, we’ve all got daytime jobs. We can all discuss and brain dump. The hard stuff is technical writing and the back office stuff. It’s time consuming. If we can find that we take the thought leadership, it’s win-win. We get stuff out of vendors for the end user.
What challenges have you come across?
The challenges of business are two fold — one is being able to do business on the Web — Can you do business to business securely? More of the demand is to use the Internet as a common transport mechanism. That's straight economics. You've got this high performing infrastructure. Why have alternatives if you can do it securely?
UPS and Walmart are championing the AS2 protocol. That's about to go to the IETF for ratification. That allows you to do business to business. It allows us to connect our e-commerce system to someone else's using the Internet. If you can drop your borders you can do an awful lot more of these transactions.
How do you keep a balance between your role in ICI and your commitment to Jericho?
The strategy is to keep part of my remit and goals. Jericho fits in to that. As long as I balance strategy with my daytime job, there isn't an issue.
When will you allow vendors to take part in the Jericho Forum?
They've already started. We've had a huge amount of interest. We've been keeping a record and telling them that the doors are now open. We've had to write a code of conduct though as a safeguard. That covers the basics. We want vendor CTOs and technologists to be involved rather than through marketing and PR. Ultimately, it's in their interests that we find an accelerated output. But we need to find a way of how to get that output out quicker.
What do members get out of Jericho?
At the end of the day, everything that comes out of Jericho. If you can't afford to pay you will get the output. If you want to be involved in thought leadership, there's a minimal charge. That's the fairest way we could think of doing it.
Paul Simmonds recently took part in a ZDNet UK Exclusive Web cast on the merits of outsourcing your IT security.