Jericho Forum Looks to Bring Network Walls Tumbling Down


by Paul Stamp and Robert Whiteley with Laura Koetzle and Michael Rasmussen

The Jericho Forum claims that existing security approaches are obsolete because they assume the organization manages and owns the entire infrastructure it uses. With the advent of outsourcing, managed services, enterprise mobility, and closer business partner relationships, this is no longer the case.

August 31, 2005 | CSO

The chief information security officers at organizations like HSBC and Rolls-Royce established the Jericho Forum in 2003 in order to develop and influence information and communications technology (ICT) security standards.¹ The group claims that existing security approaches are obsolete, because they assume the organization manages and owns the entire infrastructure it uses and that all individuals who perform security functions are employees of the organization. With the advent of outsourcing, managed services, enterprise mobility, and closer business partner relationships, this is no longer the case; in fact, it's often hard to decide who does and who does not belong to your internal organization.

"Perimeter? What Perimeter?" Goes Firmly Mainstream In Jericho

IT and network security boffins have talked about the disappearing network perimeter for years. So what's all the fuss about? The charter members of the Jericho Forum are all user companies, not vendors with gear to sell, and the Jericho Forum's is the first practical vision for de-perimeterization to come from user companies. De-perimeterization means redefining the boundaries between an organization's corporate network, business partner networks, and the Internet, and de-emphasizing the present security controls at those boundaries. The group counsels a four-phase approach to de-perimeterization:

    1. Make services available across the perimeter . . . Organizations are already making services available across the Internet using technologies like Web Services and SSL VPNs instead of extending their network into their partners'. Efforts like Cisco Systems' Application-Oriented Network (AON) and Juniper Networks' Enterprise Initiative will continue the trend of decoupling the authentication of the user from the underlying infrastructure.

    2. Then remove the perimeter altogether. The next stage is to reduce drastically the importance of the network boundary as a security control. Traditionally, the perimeter firewall becomes one of a series of devices to block malicious traffic; but de-perimeterized organizations instead focus on authenticating users and devices. They then distribute threat protection technologies like firewalls and intrusion prevention systems (IPS) at various points in the corporate and service provider networks.

    3. Develop a standards-based approach to data access . . . Once the perimeter disappears, user organizations and vendors must settle on an open, standards-based way to pass around and trust authentication credentials, as well as a method of defining and validating the data access level a user should have when trying to get at protected resources. Standards bodies such as OASIS and the W3C are starting to see the fruits of their labors in this area with standards like the Security Assertion Markup Language (SAML) and WS-Federation.² Although full-blown adoption of federated identity has been slow thus far, the Liberty Alliance Project has built some momentum around loose confederations of organizations like governments and large companies with autonomous business units.³

    4. Then control access to the data, not the underlying infrastructure. Finally, organizations will implement a security model that guarantees data confidentiality and integrity independent of its storage location and of the network used to transport it. Organizations will only transfer data between authenticated and authorized parties, and they'll send information about encryption and user capabilities along with the data itself.
