The chief information security officers at organizations like HSBC and Rolls-Royce established the Jericho Forum in 2003 in order to develop and influence information and communications technology (ICT) security standards.¹ The group claims that existing security approaches are obsolete, because they assume that the organization manages and owns the entire infrastructure it uses and that everyone who performs security functions is an employee of the organization. With the advent of outsourcing, managed services, enterprise mobility, and closer business partner relationships, this is no longer the case; in fact, it's often hard to decide who does and who does not belong to your internal organization.
Perimeter? What Perimeter? Goes Firmly Mainstream In Jericho
IT and network security boffins have talked about the disappearing network perimeter for years. So what's all the fuss about? The charter members of the Jericho Forum are all user companies, not vendors with gear to sell, and the Jericho Forum's is the first practical vision for de-perimeterization to come from user companies. De-perimeterization means redefining the boundaries between an organization's corporate network, business partner networks, and the Internet, and de-emphasizing the present security controls at those boundaries. The group counsels a four-phase approach to de-perimeterization:
1. Make services available across the perimeter . . . Organizations are already making services available across the Internet using technologies like Web services and SSL VPNs instead of extending their network into their partners'. Efforts like Cisco Systems' Application-Oriented Network (AON) and Juniper Networks' Enterprise Initiative will continue the trend of decoupling the authentication of the user from the underlying infrastructure.
2. Then remove the perimeter altogether. The next stage is to reduce drastically the importance of the network boundary as a security control. The perimeter firewall, traditionally the primary control, becomes just one of a series of devices that block malicious traffic; de-perimeterized organizations instead focus on authenticating users and devices. They then distribute threat protection technologies like firewalls and intrusion prevention systems (IPS) at various points in the corporate and service provider networks.
3. Develop a standards-based approach to data access . . . Once the perimeter disappears, user organizations and vendors must settle on an open, standards-based way to pass around and trust authentication credentials, as well as a method of defining and validating the data access level a user should have when trying to get at protected resources. Standards bodies such as OASIS and the W3C are starting to see the fruits of their labors in this area with standards like the Security Assertion Markup Language (SAML) and WS-Federation.² Although full-blown adoption of federated identity has been slow thus far, the Liberty Alliance Project has built some momentum around loose confederations of organizations like governments and large companies with autonomous business units.³
4. Then control access to the data, not the underlying infrastructure. Finally, organizations will implement a security model that guarantees data confidentiality and integrity independent of its storage location and of the network used to transport it. Organizations will only transfer data between authenticated and authorized parties, and they'll send information about encryption and user capabilities along with the data itself.
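Phases three and four together describe a concrete mechanism: an assertion about the user that can be trusted across an organizational boundary, and a data object whose access policy and cryptographic protection travel with it, so that enforcement no longer depends on which network the request arrives from. The following is an added example, written for this page and not Jericho Forum or Forrester material; the identity provider, key service, object names and capability strings are all assumed. It uses a keyed-hash signed token as a simplified stand-in for a SAML assertion and an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC as a standard-library stand-in for an authenticated cipher such as AES-GCM. The security-relevant point it shows is that a policy carried inside the data must be bound to the data by the integrity tag and verified before it is honored; otherwise anyone could edit the policy to one they satisfy.

```python
"""Data-centric access control: policy and protection travel with the data.

Added example (not Jericho Forum code). Assumed components: an identity
provider issuing capability assertions (stand-in for SAML), a data owner
sealing objects, and a key service that releases data keys only against a
valid assertion and never asks where on the network the caller sits.
"""
import base64, binascii, hashlib, hmac, json, os


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s)


def _canon(obj) -> bytes:
    # Canonical JSON so issuer and verifier MAC identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- identity provider: capability assertions that cross the boundary -------
def issue_assertion(idp_key: bytes, subject: str, caps: list, now: int, ttl: int = 3600) -> str:
    body = _canon({"sub": subject, "caps": sorted(caps), "exp": now + ttl})
    return _b64(body) + "." + _b64(hmac.new(idp_key, body, hashlib.sha256).digest())


def verify_assertion(idp_key: bytes, token: str, now: int):
    """Return the claims dict, or None if the token is malformed, forged or expired."""
    try:
        body, tag = (_unb64(p) for p in token.split("."))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(idp_key, body, hashlib.sha256).digest(), tag):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > now else None


# --- sealed data object: ciphertext + authenticated policy header -----------
def _derive(data_key: bytes):
    # Separate encryption and MAC keys from one data key.
    return (hmac.new(data_key, b"enc", hashlib.sha256).digest(),
            hmac.new(data_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF-based stream cipher (AES-GCM stand-in).
    out = b"".join(hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
                   for ctr in range((n + 31) // 32))
    return out[:n]


def _tag(mac_key: bytes, header: dict, ct: bytes) -> bytes:
    # The tag covers the header, so the "requires" policy cannot be edited.
    return hmac.new(mac_key, _canon(header) + ct, hashlib.sha256).digest()


def seal(data_key: bytes, object_id: str, plaintext: bytes, required_cap: str) -> dict:
    enc_key, mac_key = _derive(data_key)
    nonce = os.urandom(16)
    header = {"id": object_id, "requires": required_cap, "nonce": _b64(nonce)}
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return {"header": header, "ct": _b64(ct), "tag": _b64(_tag(mac_key, header, ct))}


def check_integrity(data_key: bytes, sealed: dict) -> bool:
    _, mac_key = _derive(data_key)
    return hmac.compare_digest(_tag(mac_key, sealed["header"], _unb64(sealed["ct"])),
                               _unb64(sealed["tag"]))


def unseal(data_key: bytes, sealed: dict) -> bytes:
    if not check_integrity(data_key, sealed):
        raise ValueError("sealed object altered")
    enc_key, _ = _derive(data_key)
    ct = _unb64(sealed["ct"])
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, _unb64(sealed["header"]["nonce"]), len(ct))))


class KeyService:
    """Releases a data key only to a holder of a valid assertion with the required capability."""

    def __init__(self, idp_key: bytes):
        self.idp_key, self._keys = idp_key, {}

    def register(self, object_id: str, data_key: bytes) -> None:
        self._keys[object_id] = data_key

    def release_key(self, sealed: dict, assertion: str, now: int) -> bytes:
        data_key = self._keys[sealed["header"]["id"]]
        if not check_integrity(data_key, sealed):        # verify policy before trusting it
            raise ValueError("sealed object altered; policy not trusted")
        claims = verify_assertion(self.idp_key, assertion, now)
        if claims is None:
            raise PermissionError("assertion invalid or expired")
        if sealed["header"]["requires"] not in claims["caps"]:
            raise PermissionError(f"{claims['sub']} lacks {sealed['header']['requires']}")
        return data_key


def demo() -> dict:
    """Constructed scenario: one partner user authorized, one not, one tampered object."""
    now, idp_key, data_key = 1_700_000_000, os.urandom(32), os.urandom(32)
    ks = KeyService(idp_key)
    doc = seal(data_key, "contract-42", b"Merger terms: confidential", "read:m-and-a")
    ks.register("contract-42", data_key)
    alice = issue_assertion(idp_key, "alice@partner.example", ["read:m-and-a"], now)
    bob = issue_assertion(idp_key, "bob@partner.example", ["read:public"], now)
    r = {"alice": unseal(ks.release_key(doc, alice, now), doc)}
    for name, obj, tok, t in [("bob", doc, bob, now),
                              ("tampered", {**doc, "header": {**doc["header"], "requires": "read:public"}}, bob, now),
                              ("expired", doc, alice, now + 7200)]:
        try:
            ks.release_key(obj, tok, t)
            r[name] = "allowed"
        except (PermissionError, ValueError) as e:
            r[name] = type(e).__name__
    return r


if __name__ == "__main__":
    print(demo())
```

The key service is the enforcement point: it checks the object's integrity tag before reading the policy it carries, then checks the assertion, and only then releases the key. Moving the key service from the corporate LAN to a hosted provider changes nothing in this logic, which is what phase four means by securing the data rather than the path.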
The Jericho Forum claims that this process is well underway and estimates that by the end of 2007, phases three and four will start to see some real mainstream adoption.
GROUP BOASTS IMPRESSIVE MEMBERSHIP LIST
Industry heavyweights like Barclays, Boeing, BP, HSBC, Imperial Chemical Industries, Procter & Gamble, Rolls-Royce, and Royal Mail all participate actively in the Jericho Forum, and the group aims to have several hundred member organizations by the end of 2005. The Jericho Forum has just begun to promote itself and solicit input. The focus is on US firms, because the Forum already has so many prominent European members.
Until recently, the Jericho Forum kept vendors at arm's length, and its members remain adamant that anything they produce will be based on open standards and will not promote any proprietary solutions.
THE JERICHO FORUM WILL TOPPLE WALLS WELL BEYOND IT SECURITY
The Jericho Forum is turning current security models on their heads, and it's likely to affect much more than the way companies look at orthodox IT security. Jericho's approach touches on domains like digital rights management, network quality of service, and business partner risk management, because it:
- Fundamentally changes the way organizations approach connectivity. Today's environment assumes VPNs will protect all remote access. But deployed correctly, the Jericho Forum's approach removes the need for securing connectivity; instead, it relies on the data itself being already secured. After phase four is complete, enterprises can stop deploying purpose-built remote access gateways and use technologies like network quarantine to simply authenticate and assess users regardless of device type. We'll still use technologies like SSL VPNs for extranet portals, but they will no longer play a critical role in remote access.
- Automates business partner risk mitigation. To enforce effective cross-company access controls, the Jericho Forum will need to promote a standards-based way of expressing business partner policies and relationships. This, too, will be an essential step for organizations trying to automate their business partner risk management process.
- Provides a framework for effective digital rights management. Current digital rights management efforts focus either on consumers or on single enterprises. The need for a common approach to protect intellectual or artistic property will drive a cross-industry, standards-based approach to data-level information protection.
- Shifts spending from threat protection to secure design. So far, security spending has been a reactive affair, either: 1) in response to a security incident or threat, such as a worm, spyware, or a phishing attack; or 2) to comply with a regulation, directive, or contractual obligation. De-perimeterized organizations will design and build secure infrastructures from the ground up rather than try to retrofit security into the existing way of doing things. Spending will shift from protective measures like firewalls, antivirus software, and intrusion prevention systems (IPS) toward technologies like strong authentication and network quarantine that enable secure communication.
GLOBAL MISTRUST AND CRYPTO REGULATIONS WILL PREVENT TRUE ADOPTION
Although there are isolated de-perimeterization initiatives underway, they'll need to overcome significant barriers to make true de-perimeterization a reality, and these problems certainly aren't going to be fixed within the timeline proposed by the Jericho Forum:
- True de-perimeterization requires a universal trust infrastructure. In order to authenticate users, devices, and data from outside your organization, you need a way to establish and verify how much you trust them. PKI buffs have repeatedly tried and failed to put a global trust infrastructure in place, and federation buffs like those in the Liberty Alliance seem to be running into the same problems. Implementing a global trust infrastructure is a monumental task, and it's near-impossible that we can do it within the few years predicted by the Jericho Forum.
- Strong data-level encryption raises international commerce concerns. Countries like China, Israel, and Russia have strict requirements for the import, export, and use of strong encryption products. It will be extremely difficult to develop a data-level encryption solution that provides the appropriate level of protection while complying with global regulations.
- Without more vendor participation, the Jericho Forum will go nowhere fast. Uptake among technology vendors has been slow since the Jericho Forum opened its doors to them in November 2004. Vendors must create the technology to drive adoption of the standards and, in order to succeed, the Jericho Forum will need much greater participation from the likes of Cisco, Computer Associates, IBM, and Microsoft. But Jericho's members are right to be cautious; including too many vendors will bury the forum's momentum in the gridlock that vendor consortia almost invariably produce.
END NOTES
1. The Jericho Forum outlines its objectives and scope in its Visioning White Paper. Note that most North American firms refer to information technology (IT) infrastructure, while firms from Europe, Australia, and New Zealand often refer to it as information and communications technology (ICT). In the context of the Jericho Forum, Forrester is using these terms interchangeably. See http://www.opengroup.org/projects/jericho/uploads/40/6809/vision_wp.pdf.
2. The Liberty Alliance, a consortium representing organizations from around the world, was created in 2001 to address the technical, business, and policy challenges around identity and identity-based Web services. For more information, go to http://www.projectliberty.org. Most cross-boundary authentication standards efforts center on WS-Security or on federation standards like SAML and WS-Federation.
3. The US federal government's General Services Administration (GSA) and Department of Defense (DoD) have thrown their support behind the Liberty Alliance. For more information, go to http://xml.coverpages.org/ni2003-03-06-b.html. Additionally, France Telecom announced plans last July to implement a Liberty-interoperable federation infrastructure for its 50 million Orange subscribers. For more information, go to http://www.projectliberty.org/press/details.php?item_id=75.