The IT industry collaborates on many areas of security, but
these relationships are tied to specific products from specific
manufacturers.
Last month, for example, IBM joined with Cisco to produce software
that would manage access to corporate networks by checking whether
individual PCs posed a security risk because they lacked the latest
patch updates.
This approach will only secure businesses that deploy the relevant
IBM/Cisco product.
Jericho Forum member David Lacey, director of security and risk
management, technology, services and innovation at Royal Mail, said
this approach could, in practice, lock out customers and business
partners. "We believe it is time for IT users to seize the
standards agenda and begin to articulate solutions for the future,"
he said.
The forum plans to look at the possibility of developing standards
to define data and the access rights users have to that data.
Standards are essential, as user authentication needs to work on
whatever system is used to access the data, be that Windows, MacOS,
Unix, Linux, a mainframe or a mobile device operating system. No
such standards yet exist.
Existing commercial software for controlling access is inadequate,
according to members of the Jericho Forum. The digital rights
management in Office 2003, for example, fails if the user opens the
document in an earlier version of Microsoft Office. The security is
also void once the document is e-mailed and opened in another
package, such as StarOffice.
"One thing the Jericho Forum would like to see is security models
that reflect the collaborative nature of the business," Lacey
said.
There is no easy answer, but the forum has proposed a number of
ways security could develop. For example, future versions of
databases from leading suppliers could incorporate security that
not only encrypted all the data but also provided a way to control
access to individual items of data. For instance, a user of a
payroll system should still be able to check the salaries of staff
but might not have access to data showing directors' pay.
With this level of control, external users, including customers,
suppliers and business partners, could be given access to specific
pieces of information.
In the draft manifesto, members of the Jericho Forum have proposed
that the group should develop classification standards to aid
collaboration between its various members.
"It is hoped that this bottom-up approach will result in a common
framework that will be applicable and adopted by other enterprises
and SMEs," said Lacey.