A group of 20 chief security officers, representing some of the
largest organisations in the world, is attempting to set a
user-driven agenda for IT security.
So far, users have bought into an IT security strategy that is
largely set by suppliers offering products and services ranging
from firewalls and intrusion detection systems to e-mail security
gateway services.
As organisations require increased business agility, users are
beginning to question whether traditional models of IT security
will work with the business models they are looking to
develop.
The Jericho Forum is setting out a plan for IT security
encompassing the types of products and services it believes will be
required to support business.
Established in January, the forum has drafted a document outlining
an IT security strategy, dubbed deperimeterisation, which defines
an IT architecture that can support business agility.
The architecture is aimed at solving simple, practical problems,
for example, setting up a new sales office. It currently takes from
one to six months to design an extension to the corporate wide area
network, negotiate a contract with a telecoms provider, set up a
virtual private network and install a local area network, phone
lines and desktop PCs to support a new office.
However, in the proposed model, the user would simply need to find
an office with internet connectivity and plug in desktop PCs and IP
telephones.
The Jericho Forum believes deperimeterisation will reduce the need
for IT directors to manage secure access to a network.
For such a strategy to work, all data on the company's network
needs to be encrypted, so that protection travels with the data
rather than depending on the network boundary. End-users, whether
they are internal staff, customers or business partners, would be
given on-the-fly authorisation to access specific pieces of
encrypted data within the company's network.
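The access model described above, as an added illustration that is not code from the Jericho Forum or its draft document: each record is encrypted under its own key, a policy service issues a short-lived signed grant naming the principal, the record and the action, and a key service releases the record key only against a valid grant, so a reader's network location plays no part in the decision. The two services, the shared HMAC signing key, the record and principal names and the sample record are all assumptions made for the example; the cipher is a standard-library stand-in (HMAC-SHA256 keystream plus encrypt-then-MAC tag) so the block runs without third-party packages, and a production deployment would use AES-GCM or ChaCha20-Poly1305 and asymmetric grant signatures.

```python
import base64
import hashlib
import hmac
import json
import os
import time


# Toy authenticated encryption using only the standard library: a CTR-style
# keystream from HMAC-SHA256, then an encrypt-then-MAC tag over nonce||ct.
# Assumption for the example only; use AES-GCM / ChaCha20-Poly1305 in practice.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    # Verify the tag before touching the ciphertext: tampering is rejected outright.
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PolicyService:
    """Decides who may read which record and issues short-lived signed grants (hypothetical)."""

    def __init__(self, signing_key: bytes, acl: dict):
        self._key = signing_key
        self._acl = acl  # principal -> set of record ids the principal may read

    def issue_grant(self, principal: str, record_id: str, ttl_s: int = 60, now=None):
        if record_id not in self._acl.get(principal, set()):
            return None  # no grant: the policy decision, not the network, denies access
        now = time.time() if now is None else now
        claims = {"sub": principal, "rec": record_id, "act": "read", "exp": now + ttl_s}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


class KeyService:
    """Holds one key per record and releases it only against a valid grant (hypothetical)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key  # assumption: shared HMAC key with the policy service
        self._record_keys = {}

    def register(self, record_id: str) -> bytes:
        self._record_keys[record_id] = os.urandom(32)
        return self._record_keys[record_id]

    def release_key(self, grant: str, record_id: str, now=None) -> bytes:
        body_b64, sig_b64 = grant.split(".")
        body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
        if not hmac.compare_digest(sig, hmac.new(self._key, body, hashlib.sha256).digest()):
            raise PermissionError("grant signature invalid")
        claims = json.loads(body)
        now = time.time() if now is None else now
        if claims["exp"] < now:
            raise PermissionError("grant expired")
        if claims["rec"] != record_id or claims["act"] != "read":
            raise PermissionError("grant does not cover this record")
        return self._record_keys[record_id]


def demo() -> dict:
    """Walk through the cases a practitioner would check; returns the outcomes."""
    signing_key = os.urandom(32)
    keys = KeyService(signing_key)
    # Constructed ACL: staff may read the forecast, a partner may read only the price list.
    policy = PolicyService(signing_key, {"alice@corp": {"sales-forecast"}, "bob@partner": {"price-list"}})
    k = keys.register("sales-forecast")
    keys.register("price-list")
    stored = encrypt(k, b"Q3 forecast: 1.2M")  # constructed sample record, encrypted at rest
    results = {}
    grant = policy.issue_grant("alice@corp", "sales-forecast", now=1000.0)
    results["staff_reads"] = decrypt(keys.release_key(grant, "sales-forecast", now=1010.0), stored)
    results["partner_denied"] = policy.issue_grant("bob@partner", "sales-forecast") is None
    try:
        keys.release_key(grant, "sales-forecast", now=2000.0)
        results["expired_rejected"] = False
    except PermissionError:
        results["expired_rejected"] = True
    bob_grant = policy.issue_grant("bob@partner", "price-list", now=1000.0)
    try:
        keys.release_key(bob_grant, "sales-forecast", now=1010.0)
        results["wrong_record_rejected"] = False
    except PermissionError:
        results["wrong_record_rejected"] = True
    tampered = stored[:20] + bytes([stored[20] ^ 1]) + stored[21:]
    try:
        decrypt(k, tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

The point to notice is that the key service never asks where the request came from: a partner on the public internet and a member of staff on the office LAN are judged by the same grant check, which is what lets the office be "plugged in" anywhere with internet connectivity.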
The forum's draft document presented a four-pronged approach to
achieving deperimeterisation covering how to control network
access, the types of devices deperimeterisation will need to
support, proposals for the standards that the IT industry and
businesses will need to adopt and an approach for managing access
to the network.
Issues that need to be resolved if deperimeterisation is to
take off include securing access to corporate IT from insecure
computers; correlating security information across the company
network; giving business partners secure access to data; and
controlling access by processes such as digital rights
management across an operating system.
Deperimeterisation will require a phased approach and many
businesses are unlikely to re-engineer their network to support it
until 2008, according to senior forum members.