Anti-virus, anti-spam and a firewall at the network perimeter,
vetting everything that tries to enter, have long been the
front-line defences against outside security threats. But some
argue that these defences are no longer suited to the way business
is done today.
Is the traditional security approach, where access is granted or
denied at the network border, becoming obsolete in a world where
business is carried out over the internet?
One person who thinks so is Paul Simmonds, global information
security director for ICI. Four years ago, Simmonds and a number of
FTSE 100 chief security officers, including David Lacey from Royal
Mail, Paul Dorey of BP and John Meakin from Standard Chartered Bank,
began questioning the current approaches to network security.
The challenge for global businesses was to provide the right IT
infrastructure to enable business partners to exchange information
freely, while at the same time keeping the data itself secure.
Firewalls, and the complex rule sets that govern who may reach
which data, were hard to keep up to date and ill-suited to a more
dynamic business environment.
And so the Jericho Forum was formed. Its aim was to shift focus
away from the network to protecting the data itself. "It is a
fundamental shift in how you think about security and not one you
have a choice about. And that is the key message Jericho wants to
get across," says Simmonds.
Jericho proposes dropping the perimeter walls that firewalls
maintain, an approach it calls deperimeterisation. In effect, it
suggests taking down the fence around your home and relying
instead on the locks on each door and window.
"In 2003 a number of enlightened organisations were being asked
by the business to make increasing connections to the outside world
and effectively punch many holes into the perimeter," says
Simmonds.
Jericho's key goal was to raise awareness and pester suppliers
into coming up with products and open standards that could cope
with a porous perimeter.
Rather than rely on the corporate firewall at the boundary of
the network, Jericho proposes that security mechanisms should be
located where they are needed, which could be at the individual
application, data or device level. That means people can connect
directly onto the "raw internet", as Simmonds calls it.
Firewalls still have a role in network security, however. "What
Jericho is saying is that firewalls should be used in the right
places, to do the right things. It does not mean they will not be
used in a datacentre or an application," says Simmonds.
Rather than the absolute approach of embedding security in every
device, in practice security will be switched on in carefully
selected devices. So routers and other key devices on the network
will be "hardened", with security built in.
Instead of network security, Simmonds says the emphasis should
shift to protocol security. So IT directors should check that
suppliers include secure protocols in their products, and beware
supplier flannel as they try to persuade you that a firewall can
take the place of secure protocols.
If most of your employees work inside the network and
third parties do not need to access your data, then capital
investment would clearly be better targeted elsewhere than on
deperimeterisation. But deperimeterisation is inevitable, says
Simmonds. While change always costs money, deperimeterisation can
actually save you money in the long run, he says.
Following Jericho's principles forces companies to go back to
basics: simple solutions are cost effective. "Security works when
it is simple. If you have layer upon layer of security, all you end
up with is a band-aid solution," says Simmonds.
So how do you start? The first step, says Simmonds, is to ask
the business what the plans are for the next three or four years.
Invariably, that picture will include demands for greater
communication and information sharing with partners and customers
over the internet. If you step back and look at what you really
need to do - to connect devices straight onto the raw internet -
then that forces you to look at things very differently.
"You need to start moving away from being network centric to
systems and access centric," says Simmonds. "The term network
security is wrong. There is no such thing as network security when
it comes to the internet."
As far as Simmonds and the Jericho Forum are concerned, those
perimeter walls are coming tumbling down, whether you like it or not.
Although there are still improvements to be made, suppliers have
stepped up to the mark and are creating the systems to enable a
secure deperimeterised environment. Companies like ICI, BP,
Rolls-Royce and many others are already reaping the benefits and so
can other companies, large and small.
"There is nothing to stop you taking the Jericho blueprint and
ending up with a very secure system that operates on the raw
internet with negligible overheads," says Simmonds.