Using anti-virus, anti-spam and a firewall at the network perimeter to vet entrants have long been the front-line...
weapons against outside security threats. But there are people who argue that these defences are not suited to doing business today. Is the traditional security approach, where access is granted or denied at the network border, becoming obsolete in a world where business is carried out over the internet?
One person who thinks so is Paul Simmonds, global information security director for ICI. Four years ago, Simmonds and a number of FTSE 100 chief security officers, including David Lacey from Royal Mail, Paul Dorey of BP and John Meakin from Standard Charter Bank, began questioning the current approaches to network security.
The challenge for global businesses was to provide the right IT infrastructure to enable business partners to exchange information freely, while at the same time keeping the data itself secure. Firewalls and the complex rules that govern data access were hard to keep up-to-date, and unsuitable to a more dynamic business environment.
And so the Jericho Forum was formed. Its aim was to shift focus away from the network to protecting the data itself. "It is a fundamental shift in how you think about security and not one you have a choice about. And that is the key message Jericho wants to get across," says Simmonds.
Jericho proposes dropping the perimeter walls that the firewalls maintain in an approach it calls deperimeterisation. In effect, it suggests dispensing with locks on your home and leaving the door and windows wide open.
"In 2003 a number of enlightened organisations were being asked by the business to make increasing connections to the outside world and effectively punch many holes into the perimeter," says Simmonds.
Jericho's key goal was to raise awareness and pester suppliers into coming up with products and open standards that could cope with a porous perimeter.
Rather than rely on the corporate firewall at the boundary of the network, Jericho proposes that security mechanisms should be located where they are needed, which could be at the individual application, data or device level. That means people can connect directly onto the "raw internet", as Simmonds calls it.
Firewalls still have a role in network security, however. "What Jericho is saying is that firewalls should be used in the right places, to do the right things. It does not mean they will not be used in a datacentre or an application," says Simmonds.
Rather than the absolute approach of each device having security embedded, in practice it will be carefully selected devices that are activated. So routers and other key devices on the network will be "hardened" with security built in.
Instead of network security, Simmonds says the emphasis should shift to protocol security. So IT directors should check that suppliers include secure protocols in their products, and beware supplier flannel as they try and persuade you that a firewall can take the place of secure protocols.
If most of your employees work inside the network and third-parties do not need to access your data, then capital investment would clearly be better targeted elsewhere than on deperimeterisation. But deperimeterisation is inevitable, says Simmonds. While change always costs money, deperimeterisation can actually save you money in the long run, he says.
Following Jericho's principles forces companies to go back to basics: simple solutions are cost effective. "Security works when it is simple. If you have layer upon layer of security, all you end up with is a band-aid solution," says Simmonds.
So how do you start? The first step, says Simmonds, is to ask the business what the plans are for the next three or four years. Invariably, that picture will include demands for greater communication and information sharing with partners and customers over the internet. If you step back and look at what you really need to do - to connect devices straight onto the raw internet - then that forces you to look at things very differently.
"You need to start moving away from being network centric to systems and access centric," says Simmonds. "The term network security is wrong. There is no such thing as network security when it comes to the internet."
As far as Simmonds and the Jericho Forum is concerned, those perimeter walls are coming tumbling down, whether you like or not. Although there are still improvements to be made, suppliers have stepped up to the mark and are creating the systems to enable a secure deperimeterised environment. Companies like ICI, BP, Rolls-Royce and many others are already reaping the benefits and so can other companies, large and small.
"There is nothing to stop you taking the Jericho blueprint and ending up with a very secure system that operates on the raw internet with negligible overheads," says Simmonds.