Whither De-perimeterisation?

Just published on the Jericho Forum site are the presentations from last week’s conference in London. They include the results of an interesting survey of attendees (carried out with the help of Qualys) which has already attracted some media attention.

It seems like an opportune time to reflect on the progress of the Jericho Forum. To assess just where we are on the road towards true de-perimeterised working. Is it achievable now? Or is it all just a pipe dream? The short answer is that it can’t be the latter. We have to make it work. Otherwise we’ll be sleepwalking towards a future crisis. Corporate perimeters are already leaking confidential data and letting in malware. The situation will progressively get worse. It’s not good enough to shore up traditional defences. We need to be proactive and implement new solutions.

Examining the poll of around 100 top security practitioners is illuminating. Around 70% believed that insiders represent the greatest risk, with employees at the top of the list. Traditional “hard shell” security doesn’t address this risk. A majority of those polled also believe that their network already has a porous perimeter. But in five years time, they expect things to be different. By then, network perimeters will mainly exist for quality of service purposes. Most organizations are not yet where they want to be. They are still growing in maturity. And the main obstacles to progress are lack of budget, time and personnel.

From all of this one can conclude that de-perimeterisation remains a future goal rather than an achievable state. So what exactly do we need – other than time, budget and staff – to make it work? In my view the key enablers are strategy and architecture. To achieve true de-perimeterised working requires state-of-the-art components assembled in a beyond-the-state-of-the-art architecture. We need new ambitious infrastructure such as a modern federated identity management system that can work efficiently across an open network environment. Implementing such infrastructure is not a trivial task. It involves a complete rethink of authentication, provisioning and management processes. It demands an architecture and network topology that can deploy encryption, authentication and policy enforcement controls in the most effective positions. But most of all it requires a big vision, an up-front investment in technology and a realistic migration plan.