Eli Lilly to put 'deperimeterisation' into practice

The Jericho Forum has been promoting the need for a new approach to information security that will take account of a more fluid style of business, and where the traditional hard boundaries between the company and the rest of the world were fast dissolving. Adrian Seccombe, CISO at Eli Lilly, explains how the principles of Jericho, known as deperimeterisation, are being put into practice, and how they will enable the business to operate more flexibly and at lower cost without jeopardising security.

What has been the catalyst for change in your business?
At the start of 2008, the CEO of Eli Lilly announced a new company strategy that would make it a more distributed operation, working with partners in all areas of the business. He said it would take Eli Lilly from being a FIPCO (a fully integrated pharmaceutical company) to a FIPNET – a fully integrated pharmaceutical network. Becoming a FIPNET means we are going to leverage external competences and network externally, and collaboration will be the primary driver of our organisation. Our strategy goes through to 2010, and has three main aims – to manage costs downwards, to increase flexibility, and to do that more securely.

It is all about deriving value from your information assets at an acceptable level of risk.
Adrian Seccombe, CISO and Senior Enterprise Information Architect, Eli Lilly

How do you keep risks under control when sharing information with outside organisations?
The publication this week of the Collaboration Oriented Architecture from Jericho could not have been more timely for me. We are taking this framework and implementing it as hard and as fast as we can. In the past, outsourcing has always offered a way to deliver lower costs but it's not something we have been able to deliberately engineer to be more secure. Adoption of COA principles allows us to do that. But I want to emphasise that the FIPNET is not an IT thing. It is a business objective of Eli Lilly to leverage global competence in a number of different areas. It is a recognition that we can do more by working with outside organisations than we could deliver by ourselves inside the company. For instance, we're looking at ways of manufacturing more cost-effectively and in a more innovative way. And at the moment, we are at the start of our transformation.

How does the COA help you?
One of the core components of the COA is the acronym PRIDE, which outlines the processes that you need to refine in order to move from an internally focused organisation to one that works in a collaborative way.

P stands for people, and deals with the onboarding and offboarding of all the people you have to deal with – not just your direct employees, but in our case, also customers and patients. In Eli Lilly, more than half our people now are externally provided rather than directly employed. It means that the traditional HR department has to work in a much broader perspective.

R stands for risk in a collaborative environment. If you assume it is only your responsibility to protect your information assets, and try to do that in the old silo mentality, you don't make the most of the resources of your collaborators to enable you to be more secure. Then you end up causing the problems you are trying to avoid. Organisations that try to keep all the risks internal are going to lose. The ones who start to move their risk controls outwards will win. Your data is going into the cloud whether you like it or not – so get the security into the cloud too. We already see examples of this with companies such as Postini or MessageLabs that clean email in the cloud. You can extend it to web browsing, where traditionally people had proxy servers through which they tried to manage the browsing activities of their users. But move it to a new model – like the model that organisations such as ScanSafe provide – and you go to a tower in the cloud and all your browsing is managed in real-time and much more effectively than trying to do it yourself with your own proxy servers.

I stands for information asset management, which covers the lifecycle of the information from its creation and identification of who will be responsible for it, through to the end of the cycle and its effective destruction in a managed way that is compliant with the various regulations around the world.

Information management becomes more complex when the assets are moving between collaborators. So instead of holding the information in silos, we need to be information-centric and move much more of the management of the assets to the data itself. This means you can hand over the data with a classification that is already agreed at pre-determined trust levels, and the information asset will know how it can operate.

D stands for device, and how you onboard and offboard devices. It deals with the lifecycle of the device while it is connected. You add credentials to the device that make it known to you in the future. You actually set levels of trust that you want the device to operate at. Once it comes to the end of its useful life, you make sure that no information assets are going to be put at risk by its disposal.

E stands for enterprise. How to onboard and offboard an enterprise? If you are taking on a new collaborator, it needs to be done more cost-effectively and efficiently than we do at the moment. And during the lifecycle of the collaboration, we need to manage the trust levels between the organisations. And when the collaboration comes to an end, you need to offboard the organisation whilst at the same time managing the risk state and the information assets involved. We don't have the processes for that at the moment, certainly not processes that can be automated anyway.

With such a focus on information assets, can you tell me how you are classifying and managing information?
We use Microsoft Sharepoint as one of our key collaboration tools. We are putting up identity federation models and have already built into Sharepoint a classification framework that is based on one from the G8 countries. It is a traffic light protocol using four colours: white (public), then green, amber or red (depending on level of sensitivity). We went through a discussion about how many classifications to use. Some people wanted five, even 10. Some folks want levels of granularity you cannot believe. But we are trying to make it easy for a human to grasp quite quickly.

  • Red reflects anything that could kill people, such as life safety systems, or environmental protection systems. Red accounts for less than 1% of the data we hold, and we decided not to hold this on Sharepoint.
  • Green accounts for about 85% of our data pool. We do an impact assessment to see what damage could be done against the measures of confidentiality, integrity and availability, and if the level is low, then it will be green.
  • The middle ground (amber) will be the rest – and that is where most of the difficulty of identification comes in. Intellectual property that could be of value to a competitor would be amber.

We are at the start of the journey, but in our Sharepoint system the traffic-light protocol is being rolled out. So every time someone saves a record into Sharepoint now, classification is a required field. And we know that for most of the time, it is going to be green. It is the responsibility of the person storing the record to change from the default setting of green to amber if, for example, they spot intellectual property or Social Security numbers that warrant a higher classification.
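The classification controls described in this answer, as an added example that is not Eli Lilly's or the Jericho Forum's code: a CIA impact assessment decides the colour, classification is a required field on save, red data is refused by the collaboration store, and a green record that appears to carry Social Security numbers is flagged so its owner can raise it to amber. The field names, the impact thresholds and the SSN pattern are assumptions for illustration.

```python
"""Traffic-light classification checks for a collaboration store.

Added example, not Eli Lilly's or Jericho's code. Field names, the
impact thresholds and the SSN pattern are assumptions for illustration.
"""
import re

COLOURS = ("white", "green", "amber", "red")
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed pattern for a US Social Security number in free text (assumption).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify_from_impact(confidentiality, integrity, availability):
    """Map a CIA impact assessment to a traffic-light colour.

    Low impact on all three measures is green; any 'high' is red;
    anything else is amber (thresholds are an assumption, not the interview's).
    """
    worst = max(LEVELS[confidentiality], LEVELS[integrity], LEVELS[availability])
    if worst == LEVELS["low"]:
        return "green"
    if worst == LEVELS["high"]:
        return "red"
    return "amber"


def validate_record(record):
    """Check a record before it is saved to the collaboration store.

    Returns (ok, classification, warnings). A missing classification is a
    required-field error; red is rejected because it is not held there;
    a white or green record whose body looks like it carries SSNs gets a
    warning that the default should be raised to amber.
    """
    warnings = []
    cls = record.get("classification")
    if cls is None:
        return False, None, ["classification is a required field"]
    if cls not in COLOURS:
        return False, cls, [f"unknown classification {cls!r}"]
    if cls == "red":
        return False, cls, ["red data is not held on the collaboration platform"]
    if cls in ("white", "green") and SSN_RE.search(record.get("body", "")):
        warnings.append("body appears to contain Social Security numbers; raise to amber")
    return True, cls, warnings
```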

Many people are sceptical about information security ever becoming a business enabler. What effect will this have on Eli Lilly's business?
One of the brand pillars of Eli Lilly is reliability and trustworthiness. If we can move to becoming a FIPNET – driving lower cost and more flexibility, whilst maintaining or improving our trustworthiness and reliability – then if that is not a business enabler, I don't know what is. If the organisation can start doing things much more cost-effectively in a manner that is much more secure than their competitors, that is a big advantage. It is all about deriving value from your information assets at an acceptable level of risk. We want to be the collaborator of choice, so we need to help other companies get on board. If we don't focus on how to do collaboration more effectively across a broader frame, we won't be able to achieve our goal. So the Jericho Forum activity is strategic to us.