FTSE companies demand common security standards

UK users seize the initiative as suppliers fail to deliver

Ten FTSE 100 companies have joined forces in an effort to drive home their IT security concerns to IT suppliers.

The organisations, which include ICI, BP and some of the UK's biggest banks and financial services companies, along with Royal Mail, are concerned that suppliers' existing products will not support their future business strategies, such as B2B web services.

The group, which has emerged over the past year, will present its case at IT security conferences in a bid to drum up wider support from the user community.

The group is collaborating on an open standards security architecture that was originally developed internally by Royal Mail. The architecture aims to overcome the limitations of current IT security, where products from rival suppliers are unable to share security information in a standard way.

Paul Simmonds, global information security director at chemical manufacturer ICI, said: "We have to accept that a network cannot be kept highly sanitised. We need a more strategic approach to defining tools and standards than is available today. Traditional network security has reached the end of its life."

Simmonds, together with David Lacey, director of security and risk management technology, services and innovation at Royal Mail, will present the group's position in a debate with Tony Kenyon, head of security at BT Global Services, at this week's RSA security conference in Amsterdam.

"Unless the industry can agree on a universal security framework, we will never be able to exploit the full potential of B2B web services," Lacey told Computer Weekly. "The IT industry needs to classify security in a consistent way."

Graham Bird of the industry and user forum the Open Group, whose members include the NHS Information Authority and the Department for Work and Pensions, is backing the initiative.

Although a business could mandate a set of IT products to achieve a level of security throughout the company, Bird said, "It is difficult to control security outside your organisation. It is not possible to move information in a boundaryless way."

An example of this is the digital rights management technology in Microsoft Office 2003. An Office 2003 user could control access to a document but only if recipients of the document were also using Office 2003 digital rights management.

"The industry has to stop making all technology competitive. Suppliers have to collaborate on standards, and compete on functionality," Bird said.

Chris Thompson, vice-president for network security products at IT security company McAfee, said suppliers had to face the challenge of creating interoperability between security products.

"There is no event correlation between security products. There is no real industry standard to make this work in real time. To achieve this, the industry needs to work together," Thompson said.

However, Thompson warned that the industry was at least five years away from being able to deliver this requirement.

Security proposal

The group is calling for:
  • A consistent framework across the industry for classifying data, systems, users and connections.
  • Agreed levels of strength of security mechanisms.

"The Royal Mail architecture sets out proposed solutions for classification levels and corresponding security solutions based on open standards," said David Lacey, director of security and risk management technology at Royal Mail.
