Forum says open security standards are essential to support business partnerships

The IT industry collaborates on many areas of security, but these relationships are tied to specific products from specific manufacturers.

Last month, for example, IBM joined with Cisco to produce software that would manage access to corporate networks by checking whether individual PCs posed a security risk because they lacked the latest patch updates.

This approach will only secure businesses that deploy the relevant IBM/Cisco product.

Jericho Forum member David Lacey, director of security and risk management, technology, services and innovation at Royal Mail, said this approach could, in practice, lock out customers and business partners. "We believe it is time for IT users to seize the standards agenda and begin to articulate solutions for the future," he said.

The forum plans to look at the possibility of developing standards to define data and the access rights users have to that data. Standards are essential, as user authentication needs to work on whatever system is used to access the data, be that Windows, MacOS, Unix, Linux, a mainframe or a mobile device operating system. No such standards yet exist.

Existing commercial software for controlling access is inadequate, according to members of the Jericho Forum. The digital rights management in Office 2003, for example, fails if the user opens the document in an earlier version of Microsoft Office. The security is also void once the document is e-mailed and opened in another package, such as StarOffice.

"One thing the Jericho forum would like to see is security models that reflect the collaborative nature of the business," Lacey said.

There is no easy answer, but the forum has proposed a number of ways security could develop. For example, future versions of databases from leading suppliers could incorporate security that not only encrypted all the data but also provided a way to control access to individual items of data. For instance, a user of a payroll system should still be able to check the salaries of staff but might not have access to data showing directors' pay.

With this level of control, external users, including customers, suppliers and business partners, could be given access to specific pieces of information.
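The per-item database control described above (staff salaries visible, directors' pay withheld) is what row-level security in a modern database provides. The following is an added illustration using PostgreSQL row-level security, not code from the article or from the Jericho Forum; the `payroll` table, the two roles and the sample rows are constructed for the example, and encryption of the stored data is outside what it shows.

```sql
-- Added example: per-row access control in PostgreSQL (9.5 or later).
-- Assumed schema: payroll(employee_id, full_name, grade, salary),
-- where grade = 'director' marks board-level pay.
CREATE TABLE payroll (
    employee_id integer PRIMARY KEY,
    full_name   text    NOT NULL,
    grade       text    NOT NULL,   -- 'staff' or 'director'
    salary      numeric NOT NULL
);

-- Constructed sample rows for the demonstration.
INSERT INTO payroll VALUES
    (1, 'A. Clerk',    'staff',    28000),
    (2, 'B. Engineer', 'staff',    41000),
    (3, 'C. Director', 'director', 150000);

-- Two assumed roles: payroll clerks and the remuneration committee.
CREATE ROLE payroll_clerk;
CREATE ROLE remuneration_committee;
GRANT SELECT ON payroll TO payroll_clerk, remuneration_committee;

-- Deny by default: with RLS enabled, a role sees only rows a policy permits.
ALTER TABLE payroll ENABLE ROW LEVEL SECURITY;
ALTER TABLE payroll FORCE ROW LEVEL SECURITY;   -- apply to the table owner too

-- Clerks can read staff salaries; director rows are filtered out of every query.
CREATE POLICY clerk_sees_staff ON payroll
    FOR SELECT TO payroll_clerk
    USING (grade <> 'director');

-- The remuneration committee can read every row.
CREATE POLICY committee_sees_all ON payroll
    FOR SELECT TO remuneration_committee
    USING (true);

-- Check as a clerk: the director row is simply absent (no error), so an
-- aggregate such as SUM(salary) also excludes board pay.
SET ROLE payroll_clerk;
SELECT full_name, salary FROM payroll ORDER BY employee_id;   -- returns 2 rows
RESET ROLE;
```

Because the filter is enforced inside the database rather than in each client application, the same restriction holds whichever operating system or front end the user connects from, which is the cross-platform property the forum is asking for.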

In the draft manifesto, members of the Jericho Forum have proposed that the group should develop classification standards to aid collaboration between its various members.

"It is hoped that this bottom-up approach will result in a common framework that will be applicable and adopted by other enterprises and SMEs," said Lacey.
