A management framework for ascertaining trust and authenticating users is the final piece of the deperimeterisation jigsaw.
At present there are more questions than answers. How can a user be uniquely identified and authorised to access a network? Is one firm's security strategy aligned to its partner's, or will network security be compromised if the two link networks?
Despite these concerns, members of the Jericho Forum believe that cross-company global authentication is essential. This may take the form of existing industry-specific collaborations such as the Chemical Industry Data Exchange (CIDX) or a global directory that allows you to identify yourself, your customers and your business partners.
Paul Simmonds, global information security director at ICI, said a possible scenario would be for CIDX to establish a trust network so that if ICI was running a joint venture with Dupont, users from both companies could be authenticated to log into a shared workspace. "At the moment the joint venture partner has to be maintained as a user on my system," he said.
The group hopes to look into best practices and standards to cover grey areas of IT security such as how a company vets staff for trustworthiness or the ethical policy assessment of third-party business partners.
The group admits that deperimeterisation means that gathering audit information across all possible network access points is a huge undertaking. In its draft manifesto the group said, "It remains unclear how and whether audit information could be collated such that sufficient accountability and audit trails can be established." The failure to establish clear audit trails could, for example, hold back the development of web services.
Another problem identified by the forum concerns analysis and automation tools. According to the draft manifesto, little progress has been made in developing standards for such tools.
Members of Jericho are also assessing whether current enterprise directories, which are used for authenticating users onto corporate systems, could be modified to support authorisation in a deperimeterised network.
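The joint-venture scenario Simmonds describes (a trust network in which a partner's own identity provider vouches for its users) and the question of whether directory attributes could drive authorisation can be sketched in a few dozen lines. The following is an added example, not code from the article, the Jericho Forum, ICI, Dupont or CIDX: a relying party holds a registry of trusted partner issuers, accepts a signed, audience-bound, short-lived assertion from any of them, and decides access to a shared workspace from the groups the partner's directory asserts rather than from a locally maintained account. The issuer names, keys, groups and workspace policy are all constructed for the demo, and an HMAC shared secret stands in for the public-key signatures a real federation (SAML or OpenID Connect) would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust registry: each partner identity provider the trust network
# admits, keyed by a hypothetical issuer name. A real relying party would hold
# the partner's public signing key here; a shared HMAC secret keeps this demo
# standard-library only.
TRUST_REGISTRY = {
    "idp.ici.example": b"ici-federation-key-constructed",
    "idp.dupont.example": b"dupont-federation-key-constructed",
}

# Constructed policy for the shared joint-venture workspace. Entitlement is a
# set of (issuer, group) pairs asserted by the partner's own directory, so no
# partner user has to be mirrored as a local account.
WORKSPACE_POLICY = {
    "jv-workspace": {
        ("idp.ici.example", "jv-polymers"),
        ("idp.dupont.example", "jv-polymers"),
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, subject, groups, audience, ttl=300, now=None):
    """Partner IdP side: sign a short-lived assertion about one of its users."""
    now = time.time() if now is None else now
    payload = {
        "iss": issuer,
        "sub": subject,
        "groups": sorted(groups),
        "aud": audience,            # the service this assertion is minted for
        "exp": int(now) + ttl,      # absolute expiry, seconds since the epoch
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(TRUST_REGISTRY[issuer], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token, audience, now=None, registry=TRUST_REGISTRY):
    """Relying party side: return the payload only if every check passes,
    otherwise None. Checks run in order: well-formed, trusted issuer, signature,
    audience, expiry."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        payload = json.loads(body)
    except ValueError:                       # covers bad base64 and bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    key = registry.get(payload.get("iss"))
    if key is None:                          # issuer is not in the trust network
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # tampered body or wrong key
        return None
    if payload.get("aud") != audience:       # minted for some other service
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:   # expired or missing expiry
        return None
    return payload


def authorise(payload, workspace, policy=WORKSPACE_POLICY):
    """Authorisation from asserted directory attributes, not a local account."""
    allowed = policy.get(workspace, set())
    return any((payload["iss"], g) in allowed for g in payload.get("groups", []))


def access_workspace(token, workspace, now=None):
    """Full relying-party decision: authenticate the assertion, then authorise."""
    payload = verify_assertion(token, audience=workspace, now=now)
    return payload is not None and authorise(payload, workspace)


if __name__ == "__main__":
    # Constructed run: a Dupont-asserted user enters the joint-venture workspace.
    token = issue_assertion("idp.dupont.example", "jsmith", ["jv-polymers"], "jv-workspace")
    print("dupont user admitted:", access_workspace(token, "jv-workspace"))
    print("same token elsewhere:", access_workspace(token, "other-workspace"))
```

Two design points carry the scenario's weight. The audience check is what stops an assertion obtained for one partner service from being replayed against another, and the trust registry is the only place a partner is "maintained": adding or removing a federation partner is one registry entry, while the per-user lifecycle stays in the partner's own directory.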