Jericho Forum presents strategy for secure access for businesses

A group of 20 chief security officers representing some of the largest organisations in the world are attempting to set a user-driven agenda for IT security.

So far, users have bought into an IT security strategy that is largely set by suppliers offering products and services ranging from firewalls and intrusion detection systems to e-mail security gateway services.

As organisations require increased business agility, users are beginning to question whether traditional models of IT security will work with the business models they are looking to develop.

The Jericho Forum is setting out a plan for IT security encompassing the types of products and services it believes will be required to support business.

Established in January, the forum has drafted a document outlining an IT security strategy, dubbed deperimeterisation, which defines an IT architecture that can support business agility.

The architecture is aimed at solving simple, practical problems, for example, setting up a new sales office. It currently takes from one to six months to design an extension to the corporate wide area network, negotiate a contract with a telecoms provider, set up a virtual private network and install a local area network, phone lines and desktop PCs to support a new office.

However, in the proposed model, the user would simply need to find an office with internet connectivity and plug in desktop PCs and IP telephones.

The Jericho Forum believes deperimeterisation will reduce the need for IT directors to manage secure access to a network.

For such a strategy to work, all data on the company's network needs to be encrypted. End-users, whether they are internal staff, customers or business partners, would be given on-the-fly authorisation to access specific pieces of encrypted data within the company's network.

The forum's draft document presented a four-pronged approach to achieving deperimeterisation, covering how to control network access, the types of devices deperimeterisation will need to support, proposals for the standards that the IT industry and businesses will need to adopt, and an approach for managing access to the network.

Issues that need to be resolved if deperimeterisation is to take off include securing access to corporate IT from non-secure computers; correlating security information across the company network; how to give business partners secure access to data; and how to control access by processes such as digital rights management across an operating system.

Deperimeterisation will require a phased approach and many businesses are unlikely to re-engineer their network to support it until 2008, according to senior forum members.
