Make way for the 'embedded internet'

Jericho Forum says internet can be as secure as corporate network

Members of the Jericho Forum, the user group of global IT security chiefs, are developing a set of proposals for making the internet as secure as a corporate network.

The group, whose members include ICI, Airbus, HSBCand Rolls-Royce, met at the end of August to flesh out their ideas on the sort of IT products that are needed to support the changing business requirements of multi-national organisations.

The anchor of the group's strategy, dubbed the embedded internet, represents a significant departure from how businesses secure corporate information.

Rather than providing users and business partners with access to a company's network through a virtual private network, the group proposes that people should use the internet to connect to a company's applications.

Some Jericho members, such as BP and Standard Chartered Bank, are already looking at this approach to network security. It involves using the internet to provide remote users with browser access to applications, while corporate data is protected within a secure enterprise datacentre.

Group members at the meeting said more work was necessary on encryption technology, identity management and security for business processes before the embedded internet is widely used as a corporate network.

Nick Bleech, head of security management in the technology advisory practice at KPMG, said, "You can get a lot of value for money using the internet as a corporate network. What is needed is [strong] security."

Bleech is editing a white paper, which will outline the aims of the forum. If the embedded internet is to be accepted, he said, a model of trust is required so that businesses can be certain of who is trying to connect to their network.

"Jericho wants a common understanding of risk," he said. This will involve creating a set of procedures that any business could use to assess risk in a standard way.

A related requirement is a universally accepted standard for trusted identities. One member of the group told last month's meeting of plans to discard passwords for authenticating users.

The Jericho Forum believes biometrics may offer an answer, but some of those at the meeting were sceptical that the government's proposed national identity card programme would be useful to business.

Other potential approaches include using chip-and-Pin technology in a challenge/response mode where the user is asked to enter digits on a keypad.

The third proposal concerns encryption. The group wants to see encryption technology that addresses usability concerns of business. A limitation in current approaches, according to the Jericho Forum, is that encryption is unable to work within an application.

The forum is also examining where today's technology is unable to protect business processes. John Meakin, head of information security at Standard Chartered Bank, said the group would be looking at how the IT industry could deliver a model for securing business processes.

Meakin said defence contractor Bae Systems had produced much work on network-enabled warfare, which could be used outside a military context to support reliable, secure processes.

Founder plans a security society   

David Lacey, Royal Mail director of information security, and founder of Jericho Forum, is looking to establish a society for IT security professionals.  

The new group will aim to get royal charter status. Industry groups and suppliers are increasingly promoting information security accreditation standards, but Lacey said existing efforts did not meet the needs of high-level business executives charged with IT security. 

"We want something aimed at the chief information security officer," said Lacey, who plans to invite 25 global chief security officers to join the society, which is due to be launched in early 2005.   

Jericho Forum   

Members include: 

  • Airbus  
  • BP 
  • GlaxoSmithKline 
  • HSBC 
  • ICI 
  • Rolls Royce 
  • Royal Mail 
  • Standard Chartered Bank

BP prefers the internet >>

Read more on IT risk management