Two years after it raised the security dangers of working in a mobile and flexible world – and coined the word 'deperimeterisation' to describe it – the Jericho Forum says its message is finally being accepted around the world.
Jericho was officially founded at the offices of The Open Group in Reading in January 2004, but had existed as a loose affiliation of corporate CISOs who had been chewing over the idea of deperimeterisation since the summer of 2003.
The group decided to adopt the mantle of an organised pressure group when it realised there was a very real security issue on the doorstep. While some firms were struggling to patch a disintegrating corporate perimeter, others were desperately searching for solutions to move their business forward without being hobbled by perimeters.
"Companies were not clearly explaining their needs. They were content to take what the vendors churned out," explains Paul Simmonds, global information security director for ICI and Jericho board member. "Our initial role was to get people talking and raise awareness about this – and I think we have achieved that".
The Open Group manages the Forum's day-to-day affairs, but all decisions are made by the elected management board, which now boasts representatives from heavyweight players such as Rolls Royce, BP, Royal Mail, ICI, Procter & Gamble, Standard Chartered Bank and Qantas.
While the Forum initially had its roots in the UK, it now claims organisation and vendor involvement from Europe, North America and Asia Pacific.
The group admits 'deperimeterisation' isn't the catchiest phrase to explain multiple-level security, but Simmonds calls it an "overarching phrase" that "covers everything". So what is it?
According to the Jericho Forum, it is a concept that describes protecting an enterprise's systems and data on multiple levels using a pick'n'mix of encryption, inherently secure computer protocols and data-level authentication. At the same time, it enables the free flow of secure data wherever and whenever it is needed, in whatever medium and between dissimilar organisations – such as banks and oil companies, for example. This kicks against the notion of security via a network boundary to the internet.
The Forum believes that deperimeterisation eventually makes the enterprise's network security perimeter obsolete, and cites three key factors for this erosion:
- Security exploits using delivery mechanisms (such as email and web) that transit the border, delivering the security exploits to the heart of an enterprise;
- Vendors with products that need to communicate across the border encapsulating their protocols within the web protocols;
- The demands of businesses needing to trade using the internet and being restricted by their corporate perimeter, responding by creating further holes in that perimeter or, if not immediately then eventually, bypassing the perimeter altogether.
The Forum argues that the demands now made on enterprise networks have outstripped the old castle, moat and drawbridge ideal of perimeter security – with its firewalls, anti-virus solutions and detection and protection systems.
While perimeter security has its obvious advantages, the problem is that a large share of attacks now come from within. The CSI/FBI Computer Crime and Security Survey 2005 found that 40 per cent of intrusions in enterprises are internal. Virus attacks are the source of the greatest financial losses, but unauthorised access showed a large cost increase and replaced DoS as the second most significant contributor to IT crime losses during the past year.
"Network security must move on. As with global terrorism, the enemy works within the general population and uses unconventional methods to attack within a multi-dimensional battle space," says Tim Wadley, a director at Logicalis Network Solutions. "The internet has seen good and bad blur together, making it increasingly difficult to spot friend from foe. Like a counter-terrorist approach, multiple layers of security are crucial. So in support of the ideas of the Jericho Forum, network security must now be pervasive and responsive, working on a multi-layered approach to meet emergent threats and counter internal attacks."
Some people dismiss Jericho as trying to re-invent the wheel. "While the group does an admirable job raising awareness, there is nothing particularly new either in what it suggests or even how it suggests we get there," says Chris Hoff, chief security strategist at Crossbeam Systems.
"There is a need for some additional technology and process re-tooling, some of which is here already – in fact, we now have an incredibly robust palette of resources to use. But why do we need such a long word for something we already know? You can dress something up as pretty as you like, but in my world that's not called 'deperimeterisation', it's called a common sense application of rational risk management aligned to the needs of the business."
Hoff insists the Forum's vision is outmoded. "Its definition speaks to what amounts to a very technically focused set of IT security practices, rather than data survivability. What we should come to terms with is that confidentiality, integrity and availability will be compromised. It's not a case of if, it's a case of when.
"The focus should be less on IT security and more on information survivability; a pervasive enterprise-wide risk management strategy and not a narrowly-focused excuse for more complex end-point products," he says.
Despite appearances, the Jericho Forum denies that it is advocating the imminent removal of firewalls. It believes they are still necessary, but will phase themselves out as inherently secure methods of connectivity come along.
"Jericho, unlike WiFi which is about one issue and one protocol, is about lots of solutions. It is a concept for solving a problem," insists Simmonds. "The key is that they can interoperate. They may be different architectures and protocols, but they can pull together to work as one."
Walmart stores, which chose to go with the AS2 internet-based protocol for electronic data exchange with thousands of its national and global suppliers, is a good example, says Simmonds. Walmart insists on using EDI software that adheres to AS2 (Applicability Statement 2) data transmission protocols and its clout has forced suppliers to follow suit.
Now that the Jericho Forum has put deperimeterisation firmly on the agenda, the next step is to draft a set of basics on how companies should go about putting it in place. Initially, these will consist of ten 'Commandments', due for release in April, built around a series of issue statements covering procurement and various topics, such as protocols. The Jericho Forum hopes it will also act as a guideline on what the industry needs to deliver.
Later this year, the Forum will also show off a vanilla deperimeterisation architecture to large corporate CEOs, which will act as a roadmap. "We need to discuss how they can leverage on this and run their business," says Simmonds.
He admits the Jericho Forum still has some way to go to win hearts and minds. "We are about being locked into better services and solutions, not locked into proprietary protocols."
Firms entering the deperimeterisation zone must realise that it is not a quick fix and there are serious considerations to take on board, warns Ian Kilpatrick, chairman of the Wick Hill Group. "A consequence of deperimeterisation is that your risk analyses of your applications and networks are now no longer valid and need to be revisited. You also need to revisit them on a regular basis.
"You need to secure your applications – and, in some cases, servers – because what was a manageable risk in-house has become a potentially significantly greater risk from an unknown person connecting to the network. This changes the security profile from not only gateway defence, but to key risk protection".
Faizel Lakhani, VP of ConSentry Networks, argues that although the Forum is pursuing a noble goal, it will be too little too late. "Standardisation processes take years, and then they don't always work out," he says. "The problems that Jericho talks about are very real, enterprises are really struggling out there, but what it is talking about won't happen fast enough.
"Enterprises can't and won't wait for Jericho to normalise standards, we have to leverage on existing technologies and work around them. They don't have to be standards compliant," adds Lakhani.
Some enterprises have already opted to run with what is available to control LAN security. For example, Continental Airlines has opted to go with ConSentry Networks to control access. "We need to manage where our users go on the LAN and what they can do," says Andre Gold, Continental's director of information security. "Before ConSentry, we couldn't see them, let alone control them. We also need to stop malware from impacting network availability."
The Forum, however, maintains that enterprises are already moving quickly. At one of its meetings last year in Cincinnati, a surprising outcome was a plea for organisations to accept the fact that their information security perimeter had already disappeared. Jericho asked CISOs to collaborate on the development of a security architecture built around the concept of deperimeterisation.
"Many US representatives are actively developing products and standards that are relevant to the Forum, so I'm looking forward to a fruitful collaboration," says Andrew Yeomans, VP of global IT security at investment bank Dresdner Kleinwort Wasserstein, and responsible for the Forum's technical specifications.
Simmonds also shoots down the argument that Jericho isn't yet ready for the mainstream. "Deperimeterisation is a journey and companies are implementing techniques now and have been for a number of years," he states.
But Jericho does argue that it isn't about standards. It regards deperimeterisation as a concept that will be delivered through a broad range of evolving standards. It sees its job as fostering their development, and validating existing standards for the corporate deperimeterisation environment. Neither, it says, are there any plans for a Jericho certification or compliance branding for vendors.
Fundamentally, the Forum's approach doesn't rely on creating new technologies and adding expensive bells and whistles. It is more about pulling together the solutions already there in a unified way.
But it is important to remember that key to deperimeterisation security is the identification of systems and users. Corporates with increasingly mobile workforces and teleworkers will have to adopt higher levels of authentication such as smartcards and, as affordable technology appears, biometrics to validate users and devices on the network.
This is where, predominantly, the industry has started to take note. HP, IBM and Fujitsu have all built Trusted Platform Module (TPM) into corporate laptop models. The TPM is a security chip designed for PCs and servers that enables a number of security features, including authentication, protected storage and secure email.
Dell has gone a step further and added smartcard technology that enables users to be issued with a digital identity. Sony has included TPM and a fingerprint reader in its BX540 corporate notebooks. The security devices will be used together to protect your valuable passwords and top-secret files.
One of the problems cited with Jericho's strategy is that it ignores so-called defence in depth. Many conform to the doctrine that even if your hosts can withstand attacks from an open internet, it makes sense to have an extra layer of defence such as a firewall.
"There are logistical benefits to a strong perimeter defence, such as blocking malware before it reaches the user, and the ease of updating in an emergency, but it's unlikely an enterprise will rely solely on perimeter defence. The concept of defence in depth has been with us for a while, at least in relation to anti-virus protection," says David Emm, senior technology consultant at Kaspersky Lab.
"But as long as there are clear benefits from perimeter protection, enterprises will not abandon it. Consider the ability to stop many email worms from getting past the internet gateway simply by blocking EXEs and SCRs, for example, although it's not a total solution to the problem. And the multi-faceted attacks we see today, that don't all come through the gateway, make defence in depth more important than ever," he adds.
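Emm's example of blocking EXE and SCR attachments at the internet gateway, and his caveat that it is not a total solution, can be made concrete. The following is an added illustration, not code from the article or from Kaspersky Lab: a minimal gateway attachment filter run over a handful of constructed sample attachments. An extension-only rule catches the obvious cases, while a content-aware rule that also inspects the first bytes of the attachment catches a Windows executable that has been given a harmless-looking extension. The file names, byte strings and the two-byte "MZ" executable-header check are the only assumptions; real gateways inspect far more than this.

```python
# Gateway attachment filter: extension blocklist versus content inspection.
# All sample data below is constructed for the illustration.

BLOCKED_EXTENSIONS = {".exe", ".scr"}   # the two types named in the article

# Windows executables (PE format) begin with the two ASCII bytes "MZ".
PE_MAGIC = b"MZ"


def blocked_by_extension(filename):
    """True if the (lower-cased) file name ends in a blocked extension."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def looks_like_executable(content):
    """True if the attachment body carries a PE executable header."""
    return content[:2] == PE_MAGIC


def extension_only_verdict(filename, content):
    """The simple gateway rule: judge by extension alone."""
    return "block" if blocked_by_extension(filename) else "allow"


def gateway_verdict(filename, content):
    """Content-aware rule: returns (verdict, reason) for one attachment."""
    if blocked_by_extension(filename):
        return ("block", "extension")
    if looks_like_executable(content):
        # Extension lies (e.g. .doc) but the body is a PE binary.
        return ("block", "content")
    return ("allow", "clean")


# Constructed sample attachments: (file name, first bytes of the body).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.4 ..."),
    ("update.exe", b"MZ\x90\x00..."),
    ("photo.scr", b"MZ\x90\x00..."),
    ("report.doc", b"MZ\x90\x00..."),   # renamed executable
    ("notes.txt", b"plain text"),
]


def filter_attachments(attachments):
    """Apply the content-aware rule to each attachment."""
    return [(name, *gateway_verdict(name, data)) for name, data in attachments]


def missed_by_extension_rule(attachments):
    """Names the extension-only rule allows but content inspection blocks."""
    return [
        name for name, data in attachments
        if extension_only_verdict(name, data) == "allow"
        and gateway_verdict(name, data)[0] == "block"
    ]


if __name__ == "__main__":
    for name, verdict, reason in filter_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:<12} {verdict:<6} ({reason})")
    print("missed by extension-only rule:",
          missed_by_extension_rule(SAMPLE_ATTACHMENTS))
```

The gap between the two verdict functions is the point of Emm's caveat: an extension blocklist is cheap to apply and to update in an emergency, but it says nothing about what the attachment actually is, which is why it sits as one layer among several rather than as the whole defence.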
Simmonds disagrees: "Deperimeterisation adds to defence in depth. As for the perimeter, if your firewall is flawed, all it adds is an extra layer of complexity, not an extra layer of security."
Those with a fiduciary responsibility for their company need to move away from the "we have a firewall, so we're fine" mentality to a more holistic approach to network security that goes beyond the perimeter, according to Jericho.
"This is the reason for getting the 'big four' involved, as they need to be able not only to sign off a deperimeterisation architected infrastructure as secure, but also tell the 'non-enlightened' corporates that the traditional reliance on borders is a fallacy," says Simmonds.
Some vendors agree. "This is absolutely accurate, both legitimate and illegitimate access to information is occurring within the boundaries of the firewall. As a result, IT organisations are focusing on how to provide the functions of the DMZ on the internal network, with controlled access to information based on who you are and what you are allowed to do. The LAN is now the DMZ as a result of deperimeterisation," says Lakhani.
But is Jericho just offering insight into the obvious? "Of course," says Hoff. "Its suggestion that 'deperimeterisation' is somehow a new answer to a set of really diverse, complex and long-standing IT security issues... simply ignores the present and blames the past," he says.
"We don't need to radically deconstruct the solutions universe to arrive at a more secure future. We just need to learn how to appropriately measure risk and quantify how and why we deploy technology to manage it. I admire Jericho's effort, and identify with the need. But the problem needs to be solved, not renamed."
So does the Forum agree that deperimeterisation requires a universal trust infrastructure to function at its best? "Universal trust sounds like a holy grail, so no," says Simmonds. "Do we need a better trust mechanism than today? Yes."
So is Jericho simply stepping back and resolving the problems of remote access with a new architecture that it naively thinks will avoid the errors of existing solutions? "It is not naive, but it is a red herring," says Simmonds. "Better remote access is something deperimeterisation architecture could improve for you".
The vision of a deperimeterised world is undoubtedly a liberating and less costly one. But is it really achievable?
"Absolutely", says Simmonds. Only time will tell and, for many enterprises struggling to raise the security bar, there is precious little time left.