There is a whiff of revolution in the air. After putting up with troublesome software for so long, customers are starting to get angry with the service they receive from vendors.
They are not yet storming the barricades, but they are starting to ask questions of the vendors. Such as: If your software is so good, why do I have to spend so much time patching it? Why is it so hard to link one piece of software to another? And why is security just an afterthought for your developers?
User power has already begun to surface. In the US, the recently formed Global Council of CSOs is raising the profile of IT security and pushing for standards (SC, February, p20). The US Department of Energy is also using its purchasing power to persuade Oracle to produce a more secure version of its 9i database. And last month, at a meeting of the Financial Services Roundtable, some of the world's biggest companies warned software vendors to clean up their act, or lose business.
In Europe, a similar mood is taking hold, led by a hard core of influential security bosses at organisations such as BP, Royal Mail, the BBC and ICI. Along with a few other FT100 firms, they have come together to form what they call the Jericho Forum, named after the ancient city whose walls "came tumbling down". In a similar vein, believes the group, the traditional shell of IT security is being breached by the need for firms to communicate over the net, and they need both to prepare for this new "deperimeterised" world and get the software vendors to support them.
One of the group's ringleaders, Paul Simmonds, ICI's global head of security, warns there is no time to lose. "I'm a businessman first and an IT security professional second," he says.
"My role is to support the business, and we're dealing increasingly over the internet with joint venture partners. The old model of the hard security perimeter is no longer good enough."
There lies the challenge. IT security used to rely on building an impregnable shell, using anti-virus, firewalls and intrusion detection, to keep out unwelcome traffic. But this is no longer enough in a world where firms need to open up their networks to customers and partners.
"Everything's business-driven," says Simmonds. "All projects must have a ROI and speed to market makes all the difference."
At the same time, he adds, we're losing the security war. "The old 'M&M' model of security (with a hard shell and soft centre) is no longer sustainable. We are too busy putting our fingers in the dyke to notice that the dam has already been breached."
Whereas connection to the system would once be limited to in-house staff, it is now open to joint-venture partners, suppliers, customers, mobile and home workers – all using a variety of devices from laptops to PDAs. This poses a whole new challenge to IT security. The walls are tumbling down, the perimeter is breached, and so we need to take a new approach to protecting our assets.
The Jericho members have begun to map out how they would like to proceed, but to be successful, they need to get the software industry on their side. By spelling out what their requirements will be over the next two to five years, they can provide the vendors with a technical and business roadmap. But will the vendors follow? And how much clout will a group of European companies have with an industry that is largely US-based?
Initial response to the Jericho Forum has been muted, yet polite. "Organisations like this can be very useful to us," says Raimund Genes, European president of Trend Micro. "It can let us know what customers expect from us. But it is too early to say how this one will work."
Richard Archdeacon, technical director for Symantec UK & Ireland, says: "The Forum includes some of the UK's most forward thinking, highly respected security strategists. The implications of a disappearing perimeter around an enterprise are complex, and as the model moves from theory to practice, it is imperative that organisations consider security as part of the business infrastructure and plan accordingly.
"Interoperability will become critical as the number of entry points into an organisation grows, and businesses look to the net as an alternative to the WAN."
Simon Perry, VP of security strategy at Computer Associates, is more cautious. "Jericho will only succeed if it can positively engage with the vendor community, without vendor favouritism and/or the competitive divisions or conflicts that could cause it to self-destruct," he says. "Its highest priority should be in formulating a model as to how it's going to engage the vendor industry.
"Also crucially important is that the work it does doesn't run contrary to other emerging and established standards that may touch on, or be a basis for delivering, deperimetered architectures – especially those involved with federated identity management systems, and data interchange standards. Unfortunately, I've learned that the word 'standard' is actually a plural, not a singular. We need this group to help develop complementing, not contrary, ideas."
Gerard Lopez, CEO of SecureWave, suggests the perimeter would move, rather than disappear. "Security today is seen as a disabler," he says, "but Utopia is not an open computing environment. The perimeter just moves to where code is executed. You have a perimeter with every individual and machine."
The Forum's proposals envisage a staged transition from the model of a hardened perimeter to one where it is removed and the emphasis changes from trying to keep intruders out toward the protection of specific assets. This will break most professionals out in a cold sweat, but Simmonds insists the group has thought this through thoroughly. Through a series of four phases, they want to arrive at a model that more closely reflects their current business needs.
In Simmonds' case, he needs to protect a global organisation with eight different business divisions, and operations spread across the world. ICI makes a whole range of chemicals that end up in paints, foods, fragrances and personal care products. The group employs 35,000 people and it has some 400 active websites – all of which need to be protected from attack. "We now also have around 300 joint venture connections, and we are getting new ones practically every day," he says.
In this business environment, IT security must be able to react quickly and flexibly. "The problems encountered by BP and Royal Mail are different from the ones we face, but the basic concept of deperimeterisation is the same for us all," says Simmonds. "Paul Dorey at BP calls it 'radical externalisation', but it's basically the same thing."
The Forum will try to create generic requirements that it will feed back to the vendors. "We'll work with the CIOs and CTOs of the members' businesses to formulate requirements, and say to the vendors: 'We want a business solution within two to five years that'll do this'."
As well as providing the vendors with a clear roadmap of requirements, the Forum is issuing a threat: if they fail to deliver the goods, they will lose the business. "Unless they are going to be delivering X, Y and Z in that timeframe, then we won't be buying," says Simmonds.
So what are the chances of success? Pretty good, if the quality of the membership is anything to go by. Jericho was formed in January with ten members, mainly British-owned businesses. By mid-February, that figure had risen to 18, including the likes of Boeing and Qantas.
In addition, Simmonds has made contact with the US-based Council of CSOs, and some transatlantic co-operation is expected soon.
It would not be the first time that users have tried to flex their muscles, but this time, there does seem to be a real momentum building on an international scale. It reveals a long-standing dissatisfaction with the IT industry, which is seen to have failed to deliver either value or quality. Users are no longer prepared to accept software that needs constant patching and which will not interoperate easily, and at last they are prepared to join forces to get what they want.