The Jericho Forum has generated a lot of noise over the past four years – but not enough to erode the integrity of many security walls.
Since its foundation by a small group of like-minded chief information security officers (CISOs), the “high-level independent user group” that wants to make enterprise IT safer by dismantling the perimeter defences that have traditionally been deployed to protect it has grown to be a major IT industry voice. Its membership includes some of the world’s largest companies, and its pronouncements and position papers are closely scrutinised by the IT industry, and by the IT security sector in particular.
Yet, despite all the attention and headlines that Jericho has garnered, in real terms its progress has been slow. The Forum’s central vision – the widespread adoption of IT security practices that embrace rather than erect a barrier to Internet computing – is still a distant prospect at most organisations. It is also a vision that has been dismissed by some as unworkable, even irresponsible.
Against the grain
Although alive with small companies promoting innovative solutions to specific security problems, the security sector is still dominated by vendors whose revenues are largely derived from conventional firewall, network access and anti-virus products.
Jericho, it is probably true to say, has come very close to winning the intellectual argument for perimeterless IT security, but it is going to take something more practical than clever theories to bring conventional IT security barriers tumbling down. Last month, at the InfoSecurity Europe conference in London, the Jericho Forum took just such a practical step with the publication of its Collaboration Oriented Architecture.
The COA is Jericho’s blueprint for building a secure IT infrastructure in a world of partnership and collaborative working – and it is long overdue. “
Every day, IT managers are under pressure to work with people outside their organisation,” says Paul Simmonds, a board member of the Forum, and former CISO at ICI. “To be effective, both parties need access to intellectual property, but this precious data is commonly transferred via an infrastructure that the organisation cannot control effectively.”
“With the COA, we are laying out a clear framework of people, processes and technology that need addressing,” he says.
For organisations that have found themselves becoming increasingly receptive to Jericho’s ideas, this is undoubtedly good news. Although the COA stops well short of being a simple recipe for de-perimeterisation, it includes a list of technologies – such as end point security and data leak protection (DLP) – and a set of recommended practices with which to deploy them.
Best of all, according to Simmonds, “all of the technologies we are suggesting are backed by products and procedures that are already working in commercial environments. We are simply presenting an effective way of bringing them together.”
Of course, using terms like ‘simple’ to describe Jericho’s approach to IT security must be done with caution. There may be nothing in the COA blueprint that hasn’t already been made to work by a Jericho member, but it is worth bearing in mind that those members are companies such as Rolls-Royce, KLM and Eli Lilly.
These companies not only have an urgent operational need to stretch their IT assets beyond the conventional boundaries, they also have the financial and technical resources to support COA development and, critically, the market position to make it happen.
To be fair, Jericho members like Adrian Seccombe, CISO at pharmaceuticals company Eli Lilly, don’t pretend that COA is a magic formula, or that all of the technologies needed to make it work (like DLP) are as mature as everyone would like. “We are not saying that the COA contains an easy technical fix to all this. If anything, we are saying that this is just as much about people and process,” says Seccombe.
This means that there is still hard work ahead for any organisation that wants to embrace COA or, as seems increasingly likely, is forced into doing so by the bigger business partners.
Indeed, although Seccombe may be sincere in his plea that “Jericho isn’t trying to be the 900lb gorilla” that forces the rest of the world to see things its way, the sub-text of COA is that a truly collaborative business future is taken as a given. Companies like Eli Lilly are already in the process of reinventing themselves as networked business entities, and organisations that want to work with them won’t be able to do so if they persist in hiding behind yesterday’s perimeter-based IT security fences.
With COA in the open, the writing is now on the wall for conventional IT security practices – those that don’t read and understand the message might soon find that that outdated old wall is crashing down around them.
Further reading
IT security is a futile pursuit says IBM There is no future in the security business, says new head of IBM Internet Security Systems
Anti-virus vendors – Fighting a losing battle Anti-virus vendors are struggling to keep up with the new malware methods
Find more stories in the Security & Continuity Briefing Room