TRANSCRIPT
The business case for removing your perimeter
Paul Simmonds
Board of Management, Jericho Forum®
CISO, ICI Plc.
Agenda
– Introductions
– The shift in computing security
– Threats versus business opportunities
– Case studies of best practice
– Getting to where we need to be
– Conclusions
A brief introduction to the Jericho Forum
The Jericho Forum aims to drive and influence development of security standards that will meet future business needs
These standards will:
– Facilitate the secure interoperation, collaboration and commerce over open networks
– Be based on a security architecture and design approach entitled “de-perimeterization”
Globally, more than fifty blue-chip user organisations, from all sectors, are working together to solve the problems posed by de-perimeterization.
The Open Group hosts the Jericho Forum. Everything published is free and open-source.
Some of our members
[Member logos on the slide; the legible ones are the Cabinet Office and the Foreign & Commonwealth Office]
History
Computing history can be defined in terms of increasing connectivity over time:
– starting from no connectivity,
– to the restricted connectivity we currently have today: islands of corporate connectivity behind their managed perimeter.
[Chart: Connectivity (vertical axis) against Time (horizontal axis). The stages, from earliest to latest, are:]
– Stand-alone Computing [Mainframe, Mini, PC’s]
– Local Area Networks (islands by technology)
– Connected LANs (interoperating protocols)
– Connectivity for Internet e-Mail
– Internet Connectivity (Web, e-Mail, Telnet, FTP)
– External collaboration [Private connections]
– External Working (VPN based)
– Limited Internet-based Collaboration
– Consumerisation [Cheap IP based devices]
– Full Internet-based Collaboration
– Full de-perimeterized working
[The chart marks “Today” part-way up this curve and annotates the later stages as the “Effective breakdown of perimeter”. Drivers noted alongside the curve: low cost and feature rich devices; B2B & B2C integration, flexibility, M&A; cost, flexibility, faster working; outsourcing and off-shoring.]
Trends and Signs
Key indicators that your organization is becoming de-perimeterized:
• Mismatch of the (legal) business border, the physical border and network perimeter
• Business demanding to directly interconnect systems where collaborative relationships exist
• Good network connectivity and access for all business / operational relationships
• Distributed / shared applications across business / operational relationships
• Applications that bypass perimeter security
Business Requirements
Collaboration: with staff, partners, JV’s, competitors, outsourcers, suppliers, customers etc.
Data needs to exist everywhere: we should be concerned primarily with information loss, not loss of the physical asset.
Pervasive access is mandatory: we should be worried about inappropriate access, not access itself.
Derived Business Requirements
Computing should:
– Work anywhere: any IP, anytime, anywhere (“Martini” model)
– Be secure
– Be self-defending
– Be capable of identifying itself
– Be capable of identifying its user
– Have a defined level of trust
– Have trust based on environment
– Work the same irrespective of whether the device is on the Internet or the Intranet
Paper available from the Jericho Forum
The Jericho Forum “Commandments” are freely available from the Jericho Forum Website
http://www.jerichoforum.org
So who’s doing it ? . . . .
BP declares war on the LAN
By putting de-perimeterization into practice, BP's technology director is hoping to make his company's computers more secure.
Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cyber-criminals.
Rather than rely on a strong network perimeter to secure its systems, BP has decided that these laptops have to be capable of coping with the worst that malicious hackers can throw at it, without relying on a network firewall.
Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the Internet even when they're in the office.
http://news.zdnet.co.uk/security/0,1000000189,39253439,00.htm
So who’s doing it ? . . . .
ICI set for big savings by switching internet traffic to DSL
ICI is poised to sign a deal that could save it millions of pounds by allowing it to transfer non essential internet traffic from its wide area network........
…..With non-essential traffic removed, the Wan would be reserved for transferring business-critical data. This would allow the chemicals company to run its network for far longer without upgrading its bandwidth. ICI's Wan connects its 30,000 employees worldwide, but a recent internal audit of the firm's network usage found that 30% of traffic was browser-based.
Cliff Saran - http://www.computerweekly.com/Articles/Article.aspx?liArticleID=220002
So who’s doing it ? . . . .
KLM to save £2m through laptop self-support plan
KLM Royal Dutch Airlines expects to save £2m in support costs by giving staff an allowance to buy and maintain their own laptops……
……This project follows the path advocated by security user group the Jericho Forum, protecting data rather than perimeters, said van Deth.
John-Paul Kamath - 16 July 2007
http://www.computerweekly.com/Articles/Article.aspx
The future
Many, and in some cases most, network security perimeters will disappear.
Like it or not, de-perimeterization is happening. The business and operational drivers will already exist within your organisation. It's already started and it's only a matter of:
– how fast,
– how soon and
– whether you decide to control it
Future challenges
Data vs. Network
– As networks open up and are shared, the challenge is to protect the data
Ad-hoc relationships
– Shorter, more ad-hoc relationships are becoming the norm
Collaborators, competitors and enemies
– Our networks contain people with various trust levels
– Collaborators in one area; competitors in other areas
– Those we need to share with, but do not trust
Old Thinking vs. Jericho Thinking
Old Mindset
– Connections to the secure network
– Connection-level authentication
– Authentication to access the secure network
– Secure tunnel from device to network connection point
New Mindset
– Connections to secure resources
– Protocol-level authentication
– Authentication to access individual secure resources
– Secure protocol from device directly to secure resources
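The “new mindset” above, and the derived requirements earlier (a device that identifies itself, identifies its user, and carries a trust level based on its environment), can be made concrete as an access decision that never consults which network the request arrived from. The following is an added illustration, not code from the Jericho Forum or from any of the organisations named on this page. The device registry, the trust scale, the resource policy and the sample requests are all constructed; the per-device HMAC key stands in for whatever protocol-level device authentication a real deployment would use (for example a client certificate).

```python
"""Added example: per-resource authorization driven by proven identity and
trust level, with the arrival network recorded but deliberately ignored.
Everything below (keys, policy, trust scale, requests) is constructed."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import Optional, Tuple

# Constructed device registry: device id -> shared secret. Hypothetical; in a
# real deployment this would be a certificate or hardware-bound key per device.
DEVICE_KEYS = {
    "laptop-0042": b"k-laptop-0042-secret",
    "kiosk-7": b"k-kiosk-7-secret",
}

# Constructed policy: the minimum trust level each resource demands.
RESOURCE_MIN_TRUST = {
    "public-docs": 0,
    "intranet-wiki": 1,
    "finance-ledger": 2,
}


@dataclass(frozen=True)
class Request:
    user: Optional[str]       # authenticated user, or None if anonymous
    device_id: Optional[str]  # claimed device identity, or None
    attested: bool            # device supplied a valid environment/health attestation
    network: str              # "intranet" or "internet"; logged, never used by policy
    resource: str
    action: str
    body: str
    signature: str = ""       # hex HMAC over canonical(), made with the device key


def canonical(req: Request) -> bytes:
    """Bytes the device signs: every field except the signature itself."""
    fields = {k: v for k, v in asdict(req).items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()


def sign(req: Request, device_key: bytes) -> Request:
    """Device-side: bind the whole request to the device key (protocol-level auth)."""
    mac = hmac.new(device_key, canonical(req), hashlib.sha256).hexdigest()
    return replace(req, signature=mac)


def device_identity(req: Request) -> Optional[str]:
    """Server-side: identity is what the MAC proves, not what the caller claims
    and not which network segment the packet came from."""
    key = DEVICE_KEYS.get(req.device_id or "")
    if key is None or not req.signature:
        return None
    expected = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
    return req.device_id if hmac.compare_digest(expected, req.signature) else None


def trust_level(req: Request) -> int:
    """Constructed trust scale: 0 unknown device or anonymous user,
    1 known device and user, 2 known device and user plus attestation."""
    if device_identity(req) is None or req.user is None:
        return 0
    return 2 if req.attested else 1


def authorize(req: Request) -> Tuple[bool, str]:
    """Per-resource decision: compare proven trust with what the resource requires."""
    needed = RESOURCE_MIN_TRUST.get(req.resource)
    if needed is None:
        return False, "unknown resource"
    have = trust_level(req)
    verdict = have >= needed
    return verdict, f"trust {have} {'>=' if verdict else '<'} required {needed}"


def demo() -> dict:
    """Same user, device and resource over two arrival paths; only what is proven matters."""
    base = dict(user="alice", device_id="laptop-0042", attested=True,
                resource="finance-ledger", action="read", body="")
    from_internet = sign(Request(network="internet", **base), DEVICE_KEYS["laptop-0042"])
    # On the office LAN but unsigned: being "inside" buys nothing.
    from_lan_unsigned = Request(network="intranet", **base)
    # Body altered after signing: the MAC no longer verifies, identity collapses to none.
    tampered = replace(from_internet, body="transfer 1e6")
    return {
        "internet_signed": authorize(from_internet),
        "intranet_unsigned": authorize(from_lan_unsigned),
        "tampered": authorize(tampered),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY ':5s} ({why})")
```

The point of the structure is that `authorize` has no branch on `network`: the signed request from the public Internet is allowed, the unsigned one from the office LAN is refused, and a tampered request loses its device identity and with it all trust. Dropping the `network` field entirely would not change any decision.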
Architecting for a Jericho Forum future
De-perimeterization is what is happening to you.
The Jericho Forum blueprint is the generic concept of how to respond to it.
Collaboration Oriented Architectures (COA) are a structure and set of components to enable de-perimeterized working and collaboration.
COA is not a single solution; it is deliberately plural
Risks and benefits
Risks
– Get it wrong and expose the business
– Keep adding more layers of security
– Cost and/or inability to manage
– Saddled with yesterday’s technology
– Inflexible to respond to market demands
Benefits
– Increased levels of security
– Simpler, less complex security
– Cheaper to run, easier to manage
– Tomorrow’s technology with the ability to gain business advantage
– Flexible and adaptable solutions
Getting from where we are today . . .
How to move from a secure network with poor process administration to insecure networks with secure protocols and processes
1. Accept that you do not have a secure network
2. Base all technology and design assumptions on this revised paradigm
3. Start using de-perimeterized solutions today – they will work just as well inside a “secure” network
4. Change mindsets within your organisation
Opportunity through change
With change there are three options:
– Resist the change
– Let the change happen to you
– Leverage the change for maximum advantage
De-perimeterization is different to other change:
– To leverage this level of fundamental change needs a conscious change in architecture.
– De-perimeterization is happening now, so it is essential that COA is part of your organization's strategic planning today.
Paper available from the Jericho Forum
The Jericho Forum White Paper “Business rationale for de-perimeterization” is freely available from the Jericho Forum Website
http://www.jerichoforum.org