The business case for removing your perimeter Paul Simmonds Board of Management, Jericho Forum ® CISO, ICI Plc.

Post on 23-Dec-2015


Page 1: The business case for removing your perimeter Paul Simmonds Board of Management, Jericho Forum ® CISO, ICI Plc

The business case for removing your perimeter

Paul Simmonds

Board of Management, Jericho Forum®

CISO, ICI Plc.

Page 2

Agenda

• Introductions
• The shift in computing security
• Threats versus business opportunities
• Case studies of best practice
• Getting to where we need to be
• Conclusions

Page 3

A brief introduction to the Jericho Forum

The Jericho Forum aims to drive and influence development of security standards that will meet future business needs.

These standards will:
– Facilitate the secure interoperation, collaboration and commerce over open networks
– Be based on a security architecture and design approach entitled “de-perimeterization”.

Globally, more than fifty blue-chip user organisations, from all sectors, are working together to solve the problems posed by de-perimeterization.

The Open Group hosts the Jericho Forum. Everything published is free and open-source.

Page 4

Some of our members

[Member logo slide; the only names recoverable from the text are the Cabinet Office and the Foreign & Commonwealth Office.]

Page 5

History

Computing history can be defined in terms of increasing connectivity over time:
– starting from no connectivity,
– to the restricted connectivity we currently have today;
– islands of corporate connectivity behind their managed perimeter.

Page 6

[Timeline chart: connectivity (vertical axis) against time (horizontal axis). Each chart label appears twice in the extracted text; it is listed once here.]

Stages, from earliest to latest:
– Stand-alone Computing [Mainframe, Mini, PC’s]
– Local Area Networks – islands by technology
– Connected LANs – interoperating protocols
– Connectivity for Internet e-Mail
– Internet Connectivity – Web, e-Mail, Telnet, FTP
– External collaboration [Private connections]
– External Working – VPN based
– Limited Internet-based Collaboration
– Consumerisation [Cheap IP based devices]
– Full Internet-based Collaboration
– Full de-perimeterized working

Drivers annotated on the chart: outsourcing and off-shoring; cost, flexibility, faster working; B2B & B2C integration, flexibility, M&A; low cost and feature-rich devices.

The chart marks “Today” and the point of effective breakdown of the perimeter.

Page 7

Trends and Signs

Key indicators that your organization is becoming de-perimeterized:

• Mismatch of the (legal) business border, the physical border and network perimeter

• Business demanding to directly interconnect systems where collaborative relationships exist

• Good network connectivity and access for all business / operational relationships

• Distributed / shared applications across business / operational relationships

• Applications that bypass perimeter security

Page 8

Business Requirements

Collaboration
– With staff, partners, JV’s, competitors, outsourcers, suppliers, customers etc.

Data needs to exist everywhere
– We should be concerned primarily with information loss, not loss of the physical asset

Pervasive access is mandatory
– We should be worried about inappropriate access – not access itself

Page 9

Derived Business Requirements

Computing should:
– Work anywhere – any IP, anytime, anywhere (“Martini” model)
– Be secure
– Be self-defending
– Be capable of identifying itself
– Be capable of identifying its user
– Have a defined level of trust
– Have trust based on environment
– Work the same irrespective of whether the device is on the Internet or the Intranet.

Page 10

Paper available from the Jericho Forum

The Jericho Forum “Commandments” are freely available from the Jericho Forum Website

http://www.jerichoforum.org

Page 11

So who’s doing it? . . . .

BP declares war on the LAN

By putting de-perimeterization into practice, BP's technology director is hoping to make his company's computers more secure

Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cyber-criminals.

Rather than rely on a strong network perimeter to secure its systems, BP has decided that these laptops have to be capable of coping with the worst that malicious hackers can throw at it, without relying on a network firewall.

Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the Internet even when they're in the office.

http://news.zdnet.co.uk/security/0,1000000189,39253439,00.htm

Page 12

So who’s doing it? . . . .

ICI set for big savings by switching internet traffic to DSL

ICI is poised to sign a deal that could save it millions of pounds by allowing it to transfer non essential internet traffic from its wide area network........

…..With non-essential traffic removed, the Wan would be reserved for transferring business-critical data. This would allow the chemicals company to run its network for far longer without upgrading its bandwidth. ICI's Wan connects its 30,000 employees worldwide, but a recent internal audit of the firm's network usage found that 30% of traffic was browser-based.

Cliff Saran - http://www.computerweekly.com/Articles/Article.aspx?liArticleID=220002

Page 13

So who’s doing it? . . . .

KLM to save £2m through laptop self-support plan

KLM Royal Dutch Airlines expects to save £2m in support costs by giving staff an allowance to buy and maintain their own laptops……

……This project follows the path advocated by security user group the Jericho Forum, protecting data rather than perimeters, said van Deth.

John-Paul Kamath - 16 July 2007 - http://www.computerweekly.com/Articles/Article.aspx

Page 14

The future

Many - and in some cases most - network security perimeters will disappear.

Like it or not, de-perimeterization is happening. The business and operational drivers will already exist within your organisation. It's already started and it's only a matter of:
– how fast,
– how soon and
– whether you decide to control it

Page 15

Future challenges

Data vs. Network
– As networks open up and are shared, the challenge is to protect the data

Ad-hoc relationships
– Shorter, more ad-hoc relationships are becoming the norm

Collaborators, competitors and enemies
– Our networks contain people with various trust levels
– Collaborators in one area; competitors in other areas
– Those we need to share with, but do not trust

Page 16

Old Thinking vs. Jericho Thinking

Old Mindset
– Connections to the secure network
– Connection-level authentication
– Authentication to access the secure network
– Secure tunnel from device to network connection point

New Mindset
– Connections to secure resources
– Protocol-level authentication
– Authentication to access individual secure resources
– Secure protocol from device directly to secure resources
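As an added example (not code from the slides or the Jericho Forum), the two mindsets on this slide together with the device, user and trust requirements of the “Derived Business Requirements” slide, written as two access-decision functions; the address range, resource names and trust scores are constructed sample values.

```python
# Added example: the "old" and "new" mindsets as two access-decision functions.
# Not Jericho Forum code; the LAN range, resources and trust scores are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CORPORATE_LAN = ip_network("10.0.0.0/8")   # constructed "secure network" range


@dataclass(frozen=True)
class Request:
    source_ip: str                 # where the request arrived from (Internet or Intranet)
    user: Optional[str]            # user identity proven at the protocol level, else None
    device_id: Optional[str]       # device identity proven at the protocol level, else None
    device_managed: bool           # device attests to the managed corporate build
    channel_encrypted: bool        # end-to-end secure protocol to the resource itself


def old_mindset_allows(req: Request, resource: str) -> bool:
    """Connection-level authentication: being on (or tunnelled into) the
    secure network is the whole decision; the resource itself is not consulted."""
    return ip_address(req.source_ip) in CORPORATE_LAN


# Each resource declares the trust level it needs (constructed policy).
REQUIRED_TRUST = {"wiki": 1, "hr-records": 3}


def trust_level(req: Request) -> int:
    """Derive trust from what the device and user can prove, never from location."""
    if not req.channel_encrypted or req.user is None:
        return 0                   # no secure protocol or no identified user: untrusted
    level = 1                      # identified user over a secure protocol
    if req.device_id is not None:
        level += 1                 # the device identifies itself
    if req.device_managed:
        level += 1                 # trust based on the device's environment
    return level


def new_mindset_allows(req: Request, resource: str) -> bool:
    """Protocol-level authentication to the individual resource: the decision
    is the same whether the request comes from the Internet or the Intranet."""
    return trust_level(req) >= REQUIRED_TRUST.get(resource, 99)   # unknown resource: deny
```

The unidentified request from inside the LAN is the case the two mindsets decide differently: the old one trusts its location, the new one has nothing to trust.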

Page 17

Architecting for a Jericho Forum future

De-perimeterization is what is happening to you.

The Jericho Forum blueprint is the generic concept of how to respond.

Collaboration Oriented Architectures (COA) are a structure and components to enable de-perimeterized working and collaboration.

COA is not a single solution; it is deliberately plural.

Page 18

Risks and benefits

Risks
– Get it wrong and expose the business
– Keep adding more layers of security
– Cost and/or inability to manage
– Saddled with yesterday’s technology
– Inflexible to respond to market demands

Benefits
– Increased levels of security
– Simpler, less complex security
– Cheaper to run, easier to manage
– Tomorrow’s technology with ability to gain business advantage
– Flexible and adaptable solutions

Page 19

Getting from where we are today . . .

How to move from a secure network with poor process administration to insecure networks with secure protocols and processes

1. Accept that you do not have a secure network

2. Base all technology and design assumptions on this revised paradigm

3. Start using de-perimeterized solutions today – they will work just as well inside a “secure” network

4. Change mindsets within your organisation

Page 20

Opportunity through change

With change there are three options:
– Resist the change
– Let the change happen to you
– Leverage the change for maximum advantage

De-perimeterization is different to other change:
– To leverage this level of fundamental change needs a conscious change in architecture.
– De-perimeterization is happening now, so it is essential that COA is part of your organization’s strategic planning today.

Page 21

Paper available from the Jericho Forum

The Jericho Forum White Paper “Business rationale for de-perimeterization” is freely available from the Jericho Forum Website

http://www.jerichoforum.org