1
Welcome
Richard Watts
Publishing Director,
SC Magazine
2
Agenda
11:35: Welcome
11:45: The Challenge YOU are facing
12:05: What is Jericho?
12:25: What has it achieved in the past year?
12:45: What are we doing going forwards
13:00: Lunch
14:30: Mutually beneficial vendor involvement
14:50: Where could Jericho take us?
15:15: Break (Coffee & Teas)
15:45: Panel Debate & Audience Questions, moderated by Ron Condon
16:45: Summing up the day
17:00: Close
3
Welcome
Ron Condon
Editor in Chief,
SC Magazine
4
The Challenge YOU are facing
John Meakin
Standard Chartered Bank
& Jericho Forum Board
5
Tearing Down the Walls:
The Business Case for Jericho
Agenda
The Business Problem
The Death of the Perimeter
The Security Problem
The Potential Solution
Scenarios
The Future
6
The Business Problem
7
Current Network Security Strategy
“It’s all about the firewalls….”
Premise:
– SCB internal network is “open” at network layer
– All restriction of access and protection of data occurs at higher layers (host, application, etc)
Control remote connectivity for:
– off-network hosts/people via “trusted”/“untrusted” networks
– “trusted” third-parties via “trusted” third-party networks
– “trusted” third-parties via “untrusted” networks, ie Internet
– “untrusted” third-parties via Internet
Maintain same level of trust at each layer in multi-layer boundary model
Ensure that SCB network protected by “defence in depth”
Provide range of cost-effective solutions for above scenarios
Provide resilient connectivity as option where business transaction requirements specify
8
1BPN Illustrated
[Diagram: a requester on the Internet or a third-party network connects through a PSDC/PSAC channel to the BPEC Tier 1 boundary (requester identification, counter-party authentication, HTTPS to a WWW server, user ID + auth, auditing), then through the PSDC channel Tier 2 boundary (SOAP/HTTP interface mediation, auditing) to the EDI application and, via SQL*net, the application server]
10
The Death of the Perimeter
11
Fortress Firewall - Old Technology?
12
Terminology
“De-perimeterisation”
vs
“Radical Externalisation”
vs
Shrinking Perimeters
13
The Challenge
Business transactions
– from any PC
– on any network
– anywhere
– by anyone of a wide range of different personnel
Direct to one/more small corporate “island” core(s)
With fully “externalised” network
14
Scenarios
Shrinking Perimeter
Branch Office to Core over Internet
Rep Office to Core over Internet
Third-Party Managed Office to Core
Server to Server over Internet
Home PC to Core over Internet
Mobile Device to Core over Internet
Kiosk PC to Core over Internet
15
Branch Office to Core: Site-Site VPN
[Diagram: branch office printer, computer, server and log server on an Ethernet segment, behind a firewall and VPN box, connect over the Internet to a VPN box and inner/outer firewalls in front of the SCB GWAN]
16
Managed Office
[Diagram: laptops with Secure ID tokens on the managed office Ethernet connect over the Internet to an SSL VPN and a firewall with a “Sygate Security Portal”-like product in front of the SCB GWAN]
17
Cybercafe/Kiosk/Airport Lounge
[Diagram: computers with Secure ID tokens on a cybercafe/kiosk/airport lounge Ethernet connect over the Internet to an SSL VPN and a firewall with a “Sygate Security Portal”-like product in front of the SCB GWAN]
18
The Security Problem
The remote PC
– Is it securely configured?
– Is it infected with malware?
– What about data stored locally?
The network
– What happens to my data passing over it?
The island host
– Who do I let in?
– How do I exclude others?
The management
– How to manage ’000s of points of control to the same standard with robustness
19
So What Do We Need to Do?
20
What is Jericho?
Paul Simmonds
ICI Plc.
& Jericho Forum Board
21
Agenda
22
So what is de-perimeterisation?
23
So what is it actually?
It’s a concept;
It’s how we solve the business needs for our businesses without a hardened perimeter,
It’s how businesses leverage new opportunities when there is no hardened perimeter,
It’s a set of solutions within a framework that we can pick and mix from,
It’s defence in depth,
It’s business-driven security solutions
It is not a single solution – it’s a way of thinking . . .
Thus;
There’s a need to challenge conventional thinking
There’s the need to change existing mindsets
24
Why the Jericho Forum?
Why now?
No one else was discussing the problem
Everyone was fixated on perimeter based designs
Somebody needed to point out the “King’s new clothes” to the world
Someone needed to start the discussion
What’s in it for us?
Ultimately, we need products to implement
We need to stimulate a market for solutions to de-perimeterised problems
25
The Jericho Forum Composition
Initial Composition
Initially only consumer (user) organisations
– To define the problem space
– To create the vision
– Free from perception of taint from vendors
– With the promise of vendor involvement once the vision defined
That point is here now, and we have our first vendor members
But with safeguards to ensure independence;
User members own the Forum, vote on the deliverables and run the Board of Managers
Vendors have no voting rights on deliverables or the direction and management of the Forum.
26
The Open Group relationship
27
The Jericho Forum Charter & Remit
What Jericho Is . . .
There to start the discussion / change the mindset
The arbiters of making de-perimeterised solutions work in the corporate space
There to refine what are Jericho Architectural principles vs. Good Secure Design
Building on the work in the visioning document
To define key items aligned with the message that make this specifically Jericho
There to clarify that there is not just one “Jericho solution”
What Jericho is not . . .
Another standards body
A cartel – this is not about buying a single solution
There to compete with “good security”.
28
Dating & Secure System Design
29
Jericho Principles vs. Good Secure Design
[Diagram: axes labelled “Feature Rich” and “Business Driven”]
30
The Jericho Forum Challenge
31
What has it achieved in the past year?
Andrew Yeomans
Dresdner Kleinwort Wasserstein
&
Chairman of the Jericho
Technology & Standards
Working Group
32
A year or so ago, a few good men….
BP, ICI, Royal Mail, Standard Chartered Bank
33
Got rather more (men and women) . . .
ABN AMRO Bank, Airbus, Barclays Bank, BAE SYSTEMS, Boeing, BBC, BP, Cabinet Office, Cable & Wireless, Credit Agricole, Credit Suisse First Boston, Deloitte, Deutsche Bank, Dresdner Kleinwort Wasserstein, Eli Lilly, Ernst & Young LLP, GlaxoSmithKline, HSBC, ICI, ING Bank, JPMorgan Chase, KPMG LLP (UK), Lockheed Martin, Lloyds TSB, National Australia Bank Group (Europe), Pfizer, Procter & Gamble, Qantas, Reuters, Rolls-Royce, Royal Mail, RBS, Royal Dutch/Shell, Standard Chartered, The Open Group, UBS Investment Bank, UKCeB (Council for e-Business) Task Force, Unilever, University of Kent Computing Laboratory, YELL
(Founder members were highlighted on the original slide; the marking is lost in this text version.)
34
..with various roles…
35
…worked up about this…
[Diagram: Admin, Application Systems and General Users alongside Customers, Partners, Suppliers, Joint ventures, Outsourcers and Offshore providers]
Everything runs on:
• Same physical wires
• Same logical network
36
…and wider stakeholders and their goals…
[Diagram: stakeholders Owners/Investors, Board of Directors, Executive Management, CISO / Security Team, IT function, Other functions, Lines of Business, Customers, Community, External Auditors, Regulators and Internal Auditors, with the goals labelled “Demonstrate Accountability”, “Achieve Control”, “and Authority”, “and Compliance” and “Avoid/Contain Local/Personal Risks”]
37
…or in words…
38
39
…with wider general consequences, e.g.
Question: What does a ‘corporate’ policy look like for a virtual organization?
Answer: The assumption of ‘organization’ breaks down: need granularity
40
…and we also agreed where we’re headed
21st Century Cyberspace
Streetwise users, road warriors
Virtual Enterprises
Virtual Security…?
41
…but – how soon will this hit us?
42
…the answer to which splits into these:
43
…and led us to some initial conclusions…
44
…plus some observations on root causes…
45
…as well as lively debate on what to call it…
De-Perimeterisation
Re-Perimeterisation
Radical Externalisation
Security Without Frontiers
Boundary-Less Information FlowTM
46
…with a key qualification on the “de-”
47
So, the Vision we agreed was:
Vision
To enable business confidence for collaboration and commerce beyond the constraint of the corporate, government, academic & home office perimeter, through:
– Cross-organisational security processes and services
– Products that conform to Open security standards
– Assurance processes that when used in one organisation can be trusted by others
48
…and the Mission and Milestones:
Mission
Act as a catalyst to accelerate the achievement of the Vision, by:
– Defining the problem space
– Communicating the collective Vision
– Challenging constraints and creating an environment for innovation
– Demonstrating the market
– Influencing future products and standards
Timetable
A period of 3-5 years for the achievement of its Vision, whilst accepting that its Mission will be ongoing beyond that.
49
We established Working Groups . . .
Meta Architecture: Conceptual scope, structure, dependencies and objectives for de-perimeterisation
Trust Models: Future business requirements for identity management and assurance
Technology & Standards: Intercepts with current/future vendor R&D and product roadmaps
Requirements & Ontology: Future business requirements for information management and security requirements management
Management & Monitoring: Future business requirements for operational security management in de-perimeterised environments
PR, Media & Lobbying: Promotion of our programme in public affairs, relevant interest groups and regulatory/legislative agendas; collaboration with these groups
50
. . . and defined an initial set of scenarios
Provide low-cost connectivity
– Access over wireless/public networks: Identity theft, phishing etc.
– Domain inter-working via open networks: Standards complexity and lack of interoperability; IPv6
Support roaming personnel
– Phoning home from a hostile environment: On-demand trust validation; environment isolation/security
– Enable portability of identities and data: Credentials, attribute/policy based access security
Allow external access
– Application access by suppliers, distribution agents or business partners: Poor integration of strategic applications (ERP/CRM etc) with security standards
– Outsourced help desk access to internal systems: Least privilege remote access
Improve flexibility
– Connect organisations using secure XML: Standards complexity / inadequate trust models
– Consolidate/interconnect identity and access management: Incomplete interoperability standards
– Automate policy for controlled info sharing: Securing the semantic web
51
…with ever-greater priorities
Provide low-cost connectivity
– Access over wireless/public networks: 1.9, 1.3
– Domain inter-working via open networks: 3.1, 2.0
(remainder of the priority table not captured)
Adrian Seccombe
Eli Lilly
& Chairman, Trust Model
Working Group
53
Jericho Forum Way Forward
54
Jericho Forum Working Groups
55
Jericho Forum Working Groups . . .
Meta Architecture: Conceptual scope, structure, dependencies and objectives for de-perimeterisation
Trust Models: Future business requirements for identity management and assurance
Technology & Standards: Intercepts with current/future vendor R&D and product roadmaps
Requirements & Ontology: Future business requirements for information management and security requirements management
Management & Monitoring: Future business requirements for operational security management in de-perimeterised environments
PR, Media & Lobbying: Promotion of our programme in public affairs, relevant interest groups and regulatory/legislative agendas; collaboration with these groups
56
What are Working Groups?
57
Work Group Participation
58
Trust Models Working Group
59
Why Model Trust?
60
Example Trust Model
61
Technology & Standards Work Group
62
Foster academic links and research
63
Promote independent discussion & research
64
Cyber Security: A Crisis of Prioritization
Cyber Security: A Crisis of Prioritization (February 2005)
http://www.itrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
65
Cyber Security: A Crisis of Prioritization
66
April 2005 Butler Group Review
67
The Jericho Challenge
68
The Jericho Forum USA conference
69
Challenges Ahead
70
Lunch
71
Mutually beneficial vendor involvement
Paul Simmonds
ICI Plc.
& Jericho Forum Board
72
Agenda
73
Vendor membership of a user forum?
– What’s that about?
74
Vendor membership of a user forum?
– What’s that about?
75
Why become a vendor member?
1. Making customers successful
A CISO gets a daily flood of solutions and most are rejected out of hand – why?
– Too many solutions use ‘FUD’
– Claim to be the latest miracle cure
– They may be bought in ignorance rather than reasoned analysis
– Disappointment is likely - not exactly a repeatable business model!
– HIPAA! SOX! Phishing! Falling Sky!
Of those that solve real problems;
– Too many are not integrated
– Too proprietary, with limited architecture
– At some point they will be thrown away
– Perhaps along with the CISO buying them?
76
Why become a vendor member?
2. Position in the Marketplace
There is uncertainty in the market - CNet, March 05:
"Security, ultimately, will not be a standalone market," said one investment banker … "It will just be just another layer of the infrastructure stack. It's no longer about just making the security products work together."
Software, services and hardware companies in the security sector will pull in $52.2 billion in sales in 2008, compared with $22.8 billion in 2003, predicts market research firm IDC. That makes those businesses attractive targets for acquirers in the networking, communications and systems management industries, among others.
Major CISO:
“There are a few very successful security vendors, the remainder find a small niche and/or sell a few small pilots where expectations are far in excess of reality.”
77
What’s in it for me
78
What’s in it for me
79
Rights of vendor members vs. user members
80
How to engage
81
Where could Jericho take us?
David Lacey
Royal Mail Plc.
& Jericho Forum Board
82
Thinking beyond Einstein …
Einstein
83
Preparing for a different future …
Author
84
The importance of Security increases …
Increasing Threats: from viruses, hackers, fraud, espionage
Increasing Expectations: from customers, partners, auditors, regulators
Increasing Exposure: greater dependence on IT, increasing connectivity
85
As organisations continue to change …
[Diagram: external relationships on one axis (Weak to Strong), internal relationships on the other (‘Hard’ to ‘Soft’); the trend runs from the “Machine” organisation towards the “Organism”]
86
And existing solutions break down …
[Diagram: an Intranet surrounded by repeated JV, ASP, Service provider, Extranet, Partner and Outsource connections]
87
As we experience the first security paradigm
shift of the 21st Century …
88
Technology will transform our world …
89
There are consequences for security …
91
Further developments …
We will agree common policy languages to support cross-organisational processes, including federated identity and access management
This work will underpin the automation of security countermeasures and enable the exploitation of the Semantic Web
We will use the Semantic Web to interpret and secure data in context across organisations
Jericho Technology and Standards will deliver the underpinning architecture
Jericho Requirements and Ontology models will enable its exploitation
92
We will increasingly design our own future …
Alan Kay
93
Using the power of our imagination …
Einstein
94
As we look ahead to the second paradigm
shift of the 21st Century …
95
A world of increasing openness and complexity …
Exploding surveillance opportunities
Limited opportunities for privacy-enhancing technologies
Proliferating data wakes and pervasive circumstantial data about personal behaviour
Intelligent monitoring software can highlight unusual behaviour
Data fusion, mining and visualisation software can extract intelligence out of noise
Exploitable for business, security, fraud or espionage
96
Visibility & understanding will be key
97
Break
Coffee & Tea Served
98
Panel Debate & Audience Questions
Panel
David Lacey
John Meakin
Paul Simmonds
Shane Tully
Andrew Yeomans
99
Wrap-up
Ron Condon
Editor in Chief,
SC Magazine
100
The Jericho Forum USA conference
101
Jericho Forum
Shaping security for tomorrow’s world
www.jerichoforum.org
102