The business case for removing your perimeter
Paul Simmonds, Board of Management, Jericho Forum®; CISO, ICI Plc.

Agenda
– Introductions
– The shift in computing security
– Threats versus business opportunities
– Case studies of best practice
– Getting to where we need to be
– Conclusions

A brief introduction to the Jericho Forum
– The Jericho Forum aims to drive and influence the development of security standards that will meet future business needs. These standards will:
  – Facilitate secure interoperation, collaboration and commerce over open networks
  – Be based on a security architecture and design approach entitled “de-perimeterization”
– Globally, more than fifty blue-chip user organisations, from all sectors, are working together to solve the problems posed by de-perimeterization
– The Open Group hosts the Jericho Forum
– Everything published is free and open-source

Some of our members
– Foreign & Commonwealth Office
– Cabinet Office

History
Computing history can be defined in terms of increasing connectivity over time:
– starting from no connectivity,
– to the restricted connectivity we currently have today:
– islands of corporate connectivity behind their managed perimeter.
Connectivity over time (chart: connectivity on the vertical axis, time on the horizontal axis)
– Stand-alone computing [Mainframe, Mini, PCs]
– Local Area Networks: islands by technology
– Connected LANs: interoperating protocols
– Connectivity for Internet e-mail
– Internet connectivity: Web, e-mail, Telnet, FTP
– Effective breakdown of the perimeter
– External collaboration [Private connections]; VPN-based external working (Today)
– Limited Internet-based collaboration. Drivers: outsourcing and off-shoring
– Consumerisation [Cheap IP-based devices]. Drivers: low-cost and feature-rich devices
– Full Internet-based collaboration. Drivers: B2B & B2C integration, flexibility, M&A
– Full de-perimeterized working. Drivers: cost, flexibility, faster working

Trends and Signs
Key indicators that your organization is becoming de-perimeterized:
• Mismatch between the (legal) business border, the physical border and the network perimeter
• Business demanding to directly interconnect systems where collaborative relationships exist
• Good network connectivity and access for all business / operational relationships
• Distributed / shared applications across business / operational relationships
• Applications that bypass perimeter security

Business Requirements
– Collaboration with staff, partners, JVs, competitors, outsourcers, suppliers, customers etc.
– Data needs to exist everywhere: we should be concerned primarily with information loss, not loss of the physical asset
– Pervasive access is mandatory: we should be worried about inappropriate access, not access itself

Derived Business Requirements
Computing should:
– Work anywhere: any IP, anytime, anywhere (the “Martini” model)
– Be secure
– Be self-defending
– Be capable of identifying itself
– Be capable of identifying its user
– Have a defined level of trust
– Have trust based on environment
– Work the same irrespective of whether the device is on the Internet or the Intranet

Paper available from the Jericho Forum
The Jericho Forum “Commandments” are freely available from the Jericho Forum website: http://www.jerichoforum.org

So who’s doing it? . . . .
BP declares war on the LAN
By putting de-perimeterization into practice, BP's technology director is hoping to make his company's computers more secure.
Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cyber-criminals. Rather than rely on a strong network perimeter to secure its systems, BP has decided that these laptops have to be capable of coping with the worst that malicious hackers can throw at it, without relying on a network firewall.
Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the Internet even when they're in the office.
http://news.zdnet.co.uk/security/0,1000000189,39253439,00.htm

So who’s doing it? . . . .

ICI set for big savings by switching internet traffic to DSL
ICI is poised to sign a deal that could save it millions of pounds by allowing it to transfer nonessential internet traffic from its wide area network… With non-essential traffic removed, the Wan would be reserved for transferring business-critical data. This would allow the chemicals company to run its network for far longer without upgrading its bandwidth. ICI's Wan connects its 30,000 employees worldwide, but a recent internal audit of the firm's network usage found that 30% of traffic was browser-based.
Cliff Saran - http://www.computerweekly.com/Articles/Article.aspx?liArticleID=220002

So who’s doing it? . . . .

KLM to save £2m through laptop self-support plan
KLM Royal Dutch Airlines expects to save £2m in support costs by giving staff an allowance to buy and maintain their own laptops… This project follows the path advocated by security user group the Jericho Forum, protecting data rather than perimeters, said van Deth.
John-Paul Kamath - 16 July 2007 - http://www.computerweekly.com/Articles/Article.aspx

The future
– Many, and in some cases most, network security perimeters will disappear
– Like it or not, de-perimeterization is happening
– The business and operational drivers will already exist within your organisation
– It's already started and it's only a matter of:
  – how fast,
  – how soon, and
  – whether you decide to control it

Future challenges
– Data vs. Network: as networks open up and are shared, the challenge is to protect the data
– Ad-hoc relationships: shorter, more ad-hoc relationships are becoming the norm
– Collaborators, competitors and enemies:
  – Our networks contain people with various trust levels
  – Collaborators in one area; competitors in other areas
  – Those we need to share with, but do not trust

Old Thinking vs. Jericho Thinking
Old mindset:
– Connections to the secure network
– Connection-level authentication
– Authentication to access the secure network
– Secure tunnel from device to network connection point
New mindset:
– Connections to secure resources
– Protocol-level authentication
– Authentication to access individual secure resources
– Secure protocol from device directly to secure resources

Architecting for a Jericho Forum future
– De-perimeterization is what is happening to you
– The Jericho Forum blueprint is the generic concept of how to respond to it
– Collaboration Oriented Architectures (COA) are the structure and components that enable de-perimeterized working and collaboration
– COA is not a single solution; it is deliberately plural

Risks and benefits
Risks:
– Get it wrong and expose the business
– Keep adding more layers of security
– Cost and/or inability to manage
– Saddled with yesterday's technology
– Inflexible to respond to market demands
Benefits:
– Increased levels of security
– Simpler, less complex security
– Cheaper to run, easier to manage
– Tomorrow's technology with the ability to gain business advantage
– Flexible and adaptable solutions

Getting from where we are today . . .
How to move from a secure network with poor process administration to insecure networks with secure protocols and processes:
1. Accept that you do not have a secure network
2. Base all technology and design assumptions on this revised paradigm
3. Start using de-perimeterized solutions today; they will work just as well inside a “secure” network
4. Change mindsets within your organisation

Opportunity through change
With change there are three options:
– Resist the change
– Let the change happen to you
– Leverage the change for maximum advantage
De-perimeterization is different to other change:
– To leverage this level of fundamental change needs a conscious change in architecture.
– De-perimeterization is happening now, so it is essential that COA is part of your organization's strategic planning today.

Paper available from the Jericho Forum
The Jericho Forum white paper “Business rationale for de-perimeterization” is freely available from the Jericho Forum website: http://www.jerichoforum.org
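The "Old Thinking vs. Jericho Thinking" slide and step 3 above (de-perimeterized solutions work just as well inside a "secure" network) can be shown as a small access-decision model. This is an added illustration, not Jericho Forum code or any published COA component: the connection-level rule grants access because the request arrives from the LAN, while the resource-level rule checks the user, the device's own identity and a trust level derived from its environment, and ignores network location entirely. The Request fields, the 0-3 trust scale and the sample cases are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user_authenticated: bool  # user identity proven by the protocol itself (e.g. a signed token)
    device_identified: bool   # the device can prove its own identity
    managed: bool             # environment facts from which trust is derived (assumed attributes)
    patched: bool
    on_corporate_lan: bool    # network location: only the old-mindset rule looks at this

@dataclass(frozen=True)
class Resource:
    name: str
    required_trust: int       # assumed scale: 0 = public ... 3 = business-critical

def trust_from_environment(req: Request) -> int:
    """'Trust based on environment': derive a level from what the device can show about itself."""
    return int(req.device_identified) + int(req.managed) + int(req.patched)

def old_mindset(req: Request, res: Resource) -> bool:
    """Connection-level authentication: reaching the 'secure network' is the credential."""
    return req.on_corporate_lan

def jericho(req: Request, res: Resource) -> bool:
    """Protocol-level authentication straight to the resource: which user, which device, how trusted."""
    return (req.user_authenticated
            and req.device_identified
            and trust_from_environment(req) >= res.required_trust)

def location_invariant(req: Request, res: Resource) -> bool:
    """Commandment check: moving the same device between Internet and intranet must not change the answer."""
    moved = Request(req.user_authenticated, req.device_identified, req.managed, req.patched,
                    not req.on_corporate_lan)
    return jericho(req, res) == jericho(moved, res)

# Constructed sample cases (not from the deck): the situations the slides argue about.
PAYROLL = Resource("payroll", required_trust=3)
ROGUE_ON_LAN = Request(False, False, False, False, on_corporate_lan=True)
UNPATCHED_ON_LAN = Request(True, True, True, False, on_corporate_lan=True)
MANAGED_LAPTOP_AT_HOME = Request(True, True, True, True, on_corporate_lan=False)

if __name__ == "__main__":
    cases = (("rogue device on the LAN", ROGUE_ON_LAN),
             ("unpatched managed device on the LAN", UNPATCHED_ON_LAN),
             ("managed laptop at home", MANAGED_LAPTOP_AT_HOME))
    for label, req in cases:
        print(f"{label}: old mindset={old_mindset(req, PAYROLL)}  Jericho={jericho(req, PAYROLL)}")
```

The unpatched-on-LAN case is the point of step 3: a resource that authenticates at protocol level is stricter inside the "secure" network too, so it can be rolled out there first.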