The business case for removing the perimeter

The business case for removing your perimeter
Paul Simmonds
Board of Management, Jericho Forum®
CISO, ICI Plc.
Agenda
• Introductions
• The shift in computing security
• Threats versus business opportunities
• Case studies of best practice
• Getting to where we need to be
• Conclusions
A brief introduction to the Jericho Forum
The Jericho Forum aims to drive and influence the development of security standards that will meet future business needs.
• These standards will:
– Facilitate secure interoperation, collaboration and commerce over open networks
– Be based on a security architecture and design approach entitled “de-perimeterization”
• Globally, more than fifty blue-chip user organisations, from all sectors, are working together to solve the problems posed by de-perimeterization
• The Open Group hosts the Jericho Forum
• Everything published is free and open-source.

Some of our members: Foreign & Commonwealth Office, Cabinet Office
History
• Computing history can be defined in terms of increasing connectivity over time:
– starting from no connectivity,
– to the restricted connectivity we currently have today;
– islands of corporate connectivity behind their managed perimeter.
[Timeline figure: connectivity against time, earliest stage first]
– Stand-alone Computing [Mainframe, Mini, PC’s]
– Local Area Networks: islands by technology
– Connected LANs: interoperating protocols
– Connectivity for Internet e-Mail
– Internet Connectivity: Web, e-Mail, Telnet, FTP
– External collaboration [Private connections]
– External Working, VPN based (Today): effective breakdown of the perimeter
– Limited Internet-based Collaboration. Drivers: outsourcing and off-shoring
– Consumerisation [Cheap IP based devices]. Drivers: low cost and feature-rich devices
– Full Internet-based Collaboration. Drivers: B2B & B2C integration, flexibility, M&A
– Full de-perimeterized working. Drivers: cost, flexibility, faster working
Trends and Signs
• Key indicators that your organization is becoming de-perimeterized:
– Mismatch of the (legal) business border, the physical border and the network perimeter
– Business demanding to directly interconnect systems where collaborative relationships exist
– Good network connectivity and access for all business / operational relationships
– Distributed / shared applications across business / operational relationships
– Applications that bypass perimeter security
Business Requirements
• Collaboration
With staff, partners, JV’s, competitors, outsourcers, suppliers, customers etc.
• Data needs to exist everywhere
We should be concerned primarily with information loss, not loss of the physical asset
• Pervasive access is mandatory
We should be worried about inappropriate access, not access itself
Derived Business Requirements
Computing should:
• Work anywhere
• Any IP, anytime, anywhere (“Martini” model)
• Be secure
• Be self-defending
• Be capable of identifying itself
• Be capable of identifying its user
• Have a defined level of trust
• Have trust based on environment
• Work the same irrespective of whether the device is on the Internet or the Intranet.
Paper available from the Jericho Forum
• The Jericho Forum “Commandments” are freely available from the Jericho Forum website: http://www.jerichoforum.org
So who’s doing it? . . .
• BP declares war on the LAN
By putting de-perimeterization into practice, BP's technology director is hoping to make his company's computers more secure.
Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cyber-criminals.
Rather than rely on a strong network perimeter to secure its systems, BP has decided that these laptops have to be capable of coping with the worst that malicious hackers can throw at it, without relying on a network firewall.
Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the Internet even when they're in the office.
http://news.zdnet.co.uk/security/0,1000000189,39253439,00.htm
So who’s doing it? . . .
• ICI set for big savings by switching internet traffic to DSL
ICI is poised to sign a deal that could save it millions of pounds by allowing it to transfer nonessential internet traffic from its wide area network........
…..With non-essential traffic removed, the Wan would be reserved for transferring business-critical data. This would allow the chemicals company to run its network for far longer without upgrading its bandwidth. ICI's Wan connects its 30,000 employees worldwide, but a recent internal audit of the firm's network usage found that 30% of traffic was browser-based.
Cliff Saran - http://www.computerweekly.com/Articles/Article.aspx?liArticleID=220002
So who’s doing it? . . .
• KLM to save £2m through laptop self-support plan
KLM Royal Dutch Airlines expects to save £2m in support costs by giving staff an allowance to buy and maintain their own laptops……
……This project follows the path advocated by security user group the Jericho Forum, protecting data rather than perimeters, said van Deth.
John-Paul Kamath - 16 July 2007 - http://www.computerweekly.com/Articles/Article.aspx
The future
• Many - and in some cases most - network security perimeters will disappear
• Like it or not, de-perimeterization is happening
• The business and operational drivers will already exist within your organisation
• It's already started and it's only a matter of:
– how fast,
– how soon and
– whether you decide to control it
Future challenges
• Data vs. Network
– As networks open up and are shared, the challenge is to protect the data
• Ad-hoc relationships
– Shorter, more ad-hoc relationships are becoming the norm
• Collaborators, competitors and enemies
– Our networks contain people with various trust levels
– Collaborators in one area; competitors in other areas
– Those we need to share with, but do not trust
Old Thinking vs. Jericho Thinking

Old Mindset | New Mindset
Connections to the secure network | Connections to secure resources
Connection-level authentication | Protocol-level authentication
Authentication to access the secure network | Authentication to access individual secure resources
Secure tunnel from device to network connection point | Secure protocol from device directly to secure resources
Architecting for a Jericho Forum future
• De-perimeterization is what is happening to you;
• The Jericho Forum blueprint is the generic concept of how to respond to it
• Collaboration Oriented Architectures (COA) are a structure and components to enable de-perimeterized working and collaboration
• COA is not a single solution; it is deliberately plural
Risks and benefits

Risks | Benefits
Get it wrong and expose the business | Increased levels of security
Keep adding more layers of security | Simpler, less complex security
Cost and/or inability to manage | Cheaper to run, easier to manage
Saddled with yesterday’s technology | Tomorrow’s technology with ability to gain business advantage
Inflexible to respond to market demands | Flexible and adaptable solutions
Getting from where we are today . . .

How to move from a secure network with poor
process administration to insecure networks with
secure protocols and processes
1. Accept that you do not have a secure network
2. Base all technology and design assumptions on
this revised paradigm
3. Start using de-perimeterized solutions today –
they will work just as well inside a “secure”
network
4. Change mindsets within your organisation
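The following is an added example, not Jericho Forum material, contrasting the old connection-level check (trust the source network) with the new per-resource, protocol-level check from the mindset table, and showing that the new check gives the same answer on the intranet as on the Internet (the derived requirements and step 3 above). The corporate address range, the resource key, the token format and the sample requests are all constructed for the demonstration.

```python
# Added example (not Jericho Forum material): one request evaluated under
# the old connection-level model and the new per-resource model.
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CORPORATE_LAN = ip_network("10.0.0.0/8")   # assumed "secure network" address range
RESOURCE_KEY = b"constructed-demo-key"     # assumed key behind the per-resource credential

@dataclass
class Request:
    src_ip: str               # network location the request arrived from
    user: str                 # claimed user identity
    device_id: str            # claimed device identity
    device_attested: bool     # device has proved its own identity/health
    user_authenticated: bool  # user has proved their identity to the resource
    token: Optional[bytes]    # per-resource credential carried in the protocol, if any

def old_mindset_allows(req: Request) -> bool:
    """Old mindset: trust is a property of the network you connected to."""
    return ip_address(req.src_ip) in CORPORATE_LAN

def make_token(user: str, device_id: str, resource: str) -> bytes:
    """Credential bound to user, device and ONE resource (stand-in for a signed token)."""
    msg = f"{user}|{device_id}|{resource}".encode()
    return hmac.new(RESOURCE_KEY, msg, hashlib.sha256).digest()

def trust_level(req: Request) -> int:
    """Derived requirement: trust comes from device and user identity, not location."""
    return int(req.device_attested) + int(req.user_authenticated)

def new_mindset_allows(req: Request, resource: str, required_level: int = 2) -> bool:
    """New mindset: the resource itself authenticates every request at protocol level."""
    if req.token is None or trust_level(req) < required_level:
        return False
    return hmac.compare_digest(req.token, make_token(req.user, req.device_id, resource))

# Constructed sample requests: same unauthenticated laptop on the LAN, and the same
# authenticated user/device once from the Internet and once from the LAN.
LAN_UNAUTH = Request("10.1.2.3", "anyone", "rogue-laptop", False, False, None)
INTERNET_AUTH = Request("203.0.113.7", "alice", "laptop-42", True, True,
                        make_token("alice", "laptop-42", "payroll"))
LAN_AUTH = Request("10.1.2.3", "alice", "laptop-42", True, True,
                   make_token("alice", "laptop-42", "payroll"))

def compare(resource: str = "payroll") -> dict:
    """(old decision, new decision) for each sample request."""
    samples = [("lan_unauth", LAN_UNAUTH), ("internet_auth", INTERNET_AUTH), ("lan_auth", LAN_AUTH)]
    return {name: (old_mindset_allows(r), new_mindset_allows(r, resource)) for name, r in samples}
```

Under the old model the rogue LAN laptop is admitted and the authenticated remote user is refused; under the new model the decision is identical on and off the LAN, and a token minted for one resource is rejected by another.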
Opportunity through change
• With change there are three options:
– Resist the change
– Let the change happen to you
– Leverage the change for maximum advantage
• De-perimeterization is different from other change
– To leverage this level of fundamental change needs a conscious change in architecture.
– De-perimeterization is happening now, so it is essential that COA is part of your organization’s strategic planning today.
Paper available from the Jericho Forum
• The Jericho Forum White Paper “Business rationale for de-perimeterization” is freely available from the Jericho Forum website: http://www.jerichoforum.org