Presentation on theme: "Jericho Forum ® – Report Back What's been achieved through 2009, and how we will continue to make a difference in 2010. Paul Simmonds & Adrian Seccombe."— Presentation transcript:
Jericho Forum ® – Report Back What's been achieved through 2009, and how we will continue to make a difference in Paul Simmonds & Adrian Seccombe Board of Management, Jericho Forum
How we got to here – a brief review of the decade 2001 – The “de-perimeterisation” word coined [Royal Mail’s Jon Measham] 2002 – Discussion started among like minded CISO’s who saw the upcoming problem 2003 – Paul Simmonds & David Lacey present at RSA Europe, caused front page headlines 2004 – January: Jericho Forum founded at The Open Group Office in Reading interim board formed, and agree to Open Group taking over day-to-day running 2004 – December: Interim board form as a Jericho Forum membership group, with an elected Board of Managers 2005 – February: White paper published 2005 – April: First Jericho Conference held alongside Info Security & SC Awards 2005 – Interim board agree to Open Group to take over day-to-day running Trade mark issued 2006 – April: First position paper published 2006 – April: Commandments published 2008 – April: COA Published 2009 – April: Cloud Paper Published 2009 – De-perimeterisation an established concept, now accepted as relevant to the cloud 2009 – Commandments seen to “Stand up to the rigours of the Clouds In computing terms the Noughties was the decade of de-perimeterisation
Key Publications Business rationale for de-perimeterisation Jericho Forum Commandments White Paper Freely available at
Key Publications The need for Inherently Secure Protocols Cloud Cube Freely available at Collaboration Oriented Architectures
And it’s not just us! Forrester – Paul Stamp July 2005 ISSA Journal De-perimeterized Architecture The end to the edge August 2009 ISF – Architectural Responses to the Disappearing Network Boundary February 2009
2009 & Up-coming work Self Assessment Scheme Cloud current work CSA memorandum of understanding Commandments still valid for cloud Identity & Access Management The cloud identity crisis - why cloud won't take off without Id & AM Risk based access
Self Assessment Scheme Rationale –Based on the “Commandments” –“the set of nasty questions to ask your security vendors” –Check if they provide the security solutions you need and, –Expose shortcomings in the features they may be claiming their offerings provide –Can be used stand-alone, or relevant parts simply incorporated into an RFQ Release Timeline –Beta Testing with vendors - Jan 2010 –US Release, 1st RSA –Europe, 27 th Info Security
From Connectivity to Collaboration Full de-perimeterised working Full Internet-based Collaboration Consumerisation [Cheap IP based devices] Limited Internet-based Collaboration External Working VPN based External collaboration [Private connections] Internet Connectivity Web, , Telnet, FTP Connectivity for Internet Connected LANs interoperating protocols Local Area Networks Islands by technology Stand-alone Computing [Mainframe, Mini, PC’s] Time Connectivity Business Value Risk Today Effective Perimeter Breakdown
Externalisation of Data InternalDe-perimeterisedCOASecured Cloud OldData ThenData NowData Near Future Data Future?Data The security of the network becomes increasingly irrelevant, and the security and integrity of the data becomes everything.
Jericho Forum Cloud Cube Model ProprietaryOpen External Internal Perimeterised De-perimeterised Location Architecture “The Cloud” Ownership - technology/services/code Dimension Four: Insourced / Outsourced
Cloud & the Cloud Cube model CSA memorandum of understanding Commandments still valid for the cloud Hybrid Computing will be the norm (A mix of traditional and various cloud computing) Private Clouds are Perimeterised Collaborative Clouds are best de-perimeterised Select the four types of either with care!
Identity & Access Management Key is to separate Identity Management from Access Management, and Audit the activities Identify: ”I am he/she!” Authenticate: “You are indeed!” …or not Access: I’d like to… do that Authorisation: Yes you are allowed …or not Monitor: What did you do Audit: You did the right things, right! …or not
The Cloud Identity Crisis The Cloud won't take off fully without appropriate Identity and Access Management Private Clouds will be able to take advantage of the old Perimeterised Identity and Access Management models Collaborative Clouds will need a significant shift from Enterprise Centric security to User Centric Security Clouds also will benefit greatly from the shift from Access by Lists to Access by Claims
Risk Based Access Current access methods –Do not support business needs / granularity –Do not support “real” cloud working –Do not support the move the securing the data Trust but verify –Basic trust models for devices & users exist But; –How do you verify environments you do not own? –How do you verify that environments you do not own are cleaned up after use?
2010 Planned / Proposed Work Publish Self Assessment Scheme for RSA Represent Jericho Forum thinking in 2010 RSA Conference Refine linkages to CSA and ENISA, and develop new linkages to other bodies (like ISSA) Identity and Access Management De-perimeterised wireless network implications
A reminder of how we work Thought Leadership Blue-sky thinking Define Problem Solutions Tools Few people 100% occupied More people, some vendors 60/40 split Many people, users & vendors Widest Jericho forum community and non-members De-perimeterisation COA Cloud Thought Leaders User Members Vendor Members IT / Business Leaders
Conclusions De-perimeterisation still a relevant topic with plenty to be highlighted and addressed Commandments are both relevant and still relevant as we move to cloud issues There is a shift from Enterprise Centric to User Centric IAM There needs to be a shift from ACL’s to Claims based access