Welcome 1st Jericho Forum Annual Conference 26th April 2005 Riverbank Hotel, London Hosted by SC Magazine
Welcome Richard Watts, Publishing Director, SC Magazine
Agenda • 11:35: Welcome • 11:45: The Challenge YOU are facing • 12:05: What is Jericho? • 12:25: What has it achieved in the past year? • 12:45: What are we doing going forwards? • 13:00: Lunch • 14:30: Mutually beneficial vendor involvement • 14:50: Where could Jericho take us? • 15:15: Break (Coffee & Teas) • 15:45: Panel Debate & Audience Questions, moderated by Ron Condon • 16:45: Summing up the day • 17:00: Close
Welcome Ron Condon, Editor in Chief, SC Magazine
The Challenge YOU are facing John Meakin, Standard Chartered Bank & Jericho Forum Board
Tearing Down the Walls: The Business Case for Jericho Agenda • The Business Problem • The Death of the Perimeter • The Security Problem • The Potential Solution • Scenarios • The Future
The Business Problem • Business trends & needs are breaking the traditional network perimeter • Cost-effective networking • Collaborative business • Outsourcing • Joint venturing • For Standard Chartered Bank: • Challenge of doing business in Africa • Network bandwidth availability • Challenge of grasping market opportunity, e.g. Afghanistan, Iraq
Current Network Security Strategy • “It’s all about the firewalls….” • Premise: • SCB internal network is “open” at the network layer • All restriction of access and protection of data occurs at higher layers (host, application, etc.) • Control remote connectivity for: • off-network hosts/people via “trusted”/“untrusted” networks • “trusted” third parties via “trusted” third-party networks • “trusted” third parties via “untrusted” networks, i.e. the Internet • “untrusted” third parties via the Internet • Maintain the same level of trust at each layer in the multi-layer boundary model • Ensure that the SCB network is protected by “defence in depth” • Provide a range of cost-effective solutions for the above scenarios • Provide resilient connectivity as an option where business transaction requirements specify it
BPN Illustrated (architecture diagram, not reproduced): a Requester on a Third Party Network reaches the BPEC Tier 1 Boundary Application Server over SOAP/HTTP; Tier 1 talks to the Tier 2 (GWAN) Boundary Internal Application Server over SOAP/HTTP and SQL*net; Tier 2 talks to the Application Auth DBMS, the Internal Application and the ISIS Back Office System. Controls at each boundary: counter-party authentication, identification and auditing; user ID + authentication and auditing; EDI, application logic and interface mediation; internal application brokerage; Tier 1’s and Tier 2’s data storage.
Connectivity Scenarios (cost comparison chart, not reproduced) NOTE: This analysis ignores the combination of multiple solutions into a single firewall complex (typical for PSAC installations with Remote SCB Users/Internet Surfing/Email, etc.). NOTE: Total cost is for 1000 remote users; costs depend on application design; the cost for HA-BPEC is 22% more; the cost for split-site HA-PSDC is 35% more.
The Death of the Perimeter • (Banking) business is conducted over networks • Multitude of connection points • Multitude of traffic types (protocols, content) • Complication! • Traditional perimeter security doesn’t scale: • for filtering of addresses or protocols • for management of multiple gateways • Mobile & wireless technology (largely) ignores the perimeter control • Most large corporates have leaky perimeters • Perimeter security does nothing about data flow and residence
Terminology “De-perimeterisation” vs “Radical Externalisation” vs Shrinking Perimeters
The Challenge • Business transactions • from any PC • on any network • anywhere • by any one of a wide range of different personnel • Direct to one or more small corporate “island” core(s) • With a fully “externalised” network
Shrinking Perimeter (chart, not reproduced; scenarios ordered by increasing management & integration required): “Traditional” Internet B2B • “Traditional” Trusted Third Party • Core to Core over Internet • Branch Office to Core over Internet • Rep Office to Core over Internet • Third-Party Managed Office to Core • Server to Server over Internet • Home PC to Core over Internet • Mobile Device to Core over Internet • Kiosk PC to Core over Internet
The Security Problem • The remote PC • Is it securely configured? • Is it infected with malware? • What about data stored locally? • The network • What happens to my data passing over it? • The island host • Who do I let in? • How do I exclude others? • The management • How to manage ’000s of points of control to the same standard, robustly
So What Do We Need to Do? • Vendors claim they have the answer • BUT! • Partial delivery • Proprietary solutions • No integration across vendors • We need: • Definition of business scenarios • Standard technology requirements definitions • The “sell side” needs to listen • And integrate • Preferably across their traditional boundaries! • So what is Jericho? • Over to Paul…..!
What is Jericho? Paul Simmonds ICI Plc. & Jericho Forum Board
Agenda • First, what actually is de-perimeterisation • Then, the Jericho Forum • How the two are related • Its composition • Its relationship with the Open Group • Its charter • Its remit
So what is de-perimeterisation? It’s fundamentally an acceptance that: • Most exploits will easily transit perimeter security • We let through e-mail • We let through web • We will need to let through VoIP • We let through encrypted traffic (SSL, SMTP-TLS, VPN) • Your border has effectively become a QoS boundary • Protection has little/no benefit at the perimeter • It’s easier to protect data the closer we get to it • A hardened perimeter strategy is at odds with current and/or future business needs • A hardened perimeter strategy is unsustainable
So what is it actually? It’s a concept: • It’s how we solve the business needs of our businesses without a hardened perimeter • It’s how businesses leverage new opportunities when there is no hardened perimeter • It’s a set of solutions within a framework that we can pick and mix from • It’s defence in depth • It’s business-driven security solutions It is not a single solution – it’s a way of thinking . . . Thus: • There’s a need to challenge conventional thinking • There’s a need to change existing mindsets
Why the Jericho Forum? Why now? • No one else was discussing the problem • Everyone was fixated on perimeter-based designs • Somebody needed to point out the “King’s new clothes” to the world • Someone needed to start the discussion What’s in it for us? • Ultimately, we need products to implement • We need to stimulate a market for solutions to de-perimeterised problems
The Jericho Forum Composition Initial Composition • Initially only consumer (user) organisations • To define the problem space • To create the vision • Free from any perception of taint from vendors • With the promise of vendor involvement once the vision was defined • That point is here now, and we have our first vendor members But with safeguards to ensure independence: • User members own the Forum, vote on the deliverables and run the Board of Managers • Vendors have no voting rights on deliverables or on the direction and management of the Forum
The Open Group relationship • Why the Open Group? • Experience with loose “groups” of companies and individuals • Track record of delivery • Regarded as open and impartial • All output is free and Open Source • Existing framework with a good fit • Existing legal framework • Global organisation
The Jericho Forum Charter & Remit What Jericho Is . . . • There to start the discussion / change the mindset • The arbiters of making de-perimeterised solutions work in the corporate space • There to refine what are Jericho architectural principles vs. good secure design • Building on the work in the visioning document • To define key items aligned with the message that make this specifically Jericho • There to clarify that there is not just one “Jericho solution” What Jericho is not . . . • Another standards body • A cartel – this is not about buying a single solution • There to compete with “good security”
Dating & Secure System Design • When it comes to dating, at best you get to pick two out of the following three: • Clever • Beautiful / Handsome • Great Personality / Character Traits • So, given budget & development timelines, at best you get to pick two out of the following three: • Fast (speed to market) • Feature Rich • Secure With acknowledgement to Arian J Evans
Jericho Principles vs. Good Secure Design (diagram, not reproduced): Fast Delivery / COTS • Secure Design • Inherently Secure Systems, Protocols & Data • De-Perimeterised Architecture • Feature Rich • Business Driven
The Jericho Forum Challenge We believe that in tomorrow’s world the only successful e-transactions & e-businesses will utilise a de-perimeterised architecture Thus you only have two choices: • Do you sit back and let it happen to you? Or • Do you help design the future to ensure it fits YOUR business needs?
What has it achieved in the past year? Andrew Yeomans Dresdner Kleinwort Wasserstein & Chairman of the Jericho Technology & Standards Working Group
A year or so ago, a few good men…. met over a few drinks, and the odd meal, and pondered the meaning of life, but also why this security stuff they were buying wasn’t solving the problems they were encountering . . . ICI • BP • Standard Chartered Bank • Royal Mail
Got rather more (men and women) . . . ABN AMRO Bank • Airbus • BAE SYSTEMS • Barclays Bank • BBC • Boeing • BP • Cabinet Office • Cable & Wireless • Credit Agricole • Credit Suisse First Boston • Deloitte • Deutsche Bank • Dresdner Kleinwort Wasserstein • Eli Lilly • Ernst & Young LLP • GlaxoSmithKline • HSBC • ICI • ING • JPMorgan Chase • KPMG LLP (UK) • Lloyds TSB • Lockheed Martin • National Australia Bank Group (Europe) • Pfizer • Procter & Gamble • Qantas • RBS • Reuters • Rolls-Royce • Royal Dutch/Shell • Royal Mail • Standard Chartered Bank • The Open Group • UBS Investment Bank • UKCeB (Council for e-Business) Task Force • Unilever • University of Kent Computing Laboratory • YELL (Founders, marked on the original slide, are those named on the previous slide.)
…with various roles… • Chief Information Security Officers • IT Security Directors/Managers • Directors of Global Risk Management • Senior Information Security Engineers • Enterprise Risk Services Managers • Directors of Architecture • Global Security Services Managers • Forward-thinking, highly respected security strategists
…worked up about this… (diagram, not reproduced: admins, customers, partners, suppliers, application systems and general users all sharing one network) • Joint ventures • Outsourcers • Offshore providers • Everything runs on: • the same physical wires • the same logical network
…and wider stakeholders and their goals… (diagram, not reproduced) Stakeholders: Owners/Investors • Customers • Community • Board of Directors • External Auditors • Executive Management • CISO / Security Team • Regulators • Internal Auditors • IT function • Other functions • Lines of Business Goals: Achieve control and authority (governance) • Demonstrate accountability and compliance • Avoid/contain enterprise risks • Avoid/contain local/personal risks
…or in words… • The traditional model of a hard perimeter and soft centre is changing as: • Your people move outside the perimeter • They are not just ‘your’ people any more • Business partners move inside the perimeter • The policy is out of sync… • too restrictive at the perimeter (default deny) • lacking in the core (default allow)
Question What does a ‘corporate’ policy look like for a virtual organization? Answer The assumption of ‘organization’ breaks down: we need granularity …with wider general consequences, e.g. • Trust models – conventional thinking • Architecture-centric governance models lead us to federated identity management and trusted second/third parties • Stakeholder-centric governance models lead us to regulatory solutions and ‘industry’ initiatives, e.g. e-marketplaces • Both approaches may be constrained, if not doomed!
…and we also agreed where we’re headed (timeline, not reproduced) 1980s: Secure buildings • Personnel contracts • Permissions/Vetting • Guards and gates 1990s: Managed Networks • Network firewalls • Directories • Single sign-on • Perimeter Security 21st Century: Cyberspace road warriors • Streetwise users • Virtual Enterprises • Virtual Security…? ? ?
…but – how soon will this hit us? “People often overestimate what will happen in the next two years and underestimate what will happen in ten. I’m guilty of this myself.” Attributed to Bill Gates
How soon…? …the answer to which splits into these: What’s changing (from → to)
• Static, long-term business relationships → Dynamic, global business partnerships
• Assumption that threats are external; perimeters responsible for protecting all assets from all external attacks → Threats are everywhere; perimeters defend a network, but highly mobile devices must defend themselves: defence in depth needed
• Traditional client-server environment used by an office-based workforce → Growing use of multi-tier applications/services by an increasingly virtual user base
• Operating system and network based security controls → Protection extended to applications and end-user devices
…and led us to some initial conclusions… • Impacts of the information age are now well known: • Network externalities, disintermediation • Power of globalisation • Information risks and their impacts • We have lessons from other infrastructure changes (electricity, railways, etc.) • Tools such as Technology Road Mapping and Scenario Planning can be used to explore the impact of key drivers, trends and events • IT products emerging in the next 3–10 years are likely to be in today’s research labs …so this is about getting the right products in place
…plus some observations on root causes… • Many IT ‘standards’ are broken in practice, e.g.: • Certificate/CRL (non-)processing in SSL • Bug-compatible implementations of X.509 certificate extension processing in crypto software • Representing collaborating/cooperating organisations in X.500/LDAP; directory interoperability • Re-inventing the wheel for security services for XML (Signatures, Encryption, Key Management…) • Repeated technical standards initiatives with little or no ‘user’ / vendor dialogue: • Vendors supposedly understand ‘user’ requirements • ‘Users’ can’t and/or don’t articulate what they want…
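The first root cause above, SSL clients that never process the certificate chain or its CRLs, shown as an added example using Python’s ssl module (this is editor-supplied illustration code, not code from the slides or from the Jericho Forum). The permissive context is the configuration many client applications shipped with: the handshake still encrypts, but any certificate is accepted. The hardened context verifies the chain, matches the hostname and requires CRL checks for every certificate in the chain; the CRL file path is a hypothetical, deployer-supplied PEM file.

```python
"""Added example: whether a TLS client context validates the peer
certificate chain and its revocation status at all.

Not Jericho Forum code; written to illustrate the
'Certificate/CRL (non-)processing in SSL' root cause.
"""
import ssl
from typing import Optional


def permissive_context() -> ssl.SSLContext:
    """The weak configuration: traffic is encrypted, but the server's
    certificate is never validated, so a self-signed, expired, revoked
    or wrongly-named certificate is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(crl_path: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration: chain validation and hostname matching
    (create_default_context sets CERT_REQUIRED and check_hostname), plus
    CRL checking for every certificate in the chain.

    `crl_path` is a hypothetical PEM file of CRLs supplied by the deployer.
    With VERIFY_CRL_CHECK_CHAIN set, OpenSSL fails the handshake when no
    CRL for an issuer has been loaded, so forgetting the CRL file fails
    closed rather than silently skipping revocation."""
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if crl_path is not None:
        # load_verify_locations accepts PEM files containing CRLs
        ctx.load_verify_locations(cafile=crl_path)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Report which of the three checks a context will actually perform."""
    crl_bits = ssl.VERIFY_CRL_CHECK_CHAIN
    return {
        "validates_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "matches_hostname": bool(ctx.check_hostname),
        "checks_revocation": (ctx.verify_flags & crl_bits) == crl_bits,
    }


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_context()),
                      ("hardened", hardened_context())):
        print(name, describe(ctx))
```

Running the block prints one line per context; only the hardened one reports all three checks enabled. The practical consequence matches the slide: an application using the permissive context is protected against passive eavesdropping only, and revocation of a compromised certificate has no effect on it.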
…as well as lively debate on what to call it… • De-Perimeterisation • Re-Perimeterisation • Radical Externalisation • Security Without Frontiers • Boundary-Less Information Flow™
…with a key qualification on the “de-” • Why would you still have a perimeter? • Block external attacks in the network infrastructure • IP spoofing • Block noise and control the intranet • Denial of service attacks • Protection from random traffic • Routing and network address management • Legal barrier • Evidence of corporate boundary Depending on business mission, criticality, etc.
So, the Vision we agreed was: Vision • To enable business confidence for collaboration and commerce beyond the constraint of the corporate, government, academic & home office perimeter, through: • Cross-organisational security processes and services • Products that conform to open security standards • Assurance processes that, when used in one organisation, can be trusted by others Initial visioning whitepaper at: http://www.jerichoforum.org
…and the Mission and Milestones: Mission • Act as a catalyst to accelerate the achievement of the Vision, by: • Defining the problem space • Communicating the collective Vision • Challenging constraints and creating an environment for innovation • Demonstrating the market • Influencing future products and standards Timetable • A period of 3–5 years for the achievement of its Vision, whilst accepting that its Mission will be ongoing beyond that
We established Working Groups . . .
• Meta-Architecture: conceptual scope, structure, dependencies and objectives for de-perimeterisation
• Trust Models: future business requirements for identity management and assurance
• Technology & Standards: intercepts with current/future vendor R&D and product roadmaps
• Requirements & Ontology: future business requirements for information management and security requirements management
• Management & Monitoring: future business requirements for operational security management in de-perimeterised environments
• PR, Media & Lobbying: promotion of our programme in public affairs, relevant interest groups and regulatory/legislative agendas; collaboration with these groups