Jericho Forum - Report Back

What's been achieved through 2009,
and how we will continue to make a difference in 2010.
Paul Simmonds & Adrian Seccombe
Board of Management, Jericho Forum
How we got to here – a brief review of the decade

2001 – The “de-perimeterisation” word coined [Royal Mail’s Jon Measham]
2002 – Discussion started among like-minded CISOs who saw the upcoming problem
2003 – Paul Simmonds & David Lacey present at RSA Europe, causing front-page headlines
2004 – January: Jericho Forum founded at The Open Group office in Reading;
interim board formed, and agreed to The Open Group taking over day-to-day running
2004 – December: Interim board formed as a Jericho Forum membership group, with an
elected Board of Managers
2005 – February: White paper published
2005 – April: First Jericho Conference held alongside Info Security & SC Awards
2005 – Interim board agreed to The Open Group taking over day-to-day running
2006 – Trade mark issued
2006 – April: First position paper published
2006 – April: Commandments published
2008 – April: COA published
2009 – April: Cloud paper published
2009 – De-perimeterisation an established concept, now accepted as relevant to the cloud
2009 – Commandments seen to “stand up to the rigours of the clouds”
In computing terms the Noughties was the decade of de-perimeterisation
Key Publications (freely available at www.jerichoforum.org)
• Business rationale for de-perimeterisation
• Jericho Forum Commandments
• White Paper
• The need for Inherently Secure Protocols
• Collaboration Oriented Architectures
• Cloud Cube
And it’s not just us!
• Forrester – Paul Stamp, July 2005
• ISSA Journal – De-perimeterized Architecture: The end to the edge, August 2009
• ISF – Architectural Responses to the Disappearing Network Boundary, February 2009
2009 & Up-coming work
• Self Assessment Scheme
• Cloud current work
  – CSA memorandum of understanding
  – Commandments still valid for cloud
• Identity & Access Management
  – The cloud identity crisis – why cloud won't take off without Id & AM
  – Risk based access
Self Assessment Scheme
• Rationale
  – Based on the “Commandments”
  – “The set of nasty questions to ask your security vendors”
  – Check if they provide the security solutions you need, and
  – Expose shortcomings in the features they may be claiming their offerings provide
  – Can be used stand-alone, or relevant parts simply incorporated into an RFQ
• Release timeline
  – Beta testing with vendors – January 2010
  – US release, 1st March at RSA
  – Europe, 27th April at Info Security
From Connectivity to Collaboration
Figure: the connectivity axis over time, from stand-alone computing to full de-perimeterised working:
• Stand-alone computing [mainframe, mini, PCs]
• Local area networks – islands by technology
• Connected LANs – interoperating protocols
• Connectivity for Internet e-mail
• Internet connectivity – web, e-mail, Telnet, FTP
• External collaboration [private connections] – effective perimeter breakdown
• External working – VPN based
• Limited Internet-based collaboration
• Consumerisation [cheap IP-based devices]
[Today]
• Full Internet-based collaboration
• Full de-perimeterised working
Externalisation of Data
Figure: data moves progressively outside the enterprise over time:
• Then – old, internal: data held inside the perimeter
• Now – de-perimeterised
• Near future – COA
• Future? – secured cloud
The security of the network becomes increasingly irrelevant, and the
security and integrity of the data becomes everything.
Jericho Forum Cloud Cube Model
Figure: the dimensions of “The Cloud” in the Cloud Cube model:
• Location: Internal / External
• Architecture: Perimeterised / De-perimeterised
• Ownership (technology/services/code): Proprietary / Open
• Dimension four: Insourced / Outsourced
Cloud & the Cloud Cube model
• CSA memorandum of understanding
• Commandments still valid for the cloud
• Hybrid computing will be the norm (a mix of traditional and various cloud computing)
  – Private clouds are perimeterised
  – Collaborative clouds are best de-perimeterised
• Select the four types of either with care!
Identity & Access Management
• Key is to separate Identity Management from Access Management, and audit the activities:
  – Identify: “I am he/she!”
  – Authenticate: “You are indeed!” …or not
  – Access: “I’d like to… do that”
  – Authorisation: “Yes, you are allowed” …or not
  – Monitor: “What did you do?”
  – Audit: “You did the right things, right!” …or not
The Cloud Identity Crisis
• The Cloud won't take off fully without appropriate Identity and Access Management
• Private clouds will be able to take advantage of the old perimeterised Identity and Access Management models
• Collaborative clouds will need a significant shift from enterprise-centric security to user-centric security
• Clouds also will benefit greatly from the shift from access by lists to access by claims
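The Identity & Access Management slide separates identify, authenticate, authorise, monitor and audit, and this slide asks for a move from access by lists to access by claims. The following is an added worked example constructed for this page (it is not Jericho Forum code and not taken from any of its publications). It contrasts a plain ACL lookup with a relying party that verifies a signed set of claims from a trusted issuer and evaluates its own policy over those claims, recording every decision for audit. The token format (an HMAC-SHA256-signed JSON payload standing in for a SAML/JWT-style assertion), the shared issuer key, the issuer name `idp.partner.example`, the resource `design-docs`, the users and the policy are all assumptions made for the illustration; a real federation would use an asymmetric signature from the identity provider.

```python
"""Access by lists versus access by claims: an added, constructed example
(not Jericho Forum code). The claims token is an HMAC-SHA256-signed JSON
payload standing in for a federated assertion (SAML/JWT); the shared
issuer key, issuer name, resource names, users and policy are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# ---- Access by lists: the resource owner must enumerate every subject ----
# An external collaborator is simply not on the list, so the enterprise
# would have to provision (and later deprovision) an account for them.
ACL = {"design-docs": {"alice@corp.example", "bob@corp.example"}}

def acl_decision(resource, subject):
    return subject in ACL.get(resource, set())

# ---- Identity management: a trusted issuer authenticates the user and
# signs a set of claims about them. The relying party only needs the
# issuer's key, not the user. (Shared secret is a simplification/assumption.)
ISSUER_KEYS = {"idp.partner.example": b"constructed-shared-secret"}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _canonical(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def issue_token(issuer, key, claims, now, ttl=300):
    """Identify + authenticate at the issuer; emit signed claims with an expiry."""
    payload = _canonical(dict(claims, iss=issuer, exp=now + ttl))
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, now=None):
    """Authenticate the assertion: trusted issuer, intact, not expired."""
    now = time.time() if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
        claims = json.loads(payload)
    except ValueError:            # malformed base64/JSON or wrong number of parts
        return None
    if not isinstance(claims, dict):
        return None
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:               # unknown issuer: no trust relationship
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # tampered or forged
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

# ---- Access management: policy over claims, owned by the resource side ----
POLICIES = {
    "design-docs": lambda c: "engineering" in c.get("groups", [])
                             and c.get("auth_level", 0) >= 2,
}

AUDIT_LOG = []   # Monitor: every decision is recorded so it can be audited

def claims_decision(resource, token, now=None):
    """Access request -> authentication -> authorisation, with an audit record."""
    claims = verify_token(token, now)
    if claims is None:
        AUDIT_LOG.append({"resource": resource, "subject": None,
                          "allowed": False, "reason": "authentication failed"})
        return False
    allowed = POLICIES.get(resource, lambda c: False)(claims)
    AUDIT_LOG.append({"resource": resource, "subject": claims.get("sub"),
                      "issuer": claims["iss"], "allowed": allowed,
                      "reason": "policy"})
    return allowed

def demo():
    """Exercise both models on constructed users; returns the decisions."""
    issuer, now = "idp.partner.example", 1_700_000_000
    key = ISSUER_KEYS[issuer]
    carol = {"sub": "carol@partner.example", "groups": ["engineering"]}
    good = issue_token(issuer, key, dict(carol, auth_level=2), now)
    weak = issue_token(issuer, key, dict(carol, auth_level=1), now)
    forged = issue_token("idp.rogue.example", b"attacker-key",
                         dict(carol, auth_level=2), now)
    # Tampering: re-encode the payload with a higher auth_level, keep the old signature
    p, s = good.split(".")
    tampered = _b64(_canonical(dict(json.loads(_unb64(p)), auth_level=3))) + "." + s
    return {
        "acl_partner_user": acl_decision("design-docs", carol["sub"]),
        "claims_good": claims_decision("design-docs", good, now),
        "claims_weak_auth": claims_decision("design-docs", weak, now),
        "claims_forged_issuer": claims_decision("design-docs", forged, now),
        "claims_tampered": claims_decision("design-docs", tampered, now),
        "claims_expired": claims_decision("design-docs", good, now + 600),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} -> {'allow' if allowed else 'deny'}")
```

The partner user is denied by the ACL because nobody ever added her, while the claims path admits her on the strength of what her own identity provider asserts, and still denies a weaker authentication level, an untrusted issuer, a tampered payload and an expired assertion. The policy lives with the resource owner and the identity lives with the issuer, which is the separation the IAM slide calls for.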
Risk Based Access
• Current access methods
  – Do not support business needs / granularity
  – Do not support “real” cloud working
  – Do not support the move to securing the data
• Trust but verify
  – Basic trust models for devices & users exist, but:
  – How do you verify environments you do not own?
  – How do you verify that environments you do not own are cleaned up after use?
2010 Planned / Proposed Work
• Publish Self Assessment Scheme for RSA
• Represent Jericho Forum thinking in the 2010 RSA Conference
• Refine linkages to CSA and ENISA, and develop new linkages to other bodies (like ISSA)
• Identity and Access Management
• De-perimeterised wireless network implications
A reminder of how we work
Figure: a pyramid of participation, widest at the base, working on de-perimeterisation, COA and cloud:
• Thought Leaders – few people, 100% occupied; User Members
• Vendor Members – more people, some vendors; 60/40 split
• IT / Business Leaders – the widest Jericho Forum community and non-members; many people, users & vendors
Conclusions
• De-perimeterisation is still a relevant topic, with plenty to be highlighted and addressed
• The Commandments remain relevant as we move to cloud issues
• There is a shift from enterprise-centric to user-centric IAM
• There needs to be a shift from ACLs to claims-based access
Questions & Comments
Shaping security for tomorrow’s world
www.jerichoforum.org