1 Welcome 1 st Jericho Forum Annual Conference 26 th April 2005 Riverbank Hotel, London Hosted by SC Magazine
Jan 15, 2016
1
Welcome
1st Jericho Forum Annual Conference
26th April 2005
Riverbank Hotel, London
Hosted by SC Magazine
2
Welcome
Richard Watts Publishing Director,SC Magazine
3
Agenda
11:35: Welcome 11.45: The Challenge YOU are facing 12.05: What is Jericho? 12.25: What has it achieved in the past year? 12.45: What are we doing going forwards 13.00: Lunch 14.30: Mutually beneficial vendor involvement 14.50: Where could Jericho take us? 15.15: Break (Coffee & Teas) 15.45: Panel Debate & Audience Questions
moderated by Ron Condon 16:45 Summing up the day 17:00 Close
4
Welcome
Ron Condon Editor in Chief,SC Magazine
5
The Challenge YOU are facing
John MeakinStandard Charter Bank
& Jericho Forum Board
6
Tearing Down the Walls:The Business Case for Jericho
Agenda The Business Problem The Death of the Perimeter The Security Problem The Potential Solution Scenarios The Future
7
The Business Problem
Business trends & needs breaking traditional network perimeter
– Cost effective networking– Collaborative business– Outsourcing– Joint venturing
For Standard Charter Bank:– Challenge of doing business in Africa
• Network bandwidth availability
– Challenge of grasping market opportunity• Eg Afghanistan, Iraq
8
Current Network Security Strategy
“It’s all about the firewalls….” Premise:
– SCB internal network is “open” at network layer– All restriction of access and protection of data occurs at higher
layers (host, application, etc) Control remote connectivity for:
– off-network hosts/people via “trusted”/“untrusted” networks– “trusted” third-parties via “trusted” third-party networks– “trusted” third-parties via “untrusted” networks, ie Internet– “untrusted” third-parties via Internet
Maintain same level of trust at each layer in multi-layer boundary model
Ensure that SCB network protected by “defence in depth” Provide range of cost-effective solutions for above scenarios Provide resilient connectivity as option where
business transaction requirements specify
9
PSDC Channel - Tier 1 Boundary
PSDC Channel - Tier 2 Boundary
PSDC Channel - Tier 3 (GWAN) Boundary
WWW Server
Back OfficeSystem
RequesterInternet
ApplicationServer
HTTPS
SOAP/HTTP
InternalApplication
Server
SOAP/HTTP
SQL*net
ISIS
PSDC/PSAC
ApplicationDBMS
Auth DBMS
SQL*net
BPEC - Tier 1 Boundary
Tier 2 (GWAN) Boundary
Back OfficeSystem
Requester
Third PartyNetwork
ApplicationServer
SOAP/HTTP
InternalApplication
Server
SOAP/HTTP
SQL*net
ISIS
BPEC
ApplicationDBMS
Auth DBMS
SQL*net
Authentication
Identification
Auditing
Counter-party Authentication
Identification
Auditing
Interface mediation
EDI
Application Logic
User ID + Auth
Auditing
EDI
Application Logic
Internal Appl'n Brokerage
Tier 2’s Data Storage
Internal Appl'n Brokerage
Tier 1’s Data Storage
1BPN Illustrated
10
Connectivity Scenarios
Cost for HA-BPECIs 22% more
Cost for split-site HA-PSDC
Is 35% more
Costs dependenton Application
design
NOTE: This analysis ignores the combination of multiple solutions into a single firewall complex (typical for PSAC installations with Remote SCB Users/Internet Surfing/Email, etc).
NOTE: Total cost for 1000 Remote
Users
Components
Remote SCB Users (x1000)
Small Remote Office
Exchange Data Feed, ie BPEC
Staff Internet Surfing, ie PSAC
Electronic Bank ing System, ie HA-PSDC
Customer Information Transfer, ie PSAC or SS-PSDC
Network Switches - Tier 1&2 14 15 25 14 25 14Network Switches - Tier 3 2Load Balancing 28 28Traffic Shaping 11 11 11Firewalls - Tier 1&2 - Central 12 12 21 12 21 12Firewalls - Tier 1&2 - Remote 2Firewalls - Tier 3 7 4DNS Servers 5 5Proxy Servers 5 5Intrusion Detection Systems 32 32 32 43 40VPN Head-End 11 11VPN Client + Authenticator 50 0Authentication Servers (RADIUS & Ace) 10 10Remote Client Firewall 10Security S/w (eg URL blocking, Malw are Filtering) 10 10Application Web Servers ? ?Application Data Servers ? ? ?Application-Specific Proxy Servers ? ? ?
Component-only Cost Total 160 92 74 89 126 79Implementation Manpower (inc build, OAT, SAT, etc) 6 3 5 4 8 5
Build Cost Total 165 96 79 93 134 84Hardware Maintenance/yr 19 18 15 16 25 16Software Maintenance/yr 67 17 6 16 10 7Operating Manpower (1 yr) 1 1 0 1 1 0Penetration Testing Manpower (1 yr) 3 16 13 20 18
Operating Cost Total 88 39 37 45 55 40Total Costs ($k) 252.59 134.56 115.69 138.17 189.52 124.43
Firewalls - Tier 3 cost as % Total 0.0% 0.0% 0.0% 0.0% 4.6% 2.8%Firewalls cost as % Total 10.3% 21.2% 39.4% 18.9% 28.7% 23.6%
Unit Costs ($k)
11
The Death of the Perimeter
(Banking) Business is conducted over networks– Multitude of connection points– Multitude of traffic types (protocols, content)– Complication!
Traditional perimeter security doesn’t scale:– For filtering of addresses or protocols– For management of multiple gateways
Mobile & wireless technology (largely) ignores the perimeter control
Most large corporates have leaky perimeters Perimeter security does nothing about data flow
and residence
12
Fortress Firewall - Old Technology?
13
Terminology
“De-perimeterisation”vs
“Radical Externalisation”vs
Shrinking Perimeters
14
The Challenge
Business transactions– from any PC– on any network– anywhere– by anyone of a wide range of different personnel
Direct to one/more small corporate “island” core(s)
With fully “externalised” network
15
Scenarios
“Traditional” Internet B2B“Traditional” Trusted Third-PartyCore to Core over InternetBranch Office to Core over InternetRep Office to Core over InternetThird-Party Managed Office to CoreServer to Server over InternetHome PC to Core over InternetMobile Device to Core over InternetKiosk PC to Core over Internet
Sh
rin
kin
g P
erim
eter
Sh
rin
kin
g P
erim
eter
Incr
easi
ng
Man
agem
ent
& I
nte
gra
tio
n R
equ
ired
Incr
easi
ng
Man
agem
ent
& I
nte
gra
tio
n R
equ
ired
16
Branch Office to Core: Site-Site VPN
SCB GWAN
Ethernet Internet
FirewallFirewall
VPN box
VPN box
Printer
OuterFirewall
InnerFirewall
Server Log Server
Computer
17
Managed Office
SCB GWAN
Ethernet Internet
FirewallFirewallSSL VPN
with a“Sygate Security Portal” like
product
Laptop
Laptop
Secure ID
Secure ID
18
Cybercafe/Kiosk/Airport Lounge
SCB GWAN
Ethernet Internet
FirewallFirewallSSL VPN
with a “SygateSecurity Portal”
Like product
Secure ID
Secure ID
Computer
Computer
19
The Security Problem
The remote PC– Is it securely configured?– Is it infected with malware?– What about data stored locally?
The network– What happens to my data passing over it?
The island host– Who do I let in?– How to I exclude others?
The management– How to manage ‘000s of points of control to the same
standard with robustness
20
So What Do We Need to Do?
Vendors claim they have the answer BUT!
– Partial delivery– Proprietary solutions– No integration cross-vendors
We need:– Definition of business scenarios– Standard Technology Requirements Definitions
“Sell side” needs to listen– And integrate– Preferably cross their traditional boundaries!
So what is Jericho?– Over to Paul…..!
21
What is Jericho?
Paul Simmonds ICI Plc.
& Jericho Forum Board
22
Agenda
First, what actually is de-perimeterisation Then, the Jericho Forum
– How the two are related– It’s composition– It’s relationship with the Open Group– It’s charter– It’s remit
23
So what is de-perimeterisation?
It’s fundamentally an acceptance that; Most exploits will easily transit perimeter security
– We let through e-mail– We let through web– We will need to let through VoIP– We let through encrypted traffic (SSL, SMTP-TLS, VPN),
Your border has effectively become a QoS Boundary Protection has little/no benefit at the perimeter, That it’s easier to protect data the closer we get to it, That a hardened perimeter strategy is at odds with current
and/or future business needs, That a hardened perimeter strategy is un-sustainable.
24
So what is it actually?
It’s a concept; It’s how we solve the business needs for our businesses without
a hardened perimeter, Its how businesses leverage new opportunities when there is no
hardened perimeter, It’s a set of solutions within a framework that we can pick and
mix from, It’s defence in depth, It’s business-driven security solutions
It is not a single solution – it’s a way of thinking . . .Thus; There’s a need to challenge conventional thinking There’s the need to change existing mindsets
25
Why the Jericho Forum?
Why now? No one else was discussing the problem Everyone was fixated on perimeter based designs Somebody needed to point out the “Kings new clothes” to the
world Someone needed to start the discussion
What’s in it for us? Ultimately, we need products to implement We need to stimulate a market for solutions to
de-perimeterised problems
26
The Jericho Forum Composition
Initial Composition Initially only consumer (user) organisations
– To define the problem space– To create the vision– Free from perception of taint from vendors– With the promise of vendor involvement once the vision defined
That point is here now, and we have our first vendor members But with safeguards to ensure independence; User members own the Forum, vote on the deliverables and run
the Board of Managers Vendors have no voting rights on deliverables or the direction
and management of the Forum.
27
The Open Group relationship
Why the Open Group?– Experience with loose “groups” of companies
and individuals– Track record of delivery– Regarded as open and impartial– All output is free and Open Source– Existing framework with a good fit– Existing legal framework– Global organisation
28
The Jericho Forum Charter & Remit
What Jericho Is . . . There to start the discussion / change the mindset The arbiters of making de-perimeterised solutions work in the
corporate space There to refine what are Jericho Architectural principals vs. Good
Secure Design Building on the work in the visioning document To define key items aligned with the message that make this
specifically Jericho There to clarify that there is not just one “Jericho solution”What Jericho is not . . . Another standards body A cartel – this is not about buying a single solution There to compete with “good security”.
29
Dating & Secure System Design
When it comes to dating, at best you get to pick two out of the following three;– Clever– Beautiful / Handsome– Great Personality / Character Traits
So, given budget & development timelines, at best you have to pick two out of the following three;– Fast (Speed to market)– Feature Rich– Secure
With acknowledgement to Arian J Evans
30
Jericho Principals vs. Good Secure Design
Fast DeliveryCOTS
Secure Design
Feature Rich Business Driven
Inherently SecureSystems, Protocols
& Data
De-PerimeterisedArchitecture
31
The Jericho Forum Challenge
We believe, that in tomorrow’s worldthe only successful e-transactions &
e-businesses will utilise ade-perimeterised architecture
Thus you only have two choices; Do you sit back and let it happen to you?Or Do you help design the future to ensure it fits
YOUR business needs?
32
What has it achieved in the past year?
Andrew YeomansDresdner Kleinwort Wasserstein
& Chairman of the Jericho Technology & Standards Working Group
33
A year or so ago, a few good men….
Met over a few drinks, and the odd meal,and pondered the meaning of life,
but also why this security stuff they were buying wasn’t solving the problems they were encountering . . .
BP
Royal MailStandard Chartered Bank
ICI
34
ABN AMRO Bank Airbus Barclays Bank BAE SYSTEMS Boeing BBC BP Cabinet Office Cable & Wireless Credit Agricole Credit Suisse First Boston Deloitte Deutsche Bank Dresdner Kleinwort WassersteinEli Lilly Ernst & Young LLPGlaxoSmithKline
HSBC ICIING JPMorgan Chase KPMG LLP (UK) Lockheed MartinLloyds TSB National Australia Bank Group (Europe)PfizerProcter & Gamble QantasReuters Rolls-Royce Royal MailRBS
Royal Dutch/ShellStandard Chartered BankThe Open Group UBS Investment Bank UKCeB (Council for e-Business) Task Force Unilever University of Kent Computing LaboratoryYELL
= Founders
Got rather more (men and women) . . .
35
..with various roles…
Chief Information Security Officers IT Security Directors/Managers Director’s of Global Risk Management Senior Information Security Engineers Enterprise Risk Services Managers Directors of Architecture Global Security Services Managers Forward thinking, highly respected security
strategists
36
Everything runs on:• Same physical wires• Same logical network
General Users
Application
Systems
Admin
Customers Partners Suppliers
• Joint ventures• Outsourcers• Offshore
providers
…worked up about this…
37
CISO / Security
Team
Owners/ InvestorsBoard of
Directors
Executive Management
IT function
External Auditors
Internal Auditors
Customers Community
Governance
Avoid/Contain Enterprise Risks
Avoid/Contain Local/Personal Risks
Ach
ieve C
ontr
ol
and A
uth
ori
tyD
emonstrate A
ccount-ability and C
ompliance
Regulators
Other functions
Lines of Business
…and wider stakeholders and their goals…
38
…or in words…
The traditional model of a hard perimeter and soft centre is changing as :– Your people move outside the perimeter– They are not just ‘your’ people any more– Business partners move inside the perimeter
The policy is out of sync…– too restrictive at the perimeter (default deny)– lacking in the core (default allow)
39
40
Question What does a ‘corporate’ policy
look like for a virtual organization?
AnswerThe assumption of
‘organization’ breaks down: need granularity
…with wider general consequences, e.g.
Trust models – conventional thinking– Architecture-centric governance models lead us to
federated identity management and trusted second/third parties
– Stakeholder-centric governance models lead us to regulatory solutions and ‘industry’ initiatives,e.g. e-marketplaces
– Both approaches may be constrained, if not doomed!
41
1980s
Managed NetworksDirectoriesSingle sign-onPerimeter Security
1990sNetwork firewalls
Streetwise usersVirtual EnterprisesVirtual Security…?
?? 21st Century
Cyberspace road warriors
Secure buildingsPersonnel contractsPermissions/ VettingGuards and gates
…and we also agreed where we’re headed
42
…but – how soon will this hit us?
“People often overestimate what will happen in the next two years and underestimate what will happen in ten.I’m guilty of this myself.”
Attributed to Bill Gates
43
…the answer to which splits into these:
What’s changing Static, long term business
relationships Assumption that threats are
external – perimeters responsible for protecting all assets from all external attacks
Traditional client server environment used by an office based workforce
Operating System and Network based security controls
How soon…? Dynamic, global business
partnerships Threats are everywhere –
perimeters defend a network, but highly mobile devices must defend themselves: defence in depth needed
Growing use of multi-tier applications / services by an increasingly virtual user-base
Protection extended to applications and end user devices
44
…and led us to some initial conclusions…
Impacts of the information age are now well known: Network externalities, disintermediation Power of globalisation Information Risks and their impacts We have lessons from other infrastructure changes
(electricity, railways, etc) Tools such as Technology Road Mapping and Scenario
Planning can be used to explore the impact of key drivers, trends and events
IT products emerging in the next 3 -10 years are likely to be in today’s research labs…so this is about getting the rightproducts in place
45
…plus some observations on root causes…
Many IT ‘standards’ are broken in practice, e.g.: Certificate/CRL (non) processing in SSL Bug-compatible implementations of X.509 certificate
extensions processing in crypto software Representing collaborating/cooperating organisations in
X.500/LDAP; directory interoperability Re-inventing the wheel for security services for XML
(Signatures, Encryption, Key Management…) Repeated technical standards initiatives with little or no
‘user’ / vendor dialogue: Vendors supposedly understand ‘user’ requirements ‘Users’ can’t and/or don’t articulate what they want…
46
…as well as lively debate on what to call it…
De-Perimeterisation Re-Perimeterisation Radical Externalisation Security Without Frontiers Boundary-Less Information FlowTM
47
…with a key qualification on the “de-”
Why would you still have a perimeter?– Block external attacks in network infrastructure– IP spoofing– Block noise and control intranet– Denial of service attacks– Protection from random traffic– Routing and network address management– Legal barrier– Evidence of corporate boundary
Depending on business mission, criticality etc.
48
So, the Vision we agreed was:
Vision To enable business confidence for collaboration
and commerce beyond the constraint of the corporate, government, academic & home office perimeter, through; – Cross-organisational security processes and services– Products that conform to Open security standards– Assurance processes that when used in one organisation
can be trusted by others
Initial visioning whitepaper at:http://www.jerichoforum.org
49
…and the Mission and Milestones:
Mission Act as a catalyst to accelerate the achievement of the Vision,
by;– Defining the problem space– Communicating the collective Vision– Challenging constraints and creating an environment for
innovation– Demonstrating the market– Influencing future products and standards
Timetable A period of 3-5 years for the achievement of its Vision, whilst
accepting that its Mission will be ongoing beyond that.
50
We established Working Groups . . .
MetaArchitecture
TrustModels
Technology& Standards
Requirements& Ontology
Management& Monitoring
PR, Media& Lobbying
Conceptual scope, structure, dependencies and objectives for de-perimeterisation
Future business requirements for identity management and assurance
Intercepts with current/future vendor R&D and product roadmaps
Future business requirements for information management and security requirements management
Future business requirements for operational security management in de-perimeterised environments
Promotion of our programme in public affairs, relevant interest groups and regulatory/ legislative agendas; collaboration with these groups
51
. . . and defined an initial set of scenarios
Providelow-cost connectivity
Access over wireless/public networks Identity theft, phishing etc.
Domain inter-working via open networks Standards complexity and lack of interoperability; IPv6
Supportroaming personnel
Phoning home from a hostile environment On-demand trust validation; environment isolation/security
Enable portability of identities and data Credentials, attribute/ policy based access security
Allowexternalaccess
Application access by suppliers, distribution agents or business partners
Poor integration of strategic applications (ERP/CRM etc) with security standards
Outsourced help desk access to internal systems
Least privilege remote access
Improve flexibility
Connect organisations using secure XML Standards complexity / inadequate trust models
Consolidate/ interconnect identity and access management
Incomplete interoperability standards
Automate policy for controlled info sharing Securing the semantic web
Harmonize identities and trust relationships with individuals
‘Individual-centric’ security
52
…with ever-greater priorities
Provide low-cost connectivity
Access over wireless/public networks 1.9 1.3
Domain inter-working via open networks 3.1 2.0
Support roaming personnel
Phoning home from a hostile environment 2.1 1.6
Enable portability of identities and data 2.8 1.8
Allow external access
Application access by suppliers, distribution agents or business partners
2.0 1.8
Outsourced help desk access to int. systems
2.8 2.5
Improve flexibility Connect organisations using secure XML 2.6 1.9
Consolidate/ interconnect identity & access management
2.9 1.6
Automate policy for controlled info sharing 3.3 2.3
Harmonize identities and trust relationships with individuals
2.6 1.8
Score: 1 = high priority, 3 = medium, 5 = low priority
53
What are we doing going forwards
Adrian SeccombeEli Lilly
& Chairman, Trust Model Working Group
54
Jericho Forum Way Forward
Jericho will provide thought leadership on all aspects of de-perimeterisation
Strategies being deployed;– Formal working groups within Jericho– Foster academic links and research– Continue evangelisation– Promote independent discussion and research– Competitions– Conferences– Expand Membership
55
Jericho Forum Working Groups
Jericho Forum working groups will only exist for the necessary period of time
To date two have been convened and disbanded as their work is complete;– Jericho Forum Management & Transition to Open
Group– Visioning Working Group
Six currently exist
56
Jericho Forum Working Groups . . .
MetaArchitecture
TrustModels
Technology& Standards
Requirements& Ontology
Management& Monitoring
PR, Media& Lobbying
Conceptual scope, structure, dependencies and objectives for de-perimeterisation
Future business requirements for identity management and assurance
Intercepts with current/future vendor R&D and product roadmaps
Future business requirements for information management and security requirements management
Future business requirements for operational security management in de-perimeterised environments
Promotion of our programme in public affairs, relevant interest groups and regulatory/ legislative agendas; collaboration with these groups
57
What are Working Groups?
Tried and tested model for cooperative working– Used by Open Group
Products of working groups submitted for voting by Forum members
Method of working:– Few meetings – workshops– Telephone conferences– Email
Two current active working groups:– Trust Models– Technology & Standards
58
Work Group Participation
Membership of Jericho Forum required Four Levels of participation identified:
– Type 1• Physically Engaged << Commitment to attend occasional
TMWG meetings as well phone calls & email and being a Mentally Engaged Contributor
– Type 2• Mentally Engaged << Willingness to remotely engage in TMWG
meetings as well as contributing outside the meetings
– Type 3• Contributor << Willingness to occasionally contribute
– Type 4• Observer
59
Trust Models Working Group
Vision of Jericho Forum dependant on degree to which information requires to be trusted and protected
Model will identify various entities or assets involved in flow of protected, trusted information
Model will NOT attempt to define standards, or design solutions for these requirements
60
Why Model Trust?
In the past Trust based on Human Interaction and Written Legal Contract
Today information flows electronically at speeds that transcend these mechanisms
New model for electronic trust required– accelerate development and ensure
maintenance of trust in new electronic domain
61
Example Trust Model
62
Technology & Standards Work Group
Working out the “nuts & bolts” for Jericho… Requirements Roadmap
– Requirements based on Visioning White Paper– More explicit Business angle (What’s In It For Me)– More specific Threat landscape
Technology Roadmap Short-term, 6-month & Long-term deliverables 2-way communication with other Jericho WGs – particularly
Architecture, Trust Models, Requirements/Ontology Using outcomes from The Jericho Challenge
– representative from TSWG involved to validate definition & evaluate criteria for assessing submissions
63
Foster academic links and research
Jericho is providing assisted membership for suitable academic researchers
To date three links have been approved by the Jericho Forum Management Board– University of Kent Computing Laboratory– Royal Holloway College (in progress)– University of Auckland (in progress)
64
Promote independent discussion & research
Research into de-perimeterisation is not Jericho Forum exclusive territory;
Other publications;– PITAC– Butler Group
65
Cyber Security: A Crisis of Prioritization
Cyber Security: A Crisis of Prioritization(February 2005) http://www.itrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
A broad consensus among computer scientists is emerging that the approach of patching and retrofitting networks, computing systems, and software to “add” security and reliability may be necessary in the short run but is inadequate for addressing the Nation’s cyber security needs.
66
Fundamentally New Security Models, Methods Needed– The vast majority of cyber security research conducted to date
has been based on the concept of perimeter defence. – This weakness of the perimeter defence strategy has
become painfully clear. But it is not the only problem with the model. The distinction between “outside” and “inside” breaks down amid the proliferation of wireless and embedded technologies connected to networks and the increasing complexity of networked “systems of systems.”
– Security add-ons will always be necessary to fix some security problems, but ultimately there is no substitute for system-wide end-to-end security that is minimally intrusive.
Cyber Security: A Crisis of Prioritization
67
April 2005 Butler Group Review
“Deperimeterisation has become more than an interesting idea it is now a requirement for many organisations”
“Vendors have shown an increasing willingness to listen to the user community, but in the absence of a coherent voice from the end-users themselves, may have been uncertain about to whom they should be listening.”
“As long as Jericho can continue to build upon its foundations and successfully integrate vendor input into its ongoing strategies, then we see no reason why this community should not become a strong and valuable voice in the years ahead.”
www.butlergroup.com/research
68
The Jericho Challenge
In collaboration with Black Hat, this global competition challenges any team of technology experts to design a secure architectural solution that is open, interoperable, viable, and operates in a de-perimeterised environment - alike to a top global corporation's existence on the Internet.
Deadline for notifying intent to submit entries is May 1st, with full submissions by May30th by arrangement. Selected papers may be presented in July 2005.
More information on the 'challenge', how to enter, prizes, etc. is available in the Jericho Forum website (www.jerichoforum.org).
69
The Jericho Forum USA conference
Thurs May 5th: 10.30 Welcome 10.45 The challenge YOU are
facing - the problem inbusiness terms
11.15 What is Jericho? 11.30 What has Jericho achieved 12.00 Going forwards – roadmap
& deliverables 12.25 How to join 14.00 Mutually beneficial vendor
involvement 14.30 Jericho future 15.30 Panel discussion
Fri May 6th: 09.00 Review of Jericho Forum
working groups – charters, activities
10.00 Breakout groups – parallel workshops
12.00 Plenary review – workshop feedback
12.30 Lunch 14.00 New breakout groups –
parallel workshops 15.30 Summary – feedback &
conclusions; next steps 16.00 Close
Thurs-Fri, May 5-6, 2005 Hosted by Procter & GambleExecutive Conference Centre, Cincinnati, Ohio, USA
70
Challenges Ahead
How to keep up momentum?– Market wants to see tangible, usable
deliverables Detailed work rooted in real-world
experience– Balancing active participation with “the day job”
Global working– Making effective use of phone & email
But when it’s all done…..
71
Lunch
Lunch
72
Mutually beneficial vendor involvement
Paul Simmonds ICI Plc.
& Jericho Forum Board
73
Agenda
Why has the Jericho Forum opened up to vendors?
Why become a vendor member? Rights of vendor members vs. user members How to engage
– What Forum membership is not– How to get best value from membership
74
Vendor membership of a user forum?– What’s that about?
Jericho Forum fundamental principle is to be user driven to get break-thorough in:– Solving problems that existing perimeter-based
solutions were not addressing– Interoperability and integration of security
across vendors– Giving vendors a user-community driven
business case
That principle has not changed and the Forum remains user owned and driven
75
Vendor membership of a user forum?– What’s that about?
Users don’t build solutions– Engage with vendors to solve the problems we
are defining We invite vendors to join with us;
– Get to grips with the difficult problems– Propose open standards to base products on– Propose new solutions– Change existing thinking & join the debate
Users will approve the standards.
76
Why become a vendor member?1. Making customers successful
A CISO gets a daily flood of solutions and most are rejected out of hand – why?– Too many solutions use ‘FUD’ – Claim to be the latest miracle cure– They may be bought in ignorance rather
than reasoned analysis– Disappointment is likely - not exactly a
repeatable business model!
– HIPPA! SOX! Phishing! Falling Sky! Of those that solve real problems;
– Too many are not integrated– Too proprietary, with limited architecture– At some point they will be thrown away– Perhaps along with the CISO buying them?
77
Why become a vendor member?2. Position in the Marketplace
There is uncertainty in the market - CNet, March 05: "Security, ultimately, will not be a standalone market," said one
investment banker ….. "It will just be just another layer of the infrastructure stack. It's no longer about just making the security products work together."
Software, services and hardware companies in the security sector will pull in $52.2 billion in sales in 2008, compared with $22.8 billion in 2003, predicts market research firm IDC. That makes those businesses attractive targets for acquirers in the networking, communications and systems management industries, among others.
Major CISO:“There are a few very successful security vendors, the remainder find a small niche and/or sell a few small pilots where expectations are far in excess of reality.”
78
What’s in it for me
Access to the thinking of leading security users in one place
No need to organise numerous strategy workshops with users
Access to Jericho thinking, ahead of it being published
Opportunities to grasp new markets ahead of the competition
Meet and understand where integration with other Jericho vendor members will enhance both offerings
79
What’s in it for me
Better opportunity for a larger take-up of customers at faster rate:– ‘viral’ effects of interoperability, users require it of
one another– faster sales-cycle as customers will already
understand the concepts & benefits of a particular security capability.
Do open standards give-away competitive advantage? – No– Jericho Forum requires open standards in
interoperability. ‘Inside the box’ capability and specific functionality can still be competitive issues.
80
Rights of vendor members vs. user members
User members own the Forum, work in the working groups, vote on the deliverables and run the Board of Managers
Vendors may;– Join in the work groups and contribute to design items
and open standards– Have full access to Jericho materials– Elect their own representative onto the vendor council
that represents vendor interests to the Board of Managers
Vendors have no voting rights on deliverables or the direction and management of the Forum.
81
How to engage
What Forum membership is not– A direct sales opportunity– Access to a mailing list– A chance to brand all products
‘Jericho approved’ Best value from membership
– Get involved in the working groups– Have technical contributors like
your CTO be the one who joins– Support open interoperability– Spread the word
82
Where could Jericho take us?
David LaceyRoyal Mail Plc.
& Jericho Forum Board
83
Thinking beyond Einstein …
“I never think about the future. It comes soon enough””
Einstein
84
Preparing for a different future …
We know only one thing about the future or, rather, the futures:“It will not look like the present”
Jorge Luis Borges
Author
85
The importance of Security increases …
Increasing Threats
from viruses, hackers, fraud,
espionage
Increasing Exposure
greater dependence on IT, increasing
connectivity
Increasing Expectations
from customers, partners, auditors,
regulators
86
As organisations continue to change …
Weak Internalrelationships
Strong
External relationships
‘Soft’ ‘Hard’
“Machine”
“Organism”
Trend
87
And existing solutions break down …
Intranet
ASP
JV
Service provider
ExtranetPartner
JV
Outsource
Intranet
ASP
JV
Service provider
ExtranetPartner
JV
OutsourceOutsource
Intranet
ASP
JV
Serviceprovider
ExtranetPartner
JV
OutsourceOutsource
88
As we experience the first security paradigm shift of the 21st Century …
89
Technology will transform our world …
Exploding connectivity and complexity (embedded Internet, IP convergence)
Machine-understandable information(Semantic Web)
De-fragmentation of computers intonetworks of smaller devices
Wireless, wearable computing Ubiquitous digital rights management Biometrics and novel user interfaces From deterministic to probabilistic systems
90
There are consequences for security …
Slow death of network perimeters Continuing blurring of business and personal
lifestyles Security migrates to the data level New languages and tools needed to express,
translate and negotiate security policies Intelligent monitoring systems
needed to maintain control ofcomplex, networked systems
Uncertain security - no guarantees Manage incidents as opportunities
91
How will we respond?
The loss of perimeter security will force us to shrink perimeters to clients, applications and ultimately data
IP Convergence will accelerate this process by challenging existing network security architectures
We will realise that securing our own backyard is no longer sufficient, and work together to develop federated solutions to secure data across boundaries
The Jericho Trust models willunderpin this migration
92
Further developments …
We will agree common policy languages to support cross-organisational processes, including federated identity and access management
This work will underpin the automation of security countermeasures and enable the exploitation of the Semantic Web
We will use the Semantic Web to interpret and secure data in context across organisations
Jericho Technology and Standards willdeliver the underpinning architecture
Jericho Requirements and Ontologymodels will enable its exploitation
93
We will increasingly design our own future …
“The best way to predict the future is to invent it”
Alan Kay
94
Using the power of our imagination …
“Imagination is more important than knowledge.”
Einstein
95
As we look ahead to the second paradigm shift of the 21st Century …
96
A world of increasing openness and complexity …
Exploding surveillance opportunities Limited opportunities for privacy-enhancing
technologies Proliferating data wakes and pervasive
circumstantial data about personal behaviour Intelligent monitoring software can highlight
unusual behaviour Data fusion, mining and visualisation software
can extract intelligence out of noise Exploitable for business, security,
fraud or espionage
97
Visibility & understanding will be key
Understanding and interpreting data in context
Exploit data mining, fusing and neural networks to crunch through complexity
Employ computational immunology to differentiate good transactions from bad
Data visualisation technology to enhance human understanding
98
Break
Coffee &Tea Served
99
Panel Debate & Audience Questions
Panel David Lacey John Meakin Paul Simmonds Shane Tully Andrew Yeomans
Moderator: Ron Condon
100
Wrap-up
Ron Condon Editor in Chief,SC Magazine
101
The Jericho Forum USA conference
Thurs May 5th: 10.30 Welcome 10.45 The challenge YOU are
facing - the problem inbusiness terms
11.15 What is Jericho? 11.30 What has Jericho achieved 12.00 Going forwards – roadmap
& deliverables 12.25 How to join 14.00 Mutually beneficial vendor
involvement 14.30 Jericho future 15.30 Panel discussion
Fri May 6th: 09.00 Review of Jericho Forum
working groups – charters, activities
10.00 Breakout groups – parallel workshops
12.00 Plenary review – workshop feedback
12.30 Lunch 14.00 New breakout groups –
parallel workshops 15.30 Summary – feedback &
conclusions; next steps 16.00 Close
Thurs-Fri, May 5-6, 2005 Hosted by Procter & GambleExecutive Conference Centre, Cincinnati, Ohio, USA
102
Jericho Forum Shaping security for tomorrow’s world
www.jerichoforum.org