8/14/2019 1st Jericho Forum Annual Conference 26th April
Welcome
1st Jericho Forum
Annual Conference 26th April 2005
Riverbank Hotel, London
Hosted by SC Magazine
Welcome
Richard Watts
Publishing Director,
SC Magazine
Agenda
11:35: Welcome
11.45: The Challenge YOU are facing
12.05: What is Jericho?
12.25: What has it achieved in the past year?
12.45: What are we doing going forwards
13.00: Lunch
14.30: Mutually beneficial vendor involvement
14.50: Where could Jericho take us?
15.15: Break (Coffee & Teas)
15.45: Panel Debate & Audience Questions moderated by Ron Condon
16:45 Summing up the day
17:00 Close
Welcome
Ron Condon
Editor in Chief,
SC Magazine
The Challenge YOU are facing
John Meakin
Standard Chartered Bank
& Jericho Forum Board
Tearing Down the Walls: The Business Case for Jericho
Agenda
The Business Problem
The Death of the Perimeter
The Security Problem
The Potential Solution
Scenarios
The Future
The Business Problem
Business trends & needs breaking traditional network perimeter
Cost effective networking
Collaborative business
Outsourcing
Joint venturing
For Standard Chartered Bank:
Challenge of doing business in Africa
Network bandwidth availability
Challenge of grasping market opportunity
E.g. Afghanistan, Iraq
Current Network Security Strategy
It's all about the firewalls.
Premise:
SCB internal network is open at network layer
All restriction of access and protection of data occurs at higher layers (host, application, etc.)
Control remote connectivity for:
off-network hosts/people via trusted/untrusted networks
trusted third-parties via trusted third-party networks
trusted third-parties via untrusted networks, i.e. Internet
untrusted third-parties via Internet
Maintain same level of trust at each layer in multi-layer boundary model
Ensure that SCB network protected by defence in depth
Provide range of cost-effective solutions for above scenarios
Provide resilient connectivity as option where business transaction requirements specify
[Diagram: 1BPN Illustrated. Labels: PSDC Channel with Tier 1, Tier 2 and Tier 3 (GWAN) boundaries; BPEC with Tier 1 and Tier 2 (GWAN) boundaries; Requester (Internet / Third Party Network); WWW Server; Application Server; Internal Application Server; PSDC/PSAC Application; BPEC Application; Auth DBMS; DBMS; Back Office System; protocols HTTPS, SOAP/HTTP, SQL*net, ISIS; functions Authentication, Identification, Auditing, Counter-party Authentication, Interface mediation, EDI, Application Logic, User ID + Auth, Internal Appl'n Brokerage, Tier 1s Data Storage, Tier 2s Data Storage.]
Connectivity Scenarios
Cost for HA-BPEC is 22% more
Cost for split-site HA-PSDC is 35% more
Costs dependent on Application design
NOTE: This analysis ignores the combination of multiple solutions into a single firewall complex (typical for PSAC installations with Remote SCB Users/Internet Surfing/Email, etc).
NOTE: Total cost for 1000 Remote Users
Unit Costs ($k)
Columns: Remote SCB Users (x1000); Small Remote Office; Exchange Data Feed, ie BPEC; Staff Internet Surfing, ie PSAC; Electronic Banking System, ie HA-PSDC; Customer Information Transfer, ie PSAC or SS-PSDC
Components
Network Switches - Tier 1&2 14 15 25 14 25 14
Network Switches - Tier 3 2
Load Balancing 28 28
Traffic Shaping 11 11 11
Firewalls - Tier 1&2 - Central 12 12 21 12 21 12
Firewalls - Tier 1&2 - Remote 2
Firewalls - Tier 3 7 4
DNS Servers 5 5
Proxy Servers 5 5
Intrusion Detection Systems 32 32 32 43 40
VPN Head-End 11 11
VPN Client + Authenticator 50 0
Authentication Servers (RADIUS & Ace) 10 10
Remote Client Firewall 10
Security S/w (eg URL blocking, Malware Filtering) 10 10
Application Web Servers ? ?
Application Data Servers ? ? ?
Application-Specific Proxy Servers ? ? ?
Component-only Cost Total 160 92 74 89 126 79
Implementation Manpower (inc build, OAT, SAT, etc) 6 3 5 4 8 5
Build Cost Total 165 96 79 93 134 84
Hardware Maintenance/yr 19 18 15 16 25 16
Software Maintenance/yr 67 17 6 16 10 7
Operating Manpower (1 yr) 1 1 0 1 1 0
Penetration Testing Manpower (1 yr) 3 16 13 20 18
Operating Cost Total 88 39 37 45 55 40
Total Costs ($k) 252.59 134.56 115.69 138.17 189.52 124.43
Firewalls - Tier 3 cost as % Total 0.0% 0.0% 0.0% 0.0% 4.6% 2.8%
Firewalls cost as % Total 10.3% 21.2% 39.4% 18.9% 28.7% 23.6%
The Death of the Perimeter
(Banking) Business is conducted over networks
Multitude of connection points
Multitude of traffic types (protocols, content)
Complication!
Traditional perimeter security doesn't scale:
For filtering of addresses or protocols
For management of multiple gateways
Mobile & wireless technology (largely) ignores the perimeter control
Most large corporates have leaky perimeters
Perimeter security does nothing about data flow and residence
Fortress Firewall - Old Technology?
Terminology
De-perimeterisation
vs
Radical Externalisation
vs
Shrinking Perimeters
The Challenge
Business transactions
from any PC
on any network anywhere
by anyone of a wide range of different personnel
Direct to one/more small corporate island core(s)
With fully externalised network
Scenarios
Traditional Internet B2B
Traditional Trusted Third-Party
Core to Core over Internet
Branch Office to Core over Internet
Rep Office to Core over Internet
Third-Party Managed Office to Core
Server to Server over Internet
Home PC to Core over Internet
Mobile Device to Core over Internet
Kiosk PC to Core over Internet
[Diagram arrows alongside the list: Shrinking Perimeter; Increasing Management & Integration Required]
Branch Office to Core: Site-Site VPN
[Diagram labels: SCB GWAN, Ethernet, Internet, Firewall, Firewall, VPN box, VPN box, Printer, Outer Firewall, Inner Firewall, Server, Log Server, Computer]
Managed Office
[Diagram labels: SCB GWAN, Ethernet, Internet, Firewall, Firewall, SSL VPN with a Sygate Security Portal like product, Laptop, Laptop, Secure ID, Secure ID]
Cybercafe/Kiosk/Airport Lounge
[Diagram labels: SCB GWAN, Ethernet, Internet, Firewall, Firewall, SSL VPN with a Sygate Security Portal like product, Secure ID, Secure ID, Computer, Computer]
The Security Problem
The remote PC
Is it securely configured?
Is it infected with malware?
What about data stored locally?
The network
What happens to my data passing over it?
The island host
Who do I let in?
How do I exclude others?
The management
How to manage 000s of points of control to the same standard with robustness
So What Do We Need to Do?
Vendors claim they have the answer
BUT!
Partial delivery
Proprietary solutions
No integration cross-vendors
We need:
Definition of business scenarios
Standard Technology Requirements Definitions
Sell side needs to listen
And integrate
Preferably cross their traditional boundaries!
So what is Jericho?
Over to Paul..!
What is Jericho?
Paul Simmonds
ICI Plc.
& Jericho Forum Board
Agenda
First, what actually is de-perimeterisation
Then, the Jericho Forum
How the two are related
Its composition
Its relationship with the Open Group
Its charter
Its remit
So what is de-perimeterisation?
It's fundamentally an acceptance that;
Most exploits will easily transit perimeter security
We let through e-mail
We let through web
We will need to let through VoIP
We let through encrypted traffic (SSL, SMTP-TLS, VPN),
Your border has effectively become a QoS Boundary
Protection has little/no benefit at the perimeter,
That it's easier to protect data the closer we get to it,
That a hardened perimeter strategy is at odds with current and/or future business needs,
That a hardened perimeter strategy is un-sustainable.
So what is it actually?
It's a concept;
It's how we solve the business needs for our businesses without a hardened perimeter,
It's how businesses leverage new opportunities when there is no hardened perimeter,
It's a set of solutions within a framework that we can pick and mix from,
It's defence in depth,
It's business-driven security solutions
It is not a single solution; it's a way of thinking . . .
Thus;
There's a need to challenge conventional thinking
There's the need to change existing mindsets
Why the Jericho Forum?
Why now?
No one else was discussing the problem
Everyone was fixated on perimeter based designs
Somebody needed to point out the King's new clothes to the world
Someone needed to start the discussion
What's in it for us?
Ultimately, we need products to implement
We need to stimulate a market for solutions to de-perimeterised problems
The Jericho Forum Composition
Initial Composition
Initially only consumer (user) organisations
To define the problem space
To create the vision
Free from perception of taint from vendors
With the promise of vendor involvement once the vision defined
That point is here now, and we have our first vendor members
But with safeguards to ensure independence;
User members own the Forum, vote on the deliverables and run the Board of Managers
Vendors have no voting rights on deliverables or the direction and management of the Forum.
The Open Group relationship
Why the Open Group?
Experience with loose groups of companies and individuals
Track record of delivery
Regarded as open and impartial
All output is free and Open Source
Existing framework with a good fit
Existing legal framework
Global organisation
The Jericho Forum Charter & Remit
What Jericho Is . . .
There to start the discussion / change the mindset
The arbiters of making de-perimeterised solutions work in the corporate space
There to refine what are Jericho Architectural principles vs. Good Secure Design
Building on the work in the visioning document
To define key items aligned with the message that make this specifically Jericho
There to clarify that there is not just one Jericho solution
What Jericho is not . . .
Another standards body
A cartel - this is not about buying a single solution
There to compete with good security.
Dating & Secure System Design
When it comes to dating, at best you get to pick two out of the following three;
Clever
Beautiful / Handsome
Great Personality / Character Traits
So, given budget & development timelines, at best you have to pick two out of the following three;
Fast (Speed to market)
Feature Rich
Secure
With acknowledgement to Arian J Evans
Jericho Principles vs. Good Secure Design
Fast Delivery
COTS
Secure Design
Feature Rich
Business Driven
Inherently Secure Systems, Protocols & Data
De-Perimeterised Architecture
The Jericho Forum Challenge
We believe, that in tomorrow's world the only successful e-transactions & e-businesses will utilise a de-perimeterised architecture
Thus you only have two choices;
Do you sit back and let it happen to you?
Or
Do you help design the future to ensure it fits YOUR business needs?
What has it achieved in the past year?
Andrew Yeomans
Dresdner Kleinwort Wasserstein
& Chairman of the Jericho Technology & Standards Working Group
A year or so ago, a few good men.
Met over a few drinks, and the odd meal, and pondered the meaning of life,
but also why this security stuff they were buying wasn't solving the problems they were encountering . . .
BP
Royal Mail
Standard Chartered Bank
ICI
ABN AMRO Bank
Airbus
Barclays Bank
BAE SYSTEMS
Boeing
BBC
BP
Cabinet Office
Cable & Wireless
Credit Agricole
Credit Suisse First Boston
Deloitte
Deutsche Bank
Dresdner Kleinwort Wasserstein
Eli Lilly
Ernst & Young LLP
GlaxoSmithKline
HSBC
ICI
ING
JPMorgan Chase
KPMG LLP (UK)
Lockheed Martin
Lloyds TSB
National Australia Bank Group (Europe)
Pfizer
Procter & Gamble
Qantas
Reuters
Rolls-Royce
Royal Mail
RBS
Royal Dutch/Shell
Standard Chartered Bank
The Open Group
UBS Investment Bank
UKCeB (Council for e-Business) Task Force
Unilever
University of Kent Computing Laboratory
YELL
= Founders
Got rather more (men and women) . . .
..with various roles
Chief Information Security Officers
IT Security Directors/Managers
Directors of Global Risk Management
Senior Information Security Engineers
Enterprise Risk Services Managers
Directors of Architecture
Global Security Services Managers
Forward thinking, highly respected security strategists
Everything runs on:
Same physical wires
Same logical network
General Users
Application Systems
Admin
Customers
Partners
Suppliers
Joint ventures
Outsourcers
Offshore providers
worked up about this
[Diagram labels: CISO / Security Team; Owners/Investors; Board of Directors; Executive Management; IT function; External Auditors; Internal Auditors; Customers; Community; Governance; Regulators; Other functions; Lines of Business; Avoid/Contain Enterprise Risks; Avoid/Contain Local/Personal Risks; Achieve Control and Authority; Demonstrate Accountability and Compliance]
and wider stakeholders and their goals
or in words
The traditional model of a hard perimeter and soft centre is changing as:
Your people move outside the perimeter
They are not just your people any more
Business partners move inside the perimeter
The policy is out of sync
too restrictive at the perimeter (default deny)
lacking in the core (default allow)
Question
What does a corporate policy look like for a virtual organization?
Answer
The assumption of organization breaks down:
need granularity
with wider general consequences, e.g.
Trust models conventional thinking
Architecture-centric governance models lead us to federated identity management and trusted second/third parties
Stakeholder-centric governance models lead us to regulatory solutions and industry initiatives, e.g. e-marketplaces
Both approaches may be constrained, if not doomed!
1980s
Managed Networks
Directories
Single sign-on
Perimeter Security
1990s
Network firewalls
Streetwise users
Virtual Enterprises
Virtual Security?
?? 21st Century
Cyberspace road warriors
Secure buildings
Personnel contracts
Permissions / Vetting
Guards and gates
and we also agreed where we're headed
but how soon will this hit us?
People often overestimate what will happen in the next two years and underestimate what will happen in ten. I'm guilty of this myself.
Attributed to Bill Gates
the answer to which splits into these:
What's changing
Static, long term business relationships
Assumption that threats are external - perimeters responsible for protecting all assets from all external attacks
Traditional client server environment used by an office based workforce
Operating System and Network based security controls
How soon?
Dynamic, global business partnerships
Threats are everywhere - perimeters defend a network, but highly mobile devices must defend themselves: defence in depth needed
Growing use of multi-tier applications / services by an increasingly virtual user-base
Protection extended to applications and end user devices
and led us to some initial conclusions
Impacts of the information age are now well known:
Network externalities, disintermediation
Power of globalisation
Information Risks and their impacts
We have lessons from other infrastructure changes (electricity, railways, etc)
Tools such as Technology Road Mapping and Scenario Planning can be used to explore the impact of key drivers, trends and events
IT products emerging in the next 3 - 10 years are likely to be in today's research labs, so this is about getting the right products in place
plus some observations on root causes
Many IT standards are broken in practice, e.g.:
Certificate/CRL (non) processing in SSL
Bug-compatible implementations of X.509 certificate extensions processing in crypto software
Representing collaborating/cooperating organisations in X.500/LDAP; directory interoperability
Re-inventing the wheel for security services for XML (Signatures, Encryption, Key Management)
Repeated technical standards initiatives with little or no user / vendor dialogue:
Vendors supposedly understand user requirements
Users can't and/or don't articulate what they want
as well as lively debate on what to call it
De-Perimeterisation
Re-Perimeterisation
Radical Externalisation
Security Without Frontiers
Boundary-Less Information Flow™
So, the Vision we agreed was:
Vision
To enable business confidence for collaboration and commerce beyond the constraint of the corporate, government, academic & home office perimeter, through;
Cross-organisational security processes and services
Products that conform to Open security standards
Assurance processes that when used in one organisation can be trusted by others
Initial visioning whitepaper at: http://www.jerichoforum.org
and the Mission and Milestones:
Mission
Act as a catalyst to accelerate the achievement of the Vision, by;
Defining the problem space
Communicating the collective Vision
Challenging constraints and creating an environment for innovation
Demonstrating the market
Influencing future products and standards
Timetable
A period of 3-5 years for the achievement of its Vision, whilst accepting that its Mission will be ongoing beyond that.
We established Working Groups . . .
Meta Architecture: Conceptual scope, structure, dependencies and objectives for de-perimeterisation
Trust Models: Future business requirements for identity management and assurance
Technology & Standards: Intercepts with current/future vendor R&D and product roadmaps
Requirements & Ontology: Future business requirements for information management and security requirements management
Management & Monitoring: Future business requirements for operational security management in de-perimeterised environments
PR, Media & Lobbying: Promotion of our programme in public affairs, relevant interest groups and regulatory/legislative agendas; collaboration with these groups
. . . and defined an initial set of scenarios
Provide low-cost connectivity
Access over wireless/public networks - Identity theft, phishing etc.
Domain inter-working via open networks - Standards complexity and lack of interoperability; IPv6
Support roaming personnel
Phoning home from a hostile environment - On-demand trust validation; environment isolation/security
Enable portability of identities and data - Credentials, attribute/policy based access security
Allow external access
Application access by suppliers, distribution agents or business partners - Poor integration of strategic applications (ERP/CRM etc) with security standards
Outsourced help desk access to internal systems - Least privilege remote access
Improve flexibility
Connect organisations using secure XML - Standards complexity / inadequate trust models
Consolidate/interconnect identity and access management - Incomplete interoperability standards
Automate policy for controlled info sharing - Securing the semantic web
Harmonize identities and trust relationships with individuals - Individual-centric security
with ever-greater priorities
Provide low-cost connectivity
Access over wireless/public networks 1.9 1.3
Domain inter-working via open networks 3.1 2.0
Support roaming personnel
Phoning home from a hostile environment 2.1 1.6
Enable portability of identities and data 2.8 1.8
Allow external access
Application access by suppliers, distribution agents or business partners 2.0 1.8
Outsourced help desk access to int. systems 2.8 2.5
Improve flexibility
Connect organisations using secure XML 2.6 1.9
Consolidate/interconnect identity & access management 2.9 1.6
Automate policy for controlled info sharing 3.3 2.3
Harmonize identities and trust relationships with individuals 2.6 1.8
Score: 1 = high priority, 3 = medium, 5 = low priority
What are we doing going forwards
Adrian Seccombe
Eli Lilly
& Chairman, Trust Model
Working Group
Jericho Forum Way Forward
Jericho will provide thought leadership on all aspects of de-perimeterisation
Strategies being deployed;
Formal working groups within Jericho
Foster academic links and research
Continue evangelisation
Promote independent discussion and research
Competitions
Conferences
Expand Membership
Jericho Forum Working Groups
Jericho Forum working groups will only exist for the necessary period of time
To date two have been convened and disbanded as their work is complete;
Jericho Forum Management & Transition to Open Group
Visioning Working Group
Six currently exist
Jericho Forum Working Groups . . .
Meta Architecture: Conceptual scope, structure, dependencies and objectives for de-perimeterisation
Trust Models: Future business requirements for identity management and assurance
Technology & Standards: Intercepts with current/future vendor R&D and product roadmaps
Requirements & Ontology: Future business requirements for information management and security requirements management
Management & Monitoring: Future business requirements for operational security management in de-perimeterised environments
PR, Media & Lobbying: Promotion of our programme in public affairs, relevant interest groups and regulatory/legislative agendas; collaboration with these groups
What are Working Groups?
Tried and tested model for cooperative working
Used by Open Group
Products of working groups submitted for voting by Forum members
Method of working:
Few meetings - workshops
Telephone conferences
Two current active working groups:
Trust Models
Technology & Standards
Work Group Participation
Membership of Jericho Forum required
Four Levels of participation identified:
Type 1
Physically Engaged
Trust Models Working Group
Vision of Jericho Forum dependent on degree to which information requires to be trusted and protected
Model will identify various entities or assets involved in flow of protected, trusted information
Model will NOT attempt to define standards, or design solutions for these requirements
Why Model Trust?
In the past Trust based on Human Interaction and Written Legal Contract
Today information flows electronically at speeds that transcend these mechanisms
New model for electronic trust required
accelerate development and ensure maintenance of trust in new electronic domain
Technology & Standards Work Group
Working out the nuts & bolts for Jericho
Requirements Roadmap
Requirements based on Visioning White Paper
More explicit Business angle (What's In It For Me)
More specific Threat landscape
Technology Roadmap
Short-term, 6-month & Long-term deliverables
2-way communication with other Jericho WGs, particularly Architecture, Trust Models, Requirements/Ontology
Using outcomes from The Jericho Challenge
representative from TSWG involved to validate definition & evaluate criteria for assessing submissions
Foster academic links and research
Jericho is providing assisted membership for suitable academic researchers
To date three links have been approved by the Jericho Forum Management Board
University of Kent Computing Laboratory
Royal Holloway College (in progress)
University of Auckland (in progress)
Promote independent discussion & research
Research into de-perimeterisation is not Jericho Forum exclusive territory;
Other publications;
PITAC
Butler Group
Cyber Security: A Crisis of Prioritization
Cyber Security: A Crisis of Prioritization (February 2005)
http://www.itrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
A broad consensus among computer scientists is emerging that the approach of patching and retrofitting networks, computing systems, and software to add security and reliability may be necessary in the short run but is inadequate for addressing the Nation's cyber security needs.
Fundamentally New Security Models, Methods Needed
The vast majority of cyber security research conducted to date has been based on the concept of perimeter defence.
This weakness of the perimeter defence strategy has become painfully clear. But it is not the only problem with the model. The distinction between outside and inside breaks down amid the proliferation of wireless and embedded technologies connected to networks and the increasing complexity of networked systems of systems.
Security add-ons will always be necessary to fix some security problems, but ultimately there is no substitute for system-wide end-to-end security that is minimally intrusive.
Cyber Security: A Crisis of Prioritization
The Jericho Challenge
In collaboration with Black Hat, this global competition challenges any team of technology experts to design a secure architectural solution that is open, interoperable, viable, and operates in a de-perimeterised environment - alike to a top global corporation's existence on the Internet.
Deadline for notifying intent to submit entries is May 1st, with full submissions by May 30th by arrangement. Selected papers may be presented in July 2005.
More information on the 'challenge', how to enter, prizes, etc. is available in the Jericho Forum website (www.jerichoforum.org).
The Jericho Forum USA conference
Thurs May 5th:
10.30 Welcome
10.45 The challenge YOU are facing - the problem in business terms
11.15 What is Jericho?
11.30 What has Jericho achieved
12.00 Going forwards - roadmap & deliverables
12.25 How to join
14.00 Mutually beneficial vendor involvement
14.30 Jericho future
15.30 Panel discussion
Fri May 6th:
09.00 Review of Jericho Forum working groups - charters, activities
10.00 Breakout groups - parallel workshops
12.00 Plenary review - workshop feedback
12.30 Lunch
14.00 New breakout groups - parallel workshops
15.30 Summary feedback & conclusions; next steps
16.00 Close
Thurs-Fri, May 5-6, 2005
Hosted by Procter & Gamble
Executive Conference Centre, Cincinnati, Ohio, USA
Challenges Ahead
How to keep up momentum?
Market wants to see tangible, usable deliverables
Detailed work rooted in real-world experience
Balancing active participation with the day job
Global working
Making effective use of phone & email
But when it's all done..
Lunch
Mutually beneficial vendor involvement
Paul Simmonds
ICI Plc.
& Jericho Forum Board
Agenda
Why has the Jericho Forum opened up to vendors?
Why become a vendor member?
Rights of vendor members vs. user members
How to engage
What Forum membership is not
How to get best value from membership
Vendor membership of a user forum? What's that about?
Jericho Forum fundamental principle is to be user driven to get break-through in:
Solving problems that existing perimeter-based solutions were not addressing
Interoperability and integration of security across vendors
Giving vendors a user-community driven business case
That principle has not changed, and the Forum remains user owned and driven
Why become a vendor member?
Why become a vendor member? 1. Making customers successful
A CISO gets a daily flood of solutions and most are rejected out of hand - why?
Too many solutions use FUD
Claim to be the latest miracle cure
They may be bought in ignorance rather than reasoned analysis
Disappointment is likely - not exactly a repeatable business model!
HIPAA! SOX! Phishing! Falling Sky!
Of those that solve real problems;
Too many are not integrated
Too proprietary, with limited architecture
At some point they will be thrown away
Perhaps along with the CISO buying them?
Why become a vendor member? 2. Position in the Marketplace
There is uncertainty in the market - CNet, March 05:
"Security, ultimately, will not be a standalone market," said one investment banker .. "It will just be just another layer of the infrastructure stack. It's no longer about just making the security products work together."
Software, services and hardware companies in the security sector will pull in $52.2 billion in sales in 2008, compared with $22.8 billion in 2003, predicts market research firm IDC. That makes those businesses attractive targets for acquirers in the networking, communications and systems management industries, among others.
Major CISO:
There are a few very successful security vendors, the remainder find a small niche and/or sell a few small pilots where expectations are far in excess of reality.
What's in it for me
Access to the thinking of leading security users in one place
No need to organise numerous strategy workshops with users
Access to Jericho thinking, ahead of it being published
Opportunities to grasp new markets ahead of the competition
Meet and understand where integration with other Jericho vendor members will enhance both offerings
What's in it for me
Better opportunity for a larger take-up of customers at faster rate:
viral effects of interoperability, users require it of one another
faster sales-cycle as customers will already understand the concepts & benefits of a particular security capability.
Do open standards give away competitive advantage? No
Jericho Forum requires open standards in interoperability. Inside the box capability and specific functionality can still be competitive issues.
How to engage
What Forum membership is not
A direct sales opportunity
Access to a mailing list
A chance to brand all products "Jericho approved"
Best value from membership
Get involved in the working groups
Have technical contributors like your CTO be the one who joins
Support open interoperability
Spread the word
Where could Jericho take us?
David Lacey
Royal Mail Plc.
& Jericho Forum Board
Thinking beyond Einstein
I never think about the future. It comes soon enough
Einstein
Preparing for a different future
We know only one thing about the future or, rather, the futures:
It will not look like the present
Jorge Luis Borges
Author
The importance of Security increases
Increasing Threats: from viruses, hackers, fraud, espionage
Increasing Exposure: greater dependence on IT, increasing connectivity
Increasing Expectations: from customers, partners, auditors, regulators
As organisations continue to change
[Figure: organisational trend diagram. Labels: Weak, Strong, Internal relationships, External relationships, Soft, Hard, Machine, Organism, Trend]
And existing solutions break down
[Figure: network diagram in which the same set of labels appears three times. Labels: Intranet, Extranet, ASP, JV, Service provider, Partner, Outsource]
As we experience the first security paradigm shift of the 21st Century
Technology will transform our world
Exploding connectivity and complexity (embedded Internet, IP convergence)
Machine-understandable information (Semantic Web)
De-fragmentation of computers into networks of smaller devices
Wireless, wearable computing
Ubiquitous digital rights management
Biometrics and novel user interfaces
From deterministic to probabilistic systems
There are consequences for security
Slow death of network perimeters
Continuing blurring of business and personal lifestyles
Security migrates to the data level
New languages and tools needed to express, translate and negotiate security policies
Intelligent monitoring systems needed to maintain control of complex, networked systems
Uncertain security - no guarantees
Manage incidents as opportunities
How will we respond?
The loss of perimeter security will force us to shrink perimeters to clients, applications and ultimately data
IP Convergence will accelerate this process by challenging existing network security architectures
We will realise that securing our own backyard is no longer sufficient, and work together to develop federated solutions to secure data across boundaries
The Jericho Trust models will underpin this migration
Further developments
We will agree common policy languages to support cross-organisational processes, including federated identity and access management
This work will underpin the automation of security countermeasures and enable the exploitation of the Semantic Web
We will use the Semantic Web to interpret and secure data in context across organisations
Jericho Technology and Standards will deliver the underpinning architecture
Jericho Requirements and Ontology models will enable its exploitation
Using the power of our imagination
Imagination is more important than knowledge.
Einstein
As we look ahead to the second paradigm shift of the 21st Century
A world of increasing openness and complexity
Exploding surveillance opportunities
Limited opportunities for privacy-enhancing technologies
Proliferating data wakes and pervasive circumstantial data about personal behaviour
Intelligent monitoring software can highlight unusual behaviour
Data fusion, mining and visualisation software can extract intelligence out of noise
Exploitable for business, security, fraud or espionage
Visibility & understanding will be key
Understanding and interpreting data in context
Exploit data mining, fusing and neural networks to crunch through complexity
Employ computational immunology to differentiate good transactions from bad
Data visualisation technology to enhance human understanding
Break
Coffee & Tea Served
Jericho Forum
Shaping security for tomorrow's world
www.jerichoforum.org