
1st Jericho Forum Annual Conference 26th April

May 30, 2018

  • 8/14/2019 1st Jericho Forum Annual Conference 26th April


    Welcome

    1st Jericho Forum

    Annual Conference

    26th April 2005

    Riverbank Hotel, London

    Hosted by SC Magazine


    Welcome

    Richard Watts

    Publishing Director,

    SC Magazine


    Agenda

    11:35: Welcome

    11.45: The Challenge YOU are facing

    12.05: What is Jericho?

    12.25: What has it achieved in the past year?

    12.45: What are we doing going forwards

    13.00: Lunch

    14.30: Mutually beneficial vendor involvement

    14.50: Where could Jericho take us?

    15.15: Break (Coffee & Teas)

    15.45: Panel Debate & Audience Questions, moderated by Ron Condon

    16:45: Summing up the day

    17:00: Close


    Welcome

    Ron Condon

    Editor in Chief,

    SC Magazine


    The Challenge YOU are facing

    John Meakin

    Standard Chartered Bank

    & Jericho Forum Board


    Tearing Down the Walls: The Business Case for Jericho

    Agenda

    The Business Problem

    The Death of the Perimeter

    The Security Problem

    The Potential Solution

    Scenarios

    The Future


    The Business Problem

    Business trends & needs breaking traditional network perimeter

    Cost effective networking

    Collaborative business

    Outsourcing

    Joint venturing

    For Standard Chartered Bank:

    Challenge of doing business in Africa

    Network bandwidth availability

    Challenge of grasping market opportunity

    Eg Afghanistan, Iraq


    Current Network Security Strategy

    It's all about the firewalls.

    Premise:

    SCB internal network is open at network layer

    All restriction of access and protection of data occurs at higher layers (host, application, etc)

    Control remote connectivity for:

    off-network hosts/people via trusted/untrusted networks

    trusted third-parties via trusted third-party networks

    trusted third-parties via untrusted networks, ie Internet

    untrusted third-parties via Internet

    Maintain same level of trust at each layer in multi-layer boundary model

    Ensure that SCB network protected by defence in depth

    Provide range of cost-effective solutions for above scenarios

    Provide resilient connectivity as option where business transaction requirements specify


    1BPN Illustrated

    [Diagram. Panels: PSDC Channel (Tier 1 Boundary, Tier 2 Boundary, Tier 3 (GWAN) Boundary) and BPEC (Tier 1 Boundary, Tier 2 (GWAN) Boundary). Labelled elements: Requester, Internet, Third Party Network, WWW Server, Application Server, Internal Application Server, Back Office System, PSDC/PSAC Application, BPEC Application, DBMS, DBMS Auth, ISIS. Link labels: HTTPS, SOAP/HTTP, SQL*net. Function labels: Authentication, Counter-party Authentication, Identification, Auditing, User ID + Auth, Interface mediation, EDI, Application Logic, Internal Appl'n Brokerage, Tier 1s Data Storage, Tier 2s Data Storage.]


    Connectivity Scenarios

    Cost for HA-BPEC is 22% more

    Cost for split-site HA-PSDC is 35% more

    Costs dependent on Application design

    NOTE: This analysis ignores the combination of multiple solutions into a single firewall complex (typical for PSAC installations with Remote SCB Users/Internet Surfing/Email, etc).

    NOTE: Total cost for 1000 Remote Users

    Components (column headings): Remote SCB Users (x1000); Small Remote Office; Exchange Data Feed, ie BPEC; Staff Internet Surfing, ie PSAC; Electronic Banking System, ie HA-PSDC; Customer Information Transfer, ie PSAC or SS-PSDC

    Network Switches - Tier 1&2 14 15 25 14 25 14

    Network Switches - Tier 3 2

    Load Balancing 28 28

    Traffic Shaping 11 11 11

    Firewalls - Tier 1&2 - Central 12 12 21 12 21 12

    Firewalls - Tier 1&2 - Remote 2

    Firewalls - Tier 3 7 4

    DNS Servers 5 5

    Proxy Servers 5 5

    Intrusion Detection Systems 32 32 32 43 40

    VPN Head-End 11 11

    VPN Client + Authenticator 50 0

    Authentication Servers (RADIUS & Ace) 10 10

    Remote Client Firewall 10

    Security S/w (eg URL blocking, Malware Filtering) 10 10

    Application Web Servers ? ?

    Application Data Servers ? ? ?

    Application-Specific Proxy Servers ? ? ?

    Component-only Cost Total 160 92 74 89 126 79

    Implementation Manpower (inc build, OAT, SAT, etc) 6 3 5 4 8 5

    Build Cost Total 165 96 79 93 134 84

    Hardware Maintenance/yr 19 18 15 16 25 16

    Software Maintenance/yr 67 17 6 16 10 7

    Operating Manpower (1 yr) 1 1 0 1 1 0

    Penetration Testing Manpower (1 yr) 3 16 13 20 18

    Operating Cost Total 88 39 37 45 55 40

    Total Costs ($k) 252.59 134.56 115.69 138.17 189.52 124.43

    Firewalls - Tier 3 cost as % Total 0.0% 0.0% 0.0% 0.0% 4.6% 2.8%

    Firewalls cost as % Total 10.3% 21.2% 39.4% 18.9% 28.7% 23.6%

    Unit Costs ($k)


    The Death of the Perimeter

    (Banking) Business is conducted over networks

    Multitude of connection points

    Multitude of traffic types (protocols, content)

    Complication!

    Traditional perimeter security doesn't scale:

    For filtering of addresses or protocols

    For management of multiple gateways

    Mobile & wireless technology (largely) ignores the perimeter control

    Most large corporates have leaky perimeters

    Perimeter security does nothing about data flow and residence


    Fortress Firewall - Old Technology?


    Terminology

    De-perimeterisation

    vs

    Radical Externalisation

    vs

    Shrinking Perimeters


    The Challenge

    Business transactions

    from any PC

    on any network anywhere

    by anyone of a wide range of different personnel

    Direct to one/more small corporate island core(s)

    With fully externalised network


    Scenarios

    Traditional Internet B2B

    Traditional Trusted Third-Party

    Core to Core over Internet

    Branch Office to Core over Internet

    Rep Office to Core over Internet

    Third-Party Managed Office to Core

    Server to Server over Internet

    Home PC to Core over Internet

    Mobile Device to Core over Internet

    Kiosk PC to Core over Internet

    [Diagram arrows alongside the list: Shrinking Perimeter; Increasing Management & Integration Required]


    Branch Office to Core: Site-Site VPN

    [Diagram labels: SCB GWAN, Ethernet, Internet, Firewall, Firewall, VPN box, VPN box, Printer, Outer Firewall, Inner Firewall, Server, Log Server, Computer]


    Managed Office

    [Diagram labels: SCB GWAN, Ethernet, Internet, Firewall, Firewall, SSL VPN with a Sygate Security Portal like product, Laptop, Laptop, Secure ID, Secure ID]


    Cybercafe/Kiosk/Airport Lounge

    [Diagram labels: SCB GWAN, Ethernet, Internet, Firewall, Firewall, SSL VPN with a Sygate Security Portal like product, Secure ID, Secure ID, Computer, Computer]


    The Security Problem

    The remote PC

    Is it securely configured?

    Is it infected with malware?

    What about data stored locally?

    The network

    What happens to my data passing over it?

    The island host

    Who do I let in?

    How do I exclude others?

    The management

    How to manage 000s of points of control to the same standard with robustness


    So What Do We Need to Do?

    Vendors claim they have the answer, BUT!

    Partial delivery

    Proprietary solutions

    No integration cross-vendors

    We need:

    Definition of business scenarios

    Standard Technology Requirements Definitions

    Sell side needs to listen

    And integrate

    Preferably cross their traditional boundaries!

    So what is Jericho? Over to Paul..!


    What is Jericho?

    Paul Simmonds

    ICI Plc.

    & Jericho Forum Board


    Agenda

    First, what actually is de-perimeterisation

    Then, the Jericho Forum

    How the two are related

    Its composition

    Its relationship with the Open Group

    Its charter

    Its remit


    So what is de-perimeterisation?

    It's fundamentally an acceptance that;

    Most exploits will easily transit perimeter security

    We let through e-mail

    We let through web

    We will need to let through VoIP

    We let through encrypted traffic (SSL, SMTP-TLS, VPN),

    Your border has effectively become a QoS Boundary

    Protection has little/no benefit at the perimeter,

    That it's easier to protect data the closer we get to it,

    That a hardened perimeter strategy is at odds with current and/or future business needs,

    That a hardened perimeter strategy is un-sustainable.


    So what is it actually?

    It's a concept;

    It's how we solve the business needs for our businesses without a hardened perimeter,

    It's how businesses leverage new opportunities when there is no hardened perimeter,

    It's a set of solutions within a framework that we can pick and mix from,

    It's defence in depth,

    It's business-driven security solutions

    It is not a single solution; it's a way of thinking . . .

    Thus;

    There's a need to challenge conventional thinking

    There's the need to change existing mindsets


    Why the Jericho Forum?

    Why now?

    No one else was discussing the problem

    Everyone was fixated on perimeter based designs

    Somebody needed to point out the King's new clothes to the world

    Someone needed to start the discussion

    What's in it for us?

    Ultimately, we need products to implement

    We need to stimulate a market for solutions to de-perimeterised problems


    The Jericho Forum Composition

    Initial Composition

    Initially only consumer (user) organisations

    To define the problem space

    To create the vision

    Free from perception of taint from vendors

    With the promise of vendor involvement once the vision defined

    That point is here now, and we have our first vendor members

    But with safeguards to ensure independence;

    User members own the Forum, vote on the deliverables and run the Board of Managers

    Vendors have no voting rights on deliverables or the direction and management of the Forum.


    The Open Group relationship

    Why the Open Group?

    Experience with loose groups of companies and individuals

    Track record of delivery

    Regarded as open and impartial

    All output is free and Open Source

    Existing framework with a good fit

    Existing legal framework

    Global organisation


    The Jericho Forum Charter & Remit

    What Jericho Is . . .

    There to start the discussion / change the mindset

    The arbiters of making de-perimeterised solutions work in the corporate space

    There to refine what are Jericho Architectural principles vs. Good Secure Design

    Building on the work in the visioning document

    To define key items aligned with the message that make this specifically Jericho

    There to clarify that there is not just one Jericho solution

    What Jericho is not . . .

    Another standards body

    A cartel; this is not about buying a single solution

    There to compete with good security.


    Dating & Secure System Design

    When it comes to dating, at best you get to pick two out of the following three;

    Clever

    Beautiful / Handsome

    Great Personality / Character Traits

    So, given budget & development timelines, at best you have to pick two out of the following three;

    Fast (Speed to market)

    Feature Rich

    Secure

    With acknowledgement to Arian J Evans


    Jericho Principles vs. Good Secure Design

    Fast Delivery / COTS

    Secure Design

    Feature Rich / Business Driven

    Inherently Secure Systems, Protocols & Data

    De-Perimeterised Architecture


    The Jericho Forum Challenge

    We believe, that in tomorrow's world the only successful e-transactions & e-businesses will utilise a de-perimeterised architecture

    Thus you only have two choices;

    Do you sit back and let it happen to you?

    Or

    Do you help design the future to ensure it fits YOUR business needs?


    What has it achieved in the past year?

    Andrew Yeomans

    Dresdner Kleinwort Wasserstein

    & Chairman of the Jericho Technology & Standards Working Group


    A year or so ago, a few good men.

    Met over a few drinks, and the odd meal, and pondered the meaning of life,

    but also why this security stuff they were buying wasn't solving the problems they were encountering . . .

    BP

    Royal Mail

    Standard Chartered Bank

    ICI


    Got rather more (men and women) . . .

    ABN AMRO Bank

    Airbus

    Barclays Bank

    BAE SYSTEMS

    Boeing

    BBC

    BP

    Cabinet Office

    Cable & Wireless

    Credit Agricole

    Credit Suisse First Boston

    Deloitte

    Deutsche Bank

    Dresdner Kleinwort Wasserstein

    Eli Lilly

    Ernst & Young LLP

    GlaxoSmithKline

    HSBC

    ICI

    ING

    JPMorgan Chase

    KPMG LLP (UK)

    Lockheed Martin

    Lloyds TSB

    National Australia Bank Group (Europe)

    Pfizer

    Procter & Gamble

    Qantas

    Reuters

    Rolls-Royce

    Royal Mail

    RBS

    Royal Dutch/Shell

    Standard Chartered Bank

    The Open Group

    UBS Investment Bank

    UKCeB (Council for e-Business) Task Force

    Unilever

    University of Kent Computing Laboratory

    YELL

    = Founders


    ..with various roles

    Chief Information Security Officers

    IT Security Directors/Managers

    Directors of Global Risk Management

    Senior Information Security Engineers

    Enterprise Risk Services Managers

    Directors of Architecture

    Global Security Services Managers

    Forward thinking, highly respected security strategists


    worked up about this

    Everything runs on:

    Same physical wires

    Same logical network

    General Users

    Application Systems

    Admin

    Customers

    Partners

    Suppliers

    Joint ventures

    Outsourcers

    Offshore providers


    and wider stakeholders and their goals

    [Diagram. Stakeholders: CISO / Security Team, Owners/Investors, Board of Directors, Executive Management, IT function, External Auditors, Internal Auditors, Customers, Community, Regulators, Other functions, Lines of Business. Goals: Governance; Avoid/Contain Enterprise Risks; Avoid/Contain Local/Personal Risks; Achieve Control and Authority; Demonstrate Accountability and Compliance.]


    or in words

    The traditional model of a hard perimeter and soft centre is changing as:

    Your people move outside the perimeter

    They are not just your people any more

    Business partners move inside the perimeter

    The policy is out of sync

    too restrictive at the perimeter (default deny)

    lacking in the core (default allow)


    Question

    What does a corporate policy look like for a virtual organization?

    Answer

    The assumption of organization breaks down:

    need granularity

    with wider general consequences, e.g.

    Trust models conventional thinking

    Architecture-centric governance models lead us to federated identity management and trusted second/third parties

    Stakeholder-centric governance models lead us to regulatory solutions and industry initiatives, e.g. e-marketplaces

    Both approaches may be constrained, if not doomed!


    and we also agreed where we're headed

    [Timeline diagram. Labels: 1980s; 1990s; 21st Century; Secure buildings; Personnel contracts; Permissions/Vetting; Guards and gates; Managed Networks; Directories; Single sign-on; Perimeter Security; Network firewalls; Streetwise users; Virtual Enterprises; Virtual Security?; Cyberspace road warriors; ??]


    but how soon will this hit us?

    People often overestimate what will happen in the next two years and underestimate what will happen in ten. I'm guilty of this myself.

    Attributed to Bill Gates


    the answer to which splits into these:

    What's changing

    Static, long term business relationships

    Assumption that threats are external; perimeters responsible for protecting all assets from all external attacks

    Traditional client server environment used by an office based workforce

    Operating System and Network based security controls

    How soon?

    Dynamic, global business partnerships

    Threats are everywhere; perimeters defend a network, but highly mobile devices must defend themselves: defence in depth needed

    Growing use of multi-tier applications / services by an increasingly virtual user-base

    Protection extended to applications and end user devices


    and led us to some initial conclusions

    Impacts of the information age are now well known:

    Network externalities, disintermediation

    Power of globalisation

    Information Risks and their impacts

    We have lessons from other infrastructure changes (electricity, railways, etc)

    Tools such as Technology Road Mapping and Scenario Planning can be used to explore the impact of key drivers, trends and events

    IT products emerging in the next 3-10 years are likely to be in today's research labs

    so this is about getting the right products in place


    plus some observations on root causes

    Many IT standards are broken in practice, e.g.:

    Certificate/CRL (non) processing in SSL

    Bug-compatible implementations of X.509 certificate extensions processing in crypto software

    Representing collaborating/cooperating organisations in X.500/LDAP; directory interoperability

    Re-inventing the wheel for security services for XML (Signatures, Encryption, Key Management)

    Repeated technical standards initiatives with little or no user / vendor dialogue:

    Vendors supposedly understand user requirements

    Users can't and/or don't articulate what they want


    as well as lively debate on what to call it

    De-Perimeterisation

    Re-Perimeterisation

    Radical Externalisation

    Security Without Frontiers

    Boundary-Less Information Flow™


    So, the Vision we agreed was:

    Vision

    To enable business confidence for collaboration and commerce beyond the constraint of the corporate, government, academic & home office perimeter, through;

    Cross-organisational security processes and services

    Products that conform to Open security standards

    Assurance processes that when used in one organisation can be trusted by others

    Initial visioning whitepaper at: http://www.jerichoforum.org


    and the Mission and Milestones:

    Mission

    Act as a catalyst to accelerate the achievement of the Vision, by;

    Defining the problem space

    Communicating the collective Vision

    Challenging constraints and creating an environment for innovation

    Demonstrating the market

    Influencing future products and standards

    Timetable

    A period of 3-5 years for the achievement of its Vision, whilst accepting that its Mission will be ongoing beyond that.


    We established Working Groups . . .

    Meta Architecture: Conceptual scope, structure, dependencies and objectives for de-perimeterisation

    Trust Models: Future business requirements for identity management and assurance

    Technology & Standards: Intercepts with current/future vendor R&D and product roadmaps

    Requirements & Ontology: Future business requirements for information management and security requirements management

    Management & Monitoring: Future business requirements for operational security management in de-perimeterised environments

    PR, Media & Lobbying: Promotion of our programme in public affairs, relevant interest groups and regulatory/legislative agendas; collaboration with these groups


    . . . and defined an initial set of scenarios

    Provide low-cost connectivity

    Access over wireless/public networks: Identity theft, phishing etc.

    Domain inter-working via open networks: Standards complexity and lack of interoperability; IPv6

    Support roaming personnel

    Phoning home from a hostile environment: On-demand trust validation; environment isolation/security

    Enable portability of identities and data: Credentials, attribute/policy based access security

    Allow external access

    Application access by suppliers, distribution agents or business partners: Poor integration of strategic applications (ERP/CRM etc) with security standards

    Outsourced help desk access to internal systems: Least privilege remote access

    Improve flexibility

    Connect organisations using secure XML: Standards complexity / inadequate trust models

    Consolidate/interconnect identity and access management: Incomplete interoperability standards

    Automate policy for controlled info sharing: Securing the semantic web

    Harmonize identities and trust relationships with individuals: Individual-centric security


    with ever-greater priorities

    Provide low-cost connectivity

    Access over wireless/public networks 1.9 1.3

    Domain inter-working via open networks 3.1 2.0

    Support roaming personnel

    Phoning home from a hostile environment 2.1 1.6

    Enable portability of identities and data 2.8 1.8

    Allow external access

    Application access by suppliers, distribution agents or business partners 2.0 1.8

    Outsourced help desk access to int. systems 2.8 2.5

    Improve flexibility

    Connect organisations using secure XML 2.6 1.9

    Consolidate/interconnect identity & access management 2.9 1.6

    Automate policy for controlled info sharing 3.3 2.3

    Harmonize identities and trust relationships with individuals 2.6 1.8

    Score: 1 = high priority, 3 = medium, 5 = low priority


    What are we doing going forwards

    Adrian Seccombe

    Eli Lilly

    & Chairman, Trust Model

    Working Group


    Jericho Forum Way Forward

    Jericho will provide thought leadership on all aspects of de-perimeterisation

    Strategies being deployed;

    Formal working groups within Jericho

    Foster academic links and research

    Continue evangelisation

    Promote independent discussion and research

    Competitions

    Conferences

    Expand Membership


    Jericho Forum Working Groups

    Jericho Forum working groups will only exist for the necessary period of time

    To date two have been convened and disbanded as their work is complete;

    Jericho Forum Management & Transition to Open Group

    Visioning Working Group

    Six currently exist


    Jericho Forum Working Groups . . .

    Meta Architecture: Conceptual scope, structure, dependencies and objectives for de-perimeterisation

    Trust Models: Future business requirements for identity management and assurance

    Technology & Standards: Intercepts with current/future vendor R&D and product roadmaps

    Requirements & Ontology: Future business requirements for information management and security requirements management

    Management & Monitoring: Future business requirements for operational security management in de-perimeterised environments

    PR, Media & Lobbying: Promotion of our programme in public affairs, relevant interest groups and regulatory/legislative agendas; collaboration with these groups


    What are Working Groups?

    Tried and tested model for cooperative working

    Used by Open Group

    Products of working groups submitted for voting by Forum members

    Method of working:

    Few meetings workshops

    Telephone conferences

    Email

    Two current active working groups:

    Trust Models

    Technology & Standards


    Work Group Participation

    Membership of Jericho Forum required

    Four Levels of participation identified:

    Type 1

    Physically Engaged


    Trust Models Working Group

    Vision of Jericho Forum dependent on degree to which information requires to be trusted and protected

    Model will identify various entities or assets involved in flow of protected, trusted information

    Model will NOT attempt to define standards, or design solutions for these requirements


    Why Model Trust?

    In the past Trust based on Human Interaction and Written Legal Contract

    Today information flows electronically at speeds that transcend these mechanisms

    New model for electronic trust required

    accelerate development and ensure maintenance of trust in new electronic domain


    Technology & Standards Work Group

    Working out the nuts & bolts for Jericho

    Requirements Roadmap

    Requirements based on Visioning White Paper

    More explicit Business angle (What's In It For Me)

    More specific Threat landscape

    Technology Roadmap

    Short-term, 6-month & Long-term deliverables

    2-way communication with other Jericho WGs, particularly Architecture, Trust Models, Requirements/Ontology

    Using outcomes from The Jericho Challenge

    representative from TSWG involved to validate definition & evaluate criteria for assessing submissions


    Foster academic links and research

    Jericho is providing assisted membership for suitable academic researchers

    To date three links have been approved by the Jericho Forum Management Board

    University of Kent Computing Laboratory

    Royal Holloway College (in progress)

    University of Auckland (in progress)


    Promote independent discussion & research

    Research into de-perimeterisation is not Jericho Forum exclusive territory;

    Other publications;

    PITAC

    Butler Group


    Cyber Security: A Crisis of Prioritization

    Cyber Security: A Crisis of Prioritization (February 2005)

    http://www.itrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf

    A broad consensus among computer scientists is emerging that the approach of patching and retrofitting networks, computing systems, and software to add security and reliability may be necessary in the short run but is inadequate for addressing the Nation's cyber security needs.

    http://www.itrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdfhttp://www.itrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf

    Fundamentally New Security Models, Methods Needed

    The vast majority of cyber security research conducted to date has been based on the concept of perimeter defence.

    This weakness of the perimeter defence strategy has become painfully clear. But it is not the only problem with the model. The distinction between outside and inside breaks down amid the proliferation of wireless and embedded technologies connected to networks and the increasing complexity of networked systems of systems.

    Security add-ons will always be necessary to fix some security problems, but ultimately there is no substitute for system-wide end-to-end security that is minimally intrusive.

    Cyber Security: A Crisis of Prioritization


    The Jericho Challenge

    In collaboration with Black Hat, this global competition challenges any team of technology experts to design a secure architectural solution that is open, interoperable, viable, and operates in a de-perimeterised environment - alike to a top global corporation's existence on the Internet.

    Deadline for notifying intent to submit entries is May 1st, with full submissions by May 30th by arrangement. Selected papers may be presented in July 2005.

    More information on the 'challenge', how to enter, prizes, etc. is available on the Jericho Forum website (www.jerichoforum.org).


    The Jericho Forum USA conference

    Thurs May 5th:

    10.30 Welcome
    10.45 The challenge YOU are facing - the problem in business terms
    11.15 What is Jericho?
    11.30 What has Jericho achieved
    12.00 Going forwards - roadmap & deliverables
    12.25 How to join
    14.00 Mutually beneficial vendor involvement
    14.30 Jericho future
    15.30 Panel discussion

    Fri May 6th:

    09.00 Review of Jericho Forum working groups - charters, activities
    10.00 Breakout groups - parallel workshops
    12.00 Plenary review - workshop feedback
    12.30 Lunch
    14.00 New breakout groups - parallel workshops
    15.30 Summary feedback & conclusions; next steps
    16.00 Close

    Thurs-Fri, May 5-6, 2005
    Hosted by Procter & Gamble Executive Conference Centre, Cincinnati, Ohio, USA


    Challenges Ahead

    How to keep up momentum?

    Market wants to see tangible, usable deliverables

    Detailed work rooted in real-world experience

    Balancing active participation with the day job

    Global working

    Making effective use of phone & email

    But when it's all done..


    Lunch



    Mutually beneficial vendor involvement

    Paul Simmonds

    ICI Plc. & Jericho Forum Board


    Agenda

    Why has the Jericho Forum opened up to vendors?

    Why become a vendor member?

    Rights of vendor members vs. user members

    How to engage

    What Forum membership is not

    How to get best value from membership


    Vendor membership of a user forum? What's that about?

    Jericho Forum fundamental principle is to be user driven to get break-through in:

    Solving problems that existing perimeter-based solutions were not addressing

    Interoperability and integration of security across vendors

    Giving vendors a user-community driven business case

    That principle has not changed and the Forum remains user owned and driven


    Why become a vendor member? 1. Making customers successful

    A CISO gets a daily flood of solutions and most are rejected out of hand - why?

    Too many solutions use FUD

    Claim to be the latest miracle cure

    They may be bought in ignorance rather than reasoned analysis

    Disappointment is likely - not exactly a repeatable business model!

    HIPAA! SOX! Phishing! Falling Sky!

    Of those that solve real problems;

    Too many are not integrated

    Too proprietary, with limited architecture

    At some point they will be thrown away

    Perhaps along with the CISO buying them?


    Why become a vendor member? 2. Position in the Marketplace

    There is uncertainty in the market - CNet, March 05:

    "Security, ultimately, will not be a standalone market," said one investment banker .. "It will just be just another layer of the infrastructure stack. It's no longer about just making the security products work together."

    Software, services and hardware companies in the security sector will pull in $52.2 billion in sales in 2008, compared with $22.8 billion in 2003, predicts market research firm IDC. That makes those businesses attractive targets for acquirers in the networking, communications and systems management industries, among others.

    Major CISO:

    There are a few very successful security vendors, the remainder find a small niche and/or sell a few small pilots where expectations are far in excess of reality.


    What's in it for me

    Access to the thinking of leading security users in one place

    No need to organise numerous strategy workshops with users

    Access to Jericho thinking, ahead of it being published

    Opportunities to grasp new markets ahead of the competition

    Meet and understand where integration with other Jericho vendor members will enhance both offerings


    What's in it for me

    Better opportunity for a larger take-up of customers at faster rate:

    viral effects of interoperability, users require it of one another

    faster sales-cycle as customers will already understand the concepts & benefits of a particular security capability.

    Do open standards give-away competitive advantage? No

    Jericho Forum requires open standards in interoperability. Inside the box capability and specific functionality can still be competitive issues.


    How to engage

    What Forum membership is not

    A direct sales opportunity

    Access to a mailing list

    A chance to brand all products "Jericho approved"

    Best value from membership

    Get involved in the working groups

    Have technical contributors like your CTO be the one who joins

    Support open interoperability

    Spread the word


    Where could Jericho take us?

    David Lacey

    Royal Mail Plc. & Jericho Forum Board


    Thinking beyond Einstein

    I never think about the future. It comes soon enough

    Einstein


    Preparing for a different future

    We know only one thing about the future or, rather, the futures: It will not look like the present

    Jorge Luis Borges, Author


    The importance of Security increases

    Increasing Threats: from viruses, hackers, fraud, espionage

    Increasing Exposure: greater dependence on IT, increasing connectivity

    Increasing Expectations: from customers, partners, auditors, regulators


    As organisations continue to change

    [Diagram labels: Weak / Strong; Internal relationships; External relationships; Soft / Hard; Machine; Organism; Trend]


    And existing solutions break down

    [Diagram labels: Intranet; Extranet; Partner; JV; ASP; Service provider; Outsource]


    As we experience the first security paradigm shift of the 21st Century


    Technology will transform our world

    Exploding connectivity and complexity (embedded Internet, IP convergence)

    Machine-understandable information (Semantic Web)

    De-fragmentation of computers into networks of smaller devices

    Wireless, wearable computing

    Ubiquitous digital rights management

    Biometrics and novel user interfaces

    From deterministic to probabilistic systems


    There are consequences for security

    Slow death of network perimeters

    Continuing blurring of business and personal lifestyles

    Security migrates to the data level

    New languages and tools needed to express, translate and negotiate security policies

    Intelligent monitoring systems needed to maintain control of complex, networked systems

    Uncertain security - no guarantees

    Manage incidents as opportunities


    How will we respond?

    The loss of perimeter security will force us to shrink perimeters to clients, applications and ultimately data

    IP Convergence will accelerate this process by challenging existing network security architectures

    We will realise that securing our own backyard is no longer sufficient, and work together to develop federated solutions to secure data across boundaries

    The Jericho Trust models will underpin this migration


    Further developments

    We will agree common policy languages to support cross-organisational processes, including federated identity and access management

    This work will underpin the automation of security countermeasures and enable the exploitation of the Semantic Web

    We will use the Semantic Web to interpret and secure data in context across organisations

    Jericho Technology and Standards will deliver the underpinning architecture

    Jericho Requirements and Ontology models will enable its exploitation


    Using the power of our imagination

    Imagination is more important than knowledge.

    Einstein


    As we look ahead to the second paradigm shift of the 21st Century


    A world of increasing openness and complexity

    Exploding surveillance opportunities

    Limited opportunities for privacy-enhancing technologies

    Proliferating data wakes and pervasive circumstantial data about personal behaviour

    Intelligent monitoring software can highlight unusual behaviour

    Data fusion, mining and visualisation software can extract intelligence out of noise

    Exploitable for business, security, fraud or espionage


    Visibility & understanding will be key

    Understanding and interpreting data in context

    Exploit data mining, fusing and neural networks to crunch through complexity

    Employ computational immunology to differentiate good transactions from bad

    Data visualisation technology to enhance human understanding


    Break

    Coffee & Tea Served


    Jericho Forum


    Shaping security for tomorrow's world

    www.jerichoforum.org