Jericho Forum ® – Report Back What's been achieved through 2009, and how we will continue to make a difference in 2010. Paul Simmonds & Adrian Seccombe

Slide 1: Jericho Forum Report Back
What's been achieved through 2009, and how we will continue to make a difference in 2010.
Paul Simmonds & Adrian Seccombe, Board of Management, Jericho Forum

Slide 2: How we got to here, a brief review of the decade
  • 2001: The de-perimeterisation word coined [Royal Mail's Jon Measham]
  • 2002: Discussion started among like-minded CISOs who saw the upcoming problem
  • 2003: Paul Simmonds & David Lacey present at RSA Europe, caused front page headlines
  • 2004 January: Jericho Forum founded at The Open Group office in Reading; interim board formed, and agree to Open Group taking over day-to-day running
  • 2004 December: Interim board form as a Jericho Forum membership group, with an elected Board of Managers
  • 2005 February: White paper published
  • 2005 April: First Jericho Conference held alongside Info Security & SC Awards
  • 2005: Interim board agree to Open Group to take over day-to-day running
  • 2006: Trade mark issued
  • 2006 April: First position paper published
  • 2006 April: Commandments published
  • 2008 April: COA published
  • 2009 April: Cloud paper published
  • 2009: De-perimeterisation an established concept, now accepted as relevant to the cloud
  • 2009: Commandments seen to stand up to the rigours of the clouds
In computing terms the Noughties was the decade of de-perimeterisation.

Slide 3: Key Publications
  • Business rationale for de-perimeterisation
  • Jericho Forum Commandments
  • White Paper
Freely available at www.jerichoforum.org

Slide 4: Key Publications
  • The need for Inherently Secure Protocols
  • Cloud Cube
  • Collaboration Oriented Architectures
Freely available at www.jerichoforum.org

Slide 5: And it's not just us!
  • Forrester, Paul Stamp, July 2005
  • ISSA Journal, "De-perimeterized Architecture: The end to the edge", August 2009
  • ISF, "Architectural Responses to the Disappearing Network Boundary", February 2009

Slide 6: 2009 & Up-coming work
  • Self Assessment Scheme
  • Cloud: current work; CSA memorandum of understanding; Commandments still valid for cloud
  • Identity & Access Management: the cloud identity crisis (why cloud won't take off without Id & AM); risk based access

Slide 7: Self Assessment Scheme
Rationale: based on the Commandments, the set of "nasty questions" to ask your security vendors. Check if they provide the security solutions you need, and expose shortcomings in the features they may be claiming their offerings provide. Can be used stand-alone, or relevant parts simply incorporated into an RFQ.
Release timeline: Beta testing with vendors, Jan 2010. US release 1st March @ RSA; Europe 27th April @ Info Security.

Slide 8: From Connectivity to Collaboration
[Chart: stages plotted against Time and Connectivity on one axis, Business Value and Risk on the other, with "Today" and "Effective Perimeter Breakdown" marked. Stages, most recent first:]
  • Full de-perimeterised working: full Internet-based collaboration
  • Consumerisation [cheap IP based devices]: limited Internet-based collaboration
  • External working: VPN based external collaboration [private connections]
  • Internet connectivity: Web, e-Mail, Telnet, FTP
  • Connectivity for Internet e-Mail
  • Connected LANs: interoperating protocols
  • Local Area Networks: islands by technology
  • Stand-alone computing [mainframe, mini, PCs]

Slide 9: Externalisation of Data
[Chart: where data lives over time. Old data: Internal; then: De-perimeterised; now: COA; near future: Secured Cloud; future: ?]
The security of the network becomes increasingly irrelevant, and the security and integrity of the data becomes everything.

Slide 10: Jericho Forum Cloud Cube Model
[Diagram of The Cloud with three axes: Proprietary / Open (Ownership: technology/services/code); External / Internal (Location); Perimeterised / De-perimeterised (Architecture). Dimension four: Insourced / Outsourced.]

Slide 11: Cloud & the Cloud Cube model
  • CSA memorandum of understanding
  • Commandments still valid for the cloud
  • Hybrid Computing will be the norm (a mix of traditional and various cloud computing)
  • Private Clouds are Perimeterised
  • Collaborative Clouds are best de-perimeterised
  • Select the four types of either with care!

Slide 12: Identity & Access Management
Key is to separate Identity Management from Access Management, and audit the activities:
  • Identify: "I am he/she!"
  • Authenticate: "You are indeed!" (or not)
  • Access: "I'd like to do that"
  • Authorisation: "Yes, you are allowed" (or not)
  • Monitor: "What did you do?"
  • Audit: "You did the right things, right!" (or not)

Slide 13: The Cloud Identity Crisis
  • The Cloud won't take off fully without appropriate Identity and Access Management
  • Private Clouds will be able to take advantage of the old Perimeterised Identity and Access Management models
  • Collaborative Clouds will need a significant shift from Enterprise Centric security to User Centric security
  • Clouds also will benefit greatly from the shift from Access by Lists to Access by Claims

Slide 14: Risk Based Access
Current access methods:
  • Do not support business needs / granularity
  • Do not support real cloud working
  • Do not support the move to securing the data
Trust but verify: basic trust models for devices & users exist. But how do you verify environments you do not own? How do you verify that environments you do not own are cleaned up after use?

Slide 15: 2010 Planned / Proposed Work
  • Publish Self Assessment Scheme for RSA
  • Represent Jericho Forum thinking in 2010 RSA Conference
  • Refine linkages to CSA and ENISA, and develop new linkages to other bodies (like ISSA)
  • Identity and Access Management
  • De-perimeterised wireless network implications

Slide 16: A reminder of how we work
[Diagram. Stages: Thought Leadership / Blue-sky thinking; Define Problem; Solutions; Tools. Participation grows from few people 100% occupied, to more people with some vendors (60/40 split), to many people (users & vendors), to the widest Jericho Forum community and non-members. Work streams: De-perimeterisation, COA, Cloud. Participants: Thought Leaders, User Members, Vendor Members, IT / Business Leaders.]

Slide 17: Conclusions
  • De-perimeterisation still a relevant topic with plenty to be highlighted and addressed
  • Commandments remain relevant as we move to cloud issues
  • There is a shift from Enterprise Centric to User Centric IAM
  • There needs to be a shift from ACLs to Claims based access

Slide 18: Questions & Comments

Slide 19: Shaping security for tomorrow's world
www.jerichoforum.org
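The separation on Slide 12 (identify, authenticate, access, authorise, monitor, audit) and the shift from access by lists to access by claims urged on Slides 13 and 17 are easier to reason about in code than on a slide. The following is an added example written for this page, not Jericho Forum material: a constructed identity provider issues a signed assertion about a subject, a relying party authenticates that assertion and then authorises the request either against a per-resource user list (the ACL model) or against a policy over the asserted claims, and every decision is written to an audit record. The HMAC shared secret, the user names, the resource and the policy are all constructed for the demo; a real identity provider would sign assertions with a private key so the relying party could verify but not mint them.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the identity provider and the relying party.
# Stands in for the asymmetric signature a production IdP would use.
IDP_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_claims(subject, claims, key=IDP_KEY, ttl=300, now=None):
    """Identity management: the IdP asserts who the subject is and what is true about them.
    Returns a compact token 'base64(payload).base64(hmac)' valid for ttl seconds."""
    now = time.time() if now is None else now
    body = {"sub": subject, "iat": now, "exp": now + ttl, **claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def authenticate(token, key=IDP_KEY, now=None):
    """Authenticate ('You are indeed!'): verify the assertion is genuine and unexpired.
    Returns the claims dict, or None when the token is malformed, forged or stale."""
    now = time.time() if now is None else now
    try:
        enc_payload, enc_sig = token.split(".")
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:
        return None
    return claims


# Access by lists: each resource names the individual users it admits. Only people the
# resource owner has enrolled can ever get in, which does not scale to partner staff.
ACL = {"project-x/design.doc": {"alice@corp.example"}}  # constructed


def acl_authorise(claims, resource):
    return claims["sub"] in ACL.get(resource, set())


# Access by claims: a policy over attributes the trusted IdP asserted. A collaborator
# qualifies by what is true about them, not by appearing in a locally maintained list.
POLICY = {  # constructed
    "project-x/design.doc": {"project": "project-x", "clearance": {"staff", "partner"}},
}


def claims_authorise(claims, resource):
    rule = POLICY.get(resource)
    if rule is None:
        return False
    return (rule["project"] in claims.get("projects", [])
            and claims.get("clearance") in rule["clearance"])


# Monitor / audit: every decision is recorded, including rejected assertions.
AUDIT_LOG = []


def request_access(token, resource, action, authoriser, now=None):
    """Access request ('I'd like to do that'): authenticate, authorise, record the outcome."""
    claims = authenticate(token, now=now)
    if claims is None:
        AUDIT_LOG.append({"sub": None, "resource": resource, "action": action,
                          "outcome": "rejected:unauthenticated"})
        return False
    allowed = authoriser(claims, resource)
    AUDIT_LOG.append({"sub": claims["sub"], "resource": resource, "action": action,
                      "outcome": "allowed" if allowed else "denied"})
    return allowed


def demo(now=1_000_000.0):
    """Exercise both models on constructed subjects; returns the decision per case."""
    res = "project-x/design.doc"
    alice = issue_claims("alice@corp.example", {"projects": ["project-x"], "clearance": "staff"}, now=now)
    bob = issue_claims("bob@partner.example", {"projects": ["project-x"], "clearance": "partner"}, now=now)
    forged = issue_claims("eve@partner.example", {"projects": ["project-x"], "clearance": "partner"},
                          key=b"not-the-idp-key", now=now)
    stale = issue_claims("alice@corp.example", {"projects": ["project-x"], "clearance": "staff"},
                         now=now - 3600)
    return {
        "alice_acl": request_access(alice, res, "read", acl_authorise, now=now),       # listed: allowed
        "bob_acl": request_access(bob, res, "read", acl_authorise, now=now),           # partner not listed
        "bob_claims": request_access(bob, res, "read", claims_authorise, now=now),     # qualifies by claims
        "forged": request_access(forged, res, "read", claims_authorise, now=now),      # bad signature
        "stale": request_access(stale, res, "read", claims_authorise, now=now),        # expired assertion
    }


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The point the deck makes shows up in the two Bob cases: the same authenticated partner is refused by the list and admitted by the policy, without anyone at the relying party having to enrol him. Authentication failures are audited alongside authorisation decisions so the monitor step sees forged and stale assertions, not just the requests that got through.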