The English are coming...and you need to give them a break. I have.
Back in 2006, after numerous frustrating discussions dating back almost three years without a convincing conclusion, I was quoted in an SC Magazine article titled "World Without Frontiers" which debated quite harshly the Jericho Forum's evangelism of a security mindset and architecture dubbed as "de-perimeterization."
Here's part of what I said:
Some people dismiss Jericho as trying to re-invent the wheel. "While the group does an admirable job raising awareness, there is nothing particularly new either in what it suggests or even how it suggests we get there," says Chris Hoff, chief security strategist at Crossbeam Systems.
"There is a need for some additional technology and process re-tooling, some of which is here already – in fact, we now have an incredibly robust palette of resources to use. But why do we need such a long word for something we already know? You can dress something up as pretty as you like, but in my world that's not called 'deperimeterisation', it's called a common sense application of rational risk management aligned to the needs of the business."
Hoff insists the Forum's vision is outmoded. "Its definition speaks to what amounts to a very technically focused set of IT security practices, rather than data survivability. What we should come to terms with is that confidentiality, integrity and availability will be compromised. It's not a case of if, it's a case of when.
"The focus should be less on IT security and more on information survivability; a pervasive enterprise-wide risk management strategy and not a narrowly-focused excuse for more complex end-point products," he says.
But is Jericho just offering insight into the obvious? "Of course," says Hoff. "Its suggestion that 'deperimeterisation' is somehow a new answer to a set of really diverse, complex and long-standing IT security issues... simply ignores the present and blames the past," he says.
"We don't need to radically deconstruct the solutions universe to arrive at a more secure future. We just need to learn how to appropriately measure risk and quantify how and why we deploy technology to manage it. I admire Jericho's effort, and identify with the need. But the problem needs to be solved, not renamed."
I have stated previously that this was an unfortunate reaction to the marketing of the message and not the message itself, and I've since come to understand what the Jericho Forum's mission and its messaging actually represent. It's a shame that it took me that long, and that others continue to miss the point.
Today Mike Rothman commented on NetworkWorld's coverage of the latest Jericho Forum in New York last week. The article's headline read "U.S. network execs clinging to firewalls," and it seems we're right back on the Hamster Wheel of Pain, perpetuating a cruel myth.
After all this time, the Jericho Forum is still suffering from a failure to communicate -- there is a language gap -- probably due to that allergic reaction we once had to an English King and his wacky ideas about the governance of our "little island." Shame, that.
This is one problem that this transplanted Kiwi-American (same Queen, after all) is motivated to fix.
Unfortunately, the Jericho Forum's message has become polluted and marginalized thanks to the oft-repeated, imprecise suggestion that the Forum recommends folks simply turn off their firewalls and IPSs and plug their systems directly into the Internet, as-is.
That's simply not the case; in fact, the Forum has recognized some of this messaging mess and has both softened and clarified the definition by issuing its "10 Commandments."
You can call it what you like: de-perimeterization, re-perimeterization or radical externalization, but here's what the Jericho Forum actually advocates, which you can read about here:
De-perimeterization explained
The huge explosion in business use of the Web protocols means that:
- today the traditional "firewalled" approach to securing a network boundary is at best flawed, and at worst ineffective. Examples include:
  - business demands that tunnel through perimeters or bypass them altogether
  - IT products that cross the boundary, encapsulating their protocols within Web protocols
  - security exploits that use e-mail and Web to get through the perimeter.
- to respond to future business needs, the breakdown of the traditional distinctions between “your” network and “ours” is inevitable
- increasingly, information will flow between business organizations over shared and third-party networks, so that ultimately the only reliable security strategy is to protect the information itself, rather than the network and the rest of the IT infrastructure
This trend is what we call “de-perimeterization”. It has been developing for several years now. We believe it must be central to all IT security strategies today.
The de-perimeterization solution
While traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of
- encryption
- inherently-secure computer protocols
- inherently-secure computer systems
- data-level authentication
The design principles that guide the development of such technology solutions are what we call our “Commandments”, which capture the essential requirements for IT security in a de-perimeterized world.
I was discussing these exact points today in a session at an Institute for Applied Network Security conference (and as I have before here), wherein I summarized this as the capability to:
Take a host with a secured OS, connect it into any network using whatever means you find appropriate, without regard for having to think about whether you're on the "inside" or "outside." Communicate securely, access and exchange data in policy-defined "zones of trust" using open, secure, authenticated and encrypted protocols.
Did you know that one of the largest eCommerce sites on the planet doesn't even bother with firewalls in front of its webservers!? Why? Because with 10+ Gb/s of incoming HTTP and HTTPS connections on ports 80 and 443 specifically, what would a firewall add that a set of ACLs allowing only ports 80 and 443 through to the webservers cannot?
Nothing. Could a WAF add value? Perhaps. But until then, this is a clear example of a U.S. company that understands there is no value in adding a firewall simply because that's the way it's always been done.
This is a clear example of what the NetworkWorld article describes:
The forum’s view of firewalls is that they no longer meet the needs of businesses that increasingly need to let in traffic to do business. Its deperimeterization thrust calls for using secure applications and firewall protections closer to user devices and servers.
It's not about tossing away prior investment or abandoning one's core beliefs; it's about being honest as to the status of information security/protection/assurance, and adapting appropriately.
Your perimeter *is* full of holes, so what we need to do is fix the problems, not the symptoms.
That is the message.
So consider me the self-appointed U.S. Ambassador to our friends across the pond. The Jericho Forum's message is worth considering and deserves your attention.
/Hoff