The British Are Coming! In Defense (Again) of the Jericho Forum…
Back in 2006, after numerous frustrating discussions dating back almost three years without a convincing conclusion, I was quoted in an SC Magazine article titled "World Without Frontiers" which debated quite harshly the Jericho Forum’s evangelism of a security mindset and architecture dubbed as "de-perimeterization."
Here’s part of what I said:
Some people dismiss Jericho as trying to re-invent the wheel. "While the group does an admirable job raising awareness, there is nothing particularly new either in what it suggests or even how it suggests we get there," says Chris Hoff, chief security strategist at Crossbeam

"There is a need for some additional technology and process re-tooling, some of which is here already – in fact, we now have an incredibly robust palette of resources to use. But why do we need such a long word for something we already know? You can dress something up as pretty as you like, but in my world that’s not called ‘deperimeterisation’, it’s called a common sense application of rational risk management aligned to the needs of the business."

insists the Forum’s vision is outmoded. "Its definition speaks to what amounts to a very technically focused set of IT security practices, rather than data survivability. What we should come to terms with is that confidentiality, integrity and availability will be compromised. It’s not a case of if, it’s a case of when.

The focus should be less on IT security and more on information survivability; a pervasive enterprise-wide risk management strategy and not a narrowly-focused excuse for more complex end-point products," he says.

But is Jericho just offering insight into the obvious? "Of course," says Hoff. "Its suggestion that "deperimeterisation" is somehow a new answer to a set of really diverse, complex and long-standing IT security issues… simply ignores the present and blames the past," he

"We don’t need to radically deconstruct the solutions universe to arrive at a more secure future. We just need to learn how to appropriately measure risk and quantify how and why we deploy technology to manage it. I admire Jericho’s effort, and identify with the need. But the problem needs to be solved, not renamed."
I have stated previously that this was an unfortunate reaction to the marketing of the message and not the message itself, and I’ve come to understand what the Jericho Forum’s mission and its messaging actually represents. It’s a shame that it took me that long and that others continue to miss the point.
Today Mike Rothman commented about NetworkWorld’s coverage of the latest Jericho Forum in New York last week. The byline of the article suggested that "U.S. network execs clinging to firewalls" and it seems we’re right back on the Hamster Wheel of Pain, perpetuating a cruel myth.
After all this time, it appears that the Jericho Forum is apparently still suffering from a failure to communicate — there exists a language gap — probably due to that allergic issue we had once to an English King and his wacky ideas relating to the governance of our "little island." Shame, that.
This is one problem that this transplanted Kiwi-American (same Queen after-all) is motivated to fix.
Unfortunately, the Jericho Forum’s message has become polluted and marginalized thanks to a perpetuated imprecise suggestion that the Forum recommends that folks simply turn off their firewalls and IPS’s and plug their systems directly into the Internet, as-is.
That’s simply not the case, and in fact the Forum has recognized some of this messaging mess, and both softened and clarified the definition by way of the issuance of their "10 Commandments."
You can call it what you like: de-perimeterization, re-perimeterization or radical externalization, but here’s what the Jericho Forum actually advocates, which you can read about here:
The huge explosion in business use of the Web protocols means that:
- today the traditional "firewalled" approach to securing a network boundary is at best flawed, and at worst ineffective. Examples include:
  - business demands that tunnel through perimeters or bypass them altogether
  - IT products that cross the boundary, encapsulating their protocols within Web protocols
  - security exploits that use e-mail and Web to get through the perimeter.
- to respond to future business needs, the break-down of the traditional distinctions between “your” network and “ours” is inevitable
- increasingly, information will flow between business organizations over shared and third-party networks, so that ultimately the only reliable security strategy is to protect the information itself, rather than the network and the rest of the IT infrastructure

trend is what we call “de-perimeterization”. It has been developing for several years now. We believe it must be central to all IT security

The de-perimeterization solution

traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of
- inherently-secure computer protocols
- inherently-secure computer systems
- data-level authentication
The design principles that guide the development of such technology solutions are what we call our “Commandments”, which capture the essential requirements for IT security in a de-perimeterized world.
Take a host with a secured OS, connect it into any network using whatever means you find appropriate, without regard for having to think about whether you’re on the "inside" or "outside." Communicate securely, access and exchange data in policy-defined "zones of trust" using open, secure, authenticated and
Did you know that one of the largest eCommerce sites on the planet doesn’t even bother with firewalls in front of its webservers!? Why? Because with 10+ Gb/s of incoming HTTP and HTTP/S connections arriving specifically on ports 80 and 443, what would a firewall add that a set of ACLs allowing only ports 80/443 through to the webservers cannot?
Nothing. Could a WAF add value? Perhaps. But until then, this is a clear example of a U.S. company that understands there is no value in adding a firewall just because that’s the way it’s always been done.
From the NetworkWorld article, this is a clear example of the following:
The forum’s view of firewalls is that they no longer meet the needs of businesses that increasingly need to let in traffic to do business. Its deperimeterization thrust calls for using secure applications and firewall protections closer to user devices and servers.
It’s not about tossing away prior investment or abandoning one’s core beliefs; it’s about being honest as to the status of information security/protection/assurance, and adapting appropriately.
Your perimeter *is* full of holes, so what we need to do is fix the problems, not the symptoms.
That is the message.
So consider me the self-appointed U.S. Ambassador to our friends across the pond. The Jericho Forum’s message is worth considering and deserves your attention.