The Jericho Forum expects to disband within two years when it anticipates that its work on de-perimeterisation will be done.
But over the coming 12 months, the organisation plans to make a concerted push to evangelise its message in the US and to work with a range of universities to develop modules on the subject.
The basic premise of the forum is that the traditional "firewalled" approach to securing a network boundary is at best flawed, and at worst ineffective.
Instead of simply focusing on defending the network boundary of an enterprise, the Forum’s commandments argue for a fully de-perimeterised network where every component is independently secure, requiring systems and data protection on multiple levels, using a mixture of encryption, inherently-secure computer protocols and systems and data-level authentication.
Paul Simmonds, co-founder and board member of the Forum, which was set up in early 2005, explains: “We agreed at the outset that we wouldn’t let the Jericho Forum morph into another ‘let’s discuss security forum’. Our aim is to plan for our own demise, and our measure of success ultimately is to disband when we’ve achieved our goals. My hope is that we’re two years away from that.”
A key plank in achieving this aim is raising awareness of the concept in the US. While the majority of security practitioners in Europe have an opinion on de-perimeterisation - whether they agree with it or not - Simmonds indicates that the ratio in the US is more like one in five.
“We have a number of plans underway, but we’re still sounding people out in terms of the best way to move forward. What we’re putting in place is, in effect, US co-ordination. It’s going to be facilitation for Jericho Forum members to collaborate in their own time zone,” he says.
The reason for the US focus is simple. “The computer industry is driven by large US companies”. As a result, local members will be encouraged to put pressure on large US vendors to take on board the de-perimeterisation message and incorporate the principles behind its architectural blueprint into their offerings.
The forum is now entering its third year and the aim “is to have the vendors stepping up and saying ‘here are the solutions you require’. The end-game was always about getting the vendors to produce solutions that we could deliver to the business,” Simmonds says.
The first year was about defining the business problem and increasing awareness of it, while year two was about defining how to tackle the issue by publishing the architectural blueprint and various positioning papers. As a result, if organisations architect their infrastructure properly today, they “can probably get well in excess of 80 to 90 per cent of the way there”, Simmonds believes.
But another important means of moving de-perimeterisation into the mainstream is to work with universities to ensure that the topic is on the curriculum.
The Forum already has the Universities of Kent and Auckland in New Zealand as well as Macquarie University in Australia and the Republic Polytechnic in Singapore on its membership list, but is also talking to others with which it has formal relationships.
“It’s a thought exercise at the moment, but we’re doing a bit of work on education and training for future generations,” Simmonds explains. “We want to work with some of the leading universities to develop a pro-forma module that they can take and tailor around ‘architecting for a de-perimeterised future’.
“If this works, the objective is to use the module for the professional development and training of existing security personnel.”
What is de-perimeterisation?
De-perimeterisation involves creating a secure architecture to help safeguard core systems and data against leakage using a defence-in-depth approach. This means that the emphasis is on organisations defending sensitive corporate data and data flows rather than focusing the majority of their security efforts at the network boundary to protect the systems within.
The idea is that, if such systems and data are protected effectively, internal staff, remote workers and external stakeholders should be able to securely exploit public infrastructure and services such as the internet in order to access the systems and information they need and to collaborate with each other.