This is the start of a number of articles designed to explain the Jericho Forum commandments from a more practical standpoint. The Jericho Forum originally adopted the concept of ‘de-perimeterisation’ a few years ago, which in essence said that the security edge of a corporation was no longer necessarily where the firewall resided physically, and so an alternative approach was needed.
Today, with the advent of cloud computing and IT consumerisation, the commandments and de-perimeterisation have never seemed more relevant. If IT has spread beyond traditional boundaries then so too have its users. How many different usernames and passwords do you have? A couple, tens or even hundreds?
From a corporate perspective it is no longer about systems but about the data. Users require access to information from different devices and locations, and those users may be employees or consultants or even customers. How is an organisation going to ensure that the information is kept safe in this new world?
The answer is identity: that is, the identity of the user (requesting access) and of the device (being used for access). Currently the model is username/password, after which the user has access to everything they are allowed to see and use. The new Jericho Forum commandment model, however, talks about entitlement, which adds further conditions that must be met before access to the data or device is given.
For example, if a user is sitting in an Internet cafe, logging in to an Internet Bank account, a new restriction would be that they can only transfer money to known accounts, whereas from home the same user would have more leeway. A user's entitlement to functions is no longer black and white and can now be different shades of grey based on the risk profile and location.
For this to happen, each user must have additional attributes that the system can work with. Currently all systems have their own databases of information containing a name, email address, username, password and all sorts of information, which is why most people now have so much to remember.
In the new world, what if we could remove all that and replace it with a de-perimeterised identity? Then users would have one set of attributes for marketing websites, another for shopping and another for banking. These sets of attributes are what Jericho refers to as ‘personas’. Some of the information is shared, but importantly some of it is not. So, your email address might be common to all of them, but your credit card details would only be part of the ‘shopping’ persona. This would make life much easier to manage.
From a corporate perspective, the effect would be that instead of holding copious quantities of personal data, the company would rely on a service which held it for them. The company would hold only a reference to a persona provided by the user - no more data to lose. More importantly, if the attributes were verified - let’s say they confirm education, address and bank details - then that person could be given a job more rapidly. In a collaborative cloud world that would be a benefit, because short-term contracts of even a few hours could become possible.
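As an added illustration, not part of the original article, the persona and entitlement ideas above in a small Python model: a core identity shared by every persona, per-persona attributes that are deliberately not shared, and an entitlement check that narrows the banking functions available as location and device risk rise. The user name, locations, account identifiers and card token are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): a core identity shared by
# every persona, plus attributes that belong to one persona only.
CORE_IDENTITY = {"email": "alice@example.invalid"}

PERSONAS = {
    "marketing": {"newsletter_opt_in": True},
    "shopping": {"card_token": "tok_demo_0000"},          # placeholder token
    "banking": {"known_accounts": {"ACCT-SAVINGS", "ACCT-LANDLORD"}},
}

# Location feeds the risk profile; anything unrecognised is treated as high risk.
LOCATION_RISK = {"home": "low", "office": "low", "internet_cafe": "high"}


def persona_view(name):
    """What a relying party receives: the core identity plus that persona's
    own attributes, and nothing from the other personas."""
    return {**CORE_IDENTITY, **PERSONAS[name]}


@dataclass
class Context:
    user: str
    location: str
    device_managed: bool   # identity of the device, not only of the user


def risk_level(ctx):
    """High risk if the device is unknown or the location is untrusted."""
    if not ctx.device_managed:
        return "high"
    return LOCATION_RISK.get(ctx.location, "high")


def entitled(ctx, action, payee=None):
    """Entitlement decision for the banking persona: the same user gets a
    narrower set of functions as the risk profile rises."""
    risk = risk_level(ctx)
    if action == "view_balance":
        return True                      # read-only: allowed at any risk level
    if action == "transfer":
        if risk == "low":
            return True                  # from home: any payee
        known = persona_view("banking")["known_accounts"]
        return payee in known            # from a cafe: known payees only
    return False                         # unknown action: deny by default
```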
So the Jericho Forum commandments are really a set of principles which will enable scalability and effectiveness of identity for both individuals and organisations in the future without compromising an individual’s core identity and privacy.
More on this next time.
Guy Bunker, Jericho Forum board member