Redefining the enterprise security perimeter
By Nishant Kaushik on Sep 12, 2007
Yesterday I got to speak at an interesting conference hosted by the Jericho Forum. I talked about them in a post last week, but after spending some time with executives of the group and listening to them speak at the conference, I have a better understanding of their goals. They are noble goals, and like all things noble, they are going to be hard.
The members of the Jericho Forum are senior information security managers from large organizations like Boeing, ICI and Standard Chartered that have reached the conclusion that the state of security today is fundamentally at odds with the business needs of their organizations. Innovation and security have become mutually exclusive, and traditional security mechanisms have become increasingly complex, flawed and vulnerable as a result. The goal of the forum is de-perimeterisation (a lot of speakers stumbled on trying to pronounce that one), which some analysts and press folk have interpreted to mean the removal of the security perimeter and the death of firewalls. But that is way off-base.
As the forum members are fond of saying, the current idea of concentrating all security at the network perimeter has created an enterprise environment that looks like a single hard shell around a soft chewy center (an analogy that was used so much during the day that I developed a hankering for some Ferrero Rocher). Their idea is to bring security closer to the data and the services it is trying to protect, so that corporate networks can be safely opened up to customers, suppliers, partners and, essentially, the internet. They are looking to influence the development of security standards and produce blueprints for enterprise architectures that will make this possible.
It was in this context that I talked about Identity as a Service. The idea of externalizing identity into a service layer in enterprise architecture seemed to resonate with the group. It makes identity a key security artifact on which to base security decisions wherever they need to be made, so that security can be enforced at the network perimeter, at the application perimeter, or even at the data store perimeter. At the same time, it provides centralized management of security policies and scalable management of the massively distributed identity data that is part of this architecture. I was actually able to pull together a slide that mapped the fundamentals of de-perimeterisation to the fundamentals of IDaaS.
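To make the pattern concrete, here is an added illustration (not code from the original post, from the Jericho Forum or from any IDaaS product): an identity service mints a signed identity assertion, and two separate enforcement points, one at the application perimeter and one at the data store perimeter, each verify that assertion and consult one central policy table before acting. Neither point looks at where the request came from on the network. Everything in it is constructed for the example: the HMAC key shared between issuer and verifiers (a real deployment would use asymmetric signatures so that enforcement points cannot mint tokens), the `POLICY` table, the `ORDERS` sample data and the function names.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for this illustration: one symmetric key shared by the identity
# service and every enforcement point. A production IDaaS would sign with a
# private key and publish the public key.
IDP_KEY = b"constructed-demo-key-not-for-real-use"

# Central policy store (constructed): (role, resource, action) -> allowed.
# Managed in one place, consulted from every perimeter.
POLICY = {
    ("employee", "orders", "read"): True,
    ("employee", "orders", "write"): True,
    ("partner", "orders", "read"): True,
}

# Constructed sample data store.
ORDERS = [
    {"id": 1, "owner": "alice", "amount": 10},
    {"id": 2, "owner": "bob", "amount": 20},
]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, role: str, ttl: int = 300, now=None) -> str:
    """Identity service: mint an HMAC-signed identity assertion with an expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "role": role, "exp": now + ttl}
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(sig)}"


def verify_token(token: str, now=None):
    """Enforcement-point side: return the claims if signature and expiry hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, TypeError):  # malformed token, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def decide(claims: dict, resource: str, action: str) -> bool:
    """Policy decision point: the single rule set every perimeter asks."""
    return POLICY.get((claims.get("role"), resource, action), False)


def data_store_read(claims: dict) -> list:
    """Data-store perimeter: re-checks identity and policy itself instead of
    trusting that the application in front of it already did."""
    if not decide(claims, "orders", "read"):
        return []
    if claims["role"] == "partner":  # partners only see their own orders
        return [r for r in ORDERS if r["owner"] == claims["sub"]]
    return list(ORDERS)


def api_handler(token, action: str, source_ip: str) -> dict:
    """Application perimeter. source_ip is recorded but never used for the
    decision: a request from the corporate LAN with no identity is refused,
    a request from the internet with a valid assertion is served."""
    claims = verify_token(token) if token else None
    if claims is None:
        return {"status": 401, "reason": "no valid identity", "from": source_ip}
    if not decide(claims, "orders", action):
        return {"status": 403, "reason": "policy denies", "from": source_ip}
    rows = data_store_read(claims) if action == "read" else []
    return {"status": 200, "rows": rows, "from": source_ip}


if __name__ == "__main__":
    print(api_handler(None, "read", "10.0.0.5"))                                 # 401 despite LAN origin
    print(api_handler(issue_token("alice", "employee"), "read", "203.0.113.7"))  # 200, all orders
    print(api_handler(issue_token("bob", "partner"), "read", "198.51.100.9"))    # 200, bob's order only
    print(api_handler(issue_token("bob", "partner"), "write", "198.51.100.9"))   # 403
```

The point of the two separate checks is the "soft chewy center" problem: if only `api_handler` verified identity, anything that reached the data store by another path (a batch job, a misconfigured internal host, a compromised application server) would be trusted by virtue of being inside. With the data store consulting the same policy on the same identity assertion, opening the application to partners on the internet does not widen what the data layer exposes.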
It was kind of cool to be part of a speaker lineup that included Bill Cheswick, a firewall pioneer from his days at Bell Labs, and Carl Ellison of Microsoft. The Jericho Forum is quite well known in Europe (where most of their members come from) but is relatively unknown here in the States, and this conference was a good first step towards introducing them to the US market. They are a good group to get involved with if you are passionate about enterprise architecture. And they make everything that they produce available for free on their website, where you can also get all the presentations that were given yesterday, including mine (I have also provided a direct link to mine on my Speaking Engagements + Media Library page).