I’m going to continue looking at the Jericho Forum’s concept of de-perimeterization (god, that’s a bitch to type…) and its commandments. In this “chunk,” I’m taking the “de-perimeterization solution” section of their main page.
While traditional security solutions like network boundary technology will continue to have their roles, we must respond to their limitations. In a fully de-perimeterized network, every component will be independently secure, requiring systems and data protection on multiple levels, using a mixture of:
I like that they concede that boundary technology will continue to have their roles. They don’t stress this enough to address the knee-jerk reaction they get of “oh my god they want us to remove our firewalls!” Sadly, they follow this up with saying every component needs to be independently secure. Ugh…why bother with the first statement, then? Is that network boundary only good for logging now? I think this is a great goal, however, but it should be the juxtaposition of these two ideas: strong boundary with strong systems. This is called defense in depth, which Jericho Forum is seemingly avoiding in exchange for their more dramatic “de-perimeterization” term.
-encryption
-inherently-secure computer protocols
-inherently-secure computer systems
-data-level authentication
That first item is good, but it definitely is a fly in being able to monitor your networks. The role of encryption alone is powerful enough to shape the direction of security for the coming 50 years. They have a big point with this, and if it continues, the effect will be a de-perimeterization for deeper level attacks which we just won’t be able to decrypt and inspect without each system becoming an island fortress. Yikes!
The middle two…just make me sigh in bliss. I wish we could do that, but it won’t happen. Even things we think are inherently secure today have holes found years from now. This is an ideal, and just won’t happen because we’re not perfect, but more importantly because it is not economical for most of business. The software and web developer industries are excellent illustrations that there is not enough drive to get things secure up front. The drive is to get things done first, prove that it can make the company money, and later scramble for an SDLC that includes security testing and design near the start. Unless the world turns topsy-turvy in the next 50 years, I just can’t see this changing; it’s a basic effect of technology, progress, and change.
I’m not sure what is meant by “data-level authentication.” Does this mean the data will inherently authenticate users accessing it? I can only guess at this one. It sounds catchy, but could be just empty speak.
The design principles that guide the development of such technology solutions are what we call our “Commandments”, which capture the essential requirements for IT security in a de-perimeterized world.
Great!
jericho 1 – de-perimeterization and the jericho forum commandments
jericho 2 – the jericho forum and the de-perimeterization solution
jericho 3 – the first three commandments: the fundamentals
jericho 4 – commandments 4 – 8
jericho 5 – commandments 9-11
jericho 6 – my conclusions