
On the security road to 'de-perimeterization'

Jericho Forum is a group dedicated to open standards that make global data sharing and collaboration more secure. Analyst Jon Oltsik suggests a few standards to aid in that effort.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.

I first heard the term "de-perimeterization" back around 2004. This expression was attributed to the Jericho Forum, a group of chief information security officers and industry leaders who anticipated a new business requirement and security challenge. Jericho Forum knew that ubiquitous global connectivity spelled the end of the network "walled garden": private corporate networks protected by perimeter devices like security gateways and firewalls. As more and more organizations opened their networks, developed externally focused applications, and welcomed new, untrusted users, information security was bound to get a lot more difficult.

According to ESG Research, the 2004 Jericho Forum vision is now a solid reality. In a recent survey, 60 percent of enterprises (i.e., organizations with more than 1,000 employees) said they share confidential data with non-employees. In other words, data is flowing beyond the "walled garden" on a regular and increasing basis.

Jericho Forum now makes its home at the Open Group office in Reading, U.K., and is dedicated to open standards that make global data sharing and collaboration more secure. For my part, I fully support this work. Here are a few standards that would help:

  1. Key Management Interoperability Protocol (KMIP). This standard, now being developed at OASIS, is driven by EMC, IBM, Hewlett-Packard, Thales, and a few other vendors. The idea is a single client/server protocol that gives any-to-any connectivity between cryptographic devices or applications and key management systems, instead of a proprietary interface per vendor. This could pave the way for encryption key sharing and key management system communication across disparate organizations.

  2. Open Authentication (OATH). The idea here is to provide a reference architecture for strong authentication (i.e., tokens, smart cards, biometrics, etc.). Good idea, but industry wrangling and politics seem to be holding this one back. I don't really care whether OATH itself succeeds, but we need an open authentication reference model ASAP.

  3. Extensible Access Control Markup Language (XACML). Authentication gets you past the bouncer and into the club. Not everyone who gets inside has equal privileges, however. How do you separate the VIPs from Joe Average? Entitlement management. XACML, an OASIS standard for expressing access control policies in terms of attributes of the subject, resource, and action, has the potential to make entitlement management much easier and more responsive than it is today.
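To make the club analogy concrete, here is an added example (not code from this column or from OASIS) of what an XACML policy decision point actually does: it takes a policy written in terms of subject, resource, and action attributes, a request carrying those attributes, and returns Permit, Deny, or NotApplicable. The policy, role values, and resource names are constructed, and the evaluator handles only a hand-written subset of XACML 3.0 (Target/AnyOf/AllOf/Match with string-equal and deny-overrides); it is not a conforming engine.

```python
"""Toy XACML-style policy decision point (PDP).

Added example, not code from the column or from OASIS. Evaluates a
hand-written subset of the XACML 3.0 vocabulary: Policy, Rule, Target,
AnyOf, AllOf, Match (string-equal only) and deny-overrides rule combining.
Not a conforming engine: no Condition, obligations, Indeterminate results
or other datatypes. Policy, roles and resource names below are constructed.
"""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"   # id used by the XACML RBAC profile
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def _m(category, attr_id, value):
    """Render one <Match>: the named attribute must string-equal `value`."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{XS_STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{XS_STRING}" MustBePresent="false"/></Match>')


# Constructed policy for the "club" analogy: anyone past the bouncer may read
# the price list, only the VIP role may read the contract archive, and nobody
# may delete anything through this channel.
POLICY = f"""<Policy xmlns="{NS}" PolicyId="club-floor" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="nobody-deletes" Effect="Deny">
    <Target><AnyOf><AllOf>{_m(ACTION, ACTION_ID, 'delete')}</AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="anyone-reads-pricelist" Effect="Permit">
    <Target><AnyOf><AllOf>{_m(ACTION, ACTION_ID, 'read')}{_m(RESOURCE, RESOURCE_ID, '/pricelist')}</AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="vip-reads-contracts" Effect="Permit">
    <Target><AnyOf><AllOf>{_m(ACTION, ACTION_ID, 'read')}{_m(RESOURCE, RESOURCE_ID, '/contracts')}{_m(SUBJECT, ROLE, 'partner-vip')}</AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def _tag(name):
    return f"{{{NS}}}{name}"


def _match_applies(match, request):
    """A Match holds if the request's attribute bag contains the literal value."""
    wanted = match.find(_tag("AttributeValue")).text
    desig = match.find(_tag("AttributeDesignator"))
    bag = request.get(desig.get("Category"), {}).get(desig.get("AttributeId"), [])
    return wanted in bag


def _target_applies(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing or empty Target matches every request."""
    if target is None:
        return True
    return all(
        any(all(_match_applies(m, request) for m in allof.findall(_tag("Match")))
            for allof in anyof.findall(_tag("AllOf")))
        for anyof in target.findall(_tag("AnyOf")))


def decide(policy_xml, request):
    """Return Permit, Deny or NotApplicable using simplified deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if not _target_applies(policy.find(_tag("Target")), request):
        return "NotApplicable"
    effects = {rule.get("Effect") for rule in policy.findall(_tag("Rule"))
               if _target_applies(rule.find(_tag("Target")), request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"   # an enforcement point should treat this as a denial


def request(subject_id, roles, resource_id, action_id):
    """Build a request context: attribute bags keyed by category, then attribute id."""
    return {
        SUBJECT: {SUBJECT_ID: [subject_id], ROLE: list(roles)},
        RESOURCE: {RESOURCE_ID: [resource_id]},
        ACTION: {ACTION_ID: [action_id]},
    }


if __name__ == "__main__":
    for who, roles, res, act in [("joe", ["partner"], "/pricelist", "read"),
                                 ("joe", ["partner"], "/contracts", "read"),
                                 ("ada", ["partner-vip"], "/contracts", "read"),
                                 ("ada", ["partner-vip"], "/contracts", "delete")]:
        print(who, act, res, "->", decide(POLICY, request(who, roles, res, act)))
```

The design point for a de-perimeterized world is that the policy is written once against attributes (role, resource, action) rather than against network location, and the same decision can be enforced by any gateway, application, or partner system that can carry those attributes to the decision point.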

This is just a sample. Please comment on others that should be included on a more exhaustive list.

We also need standard tags for data classification and confidential data security policy enforcement. If an Excel spreadsheet contains Social Security numbers, the file should carry a standard metadata tag that tells operating systems, e-mail systems, and gateway filters to take special actions, such as encrypting the file or preventing a user from copying it to a USB drive. This type of standard would make enterprise rights management far more mainstream. If Microsoft and Adobe Systems teamed up, they could really accelerate a standard in this area.
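As an added illustration of the tag-then-enforce model (not code from this column or from any vendor product), the following classifies a file's content once, attaches a classification tag, and lets each enforcement point act on the tag rather than re-inspecting the content. The tag names, channel names, enforcement matrix, and sample spreadsheet exports are constructed; the Social Security number structure rules are the Social Security Administration's published ones and are there to keep a bare digit pattern from tagging every nine-digit dashed number as confidential.

```python
r"""Classify a file by content and enforce a per-channel policy on the tag.

Added illustration, not code from the column or any vendor product. Tag
names, channel names, the enforcement matrix and the sample files are
assumptions. The SSN structure rules (area 000, 666 and 900-999, group 00
and serial 0000 are never issued) follow the Social Security Administration
and cut the false positives of a bare \d{3}-\d{2}-\d{4} pattern.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and not 900 <= a <= 999 and g != 0 and s != 0


def find_ssns(text):
    """Return the SSN-shaped tokens in `text` that pass the structure rules."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def classify(text):
    """Return the tag that would travel with the file as metadata."""
    hits = find_ssns(text)
    if hits:
        return {"classification": "confidential", "reason": f"{len(hits)} SSN(s) found"}
    return {"classification": "public", "reason": None}


# Constructed enforcement matrix keyed by (classification, channel). Each
# enforcement point (mail gateway, endpoint agent) consults the tag, not the
# content, so the expensive inspection happens once at classification time.
ENFORCEMENT = {
    ("confidential", "email-internal"): "allow",
    ("confidential", "email-external"): "encrypt",
    ("confidential", "usb-copy"): "block",
    ("public", "email-internal"): "allow",
    ("public", "email-external"): "allow",
    ("public", "usb-copy"): "allow",
}


def enforce(tag, channel):
    """Decide the action for a tagged file on a channel; unknown pairs fail closed."""
    return ENFORCEMENT.get((tag["classification"], channel), "block")


# Constructed spreadsheet exports: one plausible SSN, one that can never be issued.
PAYROLL_CSV = "name,ssn,salary\nAda,123-45-6789,91000\nBob,000-12-3456,88000\n"
PRICE_CSV = "sku,price\nA100,19.99\nB200,29.99\n"

if __name__ == "__main__":
    for name, text in [("payroll.csv", PAYROLL_CSV), ("prices.csv", PRICE_CSV)]:
        tag = classify(text)
        actions = {ch: enforce(tag, ch) for ch in ("email-external", "usb-copy")}
        print(name, tag, actions)
```

The point a standard tag would settle is the wire format of that `tag` dictionary, so that a spreadsheet classified on one vendor's endpoint is treated as confidential by another vendor's mail gateway; the fail-closed default in `enforce` is what you want for a channel the policy author never listed.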

Jericho Forum was spot on in 2004, but as an industry we are still dragging our feet. If this continues, the security industry could actually become a real, not just a perceived, business bottleneck.