Jericho co-founder Paul Simmonds, head of security at chemical giant ICI plc, told an audience of over 100 chief security officers yesterday that current perimeter security systems are failing to protect data, and better technologies are needed.
We’ve lost the war on security, Simmonds said at the first CSO Interchange gathering in San Francisco yesterday. Look at where all the decent exploits are, they’re coming in through email and the web.
Perimeter security products, such as firewalls, are not effective at stopping threats, and act more as sieves to keep the lumps out he told reporters. Lumps being overt script kiddies, and the general background noise of the internet.
Jericho is expounding the concept of the de-perimeterized network, and intends to be an influential pressure group, urging security vendors to deemphasize the perimeter and make their products more interoperable.
In effect, organizations already have abandoned the perimeter, Jericho suggests. There are few companies not connected to partners, remote workers and branch offices via the internet. ICI has over 3,000 external connections, Simmonds said.
Jericho’s plan is to create frameworks and maps of how security products interrelate, and to encourage vendors to improve interoperability. A rough four phases to de-perimeterization’ idea has been sketched out.
In a nutshell, the plan calls for ubiquitous transport and data level encryption, connection level authentication and data level authentication. Simmonds said this latter technology is fairly high-concept and maybe four to ten years away.
Simmonds told ComputerWire that interoperability is also crucial. Jericho plans to release framework documents into which products can be inserted to illustrate their interdependencies, he said. Vendors will be expected to provide compatibility, he said.
Jericho currently has about 50 organizations participating, including Boeing, Proctor & Gamble, the BBC, Pfizer, GlaxoSmithKline, Deutsche Bank, Credit Suisse First Boston, the Royal Mail and the UK Cabinet Office.
Support in the US, where most of the software industry is based, is critical. Just as important will be the support of national governments, which can leverage their vast purchasing power to influence product development.
Jericho has secured the implicit support of vulnerability scanning firm Qualys Inc, which is hosting the CSO Interchange, and, by extension, of Qualys director Howard Schmidt, an influential player in security groups and a former White House advisor.
It seems likely that the Schmidt-led Global CSO Council, a think tank comprised of a dozen CSOs from major US corporations, will shortly express support for Jericho’s goals. Schmidt suggested as much at the Interchange event yesterday.
