FireStarter: Nasty or Not, Jericho Is Irrelevant

By Mike Rothman | March 29, 2010

It seems the Jericho Forum is at it again. I’m not sure what it is, but they are hitting the PR circuit talking about their latest document, a Self-Assessment Guide. Basically this is a list of “nasty” questions end users should ask vendors to understand if their products align with the Jericho Commandments.

If you go back and search on my (mostly hate) relationship with Jericho, you’ll see I’m not a fan. I thought the idea of de-perimeterization was silly when they introduced it, and almost everyone agreed with me. Obviously the perimeter was changing, but it clearly was not disappearing. Nor has it.

Jericho fell from view for a while and came back in 2006 with their commandments, most of which are patently obvious. You don’t need Jericho to tell you that the “scope and level of protection should be specific and appropriate to the asset at risk.” Do you? Thankfully Jericho is there to tell us “security mechanisms must be pervasive, simple, scalable and easy to manage.” Calling Captain Obvious.

But back to this nasty questions guide, which is meant to isolate Jericho-friendly vendors. Now I get asking some technical questions of your vendors about trust models, protocol nuances, and interoperability. But shouldn’t you also ask about secure coding practices and application penetration tests? Which is a bigger risk to your environment: the lack of DRM within the system or an application that provides root to your entire virtualized datacenter?

So I’ve got a couple questions for the crowd:

  1. Do you buy into this de-perimeterization stuff? Have these concepts impacted your security architecture in any way over the past ten years?

  2. What about cloud computing? I guess that is the most relevant use case for Jericho’s constructs, but they don’t mention it at all in the self-assessment guide.

  3. Would a vendor filling out the Jericho self-assessment guide sway your technology buying decision in any way? Do you even ask these kinds of questions during procurement?

I guess it would be great to hear if I’m just shoveling dirt on something that is already pretty much dead. Not that I’m above that, but it’s also possible that I’m missing something.

13 Comments

Mike Rothman 2010-04-09
What Rich said... He is much more diplomatic, which is why I am becoming accustomed to letting him clean up my messes and leave everyone with a smile on their faces. But alas, some of the perspectives need to be clarified. First of all @adrius42, who I presume is Adrian Seccombe, I don't write stuff to be controversial. And amazingly enough, I'm that guy that actually believes what I write. I do believe that Jericho is largely irrelevant as a thought construct, and I think all of your considerable talents (yes, that means you @Paul Simmonds and @Andrew Yeomans) would be better suited by moving past Jericho and thinking more holistically about how to solve the problem of information-centric security. Sorry @Jim Hietala, I know you'll end up holding the Open Group bag, but oh well. I just don't think the concept of Jericho is viable, and yes that is my opinion. Now to be clear, and something I stated in the post - Jericho did call out the fact that the perimeter was changing. It clearly didn't change as much as they bet, and as a result ended up looking like Chicken Little for the most part, but now is the time to apply that kind of thought-leadership to how we protect the **data**, not just make sure our current applications use secure protocols and adhere to some kind of realistic trust model. Yes, those are incremental steps, but we don't need groups of smart guys spending a lot of time evangelizing incremental steps. We need a group of thought leaders to examine how we will get to the true concept of information-centric security. It's about securing the fundamental element of data, regardless of where that data resides and how it is consumed. The so-called "inside out" approach, which I believe in. It's not about de-perimeterization or re-perimeterization or perimeters at all. The network clearly cannot provide all the protection one needs, nor have we ever said that. 
In the emerging (5-7 years) cloud based reality, we don't know where the data is, we don't know how it will be consumed, and we certainly can't assume what computing platforms will be in play. The Cloud Security Alliance, assisted by the politically correct Mr. Mogull and a lot of other smart guys, are doing good work to illustrate the problems. But it's about more than just protecting data stored in the cloud. I think we all realize that. And to highlight your point Andrew, we guys at Securosis are happy to help drive this thought leadership and brainstorm some architectural constructs for how this new world order will look. I just don't think it's interesting to undertake such an effort under the auspices of Jericho. The good news is that some guys have a bit of experience in positioning big ideas for broad market consumption without alienating lots of folks in the process. More good news is that we can look to the early days of Jericho for valuable lessons in what not to do relative to driving ideas that will be uncomfortable for a lot of folks. Although it would be fun to debate (I'm always up for an intellectual scrap), I think it would be much more productive to brainstorm. If that's of interest, we can work on getting something set up. You know where to find us.
John Arnold 2010-04-09
I'm not sure what the criticism is here. Are our commandments too obvious? Everything's obvious when someone's explained it to you. Are we not making enough noise? Perhaps not, but that has nothing to do with whether we're right or not. Thanks anyway for giving us some free publicity! Nearly every competent security person I talk to about Jericho and de-perimeterisation gets it immediately. What to do about it? Please remember that we're a user organisation rather than a vendor organisation. I see our job as being to whinge when things are wrong rather than to develop the solution. The solution is a 10-year or 20-year project and Jericho can't solve it on its own.
Paul Simmonds 2010-04-07
Having just read the RFI response from a major software vendor, whose marketing B***S*** manages to side-step all the questions designed to get to the bottom of "is this secure", then the answer is YES, we do need the nasty questions. More importantly they may be obvious but we as purchasers are not asking them, and the vendors are not volunteering the information (mainly because what they supply is inherently insecure). And then we wonder why we are in the state we are in??
Rich 2010-04-07
Adrius42 (Adrian?), Mike is out so I'll drop a quick response and I know he plans on responding as well since it's his post. For myself I've read nearly everything you have published, and if you are the Adrian I think you might be we've talked in person and shared the stage for at least one event. None of us here believes that firewall-centric security is the answer. If you read our content, as we've read yours, that will be clear. The issue is how Jericho communicates that, and the lack of specifics that the industry craves. We've been writing about specific architectures to implement information-centric security and about secure application development and collaboration for years. Deperimeterization is simply a silly term: this is about collapsing and moving perimeters, and using "de" demeans what I think is your goal and creates a bunch of confusion. By clinging to branding and not providing specifics, such as implementable reference architectures and real world use cases, you are hurting your own positions. My personal criticisms of Jericho have always been around the terminology and lack of details issues. I won't argue that the traditional concept of a perimeter is long dead, but neither will any serious security folks. In terms of identity that's one interesting perimeter, but realistically the OS/VM and Data are where they are really collapsing to, with Identity being a key component to properly associate security controls on those perimeters. Don't assume that because we criticize you that we believe in stale security mantras. Read our stuff, we read yours. To be honest, we've published far more practical guidance on actually implementing for this new world than Jericho, and I for one really wish you would step a level down to provide users the guidance they crave. You could do a heck of a lot of good, and have the right people and thinking, to pull that off.
Adrius42 2010-04-06
As with all good bloggers the best thing to do to get noticed is be controversial. I am sitting here wondering if you really do believe what you typed or you just wanted to start the fire to get some "well deserved?" Blog Hits. After all that was the name of the piece. Did you attend this year's RSA? If you did then the widespread recognition for the underlying shift in thinking must have passed you by. The tide has quietly turned on you, while it used to be quite hip to bash Jericho Forum thinking as being the foolish dismantling of firewalls, which it never actually was... more folks are coming to realise that IT architectures that are designed from the outset to enable organisations to securely interact might just add economic value. Have you read of the Jericho Forum's Cloud Cube Model? Which of the Jericho Forum Commandments do you disagree with? Do you really believe that the only use case for architectures that enable collaboration and protect information when it is outside the "Corporate Walls" is the "Public Cloud" whatever that is?! Have you actually read the Jericho Forum Commandments? The Jericho Forum is a group founded by a bunch of CISOs that are working to get across the need to change the mindset and have IT Vendors of all stripes deliver products and services that "Enable Collaboration" not stifle it. The group does not intend to design and build such new services, more help the world understand the need for them. After much thought, if you are not simply wanting to boost blog hits, I suspect you might be one of those that believe that the Network provides ALL the security anyone needs, in which case yes, Jericho Forum thinking will be a little hard for you to swallow. I am happy to discourse further. The Jericho Forum is currently working on the concept of Identity (or more correctly Credentials) being the new Perimeter. Of course as always the Network will have a part to play, which is as a transport! And yes I am a member of said group.
And I do believe in securing from the inside-out, rather than the outside-in. The trouble with bolt-on security is that it can too easily be unbolted. PS Having read your various blog posts I see you as a pragmatic security player, ie take what we have here and use it. The Jericho Forum takes a different approach, take what we have here and improve it. Look forward to a more effective dialogue, what about on a Panel at RSA in London this year?
Jim Hietala 2010-03-30
Mike, like you, I have spent a fair amount of my career on the vendor side of the industry, and I have seen a whole lot of aggressive marketing that distorts/misleads customers. There's just an almost complete void in the infosec industry of objective information about the design goals and actual effectiveness of various products. IMHO, the industry needs MORE customer-driven initiatives (like the Jericho Self-Assessment Scheme) that attempt to assess or to make obvious the effectiveness of security technologies. Arguing about the specific assessment questions and the effect/market impact of a program like this is a healthy thing. Initiatives like this one that drive vendors to be more transparent to customers are a step forward. Jim
Andre Gironda 2010-03-29
Besides Amazon's virtual private cloud, what other perimeterized public cloud solutions are there? And really, Mike, does one NEED to spin a document full of buzzwords like "cloud computing" in order to be relevant or on-target? There are other more interesting cloud security assessment projects, but I think that JerichoForum definitely got the ball rolling a few years ago. They at least deserve some credit for "first post".
Armorguy 2010-03-29
1. I think more in terms of "re"-perimeterization than "de"-perimeterization. It's playing into our planning but more from a "the bad guys can get through the layers, how do we detect/respond" than a "Yay, turn the firewall off!". 2. <slams back a Cuervo upon reading "Cloud"> I think we need to define what cloud is before we start talking perimeters. If we're talking *aaS then, yeah - the Jericho ideas work pretty well. If we're talking "private cloud" then not any more than legacy architectures we already have in place. 3. It might help give me a fuzzy that the vendor is thinking about it but it's not going to get any major weight during RFP...
Ben 2010-03-29
1. My take-away from Jericho Forum has been more an understanding of shifting focus to securing data and transactions than it has been on the whole deperimeterization mantra. Yes, the perimeter still exists, but it's also generally swiss cheese. So what do you do to secure data and transactions for traffic that comes through those holes? It's almost like that data-centric notion some other analyst guy around here has been known to talk about a lot. ;) 2. & 3. Who really cares about the self-assessment? Does Jericho Forum have enough standing and influence in the industry to prevent all but a few zealots from completely ignoring this thing? Seriously doubtful...
Bob 2010-03-29
I pretty much agree with your (Mike's) take on the Jericho Forum's relevance, but it's worth knowing what they're up to since on rare occasions one will run into a true believer. When that happens, having some background on JF's latest push is useful in helping guide the conversation back to reality. Bob
Mike Rothman 2010-03-29
@dre - the point wasn't that JF's piece wasn't interesting because it didn't mention cloud amongst other buzzword soup. More to the point that public cloud is pretty much the only use case where de-perimeterization holds water. Agree with @armorguy about the reality that private cloud doesn't involve a vanishing perimeter, unless your network architects suck. And most of the initial comments validate my point, which is Jericho has become irrelevant. Yes, they were early on talking about the fact that data will not be restricted to our own little walled gardens forever. Good for them. But crap, Peter Tippett of TruSecure (now Verizon Business) was talking about the "disappearing perimeter" in 2003.
Jared Pfost 2010-03-29
An area I didn't see above is the direct customer-vendor interaction and influence Jericho provides (or at least used to). At msft in 03-04, I saw Jericho provide a voice and bullhorn to challenge and encourage vendors to advance security and management. I didn't see silliness to pull the perimeter. I did see norms being challenged and a group asking vendors to think harder about solutions across IPSec, federation, QoS, NAC, DRM, etc. I hope to re-engage someday when I can. Active participation is much more powerful than content generation. To another experienced security pro, how much of your content could be labeled from "captain obvious?" Re: self-assessment. It doesn't look to have legs, however what harm can come from more customer-vendor dialogue? I think it would be pretty cool to have a customer ask me to respond. I plan to do so preemptively anyway.
Andrew Yeomans 2010-03-29
Mike, I'm sure *you* don't have to worry about that application that roots your datacentre, your firewall will surely stop it? ;-) Which states the problem in a nutshell, figuratively - one small crack and your kernel is exposed. And data-centric protection is one way forward. If you already are doing it for those removable USB sticks and laptops, why not do it in the data centre too, and benefit from the depth of your defence? Then maybe that crack won't expose your data. Now many of the self-assessment questions may be obvious, but in my experience, the (honest) answers are not. We don't often enough get manageable APIs that work as you grow. I've seen products that force you through "user friendly" drop-down lists, work nicely in the demo but fail for 6,000 servers. Products that force you to trace network packets as they don't document what protocols are required. That still use protocols such as FTP as "everyone supports it". And so on... The Jericho Forum Self-Assessment Scheme clearly isn't a complete set of questions. It doesn't explicitly cover coding practices and testing, but does ask whether devices can survive in a hostile network - which implies penetration testing with fuzzing. But it does concentrate on the need for security by design, not afterthought. We hope to raise the product procurement level to "adequate", at least. I'd genuinely love to see *your* list of nasty questions to vendors. You have some in "The Pragmatic CSO", and Project Quant is doing great work to help validate the answers and show the value of different approaches with its metrics. It will be great if we can all work together to help improve security products. Even if you don't like de-perimeterisation!