
(1)

Jericho Forum® – Report Back

What's been achieved through 2009, and how we will continue to make a difference in 2010.

Paul Simmonds & Adrian Seccombe

(2)

How we got to here – a brief review of the decade

§ 2001 – The “de-perimeterisation” word coined [Royal Mail’s Jon Measham]

§ 2002 – Discussion started among like-minded CISOs who saw the upcoming problem

§ 2003 – Paul Simmonds & David Lacey present at RSA Europe, causing front-page headlines

§ 2004 – January: Jericho Forum founded at The Open Group office in Reading; interim board formed, and agree to Open Group taking over day-to-day running

§ 2004 – December: Interim board formed as a Jericho Forum membership group, with an elected Board of Managers

§ 2005 – February: White paper published

§ 2005 – April: First Jericho Conference held alongside Info Security & SC Awards

§ 2005 – Interim board agree to Open Group taking over day-to-day running

§ 2006 – Trade mark issued

§ 2006 – April: First position paper published

§ 2006 – April: Commandments published

§ 2008 – April: COA Published

§ 2009 – April: Cloud Paper Published

§ 2009 – De-perimeterisation an established concept, now accepted as relevant to the cloud

§ 2009 – Commandments seen to “stand up to the rigours of the Clouds”

(3)

Key Publications

Business rationale for de-perimeterisation

Jericho Forum Commandments

White Paper

(4)

Key Publications

The need for Inherently Secure Protocols

Cloud Cube

Collaboration Oriented Architectures

Freely available at www.jerichoforum.org

(5)

And it’s not just us!

Forrester – Paul Stamp, July 2005

ISSA Journal – “De-perimeterized Architecture: The end to the edge”, August 2009

ISF – “Architectural Responses to the Disappearing Network Boundary”, February 2009

(6)

2009 & Upcoming Work

§ Self Assessment Scheme

§ Cloud current work

§ CSA memorandum of understanding

§ Commandments still valid for cloud

§ Identity & Access Management

§ The cloud identity crisis - why cloud won't take off without Id & AM

(7)

Self Assessment Scheme

§ Rationale

– Based on the “Commandments”

– “the set of nasty questions to ask your security vendors”

– Check if they provide the security solutions you need, and

– Expose shortcomings in the features they may be claiming their offerings provide

– Can be used stand-alone, or relevant parts simply incorporated into an RFQ

§ Release Timeline

– Beta testing with vendors – Jan 2010

– US release, 1st March @ RSA

(8)

From Connectivity to Collaboration

[Figure: timeline of connectivity over time, with “Today” marked near the top. Stages, earliest first: Stand-alone Computing [Mainframe, Mini, PC’s] → Local Area Networks (islands by technology) → Connected LANs (interoperating protocols) → Connectivity for Internet e-Mail → Internet Connectivity (Web, e-Mail, Telnet, FTP) → External collaboration [Private connections] → External Working (VPN based) → Limited Internet-based Collaboration → Consumerisation [Cheap IP based devices] → Full Internet-based Collaboration → Full de-perimeterised working.]

(9)

Externalisation of Data

[Figure: data moving outward through successive architectures – Internal → De-perimeterised → COA → Secured Cloud – with the data labelled by era: Old Data, Then Data, Now Data, Near Future Data, Future? Data.]

The security of the network becomes increasingly irrelevant, and the security and integrity of the data becomes everything.

(10)

Jericho Forum Cloud Cube Model

[Figure: the Cloud Cube. Dimensions: Location – Internal / External; Ownership (technology/services/code) – Proprietary / Open; Architecture – Perimeterised / De-perimeterised; Dimension Four – Insourced / Outsourced. “The Cloud” is marked within the cube.]

(11)

Cloud & the Cloud Cube model

§ CSA memorandum of understanding

§ Commandments still valid for the cloud

§ Hybrid Computing will be the norm (a mix of traditional and various cloud computing)

• Private Clouds are Perimeterised

• Collaborative Clouds are best de-perimeterised

(12)

Identity & Access Management

§ Key is to separate Identity Management from Access Management, and Audit the activities

§ Identify: “I am he/she!”

§ Authenticate: “You are indeed!” …or not

§ Access: I’d like to… do that

§ Authorisation: Yes you are allowed …or not

§ Monitor: What did you do

(13)

The Cloud Identity Crisis

§ The Cloud won't take off fully without appropriate Identity and Access Management

§ Private Clouds will be able to take advantage of the old Perimeterised Identity and Access Management models

§ Collaborative Clouds will need a significant shift from Enterprise Centric security to User Centric Security

§ Clouds also will benefit greatly from the shift from Access by Lists to Access by Claims
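The two slides above separate identity management (identify, authenticate) from access management (access, authorise) with audit as a third concern, and argue for moving from access by lists to access by claims. The following is an added example, not code from the Jericho Forum slides or any Jericho Forum project, that models both access decisions side by side over constructed sample data. The identity directory, users, resources, attributes and policy rules are all hypothetical; the plain dict of claims stands in for a signed token that a real identity provider would issue after authenticating the user.

```python
"""Added example: identity, access and audit kept separate, with an ACL
("access by lists") and an attribute policy ("access by claims") deciding the
same requests. Every name, user and rule here is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Identity management: who is asking. Hypothetical directory; a real IdP would
# authenticate the user and return a signed token carrying these claims.
SAMPLE_IDENTITIES: dict[str, dict] = {
    "alice": {"org": "acme", "role": "engineer", "mfa": True},
    "bob":   {"org": "partner-co", "role": "auditor", "mfa": False},
    "carol": {"org": "acme", "role": "contractor", "mfa": True},
    "dave":  {"org": "acme", "role": "engineer", "mfa": True},  # joined after the ACL was written
}


def issue_claims(username: str) -> dict:
    """Identity step ("I am he/she!" / "You are indeed!"): assert claims for a known user."""
    attrs = SAMPLE_IDENTITIES.get(username)
    if attrs is None:
        raise KeyError(f"unknown identity: {username}")
    return {"sub": username, **attrs}


# Access by lists: the resource owner must enumerate every permitted identity.
ACL: dict[str, set[str]] = {
    "design-docs": {"alice", "carol"},
    "audit-logs": {"bob"},
}


def acl_allows(subject: str, resource: str) -> bool:
    return subject in ACL.get(resource, set())


# Access by claims: the resource owner states which attributes a requester must
# hold; only the identity provider needs to know the individual users.
POLICY: dict[str, Callable[[dict], bool]] = {
    "design-docs": lambda c: c["org"] == "acme" and c["mfa"] is True,
    "audit-logs": lambda c: c["role"] == "auditor",
}


def claims_allow(claims: dict, resource: str) -> bool:
    rule = POLICY.get(resource)
    return rule is not None and bool(rule(claims))


# Monitor: "What did you do". Recorded for both models so auditing does not
# depend on how the authorisation decision was reached.
@dataclass
class AuditLog:
    entries: list[dict] = field(default_factory=list)

    def record(self, subject: str, resource: str, allowed: bool, model: str) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "sub": subject, "resource": resource,
            "decision": "allow" if allowed else "deny", "model": model,
        })

    def denials(self) -> list[dict]:
        return [e for e in self.entries if e["decision"] == "deny"]


def request_access(username: str, resource: str, audit: AuditLog, model: str = "claims") -> bool:
    """Full flow: identify/authenticate -> access request -> authorise -> monitor."""
    claims = issue_claims(username)
    if model == "acl":
        allowed = acl_allows(claims["sub"], resource)
    elif model == "claims":
        allowed = claims_allow(claims, resource)
    else:
        raise ValueError(f"unknown access model: {model}")
    audit.record(claims["sub"], resource, allowed, model)
    return allowed


def compare_models(username: str, resource: str) -> dict[str, bool]:
    """Decide the same request under both models; both decisions land in one audit log."""
    audit = AuditLog()
    return {m: request_access(username, resource, audit, m) for m in ("acl", "claims")}


if __name__ == "__main__":
    for user in SAMPLE_IDENTITIES:
        print(user, "design-docs", compare_models(user, "design-docs"))
```

Running it shows the point of the slide: dave, an acme engineer with MFA who joined after the list was written, is denied by the ACL but allowed by the claims policy without anyone touching the resource, while bob, from a partner organisation, is denied design-docs under both models and allowed audit-logs under both. In a real deployment the claims would arrive in a signed token and the signature would be verified before any rule is evaluated.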

(14)

Risk Based Access

§ Current access methods

– Do not support business needs / granularity

– Do not support “real” cloud working

– Do not support the move to securing the data

§ Trust but verify

– Basic trust models for devices & users exist

But:

– How do you verify environments you do not own?

– How do you verify that environments you do not own are cleaned up after use?

(15)

2010 Planned / Proposed Work

§ Publish Self Assessment Scheme for RSA

§ Represent Jericho Forum thinking in 2010 RSA Conference

§ Refine linkages to CSA and ENISA, and develop new linkages to other bodies (like ISSA)

§ Identity and Access Management

(16)

A reminder of how we work

[Figure: concentric groups, smallest first. Thought Leaders – few people, 100% occupied; User Members – more people, some vendors, 60/40 split; Vendor Members – many people, users & vendors; Widest Jericho Forum community and non-members. Work streams shown: De-perimeterisation, COA, Cloud.]

(17)

Conclusions

§ De-perimeterisation still a relevant topic with plenty to be highlighted and addressed

§ Commandments remain relevant as we move to cloud issues

§ There is a shift from Enterprise Centric to User Centric IAM

§ There needs to be a shift from ACLs to Claims

(18)

Questions & Comments

(19)

Shaping security for tomorrow’s world
