Jericho Forum Achievements  Steve Whitlock Board of Management, Jericho Forum ®


1 Jericho Forum Achievements
Steve Whitlock, Board of Management, Jericho Forum ®

2 Activities
- Role: define the problem and raise awareness
- Papers
- Conferences & events
- Relationships
- http://www.jerichoforum.org/

3 Vision Statement
To enable success in today's business environment, which is dependent upon the ability to collaborate and do business, by enabling the secure flow of data over the Internet, principally through:
- Universal standards for cross-organizational security processes and services
- Products that conform to open security standards and profiles
- Assurance processes that, when used in one organization, can be trusted by others
Note: The Jericho Forum is business-driven, but recognizes that the issues it tackles affect all types of organization and individuals. Issues such as privacy and civil liberty can be just as important as the needs of the corporation.

4 Mission Statement
Jericho Forum members will, as a group, influence and impact solutions that will enable secure and cost-effective business collaboration over the Internet by:
- Defining the problem and directions for solutions
- Communicating the collective vision
- Challenging constraints and creating an environment for innovation
- Demonstrating the market needs
- Influencing future products and standards
Note: The Jericho Forum does not intend to become a security standards development group, but will encourage established relevant standards groups to extend existing standards and produce new standards where there are gaps to fill.

5 Publications
General papers:
- Vision White Paper
- Business Case for Deperimeterization
- Jericho Forum Commandments
Also: newsletters, brochure, FAQ, press article references

6 Position Papers
- Inherently Secure Communications
  - Protocols
  - Endpoint Security
- Architecture
- Voice over IP
- Wireless
- Internet Filtering and Reporting

7 More Position Papers
- Enterprise Information Protection & Control (DRM)
- Trust & Cooperation
- Federated Identity
- Information Access Policy Management
- Principles for Managing Data Privacy
- IT Audit
- Data / Information Management
- Collaboration Oriented Architectures (COA)

8 Position Papers in Development
- Encryption & Encapsulation
- Regulation: Compliance & Certification
- Network Security & QoS
- Mobile Management

9 An Introduction to the Commandments
The principles: our benchmark by which concepts, solutions, standards and systems can be assessed and measured.
- Fundamentals (3)
- Surviving in a hostile world (2)
- The need for trust (2)
- Identity, management and federation (1)
- Access to data (3)

10 Fundamentals
1. The scope and level of protection must be specific and appropriate to the asset at risk
- Business demands that security enables business agility and is cost effective.
- Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves.
- In general, it's easier to protect an asset the closer protection is provided to it.

11 Fundamentals
2. Security mechanisms must be pervasive, simple, scalable and easy to manage
- Unnecessary complexity is a threat to good security.
- Coherent security principles are required which span all tiers of the architecture.
- Security mechanisms must scale:
  - from small objects to large objects.
- To be both simple and scalable, interoperable security "building blocks" need to be capable of being combined to provide the required security mechanisms.

12 Fundamentals
3. Assume context at your peril
- Security solutions designed for one environment may not be transferable to work in another:
  - thus it is important to understand the limitations of any security solution.
- Problems, limitations and issues can come from a variety of sources, including:
  - Geographic
  - Legal
  - Technical
  - Acceptability of risk, etc.

13 Surviving in a hostile world
4. Devices and applications must communicate using open, secure protocols.
5. All devices must be capable of maintaining their security policy on an untrusted network.

14 The need for trust
6. All people, processes and technology must have declared and transparent levels of trust for any transaction to take place.
7. Mutual trust assurance levels must be determinable.

15 Identity, Management and Federation
8. Authentication, authorisation and accountability must interoperate / exchange outside of your locus / area of control.

16 Access to data
9. Access to data should be controlled by security attributes of the data itself.
10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges.
11. By default, data must be appropriately secured both in storage and in transit.

17 Paper available from the Jericho Forum
The Jericho Forum "Commandments" are freely available from the Jericho Forum website: http://www.jerichoforum.org

18 VoIP
- Flawed assumption that voice & data sharing the same infrastructure is acceptable
  - because the internal network is secure (isn't it?)
- Therefore little or no security built in
- Internal VoIP
  - Security entirely dependent on the internal network
  - Very poor authentication
- External VoIP
  - Some proprietary security, even Skype
  - Still poor authentication
  - BUT, new insecurities

19 VoIP Insecurity
"Wannabe VoIP Security Moron Cries VoIP Isn't Safe" (Friday, August 31st, 2007 @ 8:38 am | News)
An idiot named Paul Simmonds (a member of Jericho Forum's board of management) says: VoIP is not yet ready for use in businesses. "We don't consider VoIP to be enterprise-ready," Simmonds said.
Anon (http://www.infiltrated.net/?p=10)

20 Secure "Out of the Box"
- The challenge is secure VoIP without boundaries
- Therefore:
  - All components must be secure out of the box
  - Must be capable of withstanding attack
  - "Phones" must be remotely & securely maintained
  - Must have strong (flexible) mutual authentication
  - "Phones" must filter/ignore extraneous protocols
  - Protocol must allow for "phone" security management
  - Must allow for (flexible) data encryption
  - Must allow for IP stack identification & protection

21 VoIP Business Requirements
- Return on investment for:
  - Specific computer-to-telephony integration
  - Greenfield site / refresh
  - Toll bypass via the WAN / Internet
  - Distributed workforce
  - Integrated home/mobile workers
- Rarely a return on investment for:
  - Rip & replace of existing office phone systems
  - More expensive (and complex) end devices
  - Patch process for all system components

22 VoIP vs. Jericho Forum Principles
Principle | How VoIP measures up
1 Specific & appropriate to the asset at risk | If all low risk
2 Security simple, scalable & manageable | Not in the corporation
3 Assume context at your peril | POTS vs VoIP
4 Open & secure protocols | No
5 Maintain security policy on untrusted net | Web, TFTP etc.
6 Transparent trust | None
7 Mutual trust assurance levels | None
8 Authentication outside of locus of control | None
9 Access by security attributes of the data | None
10 Data privacy requires segregation of duties | None
11 Data appropriately secured | No

23 Paper available from the Jericho Forum
The Jericho Forum Position Paper "VoIP in a de-perimeterized world" is freely available from the Jericho Forum website: http://www.jerichoforum.org

24 Inherently Secure Communications
- In the real world nearly every enterprise:
  - Uses computers regularly connected to the Internet: web connections, e-mail, IM etc.
  - Employs wireless communications internally
  - Has the majority of its users connecting to services outside the enterprise perimeter
- In this de-perimeterised world the use of inherently secure protocols is essential to provide protection from the insecure data transport environment.

25 Inherently Secure Protocol Characteristics
- Not a general-purpose tunnel
- An application-level protocol that protects the client / server association:
  - Integrity
  - Confidentiality
  - Endpoint authentication
- Examples:
  - Outlook: RPC / TLS
  - AS2: EDI / TLS
  - RDP / TLS; SMB / TLS pending
  - MS DirectAccess replacing Remote Access

26 Paper available from the Jericho Forum
The Jericho Forum Position Paper "The need for Inherently Secure Protocols" is freely available from the Jericho Forum website: http://www.jerichoforum.org

27 Wireless (Wi-Fi)
1. Companies should regard wireless security on the air interface as a stop-gap measure until inherently secure protocols are widely available.
2. The use of 802.1X integration with corporate authentication mechanisms should be the out-of-the-box default for all Wi-Fi infrastructure.
3. Companies should adopt an "any IP address, anytime, anywhere" (what Europeans refer to as a "Martini model") approach to remote and wireless connectivity.
4. Provision of full roaming mobility solutions that allow seamless transition between connection providers.

28 Paper available from the Jericho Forum
The Jericho Forum Position Paper "Wireless in a de-perimeterised world" is freely available from the Jericho Forum website: http://www.jerichoforum.org

29 Web Access: The Issues
- Filters in the "cloud"
- Single corporate access policy
  - Regardless of location
  - Regardless of connectivity method
  - With multiple egress methods
- Need to protect all web access from malicious content
  - Mobile users especially at risk

30 Paper available from the Jericho Forum
The Jericho Forum Position Paper "Internet Filtering & Reporting" is freely available from the Jericho Forum website (make sure you get Version 1.1): http://www.jerichoforum.org

31 Data Control & Protection
- Digital Rights Management has historically focused exclusively on copy protection of entertainment content.
- "Enterprise" DRM, as an extension of PKI technology, is now generally available as point solutions.
  - Microsoft, Adobe, EMC, Oracle, etc.
  - Copy "protection", non-repudiation, strong authentication & authorisation.
  - "Labelling" is a traditional computer security preoccupation.
- The business problems to solve need articulating.
  - The wider problem is enforcement of agreements, undertakings and contracts; this implies that data and its associated "intelligence" should be bound together.
- Almost complete absence of standards.

32 Limitations of Current Systems
- No enterprise-to-enterprise capability
- An enterprise-to-enterprise capability needs:
  - A standard, published API for manipulating information
  - A standard associated information container
  - Standard protocols for communicating between client, server and rights management servers

33 Paper available soon from the Jericho Forum
The Jericho Forum Position Paper on "DRM" is currently being prepared by Jericho Forum members: http://www.jerichoforum.org

34 End Point Security
- NAC generally relies on a connection
  - Protocols do not make a connection in the same way as a device does
- Trust is variable
  - Trust has a temporal component
  - Trust has a user integrity component (and an integrity strength)
  - Trust has a system integrity component
- Two approaches:
  - Truly secure sandbox (system mistrust)
  - System integrity checking

35 End Point Security
- Standards are required so that agents placed on devices can interoperate, and a device only requires a single agent.
  - This allows agents to expand onto a wide variety of devices such as phones, PDAs, network devices and all PCs, not just WinTel PCs.
- Standards are required for bi-directionally secure sandboxes.
  - This is probably a good subject for academic study.
- Collaboration is required to develop a secure protocol such that agents can be securely validated by the system with which they are trying to communicate.

36 Paper available soon from the Jericho Forum
The Jericho Forum Position Paper on "End Point Security" is freely available from the Jericho Forum website: http://www.jerichoforum.org

37 Conferences & Events
- Annual Conference, London, April 2005, 2006, 2007 and 2008
- Regional conferences
  - 2005: Cincinnati, US; Sydney, AUS
  - 2006: Schaumburg, US; Seattle, US
  - 2007: NYC, US
  - 2008: San Francisco, US; planned for NYC, US
- ~8 members' meetings per year, greater London

38 Relationships
- Monthly Network World column
- Analyst community
- Vendor community
- Other industry bodies
- Universities
- Open Group Security & Identity Management Forums

39 Some of our members
- Cabinet Office
- Foreign & Commonwealth Office
