Download presentation
Presentation is loading. Please wait.
Published byRandolph Lawson Modified over 9 years ago
1
Jericho Forum Achievements Steve Whitlock Board of Management, Jericho Forum ®
2
Activities Role: Define problem and raise awareness Papers Conferences & Events Relationships http://www.jerichoforum.org/ http://www.jerichoforum.org/
3
Vision Statement To enable success in today's business environment, which is dependant upon the ability to collaborate and do business, by enabling the secure flow of data over the Internet, principally through: –Universal standards for cross-organizational security processes and services –Products that conform to open security standards and profiles –Assurance processes that, when used in one organization, can be trusted by others Note: The Jericho Forum is business-driven, but recognizes that the issues it tackles affect all types of organization and individuals. Issues such as privacy and civil liberty can be just as important as the needs of the corporate.
4
Mission Statement Jericho Forum members will, as a group, influence and impact solutions that will enable secure and cost-effective business collaboration over the Internet by: –Defining the problem and directions for solutions –Communicating the collective vision –Challenging constraints and creating an environment for innovation –Demonstrating the market needs –Influencing future products and standards Note: The Jericho Forum does not intend to become a security standards development group, but will encourage established relevant standards groups to extend existing standards and produce new standards where there are gaps to fill.
5
Publications General Papers Vision White Paper Business Case for Deperimeterization Jericho Forum Commandments Newsletters Brochure FAQ Press article references
6
Position Papers Inherently Secure Communications –Protocols –Endpoint Security Architecture Voice over IP Wireless Internet Filtering and Reporting
7
More Position Papers Enterprise Information Protection & Control (DRM) Trust & Cooperation Federated Identity Information Access Policy Management Principles for Managing Data Privacy IT Audit Data / Information Management Collaboration Oriented Architectures (COA)
8
Position Papers in Development Encryption & Encapsulation Regulation: Compliance & Certification Network Security & QoS Mobile Management
9
An Introduction to the Commandments The principles: Our benchmark by which concepts, solutions, standards and systems can be assessed and measured Fundamentals (3) Surviving in a hostile world (2) The need for trust (2) Identity, management and federation (1) Access to data (3)
10
Fundamentals 1. The scope and level of protection must be specific and appropriate to the asset at risk Business demands that security enables business agility and is cost effective. Whereas boundary firewalls may continue to provide basic network protection, individual systems and data will need to be capable of protecting themselves. In general, it’s easier to protect an asset the closer protection is provided.
11
Fundamentals 2. Security mechanisms must be pervasive, simple, scalable and easy to manage Unnecessary complexity is a threat to good security. Coherent security principles are required which span all tiers of the architecture. Security mechanisms must scale: –from small objects to large objects. To be both simple and scalable, interoperable security “building blocks” need to be capable of being combined to provide the required security mechanisms.
12
Fundamentals 3. Assume context at your peril Security solutions designed for one environment may not be transferable to work in another: –thus it is important to understand the limitations of any security solution. Problems, limitations and issues can come from a variety of sources, including: –Geographic –Legal –Technical –Acceptability of risk, etc.
13
Surviving in a hostile world 4. Devices and applications must communicate using open, secure protocols. 5. All devices must be capable of maintaining their security policy on an untrusted network.
14
The need for trust 6. All people, processes, technology must have declared and transparent levels of trust for any transaction to take place. 7. Mutual trust assurance levels must be determinable.
15
Identity, Management and Federation 8. Authentication, authorisation and accountability must interoperate / exchange outside of your locus / area of control.
16
Access to data 9.Access to data should be controlled by security attributes of the data itself. 10.Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges. 11.By default, data must be appropriately secured both in storage and in transit.
17
Paper available from the Jericho Forum The Jericho Forum “Commandments” are freely available from the Jericho Forum Website http://www.jerichoforum.org
18
VoIP Flawed assumption that voice & data sharing same infrastructure is acceptable –because internal network is secure (isn’t it?) Therefore little or no security built-in Internal VoIP –Security entirely dependent on internal network –Very poor authentication External VoIP –Some proprietary security, even Skype –Still poor authentication –BUT, new insecurities
19
VoIP Insecurity Wannabe VoIP Security Moron Cries VoIP Isn’t Safe Friday, August 31 st, 2007 @ 8:38 am | News An idiot named Paul Simmonds (a member of Jericho Forum’s board of management) says: VoIP is not yet ready for use in businesses. “We don’t consider VoIP to be enterprise-ready,” Simmonds said. Anon (http://www.infiltrated.net/?p=10)
20
Secure “Out of the Box” Challenge is secure VoIP without boundaries Therefore… –All components must be secure out of box –Must be capable of withstanding attack –“Phones” must be remotely & securely maintained –Must have strong (flexible) mutual authentication –“Phones” must filter/ignore extraneous protocols –Protocol must allow for “phone” security mgt –Must allow for (flexible) data encryption –Must allow for IP stack identification & protection
21
VoIP Business Requirements Return on Investment for; –Specific Computer to Telephony Integration –Greenfield site / refresh –Toll-bypass via the WAN / Internet –Distributed workforce –Integrated home/mobile workers Rarely a Return on Investment for; –Rip & replace existing office phone systems –More expensive (and complex) end devices –Patch process for all system components
22
VoIP vs. Jericho Forum Principles 1Specific & appropriate to the asset at riskIf all low risk 2Security, simple, scalable & manageableNot in Corp. 3Assume context at your perilPots vs VoIP 4Open & secure protocols.No 5Maintain security policy on un-trusted net.Web, TFTP etc. 6Transparent trustNone 7Mutual trust assurance levelsNone 8Authentication outside of locus of controlNone 9Access by security attributes of the dataNone 10Data privacy requires segregation of dutiesNone 11Data appropriately securedNo
23
Paper available from the Jericho Forum The Jericho Forum Position Paper “VoIP in a de- perimeterized world” is freely available from the Jericho Forum website http://www.jerichoforum.org
24
Inherently Secure Communications In the real world nearly every enterprise; –Uses computers regularly connected to the Internet; Web connections, E-mail, IM etc. –Employing wireless communications internally –The majority of their users connecting to services outside the enterprise perimeter In this de-perimeterised world the use of inherently secure protocols is essential to provide protection from the insecure data transport environment.
25
Inherently Secure Protocol Characteristics Not a general purpose tunnel An application level protocol that protects the client / server association –Integrity –Confidentiality –Endpoint authentication Examples –Outlook – RPC / TLS –AS2 – EDI / TLS –RDP / TLS, SMB / TLS pending –MS Direct Access replacing Remote Access
26
Paper available from the Jericho Forum The Jericho Forum Position Paper “The need for Inherently Secure Protocols” is freely available from the Jericho Forum website http://www.jerichoforum.org
27
Wireless (Wi-Fi) 1. Companies should regard wireless security on the air- interface as a stop-gap measure until inherently secure protocols are widely available 2. The use of 802.1x integration to corporate authentication mechanisms should be the out-of the box default for all Wi- Fi infrastructure 3. Companies should adopt an “any-IP address, anytime, anywhere” (what Europeans refer to as a “Martini-model”) approach to remote and wireless connectivity. 4. Provision of full roaming mobility solutions that allow seamless transition between connection providers
28
Paper available from the Jericho Forum The Jericho Forum Position Paper “Wireless in a de- perimeterised world” is freely available from the Jericho Forum website http://www.jerichoforum.org
29
Web Access – The Issues Filters in the “Cloud” Single Corporate Access Policy –Regardless of location –Regardless of connectivity method –With multiple egress methods Need to protect all web access from malicious content –Mobile users especially at risk
30
Paper available from the Jericho Forum The Jericho Forum Position Paper “Internet Filtering & Reporting” is freely available from the Jericho Forum website (Make sure you get Version 1.1) http://www.jerichoforum.org
31
Data Control & Protection Digital Rights Management has historically focused exclusively on copy protection of entertainment content. ‘Enterprise’ DRM as an extension of PKI technology now generally available as point solutions. –Microsoft, Adobe, EMC, Oracle, etc. –Copy ‘protection’, non-repudiation, strong authentication & authorisation. –‘Labelling’ is a traditional computer security preoccupation. Business problems to solve need articulating. –The wider problem is enforcement of agreements, undertakings and contracts; implies data plus associated ‘intelligence’ should be bound together. Almost complete absence of standards.
32
Limitations with Current Systems No enterprise to enterprise capability An Enterprise to Enterprise Capability Needs: –Standard, published API for manipulating information –Standard associated information container –Standard protocols for communicating between client, server and rights management servers.
33
Paper available soon from the Jericho Forum The Jericho Forum Position Paper on “DRM” is currently being prepared by Jericho forum members http://www.jerichoforum.org
34
End Point Security NAC generally relies on a connection –Protocols do not make a connection in the same way as a device Trust is variable –Trust has a temporal component –Trust has a user integrity (& integrity strength) –Trust has a system integrity Two approaches; –Truly secure sandbox (system mistrust) –System integrity checking
35
End Point Security Standard are required so that agents placed on devices can interoperate, and a device only requires a single agent. –This allows agents to expand onto a wide variety of devices such as phones, PDA’s, network devices and all PC’s not just WinTel PC’s. Standards are required for bi-directionally secure sandboxes. –This probably is a good subject for academic study. Collaboration is required to develop a secure protocol such that agents can securely be validated by the system with which it is trying to communicate.
36
Paper available soon from the Jericho Forum The Jericho Forum Position Paper on “End Point Security” is freely available from the Jericho Forum website http://www.jerichoforum.org
37
Conferences & Events Annual Conference, London, April 2005, 6, 7, 8 Regional Conferences –2005: Cincinnati, US; Sydney, AUS –2006: Schaumberg, US; Seattle, US –2007: NYC, US –2008: San Francisco, US; Planned for NYC, US ~8 Members meetings per year, greater London
38
Relationships Monthly NetWork World Column Analyst Community Vendor Community Other Industry Bodies Universities Open Group Security & Identity Management Forums
39
Cabinet OfficeForeign & Commonwealth Office Some of our members
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.