Tear the walls down: Jericho and the future of enterprise tech
Yesterday I gave the keynote on The Future of Information Technology at the Local Government IT2011 conference in Coffs Harbour, which this year had the theme of mobility.
Given the ambitious scope of my keynote title, I covered a lot of territory including fundamental technology shifts and the evolving shape of organizational technology. In looking at how to respond to the forces of the ‘consumerization’ of IT, power to the user, and mobility I raised the ideas put forward by the Jericho Forum. I asked for a show of hands, and no-one had heard of it, which I hope is not representative.
Jericho Forum, as the name implies, is intent on bringinging down the walls that surrounds enterprise technology. The key concept is “de-perimeterization“, which is basically a multi-syllabic way of saying tear down the walls. In a world in which users are anywhere, connecting from any device, it is crazy to try to put up and defend walls. The boundaries of organizations are blurring beyond recognition, which I and others have been saying for over a decade, so it is completely dysfunctional for technology to try to maintain boundaries. As Jericho Forum puts it:
The huge explosion in business collaboration and commerce on the Web means that today’s traditional approaches to securing a network boundary are at best flawed, and at worst ineffective.
To respond to current and future business needs, the breakdown of the traditional distinctions between “your” network and “ours” is inevitable. Increasingly, information will flow between business organizations over shared and third-party networks, so that ultimately the only reliable security strategy is to protect the information itself, rather than the network and the IT infrastructure.
This perimeter erosion trend is what Jericho Forum calls “de-perimeterization” and has been developing, largely unchecked, for several years. The forum believes responding to the challenges of de-perimeterization must be central to all IT security strategies.
What this requires is that every component is independently secure. This means:
* Encryption everywhere
* Data-level authentication
* Inherently secure communication protocols
In other words, your IT security for outside the organization, including the Internet and distributed devices, will be exactly the same as your IT security for inside the organization, including the Intranet and what is usually called ‘behind the firewall’. But it won’t be, because there are no longer any walls.
They also use the term Collaboration Oriented Architecture, because this is all about enabling the collaboration that is essential for all organizations today.
It can seem like a bold and startling way of thinking about enterprise IT security. But when you look at what is happening in how organizations use technology today, there is no other tenable solution. No wall is defensible, because every wall needs holes to allow the organization to function. As a wonderful side benefit, this enables the bring-your-own-tech movement, as it is device independent, and means anyone can use the technology they want, once it has been brought into the system.
Tear down the walls!
These are the Jericho Forum™ Commandments:
1. The scope and level of protection should be specific and appropriate to the asset at risk.
2. Security mechanisms must be pervasive, simple, scalable, and easy to manage.
3. Assume context at your peril.
4. Devices and applications must communicate using open, secure protocols.
5. All devices must be capable of maintaining their security policy on an un-trusted network.
6. All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place.
7. Mutual trust assurance levels must be determinable.
8. Authentication, authorization, and accountability must interoperate/exchange outside of your locus/area of control.
9. Access to data should be controlled by security attributes of the data itself.
10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges.
11. By default, data must be appropriately secured when stored, in transit, and in use.