Although attracting support worldwide, American businesses aren’t necessarily buying into the Jericho Forum’s urging to rely less on hardened perimeter security — firewalls and intrusion detection — in favour of tougher internal security.
The forum, which is made up of CSOs from some of the largest international corporations, says it sees growing adoption of its once-radical idea that businesses should reduce dependence on firewalls as a way to defend against Internet threats. Nearly half — 45 per cent — of those polled by the forum say they are implementing network security that complies with forum recommendations. Forty-eighty per cent say they agree strongly that such a security realignment actually improves their companies’ ability to do business, according to a survey of forum members. About half the members responded to the survey, 64 per cent European and 29 per cent North American.
The forum met recently in New York, in part to prod U.S. businesses to alter their security architectures in order to defend against deperimeterization, the opening up of corporate networks to let in business partners, contractors, customers and guests.
“The Jericho Forum felt we needed to make a big push to get the message out to our American colleagues,” says Paul Simmonds, a Jericho Forum board member and the global information security director at ICI, a U.K.-based paint and chemical manufacturer. “America isn’t up to speed. Absolutely.”
The forum’s keynote address, “40 Years of Internet Security and the Future for Firewalls,” is being delivered by Bill Cheswick, lead member of technical staff at AT&T Research.
The forum’s view of firewalls is that they no longer meet the needs of businesses that increasingly need to let in traffic to do business. Its deperimeterization thrust calls for using secure applications and firewall protections closer to user devices and servers.
But even some of the speakers at the Jericho Forum conference advise moderation. “Deperimeterization is never going to be all or nothing,” says Daniel Blum, an analyst with the Burton Group, who is speaking at the conference. Blum acknowledges that relying on perimeter security too much creates insecurity, but says firewalls and the traditional perimeter will still have a place. “It shouldn’t mean throwing away the perimeter, but it also shouldn’t mean they’re all-knowing and all-effective. You have to have a sense of depth,” he says. “Enterprises must shift controls to the endpoints, data centre repositories and applications.”
Jeffrey Wheatman, an analyst with Gartner, says his firm agrees that businesses need to open up their perimeters more, but Gartner focuses less on endpoint and host security than the Jericho Forum does.
“Their ideas are very good in theory, I just think they’re depending on something that is opportunity to provide perfect endpoint security,” he says. “We need to take whatever limited security dollars we have and spend them in the most expeditious and efficient manner until we run out of that money.”
In many cases Jericho recommendations rely on technology that is not available and that ignores cost-effective and efficient technologies that can significantly reduce risk, he says. “So if there are certain types of attacks and threats that you can stop at a single or two or three choke points or entry points Gartner feels that is not a bad way — in fact, in many cases it’s a good first step — of deciding where you make your security investments,” Wheatman says.
He characterizes Jericho’s deperimeterization as a good theory that doesn’t address the reality of corporate networking today. Jericho says firewalls are not necessary and 100 per cent of security should be focused on endpoints. “You’re making the assumption that 100 per cent of your endpoints are managed, and in real business that’s just not the case,” he says.