ICI
Organisations are struggling to defend themselves from hackers, viruses, denial of service and other cyber-attacks. Information Age asks Paul Simmonds, chief information security officer at chemical giant ICI, to divine a way forward.
Information Age (IA): Why did you feel it was necessary to focus on the question of perimeter security?
Paul Simmonds (PS): We are hit at the corporate border by a lot of stuff. The border is only partially effective and [current protection] doesn't keep out such things as viruses and ActiveX exploits; it didn't keep out the Sasser worm. It just keeps out 'script kiddies' and denial of service attacks.
That's the issue we're facing as corporates. What we're saying is, you need to start looking at the border as purely a quality of service boundary. Then the next step is to ask what do you need to do to actually deliver that? It requires a philosophical mind shift.
Our borders are less and less successful, more porous, and we are going to be forced to do something about it. On the other side the business is forcing us that way anyway as the [controls at the] borders are inhibiting the ability to do business fast. If we didn't have a border we could do business direct from one company to another. There are protocols around that do this.
Wal-Mart and UPS are backing AS2, for example, which is an encrypted, authenticated, non-repudiated protocol for e-transactions. [AS1 and AS2 are draft specifications developed by the Internet Engineering Task Force (IETF) for securely exchanging business documents and business-to-business (B2B) transactions, over the Internet.] It's coming, lots of people are trying to do it. But the problem is we need to shift the mindset.
The Jericho Forum [which Simmonds co-founded] is all about looking at operating without a hardened perimeter, defining a framework by which [security product] manufacturers can start developing stuff to meet our business needs, rather than letting them dictate it all.
(IA): Why is the current perimeter-based approach untenable?
(PS): The reason we have all this [network] stuff is to enable us to do business, and we can't put in solutions that make that hard or slow it down. The instant you start doing perimeter-based security you make things complex and you inhibit business. Vendors come to me trying to flog deeper firewalls and that's not what my business is telling me it wants to do in the future.
Jericho is about starting the debate on this, as it wasn't on anyone's agenda. It's about big businesses saying: "This is a problem for us, let's start discussing it."
The vendors need to get their act together. Rather than products that try to repel attacks at the border, they need to design inherently secure systems. That's the key to this.
In the early days of the Internet, when it was just on a university level, everyone trusted each other. There were no locks on the doors. Now we're in this big nasty world but the computer industry hasn't caught up - we're still using SMTP and HTTP, which are unauthenticated, unencrypted protocols. We've got to start verifying who we let into our houses and start putting the locks on the door. We should be using SSL or some kind of identity management or federated identities to make sure Paul Simmonds is Paul Simmonds. But everyone needs to get behind it and start using it. With the old model of trusting everyone, [potentially] anyone can get in.
(IA): How helpful are IT industry organisations working in this area?
(PS): Ultimately they should be listening to their customers, not forming their own perspective from their business point of view. It's like the story where three blind men are all feeling different parts of the elephant but identify it differently. The vendors will all tell a different story.
One of the benefits of Jericho is we're working without vendors there to queer the pitch. We each might only operate at the leg level, but with all of us there we stand a good chance of defining the elephant.
(IA): The Jericho members are mostly from multinationals. Does it speak to the problems of small and mid-sized businesses (SMBs) too?
(PS): Probably not - but if we can scale to a corporate environment it will scale down to SMBs. Historically large corporations have to fix large problems. Smaller businesses are not suffering the same pain we are. We'll solve the problem and small companies will pick it up.
(IA): What are the most recent developments to emerge from the Jericho Forum?
(PS): At the last meeting at the end of August, we had 26 major companies represented - from Europe, US and Australasia. We wanted to define the entire problem scope and to outline the whole area in a white paper, giving a 'soup to nuts' definition of the problem.
At the moment we're defining what CSOs really want. And always under discussion is when we should involve the [information security] vendors. We would hope it will be shortly after the white paper is published.
(IA): How does the vision of perimeterless security relate to the real-world challenges of security at ICI?
(PS): The key things that we've been doing are talking and listening to the people within our internal businesses, assessing what we might deliver through de-perimeterisation and trying to align security policy with the business requirements.
This is not the tail wagging the dog. I'm not going to say that the whole of ICI is going to de-perimeterise. This is [simply] an option for the businesses to consider as a strategy. It must fit in with what ICI and the other businesses say they want.
(IA): Are there some elements of de-perimeterisation that will come sooner than others?
(PS): There are bits you won't have a choice about because we all use the Internet and we have to implement certain bits - secure authenticated email would be a good one, if nothing else to stop the spam menace. It's a hot topic at the moment. It's not particularly a Jericho thing but it's tied up with how you authenticate users from other businesses using federated identity - which is the same problem as we're facing with spam. There's an awful lot of overlap.
We continue to operate in a perimeter environment. Jericho is more revolution, but business as usual is more evolution.
(IA): Do you have any security advice that you would give to other CIOs?
(PS): Watch what's going on with de-perimeterisation, get involved, understand it. And you've got to start changing your mindset in how you look at information security. We've preached around it for the last 10 years. We've got to do defence in-depth and build security from the ground up. Security is not a bolt-on option.