May 13th, 2006 by Chandler Howell

Maybe it’s because we’ve been hiding behind oceans for the past few hundred years, or maybe it’s because we’ve never gotten to experience fixed fortifications failing in practice, but I would say that America is generally lagging behind Europe in thinking about deperimeterization.

Yesterday was another Jericho Forum meeting, this one in Chicago. Nowhere near as much attendance, although part of that was almost certainly the fact that it was not in close physical and temporal proximity to a major security trade show.

Jericho is going to have a major presence at Black Hat, including a half-day session as part of the training courses. I don’t have any more information than that, but I’m interested to see what the interest level and turn-out look like there.

Also, in late September, Boeing will be hosting a Jericho meeting and work session in Seattle, Washington, and at least the first day of it will be open to all interested parties, meaning you have plenty of time to convince your boss to approve travel.

No great quotes this time around, but I’m starting to feel like I have a pretty firm grasp of what enterprises reasonably can and can’t expect to accomplish at both the business and technical levels around deperimeterization at this time.

I’m also noting a couple of trends that I’m seeing play out, both in my own efforts as well as at other companies. These are based on some work sessions held before the main meeting as well as lunch/drinks/dinner conversations over the past few days.

Things we can do:

  • Protect an application’s infrastructure by applying the principle of Least Privilege at the network layer.

    This is done at the perimeter today with the granularity pretty much being “in the building or possessing a VPN account” and “everyone else in the world.” This is a level of granularity historically chosen because anything more complex was unmanageable (see “Things we can’t do”).

    Diana Kelly of the Burton Group referred to this as “Deep Perimeterization” last year, referring to the fact that in its crudest form, it’s just sticking a firewall between the application and the internal network. I agree that’s a part of it, but only a small part.

    Firewalls were a stopgap until secure protocols were developed twelve years ago, and they are still a stopgap today.

  • Protect applications, even insecure and poorly-written applications. This is where application-layer gateways and protocol-aware inspection come into play.
  • Use secure (confidential, authenticated, integrity-protected) protocols (e.g. SSH instead of telnet), or wrap less secure protocols to achieve an acceptable level of security (e.g. tunneling them inside SSL), even without ubiquitous authentication or robust applications.

Things we can’t do:

  • Do pretty much any of these things cheaply, or without exotic (start-up) technology.
  • Manage access effectively. This problem will only be solved once we’re able to provision access based on structures that are meaningful to The Business. This will be a painful process, but it’s doable.

    For example, all provisioning of user privilege within my corporate financial systems is performed by “Functional,” not IT, people. It works because Oracle defines roles (“responsibilities,” in Oracle-speak) which are meaningful to those functional people. The responsibility is something like “Accounts Payable Approver,” not GRANT EXECUTE ON PROC ORA_FIN_P.AP_APPROV TO howellc; that’s the magic of provisioning (along with approval workflow, unified views of access, and lots of other neat bits, but what people care about is that good provisioning systems mean they don’t have to know what they need to get what they want).

    Identity Management is expected to be the silver bullet to solve these problems, but it still doesn’t change the fact that someone will still have to determine what “Provision New User->Finance->AP Approver” translates into as a set of network ACLs (open access to Oracle Financials), host security controls (SMS push of full-disk encryption software and a PGP plug-in for Outlook), and accounts and responsibilities within the Oracle App itself.

  • Protect information from abuse by end-users.

    Technologically, this is the realm of DRM, and I just posted my thoughts on that separately.
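To make the “someone still has to determine what the business role translates into” point concrete, here is an added illustration (not code from the original post, and not any real Oracle Financials or network configuration): a small role catalogue that expands business-meaningful roles into the three kinds of technical entitlement the post lists (network ACLs, host controls, application responsibilities), computes the grant/revoke delta when a user changes roles, flags entitlements a user holds that no role justifies, and renders the network ACLs as a default-deny rule set. The role names, host names, subnets and control names are constructed placeholders.

```python
"""Role-based provisioning illustration.

Added example, not from the original post. ROLE_CATALOGUE, host names and
control names are constructed placeholders, not a real deployment.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Entitlement:
    """One concrete technical grant implied by a business role."""
    kind: str    # "net_acl", "host_control" or "app_responsibility"
    value: str


# Constructed catalogue: business role -> technical entitlements it implies.
# This is the translation table the post says "someone" still has to write.
ROLE_CATALOGUE: Dict[str, FrozenSet[Entitlement]] = {
    "All Staff": frozenset({
        Entitlement("host_control", "full-disk-encryption"),
        Entitlement("net_acl", "permit tcp any -> mail.example.internal:443"),
    }),
    "Finance/AP Approver": frozenset({
        Entitlement("net_acl", "permit tcp any -> ora-fin.example.internal:1521"),
        Entitlement("host_control", "pgp-mail-plugin"),
        Entitlement("app_responsibility", "Accounts Payable Approver"),
    }),
    "Finance/AP Clerk": frozenset({
        Entitlement("net_acl", "permit tcp any -> ora-fin.example.internal:1521"),
        Entitlement("app_responsibility", "Accounts Payable Clerk"),
    }),
}


def expand_roles(roles: Iterable[str]) -> FrozenSet[Entitlement]:
    """Translate business roles into the union of their entitlements.

    An unknown role is an error: provisioning fails closed rather than
    guessing at grants for a role nobody has defined.
    """
    result: set = set()
    for role in roles:
        if role not in ROLE_CATALOGUE:
            raise KeyError(f"unknown role: {role!r}")
        result |= ROLE_CATALOGUE[role]
    return frozenset(result)


def provisioning_delta(
    current_roles: Iterable[str], new_roles: Iterable[str]
) -> Tuple[FrozenSet[Entitlement], FrozenSet[Entitlement]]:
    """Return (grants, revokes) for a role change.

    An entitlement still justified by a remaining role is neither granted
    again nor revoked, so shared access (e.g. the Oracle ACL) survives a
    move from Clerk to Approver while the Clerk responsibility is removed.
    """
    before = expand_roles(current_roles)
    after = expand_roles(new_roles)
    return after - before, before - after


def orphaned_entitlements(
    held: Iterable[Entitlement], roles: Iterable[str]
) -> FrozenSet[Entitlement]:
    """Access-review helper: entitlements actually held that no assigned
    role justifies. This is the drift a unified view of access exposes."""
    return frozenset(held) - expand_roles(roles)


def render_network_acl(entitlements: Iterable[Entitlement]) -> List[str]:
    """Render the net_acl entitlements as an ordered rule list that ends in
    an explicit default deny, so the result is least-privilege by
    construction rather than by omission."""
    rules = sorted(e.value for e in entitlements if e.kind == "net_acl")
    return rules + ["deny ip any -> any"]


if __name__ == "__main__":
    grants, revokes = provisioning_delta(
        ["All Staff", "Finance/AP Clerk"], ["All Staff", "Finance/AP Approver"]
    )
    print("grant:", sorted(e.value for e in grants))
    print("revoke:", sorted(e.value for e in revokes))
    print("\n".join(render_network_acl(expand_roles(["All Staff", "Finance/AP Approver"]))))
```

The functional approver only ever sees the role names; the catalogue carries the technical meaning, and the delta function is what makes deprovisioning as routine as provisioning.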

There are a lot of smart people doing a lot of good work to tackle all of these problems, most of them in the Real World rather than on paper. The next Jericho meeting will be next month in England, and I’ll have my next update then.

- Posted in Security and Risk Management, Risk Management, Network Security

Sorry to ask this here, but do you know of any emails for the Jericho Forum that actually work? I’ve tried two different ones off the website you’ve pointed to and they both bounce. I’d like to see if there’s a member in Ohio that would like to come speak to our ISSA chapter.

- May 14th, 2006 at 6:06 am