It seems the Jericho Forum is at it again. I’m not sure what it is, but they are hitting the PR circuit talking about their latest document, a Self-Assessment Guide. Basically this is a list of “nasty” questions end users should ask vendors to understand if their products align with the Jericho Commandments.
If you go back and search on my (mostly hate) relationship with Jericho, you’ll see I’m not a fan. I thought the idea of de-perimeterization was silly when they introduced it, and almost everyone agreed with me. Obviously the perimeter was changing, but it clearly was not disappearing. Nor has it.
Jericho fell from view for a while and came back in 2006 with their commandments. Most of which are patently obvious. You don’t need Jericho to tell you that the “scope and level of protection should be specific and appropriate to the asset at risk.” Do you? Thankfully Jericho is there to tell us “security mechanisms must be pervasive, simple, scalable and easy to manage.” Calling Captain Obvious.
But back to this nasty questions guide, which is meant to isolate Jericho-friendly vendors. Now I get asking some technical questions of your vendors about trust models, protocol nuances, and interoperability. But shouldn’t you also ask about secure coding practices and application penetration tests? Which is a bigger risk to your environment: the lack of DRM within the system or an application that provides root to your entire virtualized datacenter?
So I’ve got a couple questions for the crowd:
- Do you buy into this de-perimeterization stuff? Have these concepts impacted your security architecture in any way over the past ten years?
- What about cloud computing? I guess that is the most relevant use case for Jericho’s constructs, but they don’t mention it at all in the self-assessment guide.
- Would a vendor filling out the Jericho self-assessment guide sway your technology buying decision in any way? Do you even ask these kinds of questions during procurement?
I guess it would be great to hear if I’m just shoveling dirt on something that is already pretty much dead. Not that I’m above that, but it’s also possible that I’m missing something.
13 Replies to “FireStarter: Nasty or Not, Jericho Is Irrelevant”
I’m not sure what the criticism is here.
Are our commandments too obvious? Everything’s obvious when someone’s explained it to you.
Are we not making enough noise? Perhaps not, but that has nothing to do with whether we’re right or not. Thanks anyway for giving us some free publicity!
Nearly every competent security person I talk to about Jericho and de-perimeterisation gets it immediately.
What to do about it? Please remember that we’re a user organisation rather than a vendor organisation. I see our job as being to whinge when things are wrong rather than to develop the solution. The solution is a 10-year or 20-year project and Jericho can’t solve it on its own.
What Rich said… He is much more diplomatic, which is why I am becoming accustomed to letting him clean up my messes and leave everyone with a smile on their faces.
But alas, some of the perspectives need to be clarified. First of all @adrius42, who I presume is Adrian Seccombe, I don’t write stuff to be controversial. And amazingly enough, I’m that guy that actually believes what I write. I do believe that Jericho is largely irrelevant as a thought construct, and I think all of your considerable talents (yes, that means you @Paul Simmonds and @Andrew Yeomans) would be better suited by moving past Jericho and thinking more holistically about how to solve the problem of information-centric security. Sorry @Jim Hietala, I know you’ll end up holding the Open Group bag, but oh well. I just don’t think the concept of Jericho is viable, and yes that is my opinion.
Now to be clear, and something I stated in the post – Jericho did call out the fact that the perimeter was changing. It clearly didn’t change as much as they bet, and as a result ended up looking like Chicken Little for the most part, but now is the time to apply that kind of thought-leadership to how we protect the **data**, not just make sure our current applications use secure protocols and adhere to some kind of realistic trust model. Yes, those are incremental steps, but we don’t need groups of smart guys spending a lot of time evangelizing incremental steps.
We need a group of thought leaders to examine how we will get to the true concept of information-centric security. It’s about securing the fundamental element of data, regardless of where that data resides and how it is consumed. The so-called “inside out” approach, which I believe in.
It’s not about de-perimeterization or re-perimeterization or perimeters at all. The network clearly cannot provide all the protection one needs, nor have we ever said that. In the emerging (5-7 years) cloud based reality, we don’t know where the data is, we don’t know how it will be consumed, and we certainly can’t assume what computing platforms will be in play. The Cloud Security Alliance, assisted by the politically correct Mr. Mogull and a lot of other smart guys, are doing good work to illustrate the problems.
But it’s about more than just protecting data stored in the cloud. I think we all realize that. And to highlight your point Andrew, we guys at Securosis are happy to help drive this thought leadership and brainstorm some architectural constructs for how this new world order will look. I just don’t think it’s interesting to undertake such an effort under the auspices of Jericho.
The good news is that some guys have a bit of experience in positioning big ideas for broad market consumption without alienating lots of folks in the process. More good news is that we can look to the early days of Jericho for valuable lessons in what not to do relative to driving ideas that will be uncomfortable for a lot of folks.
Although it would be fun to debate (I’m always up for an intellectual scrap), I think it would be much more productive to brainstorm. If that’s of interest, we can work on getting something set up. You know where to find us.
Adrius42 (Adrian?),
Mike is out so I’ll drop a quick response and I know he plans on responding as well since it’s his post.
For myself I’ve read nearly everything you have published, and if you are the Adrian I think you might be we’ve talked in person and shared the stage for at least one event.
None of us here believes that firewall-centric security is the answer. If you read our content, as we’ve read yours, that will be clear. The issue is how Jericho communicates that, and the lack of specifics that the industry craves. We’ve been writing about specific architectures to implement information-centric security and about secure application development and collaboration for years.
Deperimeterization is simply a silly term – this is about collapsing and moving perimeters, and using “de” demeans what I think is your goal and creates a bunch of confusion. By clinging to branding and not providing specifics, such as implementable reference architectures and real world use cases, you are hurting your own positions. My personal criticisms of Jericho have always been around the terminology and lack of details issues. I won’t argue that the traditional concept of a perimeter is long dead, but neither will any serious security folks.
In terms of identity that’s one interesting perimeter, but realistically the OS/VM and Data are where they are really collapsing to, with Identity being a key component to properly associate security controls on those perimeters.
Don’t assume that because we criticize you that we believe in stale security mantras. Read our stuff, we read yours. To be honest, we’ve published far more practical guidance on actually implementing for this new world than Jericho, and I for one really wish you would step a level down to provide users the guidance they crave. You could do a heck of a lot of good, and have the right people and thinking, to pull that off.