It seems the Jericho Forum is at it again. I’m not sure what it is, but they are hitting the PR circuit talking about their latest document, a Self-Assessment Guide. Basically this is a list of “nasty” questions end users should ask vendors to understand if their products align with the Jericho Commandments.
If you go back and search on my (mostly hate) relationship with Jericho, you’ll see I’m not a fan. I thought the idea of de-perimeterization was silly when they introduced it, and almost everyone agreed with me. Obviously the perimeter was changing, but it clearly was not disappearing. Nor has it.
Jericho fell from view for a while and came back in 2006 with their commandments. Most of which are patently obvious. You don’t need Jericho to tell you that the “scope and level of protection should be specific and appropriate to the asset at risk.” Do you? Thankfully Jericho is there to tell us “security mechanisms must be pervasive, simple, scalable and easy to manage.” Calling Captain Obvious.
But back to this nasty questions guide, which is meant to isolate Jericho-friendly vendors. Now I get asking some technical questions of your vendors about trust models, protocol nuances, and interoperability. But shouldn’t you also ask about secure coding practices and application penetration tests? Which is a bigger risk to your environment: the lack of DRM within the system or an application that provides root to your entire virtualized datacenter?
So I’ve got a couple questions for the crowd:
- Do you buy into this de-perimeterization stuff? Have these concepts impacted your security architecture in any way over the past ten years?
- What about cloud computing? I guess that is the most relevant use case for Jericho’s constructs, but they don’t mention it at all in the self-assessment guide.
- Would a vendor filling out the Jericho self-assessment guide sway your technology buying decision in any way? Do you even ask these kinds of questions during procurement?
I guess it would be great to hear if I’m just shoveling dirt on something that is already pretty much dead. Not that I’m above that, but it’s also possible that I’m missing something.
13 Replies to “FireStarter: Nasty or Not, Jericho Is Irrelevant”
Having just read the RFI response from a major software vendor, whose marketing B***S*** manages to side-step all the questions designed to get to the bottom of “is this secure”, then the answer is YES, we do need the nasty questions.
More importantly, they may be obvious, but we as purchasers are not asking them, and the vendors are not volunteering the information (mainly because what they supply is inherently insecure).
And then we wonder why we are in the state we are in??
As with all good bloggers the best thing to do to get noticed is be controversial.
I am sitting here wondering if you really do believe what you typed or you just wanted to start the fire to get some “well deserved?” Blog Hits. After all that was the name of the piece.
Did you attend this year’s RSA? If you did then the widespread recognition for the underlying shift in thinking must have passed you by. The tide has quietly turned on you; while it used to be quite hip to bash Jericho Forum thinking as being the foolish dismantling of firewalls, which it never actually was… more folks are coming to realise that IT architectures that are designed from the outset to enable organisations to securely interact might just add economic value.
Have you read of the Jericho Forum’s Cloud Cube Model?
Which of the Jericho Forum Commandments do you disagree with?
Do you really believe that the only use case for architectures that enable collaboration and protect information when it is outside the “Corporate Walls” is the “Public Cloud”, whatever that is?!
Have you actually read the Jericho Forum Commandments?
The Jericho Forum is a group founded by a bunch of CISOs that are working to get across the need to change the mindset and have IT vendors of all stripes deliver products and services that “Enable Collaboration”, not stifle it. The group does not intend to design and build such new services, more to help the world understand the need for them.
After much thought, if you are not simply wanting to boost blog hits, I suspect you might be one of those that believe that the Network provides ALL the security anyone needs, in which case yes, Jericho Forum thinking will be a little hard for you to swallow. I am happy to discourse further.
The Jericho Forum is currently working on the concept of Identity (or more correctly Credentials) being the new Perimeter. Of course as always the Network will have a part to play, which is as a transport!
And yes I am a member of said group.
And I do believe in securing from the inside-out, rather than the outside-in.
The trouble with bolt-on security is that it can too easily be unbolted.
PS Having read your various blog posts I see you as a pragmatic security player, i.e. take what we have here and use it. The Jericho Forum takes a different approach: take what we have here and improve it.
Look forward to a more effective dialogue, what about on a Panel at RSA in London this year?
Mike, like you, I have spent a fair amount of my career on the vendor side of the industry, and I have seen a whole lot of aggressive marketing that distorts/misleads customers.
There’s just an almost complete void in the infosec industry of objective information about the design goals and actual effectiveness of various products.
IMHO, the industry needs MORE customer-driven initiatives (like the Jericho Self-Assessment Scheme) that attempt to assess or to make obvious the effectiveness of security technologies.
Arguing about the specific assessment questions and the effect/market impact of a program like this is a healthy thing.
Initiatives like this one that drive vendors to be more transparent to customers are a step forward.
Jim
Mike, I’m sure *you* don’t have to worry about that application that roots your datacentre, your firewall will surely stop it? 😉 Which states the problem in a nutshell, figuratively – one small crack and your kernel is exposed.
And data-centric protection is one way forward. If you already are doing it for those removable USB sticks and laptops, why not do it in the data centre too, and benefit from the depth of your defence? Then maybe that crack won’t expose your data.
Now many of the self-assessment questions may be obvious, but in my experience, the (honest) answers are not. We don’t often enough get manageable APIs that work as you grow. I’ve seen products that force you through “user friendly” drop-down lists, work nicely in the demo but fail for 6,000 servers. Products that force you to trace network packets as they don’t document what protocols are required. That still use protocols such as FTP as “everyone supports it”. And so on…
The Jericho Forum Self-Assessment Scheme clearly isn’t a complete set of questions. It doesn’t explicitly cover coding practices and testing, but does ask whether devices can survive in a hostile network – which implies penetration testing with fuzzing. But it does concentrate on the need for security by design, not afterthought. We hope to raise the product procurement level to “adequate”, at least.
I’d genuinely love to see *your* list of nasty questions to vendors. You have some in “The Pragmatic CSO”, and Project Quant is doing great work to help validate the answers and show the value of different approaches with its metrics. It will be great if we can all work together to help improve security products. Even if you don’t like de-perimeterisation!
An area I didn’t see above is the direct customer-vendor interaction and influence jericho provides (or at least used to). At msft in 03-04, I saw jericho provide a voice and bullhorn to challenge and encourage vendors to advance security and management. I didn’t see silliness to pull the perimeter. I did see norms being challenged and a group asking vendors to think harder about solutions across IPSec, federation, QoS, NAC, DRM, etc.
I hope to re-engage someday when I can. Active participation is much more powerful than content generation. To another experienced security pro, how much of your content could be labeled from “captain obvious?”
Re: self-assessment. It doesn’t look to have legs however what harm can come from more customer-vendor dialogue? I think it would be pretty cool to have a customer ask me to respond. I plan to do preemptively anyway.
@dre – the point wasn’t that JF’s piece wasn’t interesting because it didn’t mention cloud amongst other buzzword soup. More to the point that public cloud is pretty much the only use case where de-perimeterization holds water.
Agree with @armorguy about the reality that private cloud doesn’t involve a vanishing perimeter, unless your network architects suck.
And most of the initial comments validate my point, which is that Jericho has become irrelevant. Yes, they were early on talking about the fact that data will not be restricted to our own little walled gardens forever. Good for them. But crap, Peter Tippett of TruSecure (now Verizon Business) was talking about the “disappearing perimeter” in 2003.
I pretty much agree with your (Mike’s) take on the Jericho Forum’s relevance, but it’s worth knowing what they’re up to since on rare occasions one will run into a true believer. When that happens, having some background on JF’s latest push is useful in helping guide the conversation back to reality.
Bob
1. My take-away from Jericho Forum has been more an understanding of shifting focus to securing data and transactions than it has been on the whole deperimeterization mantra. Yes, the perimeter still exists, but it’s also generally Swiss cheese. So what do you do to secure data and transactions for traffic that comes through those holes? It’s almost like that data-centric notion some other analyst guy around here has been known to talk about a lot. 😉
2. & 3. Who really cares about the self-assessment? Does Jericho Forum have enough standing and influence in the industry to prevent all but a few zealots from completely ignoring this thing? Seriously doubtful…
1. I think more in terms of “re”-perimeterization than “de”-perimeterization. It’s playing into our planning, but more from a “the bad guys can get through the layers, how do we detect/respond” than a “Yay, turn the firewall off!”.
2. I think we need to define what cloud is before we start talking perimeters. If we’re talking *aaS then, yeah – the Jericho ideas work pretty well. If we’re talking “private cloud” then not any more than legacy architectures we already have in place.
3. It might help give me a fuzzy that the vendor is thinking about it but it’s not going to get any major weight during RFP…
Besides Amazon’s virtual private cloud, what other perimeterized public cloud solutions are there?
And really, Mike, does one NEED to spin a document full of buzzwords like “cloud computing” in order to be relevant or on-target?
There are other more interesting cloud security assessment projects, but I think that JerichoForum definitely got the ball rolling a few years ago. They at least deserve some credit for “first post”.