Sometimes it’s not even worth the effort.
I suppose Jericho’s goals are admirable, but I can’t help but feel that they’re stating the blindingly obvious and doing a piss poor job of it. For those of you not familiar with Jericho, take a quick gander over here. Basically, they’ve been advocating “de-perimeterization”: pushing people into new security architectures and dropping their firewalls (yes, they really said to trash the firewall if you go back and look at some of their original press releases).
These days they have a marginally better platform (speaking platform, not technology), and aren’t running around telling people to shut off firewalls quite as much. I’ll let them describe their position:
The group admits ‘deperimeterisation’ isn’t the most catchy phrase to explain multiple-level security, but Simmonds calls it an “overarching phrase” that “covers everything”. So what is it? According to the Jericho Forum, it is a concept that describes protecting an enterprise’s systems and data on multiple levels using a pick’n’mix of encryption, inherently secure computer protocols and data-level authentication. At the same time, it enables the free flow of secure data wherever and whenever it is needed, in whatever medium and between dissimilar organisations — such as banks and oil companies, for example. This kicks against the notion of security via a network boundary to the internet.
Or as Hoff restates:
Your perimeter *is* full of holes so what we need to do is fix the problems, not the symptoms. That is the message.
Chris sometimes refers to a particular colleague of ours as Captain Obvious. I guess he didn’t want Richard to be lonely.
Of course the perimeter is full of holes; I haven’t met a security professional who thinks otherwise. Of course our software generally sucks and we need secure platforms and protocols. But come on guys, making up new terms and freaking out over firewalls isn’t doing you any good. Anyone still think the network boundary is all you need? What? No hands? Just the “special” kid in back? Okay, good, we can move on now.
How about this: focus on one issue and stay on message. I formally submit “buy secure stuff” as a really good one to keep us busy for a while. You have some big companies on board and could use some serious pressure to kick those market forces into gear.