More Jericho?

Yep. Can’t let Hoff go without a retort, not after this.

I’d like to quote my last post for a moment:

I suppose Jericho”s goals are admirable, but I can”t help but feel that they”re stating the blindingly obvious and doing a piss poor job of it. For those of you not familiar with Jericho, take a quick gander over here. Basically, they”ve been advocating “de-perimeterization”; pushing people into new security architectures and dropping their firewalls (yes, they really said to trash the firewall if you go back and look at some of their original press releases).

Now Hoff’s criticism of said post:

The Mogull decides that rather than contribute meaningful dialog to discuss the meat of the topic at hand, he would rather contribute to the FUD regarding the messaging of the Jericho Forum that I was actually trying to wade through. … I spent my time in my last post suggesting that the Jericho Forum’s message is NOT that one should toss away their firewall. I spent my time suggesting that rather reacting to the oft-quoted and emotionally flammable marketing and messaging, folks should actually read their 10 Commandments as a framework.

Quick reminder that the platform really used to be about getting rid of the perimeter. I’m a huge data security wonk, and even I think we’ll always need a perimeter, while also building better controls into the data. If you want to look, this is one of their better early presentations. It’s not too bad. But I’m an open minded guy, so I’ll drop the past and move into the present.

Let’s look at the 10 commandments (Chris, I’m stealing your image to save typing time):

200709182154 1. Agree. Security 101. 2. Agree, common sense. 3. Agree, seems obvious. 4. Agree, in an ideal world, we can get better and should strive towards it but not rely on it. 5. Agree, any company with a laptop is implementing this already.

200709182158 6. Agree, designed a model for this back in 2002 (I’m not sure I can share it, need to check with my former employer). 7. Agree, was part of that model, and we’re already seeing some of this today. 8. Agree, see federated identity. Nothing new. 9. Agree, this could be interesting but I think it needs a lot more development. 10. Agree, but again, pretty basic. 11. Agree, no one would disagree.

Chris, this messaging needs more refinement and a lot more meat. A lot of it isn’t revolutionary, yet much of the Jericho press coverage is sensationalistic and impedes their ability to get the message to the audience. They’ve built up so much baggage that they need to really work on the messaging. Quotes like this one don’t help the cause:

The group admits “deperimeterisation” isn”t the most catchy phrase to explain multiple-level security, but Simmonds calls it an “overarching phrase” that “covers everything”. So what is it? According to the Jericho Forum, it is a concept that describes protecting an enterprise”s systems and data on multiple levels using a pick”n”mix of encryption, inherently secure computer protocols and data-level authentication. At the same time, it enables the free flow of secure data wherever and whenever it is needed, in whatever medium and between dissimilar organisations — such as banks and oil companies, for example. This kicks against the notion of security via a network boundary to the internet.

You asked me to:

Repeat after me: THIS IS A FRAMEWORK and provides guidance and a rational, strategic approach to Enterprise Architecture and how security should be baked in. Please read this without the FUDtastic taint:

It isn’t the FUD in the framework that’s the problem. It’s the FUD in the press quotes, and the lack of meat in the guiding principles (the commandments aren’t really a framework).

I’m happy to retract my suggestion to focus on using market forces to pressure vendors. Better yet, I’m happy to contribute to the dialog. I’ve been doing it for years, and intend to keep doing it. Take a look at my Data Security Hierarchy (which is now dated and I’m working on a new framework which is much more specific). Also look at Dynamic Trust if you can find it at Gartner (again, can’t release material I don’t own).

… Spend a little time with Dr. John Meakin, Andrew Yeomans, Stephen Bo er, Nick Bleech, etc. and stop being so bloody American 😉 These guys practice what they preach and as I found out, have been for some time.

I’m happy to. I’m happy to spend as many hours as they’d like talking about specific models and frameworks for improving security and protecting data. You set up the meetings and I’ll be there. Data security is here today, but harder than it should be, with some big clients out there implementing the right models we can make life easier for the rest of the world.

But I disagree that they’ve refined the messaging enough yet. Too much obviousness; not enough specifics to back the really cool ideas; way too much FUD still in the press. That’s basic communications, and it needs work.

I’m happy to help. You know where I am. Just shine your Stupendous Signal into the clouds and I’m on my way.