Jericho Forum: Visionaries with a visibility problem

After initial buzz around 'de-perimeterization', group struggles to gain influence

Now in its fourth year, the Jericho Forum has held the course in its role as a user forum advocating security alternatives to the perimeter firewall, arguing for its vision of "de-perimeterization" in an Internet-connected world of e-commerce and business collaboration. The group has grown in membership and is gaining credibility, but it still manages to irk some critics who claim it's achieving little with its rhetoric.

The Jericho Forum, a group created in 2004 by IT security managers convinced that firewalls and other perimeter gateways had become a hindrance to e-commerce, made quite a splash with its rallying cry of "de-perimeterization."

The group coined the term to describe how traditional network boundaries are disappearing in favor of complex online interrelationships that require more innovative security approaches.

The Jericho Forum's controversial views were greeted by some as radical, while others found its message befuddling or quixotic. And not much has changed over the past four years.

The group's de-perimeterization message is still controversial, given how ensconced the firewall is in virtually all enterprise networks. But outside of the small world of IT security cognoscenti, the Jericho Forum hasn't exactly become a household name. Many in the end user community and in vendor circles say they've never heard of the Jericho Forum. And membership has grown very slowly, consisting today of about 60 members.

The group's impact on the larger world of enterprise security is debatable. Some say it's had no impact at all; others say it has triggered an important conversation about the best way to secure enterprise networks.

"We've actually got the industry talking about how we're getting de-perimeterized," argues Jericho Forum board member Paul Simmonds, who recently joined pharmaceutical firm AstraZeneca as its integrated assurance director after a stint as chief information security officer at ICI, a chemicals firm.

"Jericho never said the firewall is dead," explains Simmonds, an affable Brit who has become, along with colleagues Adrian Seccombe of Eli Lilly & Co. and John Meakin of Standard Chartered Bank, the most visible chief security officers to speak out about the disappearing perimeter.

"The firewall isn't doing you much good anymore. The border firewall is obsolete or in a period of transformation. The firewall will morph into more of a protocol-based firewall or an identity-based firewall," Simmonds adds.

But after four years of public events at security shows such as RSA as well as the publication of numerous white papers, blueprints, commandments and other documents, the group is still regarded in some quarters as obscure, irrelevant, or even quirky.

"They haven't captured the imagination of the software world," says Dick Mackey, vice president at consultancy SystemExperts. "Is Jericho Forum having an impact outside its own borders? Not yet."

"A vision of the future that assumes everything can protect itself is great if that future ever happens — but until then, network security will generally lead the way," says Gartner analyst John Pescatore, adding Jericho Forum doesn't appear to have had a major impact on anything over the course of its existence.

And sometimes the rules that influential standards groups come up with seem to work against the principles espoused by the Jericho Forum.

For example, the first rule that companies must follow to comply with the Payment Card Industry Security Standards Council's standards is that they must have a firewall.

And the PCI Council's general manager, Bob Russo, said in a recent interview that he'd never even heard of the Jericho Forum. He added that if he understood their objections to firewalls and what alternatives there might be, the Council might consider changing the firewall rule.

Simmonds acknowledges one of the biggest problems the Jericho Forum faces is "oddball regulations" that run counter to Jericho Forum's vision of what progress would be.

But even more disconcerting is the fact that the group, in some cases, isn't having much of an impact among some of its own members.

John Bratkovics, global head of networks, voice and collaboration for Europe-based investment firm Dresdner Kleinwort, a Jericho Forum member, says he's vaguely aware of Jericho, but he's not directly involved with it, as it remains in an area managed by others.

That's not to say the Jericho Forum isn't gaining some traction. It does have 60 dues-paying members, two-thirds of whom are end users. The rest are vendors, including major players such as Symantec and Electronic Data Systems.

Plus, representatives from Microsoft, Oracle and Juniper, among others, routinely show up at the group's monthly meetings in places such as London, New York and San Francisco. Sometimes they're given an audience to discuss their product development; sometimes they just listen, trying to get a bead on what the Jericho Forum really wants.

This isn't necessarily easy, as the group elaborates its vision at a pretty abstract level. The latest Jericho publication is a position paper titled "Collaboration-Oriented Architectures" (COA), authored primarily by Seccombe.

The document describes an online contract-management repository of the future that includes a "reputation repository" that can record a user's actions and compare them with applicable contracts and be audited.

Seccombe, who discussed the COA framework last April in San Francisco as it was first published, said that although COA doesn't exist today as embodied in IT products, there are many companies, including Eli Lilly, which need COA-like software systems to efficiently manage the multitude of collaborative relationships among customers, manufacturers and in outsourcing. Simmonds says Jericho plans more on COA this fall.

"Generally speaking, they're doing a good job in explaining how the network looks today and how it can look in the future," says Juniper's director of product management, Brian Lazear, who attended a Jericho Forum meeting earlier this year. "They're trying to create nimbleness in the network."

But Lazear acknowledges that "it's difficult to have the access control and support the goals you want without the legacy firewall," adding that Juniper's strategy today centers around its Unified Access Control technologies based on the Trusted Computing Group's open standards for network-access control.

Success stories

A few vendors, though, say they get the message from Jericho Forum loud and clear. Start-up Rohati Systems and Palo Alto Networks have introduced security products directly inspired by the Jericho Forum's foundational ideas.

Kurt Plowman, CTO for the Staunton City, Va., municipal government, has never heard of the word "de-perimeterization." But his views about the traditional firewall mirror those of the Jericho Forum, which he also hasn't heard of.

"The complexity of the network has grown over the last 10 years, and I haven't seen the firewall manufacturers make that change," says Plowman, who said this past spring he investigated the firewall choices out there and was disappointed. "I don't care about ports, I care about applications."

Plowman is working on a shared-network project and Internet access with the local school system that involves phasing out older firewalls. He decided to buy security control gear from Palo Alto Networks, which blocks and monitors entirely on the application level.

Rohati Systems, a Jericho Forum member, is convinced the firewall "is not capable of doing its job today from an access-control perspective," says Rohati President and CEO Shane Buckley. Rohati's product also focuses on application use and is designed for application-layer (Layer 7) entitlements management.

Some security consultants say the Jericho Forum is playing an important role by seeking to bring together end users and vendors to articulate a vision for security in a world where de-perimeterization is not just a concept but a reality. Jericho Forum provides a place where that discussion can occur among CSOs and IT managers who may not otherwise have a way to do that.

"Businesses are being extended into each other," says Rena Mears, who leads the security and privacy services group at Deloitte LLP. "They're becoming integrated with each other. This is a group of people starting to talk about strategies around data protection for that."

"De-perimeterization is not a recommendation, it's the identification of a problem, a problem that needs to be solved," said Burton Group analyst Dan Blum, who attended the Jericho Forum's July meeting in London where the COA concept was discussed.

Blum said the Jericho Forum is still perceived by some as "advocating organizations just tear down their firewalls." But that's not the basic message at all, he notes.

Still, the Jericho Forum has a visibility problem and needs to "make sure they're received positively, constructively and not negatively." Blum adds that their core concepts, such as COA, are coming to fruition and industry should be more involved. "The COA vision contains good guidelines and principles for organizations to use," Blum says.

Even among those who haven't heard about Jericho Forum, the de-perimeterization concept sometimes holds quick appeal.

"I have to agree that the firewall is not as useful as it used to be," says Lou Jackson, IT manager for accounting firm Considine & Considine in San Diego. "I haven't heard of Jericho Forum, but I'd like to think they're pulling together something more robust than what we have today."

Copyright © 2008 IDG Communications, Inc.
