{"id":37886,"date":"2020-10-28T16:00:03","date_gmt":"2020-10-28T16:00:03","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=92139"},"modified":"2020-10-28T16:00:03","modified_gmt":"2020-10-28T16:00:03","slug":"back-to-the-future-what-the-jericho-forum-taught-us-about-modern-security","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/back-to-the-future-what-the-jericho-forum-taught-us-about-modern-security\/","title":{"rendered":"Back to the future: What the Jericho Forum taught us about modern security"},"content":{"rendered":"

Some of the earliest formal work on what we now call Zero Trust started around in a security consortium known as the Jericho Forum (which later merged into The Open Group Security Forum<\/a>). This started as a group of like-minded CISOs wrestling with the limitations of the dominant and unquestioned philosophy of securing all resources by putting them on a \u2018secure\u2019 network behind a security perimeter.<\/p>\n

The Jericho Forum promoted a new concept of security called de-perimeterisation that focused on how to protect enterprise data flowing in and out of your enterprise network boundary instead of striving to convince users and the business to keep it on the corporate network. This shift to \u201csecure assets where they are\u201d proved quite prophetic, especially when you consider that the original iPhone didn\u2019t release until 2007 (which triggered the sea change of user preferences shaping enterprise technology decisions that is now just normal).<\/p>\n

\n

One CISO: Our network has become a mini-internet<\/h3>\n

A lot has changed since the days when we knew exactly what is on our network. A CISO of a multinational organization once remarked that its corporate network has become a miniature internet. With hundreds of thousands of devices connected at all hours including many unmanaged devices, the network has lost its ability to create trust for the devices on it. While network controls still have a place in a security strategy, they are no longer the foundation upon which we can build the assurances we need to protect business assets.<\/p>\n<\/blockquote>\n

In this blog, we will examine how these concepts (captured succinctly in the Jericho\u00ae Forum Commandments<\/a>) have helped shape what has become Zero Trust today, including Microsoft\u2019s Zero Trust<\/a> vision and technology.<\/p>\n

Accepting de-perimeterisation frees security architects and defenders to re-think their approach to securing data. Securing data where it is (vs. artificially confining it to a network) also naturally more aligned to the business and enables the business to securely operate.<\/p>\n

<\/p>\n

Blocking is a blunt instrument<\/h2>\n

While security folks love the idea of keeping an organization safe by blocking every risk, the real world needs flexible solutions to gracefully handle the grey areas and nuances.<\/p>\n

The classic approach of applying security exclusively at the network level limits what context security sees (e.g. what the user\/application trying to do at this moment) and usually limits the response options to only blocking or allowing.<\/p>\n

This is comparable to a parent filtering content for their children by blocking specific TV channels or entire sites like YouTube. Just like blocking sites in security, the rough grain blocking causes issues when kids need YouTube to do their online classes or find websites and other TV channels with inappropriate content.<\/p>\n

We have found that it\u2019s better to offer users a safe path to be productive rather than just blocking a connection or issuing an \u201caccess denied.\u201d Microsoft has invested heavily in zero trust to address both the usability and security needs in this grey area<\/p>\n