It is some years since the Jericho Forum published its ‘Commandments’ on how to plan for a de‐perimeterized future digital business environment. The most recent version 1.2 was published in May 2007. The conclusion of that document included the following words:
“De‐perimeterization has happened, is happening, and is inevitable; central protection is decreasing in effectiveness: It will happen in your corporate lifetime.Therefore, you need to plan for it and should have a roadmap of how to get there.”
Now in 2016 we see a world where nothing could be a more accurate description of what is now known as ‘cyberspace’, and the popular buzzword of the time is ‘cybersecurity’, meaning securing the digital business world against all types of cyber threats. Have we, as an industry, really developed a roadmap of how to deal with pervasive de‐perimeterisation? The Attributer thinks not.
We have a tendency to get stuck with our methods of securing systems, with no real innovation to keep up with the innovations on the applications front. The mobile business world of smart phones and tablets, the deep service‐oriented supply chains, and the Internet of Things are examples of how technological innovation has surged in terms of applications, but we are still tinkering around with the same old security technologies, trying to make them work in this totally altered world. Not surprisingly it isn’t working very well. We still have a system‐centric mind‐set for securing ‘the box’ and ‘the wire’, whatever the box might now look like and despite the fact that in a cloud‐based world the idea of a wire with identifiable endpoints is nonsense.
SABSA does have a roadmap for the future, although it has gained little traction so far. In 2010 a SABSA paper published at COSAC was entitled “SABSA Trust, Security and Risk Management in Cloud Computing” in which the basic concepts of data‐centric security (as opposed to system‐centric security) were set out. In 2012 this was followed by a full day workshop at COSAC called “Securing the IT Spring” in which the concepts of the future of security architecture were presented, including a mixture of system‐centricity, data‐centricity and people‐centricity (anyone, any time, any place), together with the concept of a global network of trust brokerage to provide trusted execution platforms for remote processing in the cloud. These presentations also outlined how these concepts can be implemented using SABSA Business Attributes Profiles to build secure data wrappers called Assurance Policies.
Layered data encryption, data, source and destination authentication, together with key management, are the mechanisms for ensuring that only trusted platforms can be used to execute the applications to transform the data, securing both the mobile data and the transformations that can be performed on it, deep in the digital services supply chain. By layering the cryptography with different keys, different service providers can be used to carry out different operations on the data, before it is returned to the owner. This enables a deep digital supply chain with multiple layered service providers/suppliers. Many people have an impression that when they take a cloud solution it is with a single supplier, but as often as not it is just a portal with multiple services layered behind it. The technology alone is not sufficient to provide a secure solution – a network of trusted brokers and legal contracts is needed to secure the entire supply chain.
The SABSA Business Attributes Profile is the key tool for expressing the Assurance Policies that need to be bound tightly to the data as it travels in cyberspace. Further research and development is being applied to develop an interpretive language that can be used to both write and read these Assurance Policies in the form of metadata wrappers for the data itself. By using a machine‐readable language to express the SABSA Business Attributes Profile, automation will be enabled. Only by this type of innovation shall we move on into using technologies that truly support modern cybersecurity.