Founded almost a decade ago by a group of international chief information security officers (CISOs) grappling with the seemingly diametrically opposed demands for both a more collaborative and more secure IT environment, the Open Group Jericho Forum has unveiled a set of identity commandments focusing on the fundamental design issues surrounding identity management and the access to systems, services and data. The forum, which focuses on defining and promoting solutions relating to the issue of de-perimeterization and secure collaboration within cloud computing enterprise environments, has published the Identity, Entitlement and Access Management Commandments, or IdEA, a set of 14 open and interoperable principles that IT professionals can use to build a user-centric security framework within their organizations.
According to a new Ponemon Institute survey, the cost of U.S. data breaches continues to rise, reaching an average cost of $7.2 million in 2010, up 7% from $6.8 million the previous year. The cost has increased every year since the first survey was released in 2006.
The two big issues driving this segment are how you protect data that you own but don't manage (for example, data in the cloud) and how you understand all the things that are connected to you (identity), says Paul Simmonds, co-founder and board member of the Jericho Forum. While there are lots of really good things happening out there in protecting data, “identity is a mess,” he adds. “Identity is what is holding us up as an industry from making good risk-based decisions. So Jericho did what it did best--ignored the technology and took it up two levels, to what is the root level, and that's the principles.”
There is a fundamental problem with the traditional approach to identity and access management (IAM), says Simmonds. “It's wrong ... you have to separate identity and access management; what sits in the middle is entitlement.”
The other problem is the belief that bigger is better. “The days of big government databases are very flawed, and the concept it's going to scale doesn't work,” Simmonds says. What is relatively simple and secure with a 50- to 100-person company doesn't work when scaled up to 20,000 or 100,000 people, he says. “You have a whole bunch of people sitting there trying to glue this together with custom glue … it's very expensive and doesn't work.”