There's a biblical story about a walled city called Jericho. In the story, the walled city was under siege, and the folks who wanted in blew their horns for seven days and then the walls all fell down.

The Open Group has an initiative based on this story, called Jericho Security, which is based on the premise of security without walls. This is at odds with most current concepts of security, and yet it appears almost vital to the concepts Web 2.0 espouses such as collaboration, open discussions, and the free flow of information.

The conventional approach to security has been and to a certain extent remains one of putting up walls around things - organizations, servers, etc. Even the concepts and terms we use have a militarist bearing - firewalls, demilitarized zones - that connotes borders and maintaining integrity.

But the old saw about generals always being ready to fight the last war may also be apropos here. We're not fighting an external enemy in many cases - a good number of costly security breaches have been internal. There are no clear battle lines, no solid borders in today's corporations, just a mesh of various individuals and ecosystems working together.

Web 2.0 and social networking have further compounded the issue. I've had numerous conversations with organizations recently regarding the adoption of social computing and other Web 2.0 technologies. One uniform response from the corporate world is that blogs are bad. Whether it's with respect to legal, regulatory, or privacy issues, invariably someone has decided that blogs are the latest incarnation of the Wild Wild West. Some big bad blogger is going to come along and say something so dreadful that it will cause massive disruption to the business and drive it into bankruptcy.

Never mind that we've all dealt with an electronic document mechanism for close to 20 years that serves as a model of how to deal with this challenge - it's called e-mail. Policy, practice, and governance have been put in place to deal with the same challenges over the years and solutions exist.

Security has become a larger challenge - not only must we address the issue of protecting data at the source, we also must be able to address legislated concerns about communications and free expression. It's become inexorably linked to social and governance issues such as HIPPA, Sarbanes-Oxley, and PCI. In this context, the concept of putting a wall around the organization becomes increasingly irrelevant. Security can't be at the edge; it has to be part of the data, an integral part. And the definition of data, which in most cases means structured data in a database, has to undergo a rapid transformation. Data is not in the database anymore; it's everywhere.

Recent data theft disclosures drive this point home. I suffered some credit card fraud recently. When I looked into the organizations I had credit with, it startled me that there were multiple incursions at different companies in which my identity may have been compromised. It frightens me that instead of possibly identifying where the breach had occurred, what I saw was a pattern of breaches throughout the industry. Yet all of these organizations have firewalls and IT security groups. Obviously that's not really helping to solve the problem. Since many of the breaches in security have occurred within the firewall, it's clear to me that security at the perimeter is not the answer to our problems. Without protection of the data, at the source, secured so that internal theft is pointless, we're all at risk.

The plus side to all this is that once data is secure in this manner, the concepts of a wall around our organizations - you know, the one IT clamps down that prevents you from visiting Facebook or using instant messaging and generally interferes with you operating as efficiently at work as you do at home - vanishes. Then, finally, the walls can come down.