SAN FRANCISCO -- Systems that track the identities of users and provide access to information and services based on who they are could be the most essential requirement for securing businesses in the coming years, according to Sun Microsystems' chief security officer, who spoke at the company's SunNetwork user conference here Thursday.

In everyday life our most basic security mechanism is recognizing people, he said -- admitting to our home only those whose faces we are familiar with, for example. The same principle carries over to networked computing, especially with more and more users accessing data and applications remotely from outside of corporate firewalls, said Sun CSO Whitfield Diffie.

Such recognition is achieved through network identity and policy management products, combined with passwords, smart cards and digital certificates, all of which help to verify that users are who they say they are. But those technologies must be built into applications from the start, not as an afterthought as is often the case, Diffie said.

"In the past, security was really like insurance -- by buying a $100 lock for your front door you hoped to save $10,000 that might have been stolen if you hadn't," he said. "But it's evolving into a scenario where security is a part of the business plan from the very start."

Unsurprisingly, Diffie pitched as part of the solution the Sun ONE (Open Net Environment) Identity Server, which includes Sun's directory server for policy-based provisioning. He also announced two security additions to Sun's iForce offerings, which are integrated packages of hardware and software from Sun and its partners.

One of them addresses security at the perimeter of a network and includes software from Check Point Software Technologies Ltd., Symantec Corp., Trend Micro Inc. and others. The other addresses Web services security and includes products from PentaSafe Security Technologies Inc., Sanctum Inc. and Ubizen NV.

In addition, five other companies have certified products to work with Sun's network identity software, including Banyan Systems France, Business Layers Inc., Entrust Inc., Passlogix Inc. and Persistent Inc. Each company has integrated its security products with the Sun ONE Network Identity Platform, which includes various Sun hardware and software offerings.

"I think (Sun's) network identity program is the right vision," said Laura Koetzle, an analyst at Forrester Research Inc. "In most network environments today you've got islands of security -- one for SAP, one for (customer relationship management), one for the LAN. Sun is trying to divorce security from the application itself. (Network identity) allows them to ensure that applications with similar sensitivity have the same security. Generally today, that's not the case in most organizations -- security's all over the place."

Diffie also revealed that Sun will contribute work it has done with a technology called Elliptic Curve Cryptography (ECC) to the OpenSSL Project, an open-source implementation of the widely used Secure Sockets Layer protocol. ECC, which he said has been around for about a decade, uses complex algorithms to provide strong security with encryption keys that are as little as one-tenth as long as those required with other cryptography methods.

Shorter keys typically use less memory and other resources, which should enable stronger encryption for devices such as mobile phones and handheld computers, said Rama Moothy, product line manager for network and security products at Sun.

"Clearly, RSA is the primary choice in commercial applications as asymmetric algorithms go," she said. "We think this (ECC) has applications for mobile computing devices, handheld devices and so on."

Cryptography is not a core business for Sun, Koetzle said.

"They don't make cryptographic accelerators, they're not a PKI (Public Key Infrastructure) vendor, so there's not a huge value (for Sun) in the (ECC) asset," she said. "Licensing the technology to somebody is the right way to go, and licensing it to the OpenSSL project is a huge public relations boost for them in the open source community."

Licensing the technology should also help accelerate the commercial use of ECC, she said.

Taken together, the announcements clearly were designed to show that Sun makes security a top priority with its products.

"Sun's track record on security is generally very good," said Forrester's Koetzle, noting that each new version of Solaris has newly added security features.