Sun: Security is a Lifestyle Choice

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Sun Microsystems used the opening day activities of the RSA Conference 2004 in San Francisco to announce the launch of a sweeping security initiative to include all its software products, officials said Tuesday.

First to get the security treatment — which ties together authentication, identity management and risk management — is the Santa Clara, Calif., company’s Java Desktop System, an operating system officials hope computer user’s will consider as an alternative to the security-challenged Windows OS.

The Java Card is Sun’s authentication technology powering its new security strategy, allowing users comprehensive protection working behind the scenes.

“Security is a lifestyle, not an afterthought — it should be integrated, invisible and infinite,” Jonathan Schwartz, Sun executive vice president of software, said in a statement.

With Internet access finding its way into more devices, Sun
officials said security efforts need to break out of the PC-centric model. PDAs, cell phones and laptops all use the Internet to connect to personal information and as such need to have the same level of protection as desktops.

The Java Card is actually a reversal of the normal trend; it is deployed today in more than 500 million smart cards and mobile phones.

Out-of-the-box support for the Java Desktop System is the first in a planned rollout that will include all of Sun’s software products. With the card, users (and particularly network administrators) will be able to guarantee
the device, the people and the content sent from the desktop or mobile.

To accomplish this, Sun security developers looked at three areas to
concentrate their efforts: authentication, ID management and risk
management. Like many new systems rolling out in recent times, role-based
identity management plays a key part in strategy, with the network
partitioned to minimize damage in the case of a breach.

Sun has had an answer to two of the three “architectural pillars” officials say is necessary for infinite and invisible security — risk management and authentication.

The third, identity management is made possible from a key
acquisition by the company in November 2003 of Waveset Technologies. That company’s ID provisioning manager, password manager and identity broker provide were incorporated with Sun’s own meta directory server and identity server to build up the Java Card technology.

Steve Borcich, executive director of security marketing, told
internetnews.com companies are looking for security that works in a heterogeneous environment and encompasses all network users, from the employees to customers visiting the site to make purchases.

What’s more, that security needs to work in conjunction with the security at other companies.

“In today’s world, you have a lot of segregated islands of rights and
privileges, so you might have an account at American Airlines, and another at Bank of America,” he said. “You need to be able to set up and manage user rights and privileges across multiple applications and into targets for multiple systems.”

Working to get security to work across corporate lines involves cooperation among business entities. To do that, Sun has been working for years to bolster support for Project Liberty, an open source organization it founded to bring standardize identification management throughout the business world, called federated network identity .

In November 2003, the organization entered phase two of its ID management program, which expands on identification within the company (phase one) by creating templates to use in a Web services environment. When adopted, users can log into the network, any network, from a variety of places, not just the workstation — mobile phones, PDAs and even Internet kiosks — and switch to other networks using one authentication scheme.

One immediate benefit to identity management at the company is the launch Tuesday of Waveset’s (now Sun Identity Manager) adaptors for use in a variety of software by application vendors like IBM, BEA Systems, PeopleSoft, SAP and Linux.

Like the Java Desktop System, Sun’s main target, however, is Microsoft. According to officials, Sun is offering a Microsoft adaptor for “a sharply reduced license fee.”

A key element to authentication is making sure the user signing on to the network is really who they say they are. Working with OASIS, Sun is trying to boost recognition of public key infrastructure , or digital certificates, through a joint initiative. The PKI Action Plan is targeted
at IT staffs that don’t use the technology or don’t use it correctly; with the proper knowledge, which the organization will provide, officials expect PKI usage to increase.

The OASIS PKI committee conducted a survey recently and found five areas that most hinder PKI support: poor or missing support in software applications, high costs, poor understanding of PKI among senior managers and end users, interoperability problems, and lack of focus on business needs.

The action plan proposes the following:

Develop application guidelines for PKI use.
Provide conformance test suites, interoperability tests and testing
events for document signing, secure e-mail and e-commerce.
Ask vendors who develop document signing, secure e-mail and e-commerce
software what they need to provide better PKI support.
Educational materials that spell out the benefits, return on investment
(ROI) and risk management effects of PKI.
Discounting PKI function tests to allow companies to conduct pilot
programs.

“The committee believes that the security benefits provided by PKI can become more widely available with our proposed plan for addressing the current obstacles to deployment,” said John Sabo, PKI committee co-chair, in a statement. “We believe that following through on this action plan, which incorporates input from PKI experts and adopters, can greatly benefit those implementing emerging Web and e-business standards.”

Are large vendors such as Sun Microsystems and Microsoft really interested in improving security or is it all just marketing? Tell us what you think in our IT Management Forum.