Accelerate Without Fear
Why do cars have brakes? Sun VP Sara Gates offers a contrarian point of view.
Story by Al Riske. Photography by Howard Friedenberg.
19.Dec.05 -- Most companies recognize the need for identity management. Running a business without it would be like driving a car without brakes. Dangerous. But Sara Gates makes a more thought-provoking case for the software Sun sells.
"I start by asking the question, 'Why do cars have brakes?' Everyone says, 'So they can stop.' But the real reason cars have brakes is so they can go fast," she says. Gates, VP of Identity Management for Sun, is well aware that companies around the world are concerned about securing their networks, and should be, but she contends there's a bigger threat. "The risk of not having effective identity management is that you won't have a good security infrastructure and won't be able to move as fast as your competitors," Gates says. "If you can't control who has access to what, then it doesn't make sense for you, or for your shareholders, to push your online presence – though that's what you should be doing in terms of online purchasing and bringing your vendor and partner communities into your network." In short, Gates wants Sun's customers to be able to accelerate without fear. "The brakes on a race car are really quite different from the brakes on a family car. They're better equipped to manage the speed at which a race car travels," she says. "Businesses that go online need better brakes to manage the new challenges that come from participating online." In other words, she takes the contrarian view that security, often seen as simply another cost of doing business, is really a key business enabler. "It's not about lock it down anymore, it is becoming more about open it up, and security is what lets us do that," she says. "You have to have a view of security that says, 'I need these things in place so I have the appropriate level of risk, given my business and my growth pattern and how aggressively I'm trying to get out there.'"
Gates, who joined Sun two years ago when the company acquired Waveset Technologies, points out that Sun was among the first in the industry to assemble a comprehensive identity management suite. "Waveset's technology was the final piece missing from Sun's portfolio. Then we really built on that strength and have continued to innovate while a lot of competitors are still putting the basic suite together," she says.
"We have great technology in user provisioning, directory services, and federated identity, and the fact that Sun has been involved in creating the standards for the Liberty Alliance and Web single sign-on gives us a fantastic leadership position," she says. In fact, Sun's business in this space grew at five times the market growth rate in the past year, Gates points out. "Unfortunately, many executives think identity management is simply single sign-on for consumers. However, we're trying to educate them on its full potential and promise. Identity management is how you make security a part of your daily business in ways that help you unlock business value and make money," she says. "We're seeing customers, particularly in the wireless industry, use identity management to deliver highly personalized services to millions of devices and customers. They're taking identity management from just providing savings and cost-efficiencies to actually enabling new revenue-building services." High-profile Sun customers in this space include T-Mobile, General Motors, and General Electric, which is deploying the Sun Java System Identity Manager across all 11 business units and 450,000 users around the world. "Sun Java System Identity Manager gives us an exceptional platform for managing identity profiles and permissions, which enhances our overall enterprise security while allowing us to reduce operation costs," says Tom Sheffield, head of identity and access management at GE. Sheffield adds that the Sun solution "greatly reduces the time it takes to get users up and running productively, to change user access privileges, and to instantly and securely revoke accounts when their relationship with our company ends." The name of the game now is to automate as much of the process as possible, Gates says. A case in point is regulatory compliance. 
A key pain point for companies based in the United States, for example, is that corporate officers must now be able to say with certainty who has access to various company applications and systems in order to ensure compliance with government mandates such as the Sarbanes-Oxley Act of 2002. But Gates believes that those who focus on just "getting to compliance" are being shortsighted. "You have to look beyond meeting requirements today to achieving sustainable compliance," she says. "One of the companies I talked to recently went through their first Sarbanes-Oxley audit and it took them 50 man/months to figure out what their violations were on their 35 business-critical applications. Fifty man/months on one audit. This is not Y2K. This is something they'll have to do regularly from now on."
Up until now most of the "compliance spend" has been on advisory services. "Now they've figured out what they need to do, but it's all manual," Gates says. "The question going forward will be: 'What are the technologies that will let me sustain compliance?'" The good news, she adds, is that Sun already has solutions to help them automate much of the process. But the bigger mandate is giving customers the ability, and the confidence, to drive their businesses more aggressively. Fear of computer viruses, fear of malicious spyware, and fear of identity theft are widespread and damaging to society, Gates says, because those fears inhibit participation and economic growth. "Fortunately, there are some very tactical ways -- using technology, using virtualization, using encryption, using identity management -- that we can very aggressively remove some of the risk," she says. "One reason identity theft is such a problem is that you can go find a person's name and social security number if you hack into any of thousands of databases -- from the person's alma mater, credit card company, insurance company. You could find enough information that you could effectively become that person. But what if we could -- and I believe we can, using Sun technology -- completely eradicate the use of social security numbers as a primary means of identifying people? What if we could use technology to go find everywhere you have this nine-digit number, with or without dashes, and take it out?" After all, only the U.S. Social Security Administration really needs your social security number.
"We have, in one of the identity products, the ability to randomly generate a number, so your number could be 123A7 and that would be your health-care number, for example -- a number that will never be used again, is always associated with you, and is nowhere tied to your social security number. The number is meaningless, except to your healthcare provider. Then if there's an employee who's getting access and selling the data, or a hacker breaking into the database, all they're going to get is 123A7," Gates says. You can't apply for a credit card or a mortgage with a meaningless, randomly generated number, she notes. "So that's one area that's ripe with opportunity. But the reason identity management is gaining so much attention and growing so fast is that it helps you control who has access to what, limit your risk, and to some degree be the brakes on the car. It can help you get rid of social security numbers and secure yourself against identity theft and that risk," Gates says. "At the same time, it gives you the ability to provide access to your network very quickly as a competitive advantage. It also provides for a better user experience and helps maintain customer loyalty. So it helps on both the security side and the growth side." In other words, identity management is the brake you need to accelerate without fear.