Making Security Simple
The Goal: Validating Entire Architectures with a Single Click
By Al Riske
12.Dec.06--For Glenn Brunette, Director of Security in Sun's Global Sales and Services organization, information security is an applied science. Unfortunately, it's rarely applied consistently throughout any organization. "It seldom receives the attention and care it deserves -- until an organization suffers from a failed audit or, worse, a security breach," says the Distinguished Engineer. The reason: "Security controls have traditionally been too hard to understand, implement, sustain, and measure."
Brunette wants to change that. Consider the safety and security features of cars today, he says. Door locks, seatbelts, alarms, airbags, antilock brakes, a vast array of sensors monitoring various conditions. It's all very high-tech and very complicated. Unless you're the driver. Then it's as simple as pressing a button, turning a key, fastening a seatbelt. "Imagine having to regularly update or patch your onboard computers and configure your car's sensors and alarms," Brunette says. "It's unthinkable, but that's what we're asking most IT organizations to do today."
Take for example something as fundamental as operating system security. "The OS is the foundation upon which organizations build and deploy services and access data, yet many simply don't take the time to properly configure the security of their systems," Brunette says. "Even those with the knowledge and time rarely have repeatable processes in place to automate these common tasks. As a result, the security configuration of systems varies greatly depending on when the system was installed and who was responsible for managing it."
The consequences can be brutal. "Talk about a nightmare scenario. We received an urgent call from a large financial services firm late one day indicating that they had suffered a security breach and a significant portion of their environment was offline," Brunette recalls. Things were about to get much worse. The customer had few internal security controls to monitor or protect its IT environment, and even the most basic operating system controls were not used. As a result, an attacker was able to exploit poorly understood trust relationships to effectively destroy the software and data on hundreds of systems.
"When restoration efforts began, we found that nearly every system was configured differently," Brunette says. "The lack of standardization really hurt the organization's ability to rebuild impacted systems. Instead of restoring service in days, the effort stretched into weeks." What's more, he says, such unbounded IT diversity makes it difficult and costly to measure and ensure compliance going forward.
Yet configuring and evaluating operating system security doesn't have to be difficult, Brunette says. And he should know. The Solaris Security Toolkit, which he and Alex Noordergraaf originally developed in 1999, placed Sun among the very first vendors to offer a policy-based mechanism to both personalize and validate the security of its systems. "The Solaris Security Toolkit transformed the 'dark art' of securing Solaris systems into something that was available to each and every system administrator. It was a way of simplifying and automating common security tasks while helping customers leverage Sun's recommended practices to build more secure IT environments," he says. "Even better, Sun leveraged the success of the toolkit to further improve the capabilities and default settings in Solaris, thereby closing this very important feedback loop. The Solaris Secure by Default project is one element of that."
When most people think about IT security, the first things that come to mind are virus scanners, firewalls, and intrusion-detection systems. Products whose entire focus is on providing some specific security function. Products that are bolted on to existing systems. Sun takes a different view.
"The thing we bring to the table and want to reinforce is that there is security value in everything -- in the processors, the network and storage devices, the operating systems, the middleware, the desktop, and so on. Everything has a part to play in keeping your IT environment secure," Brunette says. "In fact, Sun is in a unique position because we have a complete architectural perspective on security that is derived from the breadth and depth of our product and service portfolio." He notes that Sun's Java Enterprise System software, for example, can leverage the strength of the Solaris operating system, which in turn leverages the security capabilities of our UltraSPARC T1 processors, not to mention our Sun CryptoAccelerator cards. "Add Sun's experience in building some of the most sophisticated and secure IT environments for financial services institutions, telecommunications providers, governments, and many other customers and you are just starting to get a taste of what Sun can offer," Brunette says. "Unfortunately many of our customers only get one view at a time from us. It's important that we show them a more systemic view of security so they can understand how to build more resilient environments. Security doesn't have to be hard, it doesn't have to be complicated, and it doesn't have to be at odds with how you build and manage IT environments."
In fact, he says, security needs to be a pervasive quality that exists throughout IT -- from architecture and policy, to education and awareness, to processes and technology. Which is where the Sun Systemic Security program comes in. Brunette is known as the father of the Sun Systemic Security program, which includes architectural methodologies, design patterns, reference configurations, and recommended practices as well as products and services from both Sun and various partners. In keeping with Sun's focus on openness and simplicity, the program is compatible with existing multivendor environments and enables customers to focus on specific elements they need. In total, the program is designed to breed a culture of security. "We could go in with a team of people and lock down an environment, but where would it be in a week, a month, or a year? Security must be a lifestyle choice -- a priority that is as important to the business as performance, availability, and time to market," he explains. To be effective, security must focus on the people and processes as well as technology. Here Brunette recalls the example of another financial services company that was being audited by an external firm. Instead of assembling a team of hackers to try to break through the technology, the auditors sent out a single person who sat outside the building and started talking with people who came out for a smoke. "He followed them right in the door and walked his way to the datacenter, where he put his hands on the systems he was targeting and called up the CFO," Brunette says. "They could have spent millions of dollars on technological security controls, but if people are going to let you through the door, it doesn't much matter."
This is where the applied part of the science comes into play -- along with equal doses of pragmatism and psychology. "We have seen all too often cases where complex products or solutions end up taking space on people's shelves because they were simply too hard to install, configure, or manage. Even worse, a product that is not properly configured or used could do more harm than good if it leads a customer into a false sense of security," Brunette says. "This is precisely why the solution must be matched to the maturity level of the organization." The Sun Systemic Security program leverages advances in operational maturity analysis to determine both the current and desired security maturity of an organization. With this information, specific actions can be prescribed that enable the organizations to establish roadmaps to meet their short- and long-term goals. Simply put, Sun takes a building-block approach. "We say, 'Okay, this is about where you are operationally and this is where you want to be and here's a roadmap to get you there,'" he says.
One of the really ground-breaking areas Brunette has focused on over the past few years is something called Adaptive Security, which he developed with colleagues Dave Walker, Bart Blanquart, and Peter Charpentier. "Adaptive Security is a concept whereby systems, devices, and services can automatically secure themselves based upon the environment into which they are being placed -- as well as any policy or other constraints put upon them," he explains. "Ideally, you should not have to go about securing each and every component individually. The systems, devices, and applications should be able to configure themselves and report on their current state."
Using grouping mechanisms, elements should be able to report on not only themselves but any elements they contain, thereby allowing entire architectures to be validated with a single click, Brunette says. To that end, he and his colleagues have developed a proof of concept called Project Epoxy that is focused on adapting operating system security. The feedback so far has been very positive, and the team continues to look for ways to automate, simplify, and streamline security configuration and management. "Unfortunately, this is not the way IT is today," Brunette says, "but we have a vision that one day it could be as simple as flipping a switch to set or query the security of your datacenter. More than that, the security would automatically remain consistent as you provision new systems and services and retire old ones."