Mobility with security

Sun CIO Bill Vass explains how Sun Ray ultra-thin clients and Java Card technology secure the mobile enterprise.

24.Aug.04

Where are you reading this article? At the office? At a coffee shop with a Wi-Fi hot spot? At the airport? And what device are you using? Your workstation? Your laptop? A public kiosk? Your cool new handheld with a wireless modem?

We're a mobile society. We want access to the digital domain--e-mail, the Internet, applications and files--any time, anywhere, from any device. But when we hit the road, we risk leaving something important behind: network security.

Is it possible to have mobility without sacrificing security? In this Q&A, Bill Vass, Sun CIO and senior vice president, says that it is, and he explains what Sun is doing to provide it. Vass oversees IT security for Sun's highly mobile workforce of more than 30,000. Prior to joining Sun, he worked in the Office of the CIO at the United States Department of Defense (DoD). Among other responsibilities, Vass represented the DoD to Congress, the White House, and other nations.
Q: Is mobility with security an either/or choice?
Bill Vass: Today's workforce needs both. Mobility is a fact of life, and security is an absolute requirement. The availability of bandwidth and connectivity, especially wireless, is exploding, but the capability to access anything from anywhere creates a lot of security issues. You can't open your network unless you know who is connected, that you can connect them securely, and that you can secure the devices they use to connect. When proper security is in place, it enables a business to do many more things. A mobile workforce is more productive and efficient--and happier.

Q: What security threats are introduced by mobility?

Bill Vass: Most people don't realize that any time they're connecting to the network they are basically connecting to everyone on the planet that's on that network. There are lots of people on that network with good intentions--and a few with bad intentions. It's a continuing battle against the people that abuse the privilege of connecting to a network. So you can assume anything connected to a network will be scanned, monitored, and/or attacked at all times. That means you need to have a strongly authenticated identity, and you need that identity to be verified on a very regular basis. It's not sufficient to simply issue a password generator to a user and never check it again for years and years. You need something that links that person to those credentials, and you need to check it almost daily. You need the capability to provision and deprovision access instantly. The risk of unknowingly continuing to provide access to former employees is enormous. A large telecom company recently faced a $20 million loss due to a former employee abusing access.

Another big risk of mobility is that you don't control the communications delivery. You really don't know what's occurring between the client and the server because there are many different ways to connect. So you need to secure that link, whether it's wired or wireless, and protect against viruses and other threats. At Sun, VPNs and multifactor authentication are standard practices. However, one size does not fit all. Authentication requirements need to match the risk of the information a user can access. That's why we are moving away from providing a VPN as the primary method for accessing secure information from mobile devices.

I should also note that there are increased government and industry requirements for useful security and strong auditing, HIPAA and Sarbanes-Oxley regulations, for instance. In many cases, these requirements specify executive and individual accountability for implementation. That makes it very personal!

Q: What about the physical security of all these new mobile devices--getting them stolen, lost, or broken?

Bill Vass: That's a big issue that very few people think about. One company had a laptop stolen that had 250,000 customer accounts on it--credit information, bank accounts, and so on. The more information you store locally, the more at risk you put your corporation because that information moves around outside of your control. The less information you store locally, the more secure you'll be; and the more centrally you can control that information, the more secure you'll be.

Q: How do you begin dealing with the security issues of mobility? What's the starting point?

Bill Vass: The first thing you have to do is define what type of "mobility" you're talking about. At Sun, we look at mobility in a number of ways. Let's start with the two basic categories of clients: managed and unmanaged. With the managed client, you know and control the software and hardware configuration. It's backed up, it's secure, and it's patched. A thin client is one example because the data and processing are centralized and managed centrally. A thick client, such as a laptop, can be remotely managed through something like APOC and Sun Control Station. This allows an intermittently connected client that has local storage and processing to be backed up and patched each time a user connects to the corporate network. And then you have unmanaged clients--any device where IT does not manage or control its operating system, IT does not control the software that's loaded in any static form, and IT does not control the data that's loaded. Cell phones and kiosk PCs are examples. You need to decide how to deliver information to these two types of clients.

Q: What's the overarching objective?

Bill Vass: You want mobility that is device-independent. You should be able to get information securely on a managed or an unmanaged device, and you should be able to get it anywhere at any time. For example, have you ever been at a store and looked at a pair of shoes and thought, "I bet I could find those cheaper on the Internet"? You should be able to use any device that has a network connection, including your cell phone, and find that information. What we're doing at Sun is extending that kind of immediate gratification environment to the enterprise. Have you ever had a customer ask "What's the status of my order?" when your laptop isn't booted up or not in front of you? We can use a cell phone to access this type of information. It's all about convenience and data security.

Q: What are the other considerations in delivering mobility with security?

Bill Vass: First, there's what I refer to as session access. Think about how you watch TV--CNN for example. I watch CNN at my house, at a hotel, at the airport, and on a plane. But I don't carry a TV set with me everywhere I go. I get access through a number of devices as I travel. In enterprise computing terms, you want the ability to walk up to a thin client anywhere and instantly get your desktop session--with the knowledge that it's secure. That's a managed configuration interaction.
Breaking that interaction down one level further, you can have what we would refer to as a simple interaction or a rich interaction. A simple interaction is primarily an HTTP or XML interaction. You achieve that through a portal, where the interface is XSLT-tagged (XSL Transformations) and stored as a visual web service and the portal dynamically adjusts to the device you happen to be on, giving you one interface on any device. That is device-independent mobility. The portal also maintains your state between devices. So if you're on your cell phone and you add a channel to your portal view, that channel is there when you use an airport kiosk. If you go to grandma's house and use her PC to create a presentation, you can save it in your presentation channel and then drive to a customer site and bring it up on one of their desktops.
For a simple interface like that, the end device doesn't have to do anything more than run Java. You can also deliver rich interfaces that go far beyond the limitations of HTML and XML, and will also operate in a disconnected mode. These are typically created as Java technology-based visual web services. They dynamically download to the end device and are configured and managed through a content delivery system. This gives the user a more full-featured interaction and takes advantage of the local client's processing power. The content delivery system remotely manages the rich interface so that updates to interface logic are automatic every time the user connects through the web service to the central business system.

Q: What are the security considerations in delivering this type of interaction?

Bill Vass: There are three considerations. The first is how you authenticate. The biggest mistake most companies make is making VPN access an all-or-nothing proposition. You need authentication with fine granularity. Another dimension is the device type. The interface should dynamically change for the type of device you're using. It should sense that you're using a PDA or a feature-rich thin client, for instance, and take advantage of the features those environments provide. The last dimension is the role. What is your role to access that information? Your role should define what you're entitled to see based on your job, your responsibilities, your position in the organization, and so on. You don't want to give all the data to every user. When a role changes, the available information should change on the fly. And your role should go away when you do.

In the second part of this interview, Bill Vass explains what Sun is doing to deliver mobility with security.
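As an added example, not code from the interview or from Sun, the following Python policy check encodes the controls Vass describes across the interview: instant deprovisioning, regular re-verification of identity, authentication strength matched to the risk of the data, role entitlement, and managed versus unmanaged device. The sensitivity tiers, the one-day re-check threshold, and the users and resources are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed tiers: each sensitivity level names the minimum authentication strength it needs.
AUTH_STRENGTH = {"password": 1, "multifactor": 2}
MIN_STRENGTH = {"public": 0, "internal": 1, "restricted": 2}

@dataclass
class User:
    name: str
    active: bool               # False once the person is deprovisioned
    roles: frozenset           # roles assigned by job and position
    last_identity_check: date  # when the person was last re-linked to the credential

@dataclass
class Request:
    user: User
    auth_method: str           # "password" or "multifactor"
    device_managed: bool       # managed (thin client, controlled laptop) or unmanaged (kiosk, phone)
    sensitivity: str           # "public", "internal" or "restricted"
    entitled_roles: frozenset  # roles allowed to see this resource (empty = any role)
    today: date

def decide(req: Request, max_check_age_days: int = 1) -> tuple:
    """Return (allowed, mode, reason); mode is 'full' or 'view-only'. Checks run in risk order."""
    if not req.user.active:  # access goes away when the person does
        return (False, None, "identity deprovisioned")
    if req.today - req.user.last_identity_check > timedelta(days=max_check_age_days):
        return (False, None, "identity verification is stale")  # re-check almost daily
    if AUTH_STRENGTH.get(req.auth_method, 0) < MIN_STRENGTH[req.sensitivity]:
        return (False, None, "authentication too weak for this data")
    if req.entitled_roles and not (req.user.roles & req.entitled_roles):
        return (False, None, "role not entitled to this data")
    if not req.device_managed and req.sensitivity != "public":
        return (True, "view-only", "unmanaged device, no local copy")  # session only, nothing stored locally
    return (True, "full", "all checks passed")

def sample_decisions() -> dict:
    today = date(2004, 8, 24)  # constructed cases, one per check
    alice = User("alice", True, frozenset({"sales"}), date(2004, 8, 23))
    bob = User("bob", False, frozenset({"sales"}), today)  # former employee, deprovisioned
    sales = frozenset({"sales"})
    return {
        "managed_mfa": decide(Request(alice, "multifactor", True, "restricted", sales, today)),
        "kiosk_mfa": decide(Request(alice, "multifactor", False, "restricted", sales, today)),
        "password_only": decide(Request(alice, "password", True, "restricted", sales, today)),
        "stale_check": decide(Request(alice, "multifactor", True, "internal", sales, date(2004, 8, 26))),
        "wrong_role": decide(Request(alice, "multifactor", True, "internal", frozenset({"finance"}), today)),
        "former_employee": decide(Request(bob, "multifactor", True, "public", frozenset(), today)),
    }
```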