Only as Secure as Your Foundation
By John Fowler
Chief Technology Officer, Software, Sun Microsystems
Friday, Feb 20, 10:00 AM PT
The San Francisco Bay Area is a unique place for many reasons -- cultural
diversity, academic excellence and entrepreneurial spirit to name a few.
And of course the natural beauty of mountains meeting ocean. But the very
reason for such natural beauty is also the source of its primary
vulnerability. The Bay Area sits on a highly volatile geologic zone where
earthquakes pose a grave and ever-present danger. Catastrophic earthquakes
in 1906 and 1989 resulted in billions of dollars in damages and thousands
of lives lost.
City planners, knowing the inevitability of earthquakes in the region,
implemented some of the world's strictest building safety codes. And in
turn, engineers designed shock-absorbing foundations and buildings that
sway without fracturing. As a result, even an employee on the 50th floor
of a
high-rise building in San Francisco's financial district works in comfort
and safety.
So why, with the inevitability (and indeed the increase) of hacker attacks
and malicious e-mail viruses, does the IT industry continue to cling to an
antiquated security mindset? Answering the networked world's security
challenges with more firewalls, security patches and peripheral defenses
is like saying shatter-proof glass will prevent skyscrapers from
collapsing.
Enough is enough! It is time for a massive rethinking of the way we view
IT security.
Instead of bolting on security as simply a perimeter defense, we must
design security into the fundamental building blocks of the network --
from the ground up.
The first thing every CIO and IT manager should do is ask themselves, "Is
my foundation secure? Am I secure at the core?"
Take a look at your operating system, your foundation, through the lens of
the following five factors:
- More granular user control: Role-based Access Control (RBAC) divides
administrative tasks among a number of roles that grant only necessary
authority. RBAC ensures that all administrative actions are traceable to
an authenticated individual instead of just the root account, providing
greater accountability.
- Reduced risk of security violations: The combination of labeling of
all objects, clearance levels for each user, and strong audit capabilities
will make all users accountable and all actions traceable, greatly
diminishing the risk of security violations.
- Increased privacy: Mandatory access control allows information to be
processed at multiple security levels, allowing users to share files with
other users of the same security level. Administrators can also restrict
the security levels of information sent to individual printers and
restrict who can view print queue information.
- Protection of local devices: Devices are allocated based on labels, which
lets administrators allocate a device to securely move data on or off the
system to another medium. Pluggable authentication modules provide
failed-login account locking, trusted-path checking, and machine-generated
passwords, without the need to change code.
- Independent Certification: The Common Criteria project harmonizes the
various evaluation criteria, ITSEC, CTCPEC (Canadian criteria), and United
States Federal Criteria (FC), to replace national and regional criteria
with a worldwide set acceptable to the International Standards
Organization (ISO).
How does your foundation stack up?
Security is not a joke. If any of the five areas above give you an uneasy
feeling, it is time to take a deeper look beneath the surface.
Much like architecting an earthquake-safe building, the best way to secure
your business is to begin at the foundation. And that starts with an
operating system you can trust.