
 Compliant Provisioning and Security for Identity Management: Sun Microsystems
Sun Identity Insights Sun Microsystems®

Insights from Inside

Leslie Lambert, VP and Chief Information Security Officer, Sun IT

The Growing Importance of Identity to Information Security



Welcome to this issue of Sun Identity Insights. As chief information security officer for Sun IT, I’m interested in identity largely in terms of its role in keeping Sun’s information assets secure. I’ve seen the role of identity in security grow and change dramatically over the last few years, as the universe of users with access to corporate information has grown and changed.

Today, there are more users who need access to more resources at more different levels than ever — which means opening up the enterprise to them while at the same time keeping its resources secure. Striking that elusive balance between open and secure is a constant challenge in my job, and identity is central to meeting that challenge.

In or Out?
I remember when information security basically meant maintaining a strong perimeter around the network to keep unauthorized users out, much as you would build a moat around a castle to stop outsiders from entering. It was pretty easy to define then who needed to be inside and who didn’t: If you were part of the organization, you were in; if not, you were out. (Of course, threats to information security can come from inside, too — but that’s another story.)

Now, however, business models that rely on outsourcing and collaboration have turned “inside” and “outside” on end, and Sun’s security model has shifted from simply keeping the bad guys out to actually supporting innovative new ways of doing business. Only with the right security mechanisms in place can you open up the business to outsourcing partners or others outside the enterprise with the confidence that they will have full access to all the resources they should have access to, and no access to any of the ones that they shouldn’t.

Or in Between?
This brings up another problem with the strong-perimeter approach: it’s simply too black-and-white. If you’re outside, you’re outside; if you’re in, you’re in, with access to pretty much everything. Today’s ways of doing business require more shades of gray, in which people who are granted access to the enterprise have different levels of access once they’re inside.

In this environment, it’s not enough to establish and verify a user’s identity at the gate to the castle, so to speak. You must also be able to provide the user with keys to certain rooms and not others, and to add or take away from that set of keys when the user’s role changes. Finally, you have to be able to track the whereabouts of users at all times, to be sure they’re only where they’re supposed to be and that they haven’t somehow gotten into a room to which they shouldn’t have access.

Who Are You? And More
To put it simply, with regard to security, identity used to mean asking “Who are you?” and then saying “Come on in,” or “Stay out,” depending on the answer. Now it means asking:

  • Who are you?
  • How do I know you are who you say you are?
  • What access are you supposed to have?
  • What access do you actually have?
  • Who gave you access?
  • Where have you been?
  • Where are you now?
  • Where are you going?

When you have the answers to these questions, you are free to share information and resources with users coming from inside and outside the enterprise — with the confidence that those resources remain secure in the process.

How Do You Manage?
The role of identity management in keeping information and other resources secure on the network is to streamline the otherwise impossible-to-manage task of keeping the answers to all the above questions straight. When the question was just “Who are you?” and the answer was just as simple, identity information could be managed manually.

But now, a good identity management solution must provide the capabilities to automatically:

  • Authenticate identities
  • Authorize access
  • Provision users for access
  • Change their access privileges when necessary
  • Audit their access in terms of what they’re allowed to do, what they’re actually doing, and what they’ve done

And it has to be able to do this for the enterprise as well as for everyone the enterprise interacts with on the network: partners, vendors, customers, and so forth. That’s a lot of people, and a lot to keep up with. And that’s what makes identity management a key component of any information security program today.

 

Copyright 1994-2008 Sun Microsystems, Inc.