Sun Inner Circle: For Business & Technology Leaders

Using Identity to Secure Information Assets


New business models call for a fresh approach to information security

Bob Worrall, CIO, Sun Microsystems, Inc.

Hello again, Sun Inner Circle readers. As you've probably realized, my continuing search for best practices in managing IT resources has become a common theme in my monthly letters. You may recall my recent thoughts about leaving datacenter management to the experts, ways to make IT outsourcing pay off, and how best to provision scarce IT products and services in the enterprise.

Each of these areas calls for a willingness to share information with multiple internal and external parties in ways that would have been unimaginable just a few years ago. That sharing is no longer optional: managing IT services and products can no longer be performed solely by in-house staff if an organization wishes to be nimble and competitive.

These changes come with advantages — and challenges. As businesses share more information with outside vendors to remain competitive, the number of points at which security can be breached increases dramatically. The hard reality of information sharing calls for new defense mechanisms — and Sun leads the industry in built-in security features.

Whether it's the vast range of Sun server options, the Solaris 10 Operating System, or software platforms such as Java EE, Sun's commitment to security defines much of our product development. This commitment is one reason we have people on staff like Whit Diffie, our chief security officer, who also happens to be one of the pioneers of public key cryptography.

Security is a subject in which Leslie Lambert, Sun IT's vice president and chief information security officer, has special expertise. As she notes, new business models require IT organizations to rethink security approaches. For this month's CIO letter, I've asked Leslie to examine the role identity plays in keeping information assets secure, and as you'll read below, her thoughts on the subject provide a wonderfully straightforward primer on the subject.

Bob Worrall
CIO
Sun Microsystems

Leslie Lambert

Thanks, Bob. As chief information security officer for Sun IT, I'm interested in identity largely in terms of its role in keeping Sun's information assets secure. I've seen the role of identity in security grow and change dramatically over the last few years, as the universe of users with access to corporate information has grown and changed.

Today, more users need access to more resources, at more distinct levels of privilege, than ever before — which means opening up the enterprise to them while at the same time keeping its resources secure. Striking that elusive balance between open and secure is a constant challenge in my job, and identity is central to meeting it.

In or Out?
I remember when information security basically meant maintaining a strong perimeter around the network to keep unauthorized users out, much as you would build a moat around a castle to stop outsiders from entering. It was pretty easy to define then who needed to be inside and who didn't: If you were part of the organization, you were in; if not, you were out. (Of course, threats to information security can come from inside, too — but that's another story.)

Now, however, business models that rely on outsourcing and collaboration have turned "inside" and "outside" on their heads, and Sun's security model has shifted from simply keeping the bad guys out to actively supporting new ways of doing business. Only with the right security mechanisms in place can you open the business to outsourcing partners or others outside the enterprise with confidence that they get access to exactly the resources they should, and to nothing else.

Or in Between?
This brings up another problem with the strong-perimeter approach: it's simply too black-and-white. If you're outside, you're outside; if you're in, you're in, with access to pretty much everything. Today's ways of doing business require more shades of gray, in which people who are granted access to the enterprise have different levels of access once they're inside.

In this environment, it's not enough to establish and verify a user's identity at the gate to the castle, so to speak. You must also be able to provide the user with keys to certain rooms and not others, and to add or take away from that set of keys when the user's role changes. Finally, you have to be able to track the whereabouts of users at all times, to be sure they're only where they're supposed to be and that they haven't somehow gotten into a room to which they shouldn't have access.

Who Are You? And More
To put it simply, with regard to security, identity used to mean asking "Who are you?" and then saying "Come on in," or "Stay out," depending on the answer. Now it means asking:

  • Who are you?
  • How do I know you are who you say you are?
  • What access are you supposed to have?
  • What access do you actually have?
  • Who gave you access?
  • Where have you been?
  • Where are you now?
  • Where are you going?

When you have the answers to these questions, you are free to share information and resources with users coming from inside and outside the enterprise — with the confidence that those resources remain secure in the process.

How Do You Manage?
The role of identity management in keeping information and other resources secure on the network is to streamline the otherwise impossible-to-manage task of keeping the answers to all the above questions straight. When the question was just "Who are you?" and the answer was just as simple, identity information could be managed manually.

But now, a good identity management solution must provide the capabilities to automatically:

  • Authenticate identities
  • Authorize access
  • Provision users for access
  • Change their access privileges when necessary
  • Audit their access in terms of what they're allowed to do, what they're actually doing, and what they've done

And it has to be able to do this for the enterprise as well as for everyone the enterprise interacts with on the network: partners, vendors, customers, and so forth. That's a lot of people, and a lot to keep up with. And that's what makes identity management a key component of any information security program today.
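To make the capability list above concrete, here is a small Python model, written for this article as an added illustration and not Sun's identity software, of the lifecycle it describes: authenticate (salted PBKDF2 password check), authorize, provision from a role model, change privileges on a role change, and audit. It also implements the reconciliation behind two of the earlier questions, "What access are you supposed to have?" versus "What access do you actually have?", by comparing each user's role-derived entitlements with what was really granted. The users, roles, entitlements and actor names (hr-feed, procurement, audit-bot, acme-vendor) are constructed sample data.

```python
"""Identity lifecycle in miniature: authenticate, authorize, provision, change
privileges, audit, and reconcile expected vs. actual access. Illustrative code
written for this article, not Sun's software; all sample data is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role model: the entitlements each role is *supposed* to grant.
ROLE_ENTITLEMENTS = {
    "employee": {"email", "intranet"},
    "engineer": {"email", "intranet", "source-repo", "build-farm"},
    "vendor": {"ticket-portal"},
}


@dataclass
class User:
    roles: set
    salt: bytes
    pw_hash: bytes
    actual: set = field(default_factory=set)  # entitlements actually granted


class IdentityStore:
    def __init__(self):
        self.users = {}
        self.audit = []  # (utc timestamp, actor, event, subject user, detail)

    def _log(self, actor, event, subject, detail=""):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, event, subject, detail))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    # "Who are you?" / "How do I know you are who you say you are?"
    def create_user(self, actor, name, password, roles):
        salt = secrets.token_bytes(16)
        self.users[name] = User(set(roles), salt, self._hash(password, salt))
        self._log(actor, "create", name, f"roles={sorted(roles)}")
        self.provision(actor, name)

    def authenticate(self, name, password):
        user = self.users.get(name)
        ok = user is not None and hmac.compare_digest(self._hash(password, user.salt), user.pw_hash)
        self._log(name, "auth-ok" if ok else "auth-fail", name)
        return ok

    # "What access are you supposed to have?" (derived from roles)
    def expected(self, name):
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.users[name].roles))

    # "What access do you actually have?" (one authorization decision)
    def authorize(self, name, resource):
        user = self.users.get(name)
        ok = user is not None and resource in user.actual
        self._log(name, "allow" if ok else "deny", name, resource)
        return ok

    # Provision / change privileges: make actual access match the role model,
    # logging every grant and revoke so "Who gave you access?" is answerable.
    def provision(self, actor, name):
        user = self.users[name]
        want = self.expected(name)
        for ent in sorted(want - user.actual):
            self._log(actor, "grant", name, ent)
        for ent in sorted(user.actual - want):
            self._log(actor, "revoke", name, ent)
        user.actual = set(want)

    def change_roles(self, actor, name, roles):
        self.users[name].roles = set(roles)
        self._log(actor, "role-change", name, f"roles={sorted(roles)}")
        self.provision(actor, name)

    # Audit: {user: (missing, excess)} wherever actual access drifts from roles.
    def reconcile(self):
        drift = {}
        for name, user in self.users.items():
            want = self.expected(name)
            if want != user.actual:
                drift[name] = (want - user.actual, user.actual - want)
        return drift

    # "Where have you been?": the per-user audit trail.
    def history(self, name):
        return [e for e in self.audit if e[3] == name]


def demo():
    store = IdentityStore()
    store.create_user("hr-feed", "alice", "correct horse battery", ["engineer"])
    store.create_user("procurement", "acme-vendor", "hunter2", ["vendor"])
    store.users["acme-vendor"].actual.add("build-farm")  # grant made outside the role model
    drift_found = store.reconcile()              # the audit catches the excess entitlement
    store.provision("audit-bot", "acme-vendor")  # ...and provisioning revokes it
    store.change_roles("hr-feed", "alice", ["employee"])  # leaving engineering pulls repo access
    return store, drift_found
```

Calling demo() returns the store and the drift the audit found: the vendor's out-of-band build-farm grant shows up as an excess entitlement, provisioning revokes it, and alice's move from engineer to employee pulls back her source-repo and build-farm access, with every grant and revoke recorded against the actor that made it. The role model here is a single dictionary; in a real deployment it is the authoritative HR or directory feed, and the reconciliation job compares it against the entitlements actually found on each target system.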