Systemic Security: Building Blocks for the Secure Enterprise
Christoph Schuba
Glenn Brunette

As part of their work in the Sun Security Program Office, Senior Staff Engineer Christoph Schuba and Distinguished Engineer and Director and Chief Architect of the Client Solutions Security Office Glenn Brunette are helping define the future of security for tomorrow's Sun products, architectures, and solutions. In this interview, they discuss why it is so challenging to characterize what security means and how IT managers can leverage Sun's Systemic Security approach to create or adapt their enterprises to survive and thrive for the long run.

Inner Circle (IC): Why is it so challenging to define what security really means?

A: The term "security" is so hopelessly overloaded with meaning that it is used to capture a vast set of properties and problems that we all care about — in high technology and in society as a whole. For example, how often have you heard someone say "for security reasons" when you asked why you had to take off your shoes in an airport or divulge personal information to a customer service representative? If you inquired what they meant by the phrase, you may have gotten a persuasive answer, such as "because explosives could be hidden in your shoes" or "because we are attempting to protect your account from unauthorized access." Everyone can relate to security because we all come across security issues in our daily lives — as well as in high technology. Specifically, in IT, security issues are seen as the most pressing problems that need to be solved to make the use of technology robust, acceptable to customers and legislators, and, ultimately, commercially viable for the long term.

IC: What does it mean to secure an IT product, system, or data center?

A: Regardless of whether you are speaking about products, systems, processes, or services, it is very difficult to be precise when saying that something is secure. In order to gauge security, some people talk about products or systems that behave the way they are intended to behave, while others specify the security goals (authentication requirements, access control mechanisms, and level of audit, for example) that must be satisfied. Behind all of the attempts to characterize what security means lies the fact that security is about risks and threats, their probabilities of occurrence, the assets affected, the mechanisms that influence the various probabilities, the cost of implementing the mechanisms, and the policies that govern their use.

IC: Can you give a real-world example of how those factors affect security?

A: Consider a customer-facing IT data center that runs the entire business operations for a company. There are various risks that could cause the service to degrade gradually or to cease completely, from accidents (a construction crew damages the only communications connection to the service provider or a flood shorts out the data center power supplies) to malice (a disgruntled employee erases a business-critical customer database or an external denial of service attack brings down the server software).

All these examples are captured by the term "security." How likely is it that these incidents will happen to a company within the next year? How much damage would ensue if they did happen? Those questions are very difficult to answer in the context of a specific real-world scenario. Yet, even if many of the probabilities and consequences are unknown, they can be manipulated through a governing policy in ways that are obviously beneficial to a company. For example, if the office building of the company was located in an area prone to flooding, moving the data center from the basement to the second floor would dramatically reduce the risk of flood damage.

IC: Can you extend that example of a physical risk to comprehensive security for IT systems and business processes?

A: With our Systemic Security approach, Sun is following this same principle — namely managing risk by employing sound, preventative mechanisms. Fundamental to this approach is the use of architectural building blocks and patterns to build security into each step of the process. These building blocks leverage time-tested security principles that are sometimes applied in unconventional ways to reap greater security rewards than otherwise thought possible. Certainly, architecture alone is not the solution. A continuous improvement methodology, based on a security maturity model, is also employed to realize greater levels of integration, efficiency, and alignment with business goals.

IC: What are the biggest challenges enterprises face when building a secure IT environment?

A: Managing risk, cost, and complexity effectively requires a careful balance between business and technical forces. Architectures must be flexible to respond to ever-changing business opportunities, new policy and regulatory pressures, and evolving threat profiles. Our Systemic Security approach addresses the problem of designing, implementing, and managing IT environments where everything and everyone is securely connected to the network.

IC: How do organizations achieve Systemic Security?

A: The Systemic Security approach combines an architectural vision and methodology with modular, standardized, and composable architectural patterns or building blocks that are aligned with automated, repeatable, and auditable processes. This approach enables the capture, reuse, and refinement of knowledge about IT infrastructure, processes and applications, as well as a better understanding of the inter-relationships between the various building blocks and their underlying components. In the end, it allows organizations to determine which patterns may be appropriate for a particular situation given a set of requirements, dependencies, and constraints.

IC: What are some of the Systemic Security building blocks?

A: There is no single set of building blocks that will work for everyone. Every organization has its own set of policies, priorities, and business and security goals. However, Sun has identified an architectural approach, methodology and set of products and services that can help organizations to reach their systemic security goals. One of the key elements of the approach is its collection and use of architectural patterns to aid in the construction of secure architectures and the transformation of existing ones. A few of the building blocks are:

  • Secure components
  • Secure execution containers
  • Secure network enclaves
  • Shared infrastructure services
  • Shared application services
  • Secure presentation services
  • Secure desktop services

IC: Let's go through that list. What do you mean by secure components?

A: All IT environments are comprised of discrete components, such as hardware platforms, operating systems, network elements, and applications. Sun advocates the selection of components designed with security in mind from the start. Proper installation and personalization of these components is also necessary to ensure that IT environments are built upon a strong and secure foundation. Where possible, products are selected that have a strong track record for security or have independent validation of vendor claims.

IC: How about secure execution containers?

A: Secure execution containers are a special class of secure components that are able to receive, host, and execute services or applications. Typically, a service, which itself should be a secure component, is provisioned into and runs within a secure execution container. The purpose of this approach is to compartmentalize services to protect them from accidental or malicious exploitation, as well as to contain damage should the service itself be breached. The actual method used to construct a secure execution container varies based on the organizational requirements, product capabilities, and, of course, the threat profile for a given service or application. For example, some services may require physical separation while others may employ electrical, logical, resource-level, or other forms of separation.

IC: How do secure execution containers enable secure network enclaves?

A: Secure network enclaves are a progressive form of secure execution containers. They compartmentalize communities of users and services at the network level, offering network-level security policy controls between individual or groups of enclaves. Secure network enclaves group users into communities — such as by office building or functional department — regardless of whether they are in the same physical location or spread across multiple locations. Secure network enclaves can also be used to compartmentalize access to specific infrastructure or application-level services based on well-defined and agreed-upon interfaces or contracts between enclaves. In this capacity, secure network enclaves form the basis for a defensive strategy to implement the principle of least privilege at the network level to contain security breaches and to curtail the spread of malware throughout an enterprise.
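The enclave-and-contract idea above can be made concrete as a default-deny policy model. The following is an added example, not code from the interview or from Sun: the enclave names, address ranges, contracts and flow records are all constructed, and "external" users are treated as just another community that needs an explicit contract.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Contract:
    """Agreed interface between enclaves: consumer may reach provider on these TCP ports."""
    consumer: str
    provider: str
    ports: FrozenSet[int]

# Hypothetical enclave layout (constructed): network prefix -> enclave name.
ENCLAVES = {
    ip_network("10.1.0.0/16"): "desktop",
    ip_network("10.2.0.0/16"): "presentation",   # portals and proxies
    ip_network("10.3.0.0/16"): "shared-infra",   # DNS, directory, database
    ip_network("10.4.0.0/16"): "finance-app",
}

# Explicit contracts between enclaves; anything not listed is denied by default.
CONTRACTS: List[Contract] = [
    Contract("external", "presentation", frozenset({443})),   # customers come in via the portal only
    Contract("desktop", "presentation", frozenset({443})),
    Contract("presentation", "finance-app", frozenset({8443})),
    Contract("desktop", "shared-infra", frozenset({53, 389})),
    Contract("presentation", "shared-infra", frozenset({53, 389})),
    Contract("finance-app", "shared-infra", frozenset({53, 389, 5432})),
]

def enclave_of(ip: str) -> str:
    """Map an address to its enclave; addresses outside every enclave are 'external'."""
    addr = ip_address(ip)
    for net, name in ENCLAVES.items():
        if addr in net:
            return name
    return "external"

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny check: a cross-enclave flow needs a matching contract."""
    src, dst = enclave_of(src_ip), enclave_of(dst_ip)
    if src == dst and src != "external":
        return True  # intra-enclave traffic is governed by host-level policy, not modelled here
    return any(c.consumer == src and c.provider == dst and dst_port in c.ports
               for c in CONTRACTS)

def find_violations(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, str, str]]:
    """Return flows no contract covers, annotated with source and destination enclave."""
    return [(s, d, p, enclave_of(s), enclave_of(d))
            for s, d, p in flows if not is_allowed(s, d, p)]

# Constructed sample flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.1.0.15", "10.2.0.10", 443),    # desktop -> portal: covered by contract
    ("10.2.0.10", "10.4.0.20", 8443),   # portal -> finance app: covered
    ("10.1.0.15", "10.4.0.20", 8443),   # desktop bypasses the portal: violation
    ("10.4.0.20", "10.1.0.15", 445),    # app enclave reaching into desktops: violation
    ("10.3.0.5", "10.3.0.6", 53),       # intra-enclave: allowed
    ("203.0.113.7", "10.2.0.10", 443),  # external -> portal: covered by contract
]

if __name__ == "__main__":
    for s, d, p, se, de in find_violations(SAMPLE_FLOWS):
        print("VIOLATION %s (%s) -> %s (%s) port %d" % (s, se, d, de, p))
```

Run over real flow records, the same check turns the contracts into a detection rule: any flow it rejects is either a missing contract to be agreed or a breach attempting to cross enclave boundaries.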

IC: Why are shared infrastructure and application services building blocks?

A: Sharing consolidated infrastructure and application services allows businesses to deliver secured services on demand and only to those that need them. This enables additional security benefits including protection of individual execution containers from direct network access and the ability to perform rolling patching or upgrades to remediate security issues while not compromising availability.

The shared infrastructure services pattern forms the basis for all other higher order services used by an enterprise. Typically, shared services such as DHCP, DNS, directory, database, identity, proxy, Web, and other services could be shared in this way. The shared application services pattern can be used to implement common security services provided to applications such as identity, authentication, authorization, federation, and auditing. Just as secure network enclaves enable the creation of service-oriented networks, so too do shared service infrastructures enable the creation of service-oriented architectures.

IC: What are secure presentation services?

A: Secure presentation services give organizations the ability to insulate their services and data from the communities of users and services accessing them. Again, the fundamental concepts of least privilege and compartmentalization seen throughout each of the patterns can be seen here as well. The secure presentation services pattern provides a focal point for centralized policy enforcement. From this position, organizations can better identify, authenticate, authorize, and audit access to their services and data. Further, this form of separation means that potential attackers never have direct access to an organization's systems, networks, or applications. Whether implemented using portal servers, proxies, high assurance guards, or other presentation services, organizations can find themselves in a stronger position to protect their infrastructure and middleware, in particular, from attack.

Thus far no mention has been made to distinguish between internal and external users. Our notion of user communities can be used to refer to employees, customers, partners, suppliers, or even more fine-grained collections of users and services. This characteristic is one of the strengths of the Systemic Security approach: All users are treated equally — as untrusted entities — until they have sufficiently proven their identity to the organization.

IC: What are the benefits of secure desktop services?

A: Traditional fat-client desktops are not only a costly solution to providing ubiquitous access to services, they are also a source of many well documented security problems, including software piracy, data theft and loss, and malware infection and propagation. By contrast, thinner client architectures enable the creation of desktop utility environments where small, stateless networked devices eliminate many of the risks associated with traditional desktop computing, such as the threats previously mentioned, while still providing ubiquitous and mobile access to services and information.

Additionally, thinner client architectures also help simplify the security problem by providing a single control point for accessing, managing and delegating access to services and data whether through the use of secure presentation services or through more traditional means. Lastly, thinner client architectures also permit organizational efficiencies with respect to standardization of secure desktop configurations, patching, and responding to security alerts because there is no need to synchronize and manage hundreds or thousands of independent PCs or other stateful devices.

IC: When IT managers are trying to assemble these building blocks to create systematically secure architectures what should they be thinking about?

A: Beyond the patterns themselves, we have worked to develop continuous improvement methods that enable organizations to advance through several transformational phases — each of which results in greater levels of consistency and efficiency, as well as security and compliance. Sun has identified the following transformational phases: consolidation, standardization, automation, and optimization. As an organization continues down the path to transformation, it will find that it is better able to focus efforts on strategic goals and optimization instead of continuously fighting fires. In addition, these phases align very well with more general IT optimization efforts and so benefits beyond security and compliance can often be achieved.

IC: Again, let's walk through these phases. What do you mean by consolidation?

A: All too often organizations suffer from the lack of structured configurations and change control, which results in excessive variation throughout an IT environment. So, the first phase of security transformation consists of consolidating existing deployments into a manageable set of systems, software, and configurations. An organization focused on the transformational phase of consolidation needs to look at managing variance in its IT environment. Variation is in many ways contrary to organizational goals of security, efficiency, and compliance, but the greater the level of variation the harder it is to remain in a secure and consistent state. This phase is not about creating homogeneous IT environments, but limiting IT diversity to a level that can be more easily managed and secured.

IC: What about standardization?

A: Standardized configurations help ensure consistent and predictable interfaces and capabilities for individual IT elements. Without such standardization, organizations cannot easily identify configurations that are out of compliance, nor can they respond quickly or completely to business needs. For example, if all of the systems in an organization are configured differently, it becomes very difficult to ensure that they all have compliant and secure configurations. Furthermore, moving services between systems in a timely manner to respond to changing business conditions is made more difficult.

Similarly, response efforts stemming from IT security incidents can also be prolonged if system, network, and service configurations are not standardized to some degree. Also, without standardization it is difficult to determine the systems that are at risk due to a particular vulnerability and to recover disabled platforms should an attack succeed. The level of difficulty is further compounded by the sheer number of products, technologies, configurations, and variations that need to be managed.
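The consolidation and standardization phases both come down to measuring variance and deviation from a baseline, and the standardization answer above notes that this is what lets you find systems at risk from a given vulnerability. The following is an added example, not from the interview or from Sun: the inventory, the baseline and the advisory ("package below version X is affected") are all constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed inventory: hostname -> configuration attributes reported by each system.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web01": {"os": "11.4", "sshd_root_login": "no",  "openssl": "1.1.1k"},
    "web02": {"os": "11.4", "sshd_root_login": "no",  "openssl": "1.1.1k"},
    "web03": {"os": "11.3", "sshd_root_login": "yes", "openssl": "1.1.1g"},
    "db01":  {"os": "11.4", "sshd_root_login": "no",  "openssl": "1.1.1k"},
    "db02":  {"os": "11.2", "sshd_root_login": "no",  "openssl": "1.0.2u"},
}

# Constructed standard configuration every host is expected to match.
BASELINE: Dict[str, str] = {"os": "11.4", "sshd_root_login": "no"}

def variance(inventory: Dict[str, Dict[str, str]], attribute: str) -> Counter:
    """Consolidation view: how many distinct values one attribute takes across the fleet."""
    return Counter(cfg.get(attribute, "<missing>") for cfg in inventory.values())

def noncompliant(inventory: Dict[str, Dict[str, str]],
                 baseline: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Standardization view: hosts deviating from the baseline and the attributes that deviate."""
    out: Dict[str, Dict[str, str]] = {}
    for host, cfg in inventory.items():
        diffs = {k: cfg.get(k, "<missing>") for k, v in baseline.items() if cfg.get(k) != v}
        if diffs:
            out[host] = diffs
    return out

def version_tuple(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split '1.1.1k' into ((1,''),(1,''),(1,'k')) so versions compare numerically, then by suffix."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)

def at_risk(inventory: Dict[str, Dict[str, str]], package: str, fixed_in: str) -> List[str]:
    """Incident-response view: hosts running the package below the version that carries the fix."""
    return sorted(host for host, cfg in inventory.items()
                  if package in cfg and version_tuple(cfg[package]) < version_tuple(fixed_in))

if __name__ == "__main__":
    print("os variance:", dict(variance(INVENTORY, "os")))
    print("non-compliant:", noncompliant(INVENTORY, BASELINE))
    print("at risk (openssl < 1.1.1k):", at_risk(INVENTORY, "openssl", "1.1.1k"))
```

The same three functions scale to a real inventory export; the point of consolidation is to drive the `variance` counters toward one value, and of standardization to keep `noncompliant` empty so that `at_risk` is answerable in minutes rather than days.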

IC: And where does automation fit in?

A: Automation is best enabled by the foundation provided by consolidation and standardization efforts. Automating without this foundation can often be viewed as automating inconsistency and in fact chaos. When properly applied, however, automation creates opportunities for agility, efficiency, cost reduction, and security. Automation helps organizations manage increasingly complex IT environments because it provides a buffer between administrators and the inherent complexity of the environment. Automation is also an excellent opportunity to capture business processes and knowledge.

All too often organizational memory is captured only in the minds of its employees, and as employees transition to new roles, retire, or find new opportunities, knowledge is invariably lost. By codifying this knowledge with automated processes, organizations can begin to move from a culture of heroes to an environment that delivers a consistent, repeatable, and measurable experience. Lastly, automation can also aid an organization's compliance efforts where the management and audit of components, configurations, and access can be more easily controlled.

IC: How does optimization build on consolidation, standardization, and automation?

A: The final phase, optimization, takes advantage of the other phases in order to help organizations realize greater levels of security and efficiency. Organizations are not static — what worked yesterday may not suffice tomorrow. Therefore, it is critical that organizations not only maintain consolidated and standardized configurations, as well as automated processes, but also look for ways to improve those states over time. Failures, root cause analysis, and lessons learned can be leveraged to improve existing work and to prevent the same failures from occurring again in the future. This moves organizations from a responsive, firefighting stance to one that enables them to more easily predict and adapt their environment for what comes next.

IC: Is there anything else IT managers need to keep in mind as organizations progress through the transformational phases?

A: It is important to remember that organizations cannot rush through any of these phases. Instead, enterprises (or indeed departments) must mature gradually through each phase. We have experienced that any organization, no matter where they may fall on the maturity scale, can reap benefits from the Systemic Security approach. Different areas or departments within an organization can — and often do — exist in different transformational phases at the same time.

Organizations should make informed risk management decisions that control how far they want to progress in a given area, especially given that security is not the only pressure that must be managed. Taken as a whole, however, the Systemic Security approach enables IT managers to realize greater security, compliance, and efficiency in their organizations.
