Network identity must be part of the business plan, says Sun man

Systems that track the identities of users and provide access to information and services based on who they are could become the most essential requirement for securing businesses in the coming years.

That was the contention of Sun Microsystems's chief security officer, Whitfield Diffie, speaking at the company's SunNetwork user conference in San Francisco.

In everyday life the most basic security mechanism is recognising people, he said -- admitting to our home those whose faces we are familiar with, for example. The same principle carries over to networked computing, especially with more and more users accessing data and applications remotely from outside corporate firewalls, said Diffie.

Recognition is achieved through network identity and policy management products, combined with passwords, smartcards and digital certificates. Diffie said these technologies should be built into applications from the start, not as an afterthought as is often the case today.

"In the past, security was really like insurance - by buying a $100 lock for your front door you hoped to save $10,000 that might have been stolen," he said. "But it's evolving into a scenario where security is a part of the business plan from the very start."

Diffie pitched the Sun ONE (Open Net Environment) Identity Server, which includes Sun's directory server for policy-based provisioning, as part of the solution. He also announced two security additions to Sun's iForce offerings, which are integrated packages of hardware and software from Sun and its partners.

One addresses security at the perimeter of a network and includes software from Check Point, Symantec, Trend Micro and others. The other addresses Web services security and includes products from PentaSafe Security Technologies, Sanctum and Ubizen.

In addition, other companies have certified products to work with Sun's network identity software.

"I think [Sun's] network identity program is the right vision," said Laura Koetzle, an analyst at Forrester Research.

"In most network environments today you've got islands of security - one for SAP, one for (customer relationship management), one for the LAN. Sun is trying to divorce security from the application itself. [Network identity] allows them to ensure that applications with similar sensitivity have the same security. Generally today, that's not the case in most organisations - security's all over the place."
