Security Isn't "One Size Fits All"

Although Microsoft and Sun Microsystems have long been rivals, their security strategies contain more than a passing similarity. Both envision use of smart-card technology plugged into the desktop to authenticate users to their systems and both believe that the majority of a users' security technology should come from the same company.

During his Tuesday keynote at the RSA Conference 2006, Sun Microsystems CEO Scott McNealy said the bar is low regarding security in the technology market. "The computer industry is more screwed up than any industry except health care, which kills everyone eventually," he said. More specifically, McNealy criticized large, cobbled-together data centers that don't make use of standardized protocols to communicate and verify information. McNealy also pointed out that PC security is suffering for the exact opposite reasons, namely that most people use the same type of device and operating system, "the same DNA," which makes them easier to attack.

Of course McNealy's displeasure with the current state of the PC and data center markets could be seen as a ploy to promote his company's strategy for the use of thin clients and smart cards on the desktop and Sun servers on the backend. These Sun servers would be equipped with the Sun Crypto Accelerator 6000, which the company announced Tuesday. The SCA6000, available by the end of April, is a high-performance hardware security module for Sun Fire servers that offers a tamper-resistant way to store secure encryption keys.

McNealy also announced that the Sun Java System Web Server 7.0, due for release this summer and part of the Sun Java Enterprise System, would support Elliptic Curve Cryptography, which is used by the National Security Agency to protect classified government information. By including ECC in the Java System Web Server, Sun is looking to cut the time it takes to complete secure online transactions.

Microsoft is in complete agreement that users need to simplify security in order to make it easier to use and more ubiquitous. "We have an overly complex situation today" for end users, IT workers, and application developers, Microsoft chairman and chief software architect Bill Gates said during his Tuesday keynote. Such complexity hinders adoption of security.Microsoft's vision of simplicity in security includes the company's upcoming "network access protection" for ensuring that devices looking to connect into a network are free from viruses or other contaminants. The feature can place PCs and laptops running Windows Vista and connected to servers running Microsoft's upcoming Windows Server software code-named Longhorn, into special "quarantine zones" until they're furnished with updates that bring them into compliance with a company's PC-health policies. Another technology that's key to Microsoft's vision of "trustworthy computing" is the InfoCard, which stores user information on the PC and can be used to authenticate that user during online transactions. Multi-factor authentication needs to be "built down into the system itself," Gates said.

Yet companies need to figure out the specific level of authentication required for a particular transaction. Can a user remain anonymous to the system, or should their identity be verified in depth? Or can a "pseudonymous" identification be employed to reduce complexity while at the same time providing acceptable levels of security?

Not a fan of a one-size-fits-all approach to authentication, RSA Security Inc. president and CEO Art Coviello said during his Tuesday keynote, "Businesses need to embrace an adaptive approach to authentication." He likens the online world to a "crime-ridden neighborhood" that requires companies conducting business there to stay ahead of their adversaries.

Smaller transactions can be protected using passive authentication methods that simply compare a user's behavior, i.e., the transactions they're initiating, with past behavior. Any anomalies can trigger alerts to a security team or shut down a transaction before it can be completed. Larger transactions require active authentication in the form of tokens, smart cards, and USB-pluggable devices that contain information used to authenticate the user to the transactional system.

Such a proactive approach to security is necessary because "the opponent is not standing still," Gates said. Businesses have to move to smart cards, InfoCards, and support for standards. "We're really at the beginning of this trust ecosystem," Gates said, who added that he is seeing progress. More and more users are updating their Windows systems regularly to get the latest features and security components. In fact, 80% of Windows users take advantage of regular Windows updates, compared with only 50% a couple of years ago.0