HP CTO: Security means chains of trust

As vice-president and chief technology officer of Hewlett-Packard Co., Rich DeMillo is responsible for many things: guiding the company’s technology strategies, overseeing the chief technology officer of each HP business unit and security, among other things. Now that HP’s acquisition of Compaq Computer Corp. seems to have succeeded, DeMillo sat down with the IDG News Service last week after his keynote speech at the Worcester Polytechnic Institute’s Molecular Engineering conference to discuss HP, security and where the two will be going over the next few years.

(Note: The transcript of this interview has been edited for length and clarity.)

How would you say security and privacy are viewed within HP?

It’s undergoing change. For many years, HP had had point products in the security space. One of the things that Carly (Fiorina, HP’s chairman and chief executive officer) did when she came to HP was to say: “This company, that has been so great at products, now has to become a solutions company.” In the Internet era, solutions means (quick, deliberate steps) and she articulated some technology imperatives. Security was brought along with that.

We’ve decided that we don’t need to build every product that’s going to be part of the solution. We went out to the business units and it was clear early on that they were going to go back to basic principles. It’s security plus privacy plus authentication. You’ve got to think in terms of chains of trust, starting with the hardware and building out to services.

We’re not going to be able to, nor do we want to, build every link on the (product) chain. We have to know what we need out of the various layers and we have to know who to partner with. We’re a little less than a year into that process and we’ve done well at the platform layer. But given where we started, and where the rest of the industry is right now, it’s been great progress.

When you think of HP, security is perhaps not one of the first things that comes to mind. Does security need to come up the priority list? Do people need to associate security with HP?

The association of HP and trusted infrastructure has always been there. The question is: what does trust mean? For most of our history, trust has been high-dependability, high-availability, performance, manageability, because those were things the market valued.

What’s happened is that the market has now expanded. Now it’s the Internet era, so it’s not just the voice network, it’s an open protocol network. We’re now pushing utility data centers, we’re pushing mission-critical services for business out over that network and we’ve got to bring that same level of sophistication to that market.

You were talking earlier about HP’s history of innovation and creating new categories of productsand new markets. Will you innovate in security products or will you integrate third party products?

Both. The innovation around platform security has been tied to details of the Itanium architecture. Itanium has a protection ring structure that’s built into the chip and we realized early on that if you wanted to build a secure operating system on top of Itanium, there were hardware guarantees we could provide. So, we put together a set of software interfaces that run on top of Itanium that we would like to see operating systems ported to because once you do that, you get the hardware guarantees associated with Itanium. We started out on a Secure Linux project. I think HP-UX is also in the pipeline to be ported to that architecture.

So there are a bunch of technologies along those lines where we think we’re going to innovate. Will we develop our own PKI (public key infrastructure)? Probably not. We’ll partner with the market leaders there and put together solutions. Will we do disaster planning and recovery? No, probably not. We’ll have partners there.

What specific security product areas should HP get into, either through innovation or partnerships?

We have to have a good solution strategy: a robust set of offerings around consulting, around services, (to allow us to) develop (and implement) plans that make sense for a customer.

Working at the (deep) layers of these architectures is going to be really interesting work for some years to come. What’s the government going to for its crisis management systems? Is it going to build a separate infrastructure like GovNet, or is it going to leverage existing commercial technologies? We think the latter is the right way to go.

(An area where) it’s very unclear what the right approach is right now is identity management. HP was one of the founders of the Liberty Alliance (Sun Microsystems Inc.’s single sign-on system). We’re talking with Microsoft (Corp.) about Passport. It’s less important to me who plays into that marketplace than it is having a clear and open set of interfaces for end users. Customers should be able to truly choose their trusted service providers and that shouldn’t be dictated by any choice of platform or software vendor.

Lay out HP’s 2002 security plan.

We will spend a fair amount of table-pounding on what the right trust strategy is, because there are many constituencies within HP now that have priorities to be put on the table. There’s lots of expertise in the company, lots of competing ideas that need to be sorted out.

At the 30,000 foot level, I can talk about chains of trust, I can talk about going back to hardware, but the layers underneath that need to be filled in with detailed investment plans.

There’s a whole planning process that HP and Microsoft and a whole bunch of other people (will go) through over the next year that says this is the direction we’re going in, this is not a minor blip on the technology horizon. This is a generational change that’s going to be with IT for the next 20 years.

What are the biggest security and privacy issues for the next two years for the entire industry?

One is developing a new investment model — I’m talking from a CIO’s (chief information officer’s) perspective — for security. I used to give talks about security and the conversation would always center around ‘give me the cost-benefit.’ And I sense the conversation has changed, partially driven by Sept. 11, partially driven by the growth of e-services.

The second area has to do with specific technologies and where they fit in our roadmap… like the secure platform architecture and … the quality of service guarantees that you’re going to need in order to securely reserve bandwidth on the network.

I would suspect along about this time next year, you’re going to start seeing government purchases, you’re going to start seeing IT managers going out specifically for trusted components in these areas.

What issues keep you up at night?

Being able to anticipate external events right now is the biggest thing for us. GovNet and (White House cybersecurity czar) Dick Clarke’s plans for a separate infrastructure for the government. I certainly don’t want to see a world where there’s a public trusted infrastructure and a (private) trusted infrastructure with no trusted connections between them. To a large extent, it’s on the IT industry’s shoulders to influence the government to move in the commercial direction by providing those technologies.

I also worry a lot about things we don’t know. Are the (security) models that we have the right ones? Have we thought seriously about what security means, what trust means in some of these new environments? I’m obsessing at the moment about how to keep the pressure on the industry in order to get those models down before you build the infrastructure.

What effect do you think the increased government interest in computer security, post-Sept. 11, is going to have?

We’re at a bifurcation point. It could be beneficial and we’ve been pushing on Dick Clarke and his folks very strongly in the direction of viewing trust as a quality of service component of the commercially available infrastructure. I honestly don’t know what progress we’ve made in that discussion, but he’s certainly listened carefully. I’m very optimistic that things will continue to go that way, but there are never any guarantees. So all we can do is build up the viable alternative.

The industry that you’re saying customers need to trust suffers from constant buffer overflows and huge security vulnerabilities. Is the industry up to that trust challenge?

Could be. Some of these mistakes that we keep repeating have more to do with (the industry) not having made the hard investment decisions previously. There have been many attempts to build secure instruction set architectures that would be immune to buffer overflow attacks. They’ve been implemented in systems that have gone to the government but have never been implemented on the commercial side.

There a lot more questions to be answered than we have answers for. The good news is, a lot of energy is going into this. You see big shifts like you’re seeing at Microsoft and you’ve got to feel good about that because that’s a lot of resources being brought to the table.