Sun, IBM, others make security splash at conference

The RSA Conference 2002 shined a spotlight this week on the accomplishments of many different security software vendors, including IBM Corp., Sun Microsystems Inc. and VeriSign Inc.

Sun said a security-hardened version of Solaris 8.0 has made it through a year of testing in an outside lab, to be granted what’s called the “Common Criteria” certification. The “Common Criteria” is a global security test program adopted in October 2000 by countries that include the U.S., France, Canada, Germany and Austria, to certify software and hardware. It is the international security program that replaces the so-called “Red Book” and “Orange Book” guidelines from the National Security Agency that the U.S. has used in earlier decades.

“Our product, Trusted Solaris 8, is the first 68-bit-quality operating system to achieve this equivalent of Evaluated Assurance Level 4, which was B1 under the old system,” said Martin Hack, product manager for Solaris security.

The Solaris Trusted OS has mandatory access controls with support for up to 255 labels to separate which users can have access to what data. Hack noted it cost “millions of dollars” to shepherd Trusted Solaris 8 through the extensive evaluation process, which was done at Logica’s labs in the United Kingdom. Logica’s lab is one of a number of labs accredited to do the “Common Criteria” testing.

The last time that Sun submitted a version of Solaris to this type of rigorous government-supervised testing regimen was with Solaris 2.51 in 1997.

Financial institutions and the military, in particular, value the Common Criteria testing because it proves that software and hardware adhere to important security requirements, such as mandatory access control. But the testing doesn’t mean that Trusted Solaris 8 is invulnerable to problems.

The recent uproar over the security deficiencies in SNMPv1 also affected Trusted Solaris 8, which required a software patch to correct security vulnerabilities in SNMP, as did software from 50 other vendors.

Sun also announced its Cryptographic Accelerator 1000, an SSL accelerator board that guarantees 4,300 operations per second for the Solaris-based iPlanet and Apache Web servers.

At the RSA conference, Citadel announced Hercules, a tool that can use reports output from vulnerability-assessment scanning tools to ensure software patches or other measures are automatically installed on server applications and operating systems. Hercules, which costs US$1,000 per server, works with Network Associates’ CyberCop Scanner and the scanners from Internet Security Systems.

The Veterans Administration Hospital in Long Beach, Calif., has found the beta of Hercules useful for automating the software-remediation process, said Emanuel Carter, senior network administrator. “I have 50 servers, mostly Cluster NT 2000 and Exchange, and without this tool, I’d have to physically go to each workstation to apply the patch.”

IBM was also in force at the RSA conference, talking up advances in desktop security. The latest IBM ThinkPad computers contain “smart-card-like” chips that act as the encryption and decryption engine, said IBM program director for client security, Clain Anderson. They also store users’ keys and certificates.

This IBM Embedded Security Subsystem, as the internal board and chip for the PC is called, lets each computer authenticate after specialized software is downloaded to the chip by the user or by the network manager, who has the option of doing this via IBM’s Tivoli PolicyDirector management console.

The Embedded Security System can be used in a variety of ways. One example would be to require the use of fingerprint biometrics to activate the computer. IBM showed how the PC card-based fingerprint reader from Targus Systems, which fits into the PC card slot on the IBM ThinkPad, can be used for this purpose.

A keyfob-like device for logging on and off to the notebook computer wirelessly — just like keyfobs for locking and unlocking car doors remotely — also works with IBM’s Embedded Security System. The wireless keyfob is called the Xyloc and it’s made by Ensure Technologies.

The underlying technology for it all is based on a specification called TCPA v. 1.1 from the Trusted Computing Platform Alliance, which was started in 1999 by large manufacturers, including IBM, Hewlett-Packard and Compaq.

In other RSA Conference news, VeriSign discussed a multiyear strategy to ensure its public-key infrastructure technology works harmoniously with the new XML-based Web services envisioned in Microsoft’s .Net and Sun’s ONE platforms.

VeriSign, calling it the Digital Trust Services framework, said that over the coming year and beyond it will provide the tools and related services for Web-based digital signing and encryption that might be required in products from BEA Systems, Hewlett-Packard, IBM, Microsoft, Oracle, and webMethods.

“Just as the integration of public-key infrastructure technology into Web browsers and servers helped unleash the first wave of e-commerce servers seven years ago, today’s announcement sets the stage for the next wave in trusted e-business: Web services,” said VeriSign president and CEO Stratton Sclavos.

In fact, IBM is relinquishing its own PKI software development to rely on VeriSign’s PKI technology, Anderson noted.

VeriSign also announced a secure messaging and document delivery service called SecureExpress, which was developed in partnership with Slam Dunk Networks. The service lets customers enroll to gain secure access to mail and documents.

In another event at the RSA Conference, a group called the Liberty Alliance, organized last fall to develop a standard way to handle identity authentication on the Internet for purposes of e-commerce, said it now had a timeline for releasing its first specification.

This spec should allow corporations to share user authentication data so users don’t have to sign in multiple times at Web sites with commercial partnership programs. It would be a standardized way to write the authentication process for Web-based e-commerce, and companies wouldn’t need to keep writing code differently to accommodate each business partner.

“The technical working group envisions a midyear release of the initial specification,” said Eric Dean, chair of Liberty Alliance and CIO of United Airlines. Because corporations such as United “have invested a lot of money in the user interface” for logging into online accounts, the first spec from Liberty Alliance will attempt “not to intrude on the user interface,” said Dean.

“We do a lot of business with Hertz, for example, so the first step would make it possible to link accounts you already have but authenticate in only one place,” Dean said.

But the Liberty Alliance spec will do this with the user always in control and without commercial partners sharing customer personal data, he noted. “The privacy issue is absolutely at the center of what we’re going to do,” Dean said.

Founding members of the Liberty Alliance include American Express, AOL Time Warner, Bell Canada, France Telecom, General Motors, Mastercard International, RSA Security, Sony and Sun Microsystems. Microsoft has favored its own approach known as Passport, which was created prior to the formation of the Liberty Alliance.