Monday Oct 02, 2006

Blogging from CEC: Day 1

Today is the start of Sun's Customer Engineering Conference (CEC). It is a huge geekfest with thousands of techies descending upon the Moscone Center in San Francisco for several days of executive briefings, technical training and discussions, community building, and of course a lot of fun too. I am currently sitting in our morning keynote, where Jim Baty and Dan Berg kicked off the event and Don Grantham is rallying the team, discussing recent successes and outlining the opportunities that lie before us. Honestly, for a sales guy - he is doing pretty well in front of this highly technical and often cynical audience.

This year, I will be giving two talks (each given twice). First, I will be joining Jon Haslam to talk about how DTrace can be used for security monitoring, forensics and (in some limited cases) control. This was a very fun talk to work on and I am very much looking forward to giving it tomorrow. DTrace is such a cool technology and I think we are only at the tip of the iceberg in uncovering ways to use it. This session will include a bunch of practical demonstrations based on both newly developed and freely available code. It is my goal to post the presentations and code snippets once the conference is over.

My second talk is focused squarely on architectural patterns for security. This talk will leverage the Sun Systemic Security work already published as its foundation, but it will go deeper into how some of the architectural patterns can be instantiated and realized using Sun and partner products. Again, I think that this should be a lot of fun, showing how the higher level abstract components can be made real to solve actual problems facing our customers today.

In addition to my sessions, there will be quite a few security talks happening on each day of the conference on topics ranging from Solaris, Trusted Extensions, Secure SOA, Privacy and Compliance, and even Kernel Forensics. Lots of great speakers and sessions so be sure to stop by and hassle them. *grin*

Now, like all speakers, I hope that people will enjoy my sessions and will leave with new ideas, information and a better understanding of the topics being covered. Certainly, the sessions at CEC offer people great opportunities to learn new topics or gain a deeper appreciation for ones they already know. That said, I honestly believe that most people, myself included, get even more out of the community interaction happening before, during and after the conference - the hallway discussions, the brainstorming over breakfast, the deep dives over drinks, etc.

So, if you would like to chat with me about anything - career paths at Sun, technical leadership and development, information security, or any other topic - please feel free to stop me in the hall, call me on my cell, or message me on SMS or AIM. Gotta love a conference where we are encouraged to remain fully connected! If you do not know my contact information - check it out in CEpedia.

Take care,



Friday Sep 22, 2006

2nd Annual NIST Security Automation Workshop

This week, I had the pleasure of speaking at the 2nd Annual NIST Security Automation Workshop held at the NIST campus in Gaithersburg, MD. Overall the conference was wonderful with both great sessions and of course a lot of great discussions in the halls. Day one of the conference was primarily about vision, strategy and direction with great talks from speakers such as:

  • Tony Sager, Chief, Vulnerability Analysis and Operations, NSA
  • Ron Ross, FISMA Implementation Project Lead, NIST
  • Richard Hale, Chief Information Assurance Officer, DISA
  • Dennis Heretick, Chief Information Security Officer, DOJ
  • Eustace King, Deputy Director, OSD/NII-IAD
  • Annabelle Lee, Director, NCSD/DHS

Day two was focused more on technical matters especially those related to the following efforts:

as well as their interaction and alignment toward the goal of automating security configuration application and assessment. There were also some very interesting vendor presentations from companies who were developing security assessment and configuration tools that leverage these formats. Really cool stuff. I am personally very interested in hearing from Sun customers who are tracking these projects and interested in seeing security guidance, alerts, etc. published in the XCCDF and OVAL formats.

All (or at least most) of the presentations can be found here and I also have a copy of my presentation here. My talk was primarily a look at Solaris (and Trusted Solaris) security... where we have been, what we are doing today, and where we are going. Along the way, I also discussed some of the ways in which we have collaborated with academia, industry and government to better understand our customers' security requirements, improve the security capabilities of our products, and help make cyberspace a little safer for everyone. Much of that collaboration and teamwork still continues to this day as we work with organizations like CIS, NSA, DISA, NIST, and Mitre (for example) to continue to improve the security capabilities of our products and services, and I, for one, can't wait to see what's next!


Tuesday Jun 13, 2006

Will you be in NYC on June 27th? (FREE PASSES)


Tuesday Feb 21, 2006

RSA 2006 Security Conference Photos

Previously, I wrote about Sun's speaking presence at the RSA security conference this year. Well, now that this year's conference is in the books, I wanted to share some pictures of the event with you.

The RSA Security Conference was at the Convention Center in San Jose, CA this year.

RSA Entrance

Sun installed a number of Sun Ray 170 Ultra-Thin Clients around the conference center allowing people free access to the Internet. The Sun Rays were also featured throughout the Sun booth on the show floor. One small note: if you are using publicly available kiosks such as these - please be sure to log yourself out of your sessions and close down the browser! I can't tell you how many times I came across someone's e-mail or browser session (where they had neglected to log themselves out). You would think privacy and security would be more of a concern for attendees at a conference like RSA, but then again...

Sun Kiosks

Here we have Mark Thacker (Product Line Manager, Solaris Security and Solaris Trusted Extensions) working on the show floor setting up a demonstration of Solaris 10 based on his recently published HOWTO: Eliminating Web Page Hijacking Using Solaris 10 Security.

Mark Thacker

Sun Security Illuminati - Gilles Gravier (Chief Security Strategist) [left] and Jim Hughes (Sun Fellow) [right] pose for a picture on the show floor. Jim hosted a BoF session on day 1 of the show titled "Storage Security - Use of Encryption to Protect Data at Rest".

Jim Hughes/Gilles Gravier

A quick screen shot of Solaris Trusted Extensions. "TX" (as it is affectionately known) is the successor to Trusted Solaris 8. Instead of being a separate product, however, Trusted Extensions will be offered as a piece of software that is layered on top of Solaris 10. TX was announced at RSA and will be available to customers (in beta form) in April.

Solaris Trusted Extensions

Another area of the Sun booth focused on Secure Service Oriented Architectures (or Secure SOA for short). Rafat Alvi gave an excellent talk on Secure SOA to a standing room only crowd on day 1 of the conference. It was obvious that this is an area of intense interest judging by the way Rafat was also mobbed as he manned the Secure SOA area of the Sun booth.

Secure SOA

The Sun booth also featured a variety of other offerings including Sun's new SCA-6000 cryptographic accelerator, Sun's identity management and compliance offerings, Sun's encrypting tape drive, and much more!

Back on stage, the man who needs no introduction... Whit Diffie was a speaker at the RSA Cryptographers Panel. Whit shared the stage with crypto luminaries: Ronald Rivest, Adi Shamir, and Martin Hellman. The panel was moderated by Burt Kaliski.

Whit Diffie

Scott McNealy was one of the keynote speakers at RSA this year. Scott's talk was titled "Embracing Risk and Opportunity Through Security". The main thrust of the talk focused on the security and management challenges created by "best of breed" product selection leading to a virtual "Frankenstein" of non-standard, non-interoperable and non-integrated silos in the Data Center. Scott also talked about the security risks of monoculture on the desktop. One of the key themes throughout Scott's talk was Sun(SM) Systemic Security.

Systemic Security #1

Scott McNealy/Systemic

Systemic Security #2

While talking about how Sun builds security into our portfolio of products and services, Scott was joined by James Gosling (Sun Fellow, the Father of Java) who talked about security design issues and challenges considered when designing the Java language.

Scott McNealy/James Gosling

Scott was also joined by Dr. Sheueling Chang (Sun Distinguished Engineer) who talked about her work on Elliptic Curve Cryptography and Sun's contributions to the open-source and standards efforts in that area.

There was so much happening at RSA, there is just not enough time to write about it all. I hope however that this can shed a little light into some of what Sun was doing at the conference!

Take care,


Saturday Feb 11, 2006

Sun shines at the RSA Security Conference

From the press release. For more information on Sun Systemic Security, check out this posting. If you are going to be attending, be sure to check out the Sun booth and look me up! I will be in and around the conference Monday through Thursday and will be at the customer luncheon (Tuesday), if you would like to chat a bit.

MENLO PARK, Calif. -- Feb. 8, 2006 -- Sun Microsystems, Inc. (NASDAQ: SUNW) executive Scott McNealy, chairman and CEO, will deliver a keynote presentation on Feb. 14 at the RSA Conference. At the RSA Conference in San Jose, Calif., Scott McNealy's keynote presentation will address the need for a systemic security approach to both protect and enable opportunities the network provides.

Scott McNealy's keynote presentation, "Tear Down the Walls -- Embrace Risk and Opportunity Through Security", will take place Tuesday, Feb. 14 at 9:50 a.m. Pacific. The RSA Conference is being held at the McEnery Convention Center in San Jose, Calif. from Feb. 13-17. Information about the conference can be found at

Additional Sun Activity at RSA Conference

Sun will host a customer luncheon with security experts Whitfield Diffie and Radia Perlman. Held on Tuesday, Feb. 14, the lunch will provide an opportunity to learn more about Sun's systemic approach to security. For more information and to register for the luncheon, please visit

In the Sun booth, number 515, visitors can view demonstrations and discuss Sun's integrated technology solutions. In addition to McNealy's keynote, several Sun executives will be participating in presentations and panels at the RSA Conference, lending expertise on topics such as identity management, cryptography, data management and cross platform security. Additional Sun presentations at RSA Conference include:

Tuesday, February 14

  • 10:35 a.m. Pacific -- Whitfield Diffie, chief security officer
    The Cryptographers Panel
  • 11:45 a.m. Pacific -- James Hughes, Sun fellow
    Storage Security -- Use of Encryption to Protect Data at Rest
  • 2:00 p.m. Pacific -- Yvonne Wilson, architect
    Implementing Federated Identity: What Products Do You Need?
  • 3:25 p.m. Pacific -- Rafat Alvi, senior architect, CTO Office
    Trusted SOA: An End-to-End Trustworthy Services-Oriented Architecture
  • 4:30 p.m. Pacific -- Rags Srinivasan, CTO, Technology Evangelism
    Secure Cross-Talk Between Java and NET Platforms Using WS-Security

Thursday, February 16

  • 2:00 p.m. Pacific -- Michelle Dennedy, chief privacy officer
    The Policy of Identity: Privacy Rules
  • 2:00 p.m. Pacific -- Nancy Hurley, director, Data Management Group Software
    Integration of Data Management ILM Systems
  • 3:25 p.m. Pacific -- Radia Perlman, distinguished engineer
    The Information Protection Wars

Friday, February 17

  • 11:10 a.m. Pacific -- Hanumatha Neti, director, IT Security, and Danny Smith, IT security specialist
    Security Metrics -- How Six Sigma is Helping Security in Large Enterprises

Tuesday Aug 02, 2005

Sun Security BoF @ USENIX SEC05

For those who may be listening and are in the area, Sun will be hosting a security birds of a feather session at the USENIX Security Symposium in Baltimore, MD. The BoF will be this Thursday, August 4th at 7:00 PM ET in the Chesapeake III room. The event will include a discussion of some cool new Solaris 10 and OpenSolaris security features and capabilities as well as plenty of time for Q&A. Please consider stopping by to listen in and say hello if you are in the area. We would love to hear what you think!

Tuesday Apr 26, 2005

Sun's CPO in Action!

Check out Sun's Chief Privacy Officer, Michelle Dennedy, in action at the Security Leadership Council Online Conference and Expo on April 28th at 12 PM Eastern. The online conference runs for two days starting April 27th. Michelle is a speaker for the Leaders Roundtable session, COMPLIANCE IN THE COURTROOM: Security Practices Must Stand Up in Court and will be joined by Matt Curtin and Steven Brower.

The abstract for the session is:

The whole point of Regulations & Compliance is to turn certain practices and methodologies into legally binding mandates that are enforceable in a court of law. Compliance practices, while good in and of themselves, have to be implemented with a very strong legal focus to ensure full demonstrability in the eyes of the law, should the need to do so arise. This session will discuss cyber forensics & e-incident investigation, as well as the legal and technological ramifications of demonstrating compliance in the courtroom.

The site does require free registration and that you RSVP for the sessions that you wish to attend.

Wednesday Apr 06, 2005

Systemically Secure Architectures

On Monday - 04/04/2005, I presented at the EDUCAUSE 2005 Security Professional Conference. The goal of this event was to bring together IT security officers and practitioners from across the higher education landscape. My talk was titled Systemically Secure Architectures: Lessons from the Trenches. The talk approached the subject of secure architecture design using a building block metaphor with a focus on automation, optimization and continuous improvement.

This talk did touch briefly on policy, process and people issues; however, its primary focus was on technology standardization, automation and optimization to promote greater levels of security, strategic flexibility and of course RAS. Using a building block approach, this talk featured a vision for constructing secure IT architectures using a variety of techniques including defense in depth, compartmentalization, least privilege, and others while still providing the flexibility that is demanded in a university environment. To provide a more concrete example of how to apply the concepts, a strategy was put forth showing how to integrate a variety of Sun technologies and services to achieve these goals.

The Sun technologies that were discussed included Solaris 10, Secure Application Switch, the Identity Management product set, the Portal Server, Sun Ray thin-clients, as well as methodologies such as Sun's Service Delivery Network (SDN) architecture. It should be noted however that nothing in this talk forces an organization to be homogeneous. In fact, the elegance of this approach is founded in its ability to adapt to heterogeneous environments as well as those with different security, risk or assurance needs. The foundation of this approach could also be applied (with some modification) to other verticals such as financial services, government, health care, and others.

This presentation concluded with a vision illustrating how these different technologies and services could be successfully integrated resulting in an architecture that is very strong, agile and resilient to attack. If you would like more information on this approach or any of Sun's other secure technologies or services, please let me know.

Take care!


Monday Oct 25, 2004

OEM Business Forum with Sun Microsystems

I have been away for a while due to vacation, customer visits and preparation for a few upcoming conferences. I will be back soon with more Solaris 10 Security information and tips. In the meantime, you will be able to catch me this week at the Sun OEM Business Forum being held in Rochester, NY. I will be presenting on the topic of designing and building secure OEM business solutions.

Others speaking at the event include:

  • Colin Fowles, Director, Sun OEM Business Office
  • Patrick Petschel, Director, Market Development, Nu Horizons Electronics Corp.
  • Dr. Bob Sproul, VP & Fellow, Sun Labs of Massachusetts
  • David Towne, Manager Sun Compliance Engineering
  • Trey Talbott, Client Services Architect
  • Gordie Klueber, Technical Architect, CTO Office, Sun Microsystems Labs

You can find more information on this event at:

Special thanks to Nu Horizons Electronics, Inc. for sponsoring this event.

Monday Oct 04, 2004

2004 Annual Fall Computer Security Symposium -- UNCC

Security pros to share secrets at UNC Charlotte

As information technology has advanced, it has increasingly become the key to efficient business communication. The spread of such technologies - and the consequent reliance on them - requires a commitment to understand and minimize the threats that could compromise the facility, privacy and integrity of network data.

Leading researchers and practitioners in the fields of information security will delve into these issues and discuss solutions during the Fall Computer Security Symposium at The University of North Carolina at Charlotte. Secret Service agent Tony Marino and Sun Microsystems Chief Security Officer Whitfield Diffie are among those sharing their expertise during the October 13th program in the Cone Center's McKnight Hall. Attending cyber security professionals, including business continuity professionals, IT managers, software developers, systems administrators, information security professionals and policy makers, will have the opportunity to question the experts. Registration begins at 8:30 a.m. with sessions running from 9 a.m. to 4:30 p.m.

Other top cyber security leaders to present will be:

  • Kent Blossom, Director of Safety and Security Services, IBM
  • Al Decker, Director, Security and Privacy Services, EDS
  • Tom Fisher, CIO, Qualcomm
  • Brad Ipema, Attorney, Wachovia Bank
  • Kevin Kealy, Security Scientist, AT&T
  • Wynn Mabry, Director, Homeland Security, Mecklenburg County
  • Joan Myers, President, North Carolina Electronics and Information Technology Association
  • Ed Paradise, Vice President and General Manager, Mobile Wireless Group, Cisco
  • Rebecca Whitener, Director, Privacy Services, EDS
  • James A. Whittaker, Associate Professor of Computer Science, Florida Institute of Technology

The symposium's sponsors include: UNC Charlotte's College of Information Technology and the university's Charlotte Research Institute, which draw on their extensive research and educational programs in computer security. The College of IT's program was recently redesignated by the U.S. National Security Agency as a Center of Academic Excellence in Information Assurance Education.

In addition to UNC Charlotte, sponsors include the North Carolina Electronics and Information Technology Association, the Information Technology Council of the Charlotte Chamber of Commerce and InfraGard.

For details & registration on this year's symposium, please visit

To complement the 2004 Cyber Security Symposium, on Wednesday, October 13th, there will also be a radio broadcast. "Charlotte Talks", a production of WFAE FM 90.7, will host Whitfield Diffie (Sun Microsystems Chief Security Officer), Rebecca Whitener (Director of Privacy for EDS) and Tony Marino (Special Agent for the Secret Service) to address certain questions regarding Identity Theft.

You can listen via the radio or the Internet at FM 90.7.

Common Criteria User's Forum

The Common Criteria User's Forum will be held this week in Washington, DC. Specifically, the event will begin on Wednesday, October 6th and conclude on Thursday, October 7th. The cost of this event is $100 for non-government employees. For U.S. government employees, the fee is waived.

(From the web site), the goals of the forum are to:

  • Recommend practical means to improve the Common Criteria processes and standards to make them a truly viable mechanism toward improving COTS product security for not only the Government, but for all customers.
  • Present the opportunity for all parties to express their perspectives on the issues raised and to identify realistic means to resolve them.
  • Provide an open forum to discuss and resolve the apparent differences between the views of commercial entities and NIAP.
  • Develop a specific plan of action for the recommendations from the NIAP Review and the Task Force Report as well as any additional recommendations developed by the attendees.
  • Begin to share Common Criteria experiences as a means of educating all stakeholders.

It looks like it will be both a fun and constructive event. I would encourage anyone interested in the future of the Common Criteria to stop by if you can. I will be moderating a session on day 2 entitled "Common Criteria Requirements for Commercial Users". This session will focus on what is needed to make the Common Criteria more relevant and appropriate for use in the private sector. It should be quite a discussion! If you are able to drop in, please say hello!

I will hopefully be getting back to my list of lesser known and/or publicized security enhancements to the Solaris 10 OS in the next day or so. Until then, thanks for reading and take care!

Solaris 10 Security Net Talk and Live Q&A

FYI... Be sure to check out this Net Talk and get your questions ready for this upcoming live Q&A session on Solaris 10 security!



Sun Net Talk: Online Seminars for IT Professionals

Let's Talk --> About Security
OS Security: Solaris 10 Breaks New Ground

Keep the bad guys out; let the good guys in. No operating system does it better than Solaris and with the upcoming release of the Solaris 10 OS, the bad guys might want to think about a new line of work. View this Sun Net Talk on Demand to find out how you can better protect your software environment with the ground-breaking, out-of-the-box security capabilities of Solaris 10. All viewers will receive early access to a new security white paper, discounts on selected security publications and free security blueprints.

Got more security questions? Then register for the Sun Expert Exchange on October 20th. It's your chance to grill our experts in a live Q&A forum.

If you have any questions or feedback please send an e-mail to:

Thank you,
Sun Microsystems

-----------------------------------------------------------------------
OS Security: Solaris 10 Breaks New Ground
-----------------------------------------------------------------------

View Net Talk Now


  • Graham Lovell
    Senior Director, Solaris Marketing

  • Mark Thacker
    Product Line Manager, Solaris Security

  • Paul Sangster
    Senior Security Architect, Solaris Operating System


  • Sun's Approach to Security
  • Solaris 10 Security Architecture
  • Trusted Solaris
  • Certification and Services
  • Next Steps

View now...


Ask Questions Later

EXPERT EXCHANGE: October 20th at 10 am PT

After watching the Net Talk, you can get any and all of your remaining security questions answered at a Sun Expert Exchange on October 20th. Sign up now for this hour of online Q&A with a panel of Sun's business and technical experts.

Date: Wednesday, October 20th
Time: 10-11 am PT/1-2 pm ET


  • Paul Sangster
    Senior Security Architect, Solaris Operating System

  • Mark Thacker
    Product Line Manager, Solaris Security

  • Angel Camacho
    Technical Product Manager, Solaris Operating System

  • Larry Wake
    Product Marketing Manager, Solaris Operating System

  • Smita Thakur
    Product Line Manager, Solaris Operating System

Sign up now... 


Monday Jul 12, 2004

Russian-American Conference on Secure Computing

On June 22, 2004, I had the distinct pleasure of travelling to Moscow to attend and present at the Russian-American Conference on Secure Computing. This conference was sponsored by Sun Microsystems and its Russian partner, Swemel and was held at the Marriott Royal Aurora hotel.

This event focused on a wide array of information security topics and issues facing Russian government and commercial organizations today. The conference was a day long and featured a general session as well as a technical and business track. The event was well attended by leaders of the Russian security council, State Duma, Federation Council, FSB, and many other government organizations and ministries.

My talk provided a technical overview of the Solaris Security Toolkit including its origins, design philosophy as well as practical usage. In addition, a number of other Sun speakers presented during the event including:

  • John Gage, Chief Researcher and Vice President of Sun's Science Office
  • Dr. Whitfield Diffie, Sun Fellow, VP and Chief Security Officer
  • Jean-Paul Bergmans, GSO Country Manager, CIS
  • Michael Pratt, SunPS Country Manager, CIS
  • Evtim Batchev, SunPS Senior Security Architect, Portugal
  • Benjamin Baer, Group Product Marketing Manager, Desktop Solutions

This conference was a continuation of the work completed earlier this year by both Sun and Swemel, resulting in the certification of Solaris 9 by the Russian Federal Security Service and opening the way for Solaris to be used for certain types of government and classified processing.




