Tuesday Jun 16, 2009

NEW: Encrypted ZFS Backups to the Cloud v0.3

Building upon the v0.4 release of the Cloud Safety Box tool, I am happy to announce the availability of v0.3 of the Encrypted ZFS Backups to the Cloud code. This new version uses the Cloud Safety Box project to enable compression, encryption and splitting of the ZFS backups before uploading the results to the Cloud. Due to this change, this project now officially depends upon the Cloud Safety Box project. The nice thing about this change is that it helps to keep the amount of redundant code low (between the two projects) while also improving testing time.

From an end-user perspective, this change is mostly transparent. A few parameters were added or changed in the /etc/default/zfs-backup-to-s3 defaults file such as:

# ENC_PROVIDER defines the cryptographic services provider used for
# encryption operations.  Value values are "solaris" and "openssl".
ENC_PROVIDER="solaris"

# MAX_FILE_SIZE specifies the maximum file size that can be sent
# to the Cloud storage provider without first splitting the file
# up into chunks (of MAX_FILE_SIZE or less).  This value is specified
# in Kbytes.  If this variable is 0 or not defined, then this service
# will _not_ attempt to split the file into chunks.
MAX_FILE_SIZE=40000000

# S3C_CRYPTO_CMD_NAME defines the fully qualified path to the
# s3-crypto.ksh program which is used to perform compression,
# encryption, and file splitting operations.
S3C_CRYPTO_CMD_NAME=""

# S3C_CLI_CMD_NAME defines the fully qualified path to the program
# used to perform actual upload operations to the Cloud storage
# provider.  This program is called (indirectly) by the 
# s3-crypto.ksh program defined by the S3C_CRYPTO_CMD_NAME variable
# above.
S3C_CLI_CMD_NAME=""

It should be noted that compression is always enabled. If this turns out to be a problem, please let me know and we can add a parameter to control the behavior. I would like to try and keep the number of knobs under control, so I figured we would go for simplicity with this release and add additional functionality as necessary.

Encryption is always always enabled. In this release you have the choice of the OpenSSL or Solaris cryptographic providers. Note that just as with the Cloud Safety Box project, key labels are only supported for the Solaris cryptographic provider. The name of the algorithm to be used must match the algorithm name supported by whichever provider you have selected.

File splitting is enabled by default. This behavior can be changed by setting the MAX_FILE_SIZE parameter to 0 (off) or any positive integer value (representing a size in Kbytes).

All of the other changes are basic implementation details and should not impact the installation, configuration or use of the tool. If you have not had a chance, I would encourage you to check out the ZFS Automatic Snapshot as well as the latest version of this project so that you can begin storing compressed, encrypted ZFS backups into Amazon's Simple Storage Service (S3) or Sun's SunCloud Storage Service (when available).

As always, feedback and ideas are greatly appreciated! Come join the discussion at Project Kenai!

Take care!

Technorati Tag:

Thursday Jun 11, 2009

Impacting Solaris 10 Security Guidance

It is that time again! Work is kicking up over at the Center for Internet Security to update the Solaris 10 security benchmark. As I have previously covered, Sun has been working hand-in-hand with the Center for Internet Security for more than six years to develop best-in-class security hardening guidance for the Solaris operating system.

In recent years, the NSA and DISA have jumped in contributing their time and expertise towards the development of a unified set of Solaris security hardening guidance and best practices. Now is the time for the next step. Over the last several months, these groups have been working to comb through and integrate the recommendations found in the DISA UNIX STIG (Security Technical Implementation Guide) and associated checklist as it relates to Solaris. With this work now complete, an effort has been launched to develop a new draft CIS Solaris 10 Benchmark with these additions.

In addition to this effort, a secondary effort will soon be undertaken to update the Solaris 10 Benchmark for the latest release of the Solaris 10 05/2009 (Update 7). Currently, the Solaris 10 Benchmark supports Solaris 10 11/08 (Update 4). There are not that many things added to Solaris 10 since Solaris 10 11/08 that impact the hardening guide, but there are some items that will impact the Solaris Security Appendix that was published with the last version of the Benchmark.

The reason for my post today, however, is to say that the time is right if you are interested in Solaris, security, and want to get involved! We are always looking for people with a passion to help develop and improve the recommendations and settings in the Solaris 10 Benchmark. Want to learn more? Contact CIS!

P.S. Just in case you missed it - Sun and CIS also announced the availability of a security hardened virtual machine image based upon OpenSolaris for Amazon's EC2 (SunCloud will also be supported). Give it a try!

Take care!

Technorati Tag:

Wednesday Jun 10, 2009

NEW: Cloud Safety Box v0.4

Today, I am happy to announce the v0.4 release of the Cloud Safety Box project. About a month ago, I announced the initial public release and since that time it was even highlighted and demonstrated at Sun's CommunityOne event! Not too bad for a new project!

The new version released today was a substantial redesign in order to improve the overall design and efficiency of the tools while at the same time adding a few key features. The biggest visible changes include support for compression, splitting up of large files into small chunks, and also support for Solaris key labels. Let's dive into each of these briefly:

  • Compression. Compression is enabled automatically for the Cloud Safety Box (csb) tool and it is configurable when using the s3-crypto.ksh utility. When compression is enabled, the input stream or file is compressed first (before encryption and splitting). By default, compression is formed using the bzip2 utility (with the command-line option -9. To enable compression with the s3-crypto.ksh utility, use the -C option as in the following example:
    $ s3-crypto.ksh -C -m put -b mybucket -l myfile -r myfile
    

    Of course, compression can be used along with encryption and file splitting. Decompression is handled on get operations and is the last step to be performed (after file re-assembly and decryption). Just as with compression, the bzip2 utility is used (with the command-line options -d -c. To enable decompression with the s3-crypto.ksh utility, use the -C option as in the following example:

    $ s3-crypto.ksh -C -m get -b mybucket -l myfile -r myfile
    

    The actual compression and decompression methods can be changed using the S3C_COMPRESS_CMD and S3C_DECOMPRESS_CMD environment variables respectively as in the following example:

    $ env S3C_COMPRESS_CMD="gzip -9" S3C_DECOMPRESS_CMD="gzip -d -c" \\
       s3-crypto.ksh -C -m put -b mybucket -l myfile -r myfile
    

  • Splitting. It is well known that there are file size limits associated with Cloud Storage services. There are times, however, when you may have files that you would like to store that exceed those limits. This is where splitting comes into the picture. Splitting will take an input file and based upon a size threshold, divide it up into a number of files. Splitting is done by default with the csb tool and can be optionally enabled in the s3-crypto.ksh tool. Splitting is accomplished using the GNU split(1) program and is enabled using the -S option. The maximum file size limit is, by default, set at 4 GB, but it can be adjusted using the -L command-line option (specified in Kbytes). Splitting at 2 GB is enabled in the following example:
    $ s3-crypto.ksh -S -L 2000000 -m put -b mybucket -l myfile -r myfile
    

    When splitting is enabled and triggered (when a file's size exceeds the limit), the files stored in the Cloud Storage service use the name as specified by the remote_file (-r) argument. In the above example, the split files will all begin with the name myfile. Each will have a suffix of a ~ followed by an identification string. For example, files stored in the Cloud may look like:

    myfile~aaaaa
    myfile~aaaab
    myfile~aaaac
    myfile~aaaad
    

    The csb and s3-crypto.ksh tools will use this naming convention to automatically reassemble files for get operations. Just as with splitting, reassembly is automatically performed for the csb tool and is enabled in the s3-crypto.ksh tool using the command-line option -S. When specifying a file that has been split, you do not need to include the suffix. The tools will discover that the file has been split and automatically reassemble it. Here is an example for reassembly:

    $ s3-crypto.ksh -S -m get -b mybucket -l myfile -r myfile
    

    The only downsides to splitting are the time it takes to split the files and the additional space that is needed to accommodate both the original file as well as the files created during the splitting process. This is unavoidable however as complete files must be available locally before they can be uploaded to the Cloud Storage provider.

  • Key Labels. The last "big" feature added in this new version is support for symmetric keys stored in PKCS#11 tokens (when the Solaris cryptographic provider is used). By default, the Solaris cryptographic provider is not selected (for reasons of portability), but it can easily be enabled in the s3-crypto.ksh tool using the -p solaris command line option. This setting will cause enable the use of the Solaris encrypt(1) and decrypt commands in place of their OpenSSL counterparts. Using the Solaris cryptographic provider allows you to take advantage of the Solaris Key Management Framework. Today, only the Sun Software PKCS#11 softtoken is supported, but I expect to remove this restriction in a future release.

    Using the pktool(1) command, you can create a key with a specific key label:

    $ pktool genkey keystore=pkcs11 label=my-new-key keytype=aes keylen=256
    Enter PIN for Sun Software PKCS#11 softtoken 
    Enter PIN for Sun Software PKCS#11 softtoken
    Enter PIN for Sun Software : 
    

    The creation of this new key (with label my-new-key) can be verified:

    $ pktool list objtype=key
    Enter PIN for Sun Software PKCS#11 softtoken  Enter PIN for Sun Software P: 
    Found 1 symmetric keys.
    Key #1 - AES:  my-new-key (256 bits)
    

    This key can be used with the s3-crypto.ksh tool when the Solaris cryptographic provider is selected and the key label is provided using the -K command-line option as in the following example:

    $ s3-crypto.ksh -c -p solaris -m put -b mybucket -K my-new-key -l myfile -r myfile
    Enter PIN for Sun Software PKCS#11 softtoken  : 
    

    The same approach is used to decrypt files when a get operation is specified.

As always, I am always looking for feedback! Let me know if these tools are helpful and how they can be improved! You can find out more information on this project at its home page at Project Kenai.

Take care!

Technorati Tag:

Friday May 01, 2009

Cloud Safety Box

Yesterday, I wrote about the ZFS Encrypted Backup to S3 project that I started over at Project Kenai. This project integrates with the ZFS Automatic Snapshot service to provide a way for automatically storing encrypted ZFS snapshots into the Cloud.

So, what if you wanted to just store and retrieve individual files? Well, there is a tool to help fill this need as well! The Crypto Front End to S3 CLIs project offers a couple tools that allow you to encrypt and upload files to the Cloud (and of course download and decrypt files as well). This project provides a very simple to use interface in the form of the Cloud Safety Box, a tool that leverages a number of pre-configured default settings to trade-off flexibility for ease of use. For those wanting more control over the settings (including encryption provider, encryption algorithm, key type and other settings), simply use the s3-crypto.sh utility. A diagram is available showing how these tools work together.

Since these tools can be configured to use OpenSSL as their cryptography provider (and there are no further dependencies on OpenSolaris, you can actually use this tool on other operating systems (e.g., Mac OS X was successfully used during one of the tests).

It should be noted that the s3-crypto.sh utility can be used to download and decrypt an ZFS snapshot uploaded to the Cloud using the ZFS Encrypted Backup to S3 utility so that with these two tools you have a way of storing and retrieving regular files as well as ZFS snapshots.

You can find all of the details, documentation and download instructions (as well as a Mercurial gate) at the Crypto Front End to S3 CLIs project page. So, please give it a try and let us know what you think!

Technorati Tag:

Thursday Apr 30, 2009

Saving Encrypted ZFS Snapshots to the Cloud

Are you an OpenSolaris user? Do you use ZFS? Have you tried the ZFS Automatic Snapshot service? If so, you might be interested in a new tool that I just published over at Project Kenai that enables you to encrypt and store ZFS snapshots to either the Sun Cloud Storage Service (Employees Only at the moment) or Amazon's Simple Storage Service (S3).

You can find all of the details, documentation and download instructions (as well as a Mercurial gate) at the ZFS Encrypted Backup to S3 project page. So, please give it a try and let us know what you think!

Technorati Tag:

Wednesday Dec 10, 2008

mod_privileges for Apache HTTPD

Special thanks to Matt Ingenthron for pointing out that mod_privileges has been integrated back in the Apache trunk (manual) recently. For more information check out NIQ's Soapbox posting on the subject.

Looks like I will have to find a new target (I am looking at you MySQL!) for my BluePrints. I have used the Apache with SMF privileges example in a few publications including Limiting Service Privileges in the Solaris 10 Operating System (2005) and Privilege Debugging in the Solaris 10 Operating System (2006). The content of these papers is still relevant in the general sense, but with the introduction of mod_security, some of this content will no longer be as useful for Apache. That said, lots of other services can and do benefit from the techniques described.

If you find yourself ever wanting to do something similar - converting your services to be privilege aware on Solaris 10, check out the Sun BluePrints article Privilege Bracketing in the Solaris 10 Operating System (2006). Also, check out the OpenSolaris Security Community project on Privilege Debugging as it can help you in finding out what privileges your programs and services need.

Until next time!

Glenn

Technorati Tag:

Thursday Aug 07, 2008

So what's new?

Previously, I promised to do an update since it had been such a long time between postings. Well, wait no longer. Honestly, the last six months or so were fairly light on security work for me. I have continued to work with customers around the world helping them to apply Sun and partner technologies to their business challenges, but my team has continued to deliver on the Sun Systemic Security vision and we have recently started exploring adaptive security architectures. In fact, Joel was published and featured on the cover of the ISSA Journal for his article titled Adaptive Security and Security Architecture (an abridged version was also posted here). You can follow us on this journey at http://blogs.sun.com/adaptive_security.

So if not security, what have I been up to?

Before answering, when you hear the words "High Performance Computing" or HPC, what is the first picture that pops into your head? Does your mind drift immediately towards the hallowed halls of government and research laboratories? Do you think of Top 500 lists or of supercomputers named Ranger? Do you think about exploring the mysteries of weather patterns, "seeing" back into space and time or even keeping tabs on the behaviors of sub-atomic particles? If so, you are not alone, but that is certainly not all there is to HPC.

Today, there is no shortage of computing problems that today are being tackled using high performance computers, interconnects, storage and data visualization, but we need to widen our views, remove our blinders, and begin to see HPC as it exists everywhere.

  • structural analysis, computational fluid dynamics, crash and safety simulations
  • fraud analysis and detection, anti-money laundering, credit derivatives pricing and hedging
  • reservoir simulation and visualization, seismic processing
  • media rendering and transcoding
  • DNA sequencing, molecular modeling and bio-simulation

Customers employing these processes share common traits. They are all trying to drive better business results, more quickly and efficiently. They have huge data volumes and often short windows in which to derive actionable results. They are trying to reduce their time to market, speed up their ability to make key business decisions and thereby maximize their value to their customers and shareholders. Customers such as these are using IT as a strategic weapon.

Sound cool, right? I thought so! For the last six months or so, I have taken on an additional role of leading a global, virtual team across our Global Systems Engineering organization to focus on these "non-traditional" or "commercial" HPC environments. What is truly fascinating is that this is all just the tip of the iceburg. Wired Magazine noted recently that "The quest for knowledge used to begin with grand theories. Now it begins with massive amounts of data." While perhaps an oversimplification, the idea is dead on. We have collected massive amounts of data and more is collected every day. Just as often new ways are being developed to analyze this data. This is where HPC meets main street. Problems with HPC-like characteristics are all around us and only recently have we been given the (commodity) processing power, storage capacity and network bandwidth to employ HPC-like solutions more broadly from government to industry, from large corporations to small startups, from the data center to the home.

It has been a very cool ride and collectively the GSE HPC Tiger Team (as it is known) delivered remarkable results including millions of dollars in wins, training and education for thousands of people, and the capture of key requirements, use cases and design patterns. With this group solidly running on all cylinders, it is time for me to turn my focus back to security (although HPC will never be rid of me!). In the coming months, you will hear more about our work on adaptive security including some really interesting practical applications you can start trying today. Is that enough of a teaser?

Until next time, take care!

Glenn

Wednesday Aug 06, 2008

2008 SIA Award: Sun Systemic Security

I was a little hesitant to write about this as I did not want it to come across as self-promotion, but in the end I felt that it was important for me to say something on behalf of my team. In July 2008, my team and I were awarded with one of the highest honors that Sun can bestow on its technical professionals - the Sun Innovation Award (formerly known as the Chairman's Award for Innovation) for our contributions to the Sun Systemic Security framework. Collectively, these achievements enabled Sun to improve its products to better comply with our customers' security policies and requirements, develop new architectures and best practices that solve key customer security challenges, and position Sun as an architectural and security thought leader across industry and government.

For those unfamiliar with this award, here is a brief summary:

Sun's Innovation Award recognizes those individuals and teams who have made a significant contribution to Sun through innovation. Innovation is a starting point for the Sun Strategy and is key to helping differentiate Sun and attract communities to Sun. Product, process, and project innovations have increased Sun's ability to grow, make money, build our communities, enlist champions, and accelerate our business. The purpose is to reinforce and recognize exceptional performance related to a key pillar of Sun's strategy and one of our key values: Innovation.
The award ceremony was on July 16, 2008 at the Sun Leadership Conferece held in San Jose, CA. The award was presented to the team by both Greg Papadopolous and Jonathan Schwartz.

Pictured (left to right): Greg Papadopoulos, Rafat Alvi, Bart Blanquart, Glenn Brunette, Joel Weise, and Jonathan Schwartz

I would like to publicly congratulate my team on winning this award and thank them for all of their hard work, focus, and dedication. Through all of the ups and downs, you never failed to deliver innovative and highly impactful work that has helped customers and partners around the world and teams across this fine company. I could not be more proud of you all. This is a team award and it belongs to each and every one of you, and while we have been able to accomplish quite a lot, I have no doubt there are greater things yet to come. Thank you! Now get back to work! :-)

On behalf of the team, I think that it is important to thank both Jim Baty and Hal Stern for their coaching, leadership, and unwavering support over the years. They have helped to build and sustain an environment where we all can be challenged, where innovation can flourish, and where we can make a difference for Sun and our customers. You have both been invaluable to our success - thank you!

Tuesday Oct 09, 2007

Sun SPARC Enterprise T5x20s: A Security Geeks Point of View

What an exciting day! Today, Sun has officially launches the Sun SPARC Enterprise T5120 and T5220 rack-mount systems along with the Sun Blade T6320 blade server, the first to be designed for the UltraSPARC T2 processor. From the point of view of a security geek, there is a lot to be happy about. The UltraSPARC T2 has support for eight (8) cryptographic processing units, each of which supports ten (10) different cryptographic algorithms and a hardware-based random number generator. Lawrence has done a fantastic job of talking about these capabilities and performance if you are interested. It is simply mind blowing.

So, what else is new? Well, we now have actual servers that can leverage the computing power of these chips. This means that companies can now begin to rethink about how they have deployed cryptography in their environments. In particular, it is now much more practical to deploy cryptographic services more widely across an enterprise environment due to the performance gains achieved by offloading the work to the cryptographic processing units. For example, why not ensure that all of your internal web, directory and mail services are fitted for encryption? (Hint: you should be doing this already, but now you can do it while not sacrificing the performance of your CPUs!) Net-net: strong security + excellent performance + eco-friendly is a win-win for everyone.

In addition to enabling the wider use of cryptographic services, I would also encourage any organization to consider how the performance and power benefits of these systems can be applied to their existing environments and workloads. In particular, when used in concert with Sun's Logical Domains (LDoms) technology, organizations can get the benefits of performance, virtualization and security together in one system. Did I mention that today we are also announcing version 1.0.1 of our LDoms technology? Honglin has all the details. Of particular interest to us security geeks is the support for minimized and hardened logical domains! Combine that with the security isolation capabilities of the LDoms hypervisor, a boat-load of crypto performance, and a rock-solid, security, and scalable operating system - you just can't go wrong.

Talk about "zero cost security"! Taken as a whole, you get all of the performance (did I mention the 64 threads?), power and virtualization benefits with security just baked into the design! What's not to like? At least from where this security geek is standing, the view is simply unbeatable. See it all for yourself!

Glenn

Technorati Tag:

Saturday Feb 11, 2006

Sun shines at the RSA Security Conference

From the press release. For more information on Sun Systemic Security, check out this posting. If you are going to be attending, be sure to check out the Sun booth and look me up! I will be in and around the conference Monday through Thursday and will be at the customer luncheon (Tuesday), if you would like to chat a bit.

MENLO PARK, Calif. -- Feb. 8, 2006 --Sun Microsystems, Inc. (NASDAQ: SUNW) executives Scott McNealy,
chairman and CEO, will deliver keynote presentations on Feb. 14 at the RSA Conference.  At the RSA
Conference in San Jose, Calif., Scott McNealy's keynote presentation will address the need for a
systemic security approach to both protect and enable opportunities the network provides.

WHEN and WHERE:
Scott McNealy's keynote presentation, "Tear Down the Walls -- Embrace Risk and Opportunity Through
Security", will take place Tuesday, Feb. 14 at 9:50 a.m. Pacific. The RSA Conference is being held
at the McEnery Convention Center in San Jose, Calif. from Feb. 13-17. Information about the 
conference can be found at http://2006.rsaconference.com/us/.

Additional Sun Activity at RSA Conference

Sun will host a customer luncheon with security experts Whitfield Diffie and Radia Perlman. Held
on Tuesday, Feb. 14, the lunch will provide an opportunity to learn more about Sun's systemic
approach to security. For more information and to register for the luncheon, please visit
http://mediadirect.com/rsa/email.html.

In the Sun booth, number 515, visitors can view demonstrations and discuss Sun's integrated
technology solutions. In addition to McNealy's keynote, several Sun executives will be 
participating in presentations and panels at the RSA Conference, lending expertise on topics
such as identity management, cryptography, data management and cross platform security.
Additional Sun presentations at RSA Conference include:

Tuesday, February 14

    \* 10:35 a.m. Pacific - Whitfield Diffie, chief security officer
      The Cryptographers Panel
    \* 11:45 a.m. Pacific -- James Hughes, Sun fellow
      Storage Security -- Use of Encryption to Protect Data at Rest
    \* 2:00 p.m. Pacific - Yvonne Wilson, architect
      Implementing Federated Identity: What Products Do You Need?
    \* 3:25 p.m. Pacific - Rafat Alvi, senior architect, CTO Office
      Trusted SOA: An End-to-End Trustworthy Services-Oriented Architecture
    \* 4:30 p.m. Pacific -- Rags Srinivasan, CTO, Technology Evangelism
      Secure Cross-Talk Between Java and NET Platforms Using WS-Security 

Thursday, February 16

    \* 2:00 p.m. Pacific -- Michelle Dennedy, chief privacy officer
      The Policy of Identity: Privacy Rules
    \* 2:00 p.m. Pacific -- Nancy Hurley, director, Data Management Group Software
      Integration of Data Management ILM Systems
    \* 3:25 p.m. Pacific -- Radia Perlman, distinguished engineer
      The Information Protection Wars 

Friday, February 17

    \* 11:10 a.m. Pacific -- Hanumatha Neti, director, IT Security and Danny Smith, IT
      security specialist
      Security Metrics -- How Six Sigma is Helping Security in Large Enterprises 

Tuesday Apr 26, 2005

Sun's CPO in Action!

Check out Sun's Chief Privacy Officer, Michelle Dennedy, in action at the Security Leadership Council Online Conference and Expo on April 28th at 12 PM Eastern. The online conference runs for two days starting April 27th. Michelle is a speaker for the Leaders Roundtable session, COMPLIANCE IN THE COURTROOM: Security Practices Must Stand Up in Court and will be joined by Matt Curtin and Steven Brower.

The abstract for the session is:

The whole point of Regulations & Compliance is to turn certain practices and methodologies into legally binding mandates that are enforceable in a court of law. Compliance practices, while good in and of themselves, have to be implemented with a very strong legal focus to ensure full demonstrability in the eyes of the law, should the need to do so arise. This session will discuss cyber forensics & e-incident investigation, as well as the legal and technological ramifications of demonstrating compliance in the courtroom.

The site does require free registration and that you RSVP for the sessions that you wish to attend.

Wednesday Apr 06, 2005

Systemically Secure Architectures

On Monday - 04/04/2005, I presented at the EDUCAUSE 2005 Security Professional Conference. The goal of this event was to bring together IT security officers and practitioners from across the higher education landscape. My talk was titled Systemically Secure Architectures: Lessons from the Trenches. The talk approached the subject of secure architecture design using a building block metaphor with a focus on automation, optimization and continuous improvement.

This talk did touch briefly on policy, process and people issues, however its primary focus was on technology standardization, automation and optimization to promote greater levels of security, strategic flexibility and of course RAS. Using a building block approach, this talk featured a vision for constructing secure IT architectures using a variety of techniques including defense in depth, compartmentalization, least privilege, and others while still providing the flexibility that is demanded in a university environment. To provide a more concrete example of how to apply the concepts, a strategy was put forth showing how to integrate a variety of Sun technologies and services to achieve these goals.

The Sun technologies that were dicussed included Solaris 10, Secure Application Switch, the Identity Management product set, the Portal Server, Sun Ray thin-clients, as well as methodologies such as Sun's Service Delivery Network (SDN) architecture. It should be noted however that nothing in this talk forces an organization to be homogeneous. In fact, the elegance of this approach is founded in its ability to adapt to heterogenous environments as well as those with different security, risk or assurance needs. In fact, this foundation of this approach could be applied (with some modification) to other verticals such as financial services, government, health care, and others.

This presentation concluded with a vision illustrating how these different technologies and services could be successfully integrated resulting in an architecture that is very strong, agile and resilient to attack. If you would like more information on this approach or any of Sun's other secure technologies or services, please let me know.

Take care!

Technorati Tag:

Monday Oct 25, 2004

OEM Business Forum with Sun Microsystems

I have been away for a while due to vacation, customer visits and preparation for a few upcoming conferences. I will be back soon with more Solaris 10 Security information and tips. In the meantime, you will be able to catch me this week at the Sun OEM Business Forum being held in Rochester, NY. I will be presenting on the topic of designing and building secure OEM business solutions.

Others speaking at the event include:

  • Colin Fowles, Director, Sun OEM Business Office
  • Patrick Petschel, Director, Market Development, Nu Horizons Electronics Corp.
  • Dr. Bob Sproul, VP & Fellow, Sun Labs of Massachusetts
  • David Towne, Manager Sun Compliance Engineering
  • Trey Talbott, Client Services Architect
  • Gordie Klueber, Technical Architect, CTO Office, Sun Microsystems Labs
You can find more information on this event at:

http://www.nuhorizons.com/sun/

Special thanks to Nu Horizons Electronics, Inc. for sponsoring this event.

Monday Oct 04, 2004

2004 Annual Fall Computer Security Symposium -- UNCC

Security pros to share secrets at UNC Charlotte

As information technology has advanced, it has increasingly become the key to efficient business communication. The spread of such technologies - and the consequent reliance on it - requires a commitment to understand and minimize the threats that could compromise the facility, privacy and integrity of network data.

Leading researchers and practitioners in the fields of information security will delve into these issues and discuss solutions during the Fall Computer Security Symposium at The University of North Carolina at Charlotte. Secret Service agent Tony Marino and Sun Microsystems Chief Security Officer Whitfield Diffie are among those sharing their expertise during the October 13th program in the Cone Center's McKnight Hall. Attending cyber security professionals, including business continuity professionals, IT managers, software developers, systems administrators, information security professionals and policy makers will have the opportunity to question the experts. Registration begins at 8:30 a.m. with sessions running from 9 a.m. to 4:30 p.m.

Other top cyber security leaders to present will be:

  • Kent Blossom, Director of Safety and Security Services, IBM
  • Al Decker, Director, Security and Privacy Services, EDS
  • Tom Fisher, CIO, Qualcomm
  • Brad Ipema, Attorney, Wachovia Bank
  • Kevin Kealy, Security Scientist, AT&T
  • Wynn Mabry, Director, Homeland Security, Mecklenburg County
  • Joan Myers, President, North Carolina Electronics and Information Technology Association
  • Ed Paradise, Vice President and General Manager, Mobile Wireless Group, Cisco
  • Rebecca Whitener, Director, Privacy Services, EDS
  • James A. Whittaker, Associate Professor of Computer Science, Florida Institute of Technology

The symposium's sponsors include: UNC Charlotte's College of Information Technology and the university's Charlotte Research Institute, which draw on their extensive research and educational programs in computer security. The College of IT's program was recently redesignated by the U.S. National Security Agency as a Center of Academic Excellence in Information Assurance Education.

In addition to UNC Charlotte, sponsors include the North Carolina Electronics and Information Technology Association, the Information Technology Council of the Charlotte Chamber of Commerce and InfraGard.

For details & registration on this year's symposium, please visit http://www.coit.uncc.edu/symposium/2004/site/index.cfm.


To compliment the 2004 Cyber Security Symposium, on Wednesday, October 13th, there will also be a radio broadcast. "Charlotte Talks", a production of WFAE FM 90.7 will host Whitfield Diffie (Sun Microsystems Chief Security Officier), Rebecca Whitener (Director of Privacy for EDS) and Tony Marino (Special Agent for the Secret Service) to address certain questions regarding Identity Theft.

You can listen via the radio or the Internet at FM 90.7.

Common Criteria User's Forum

The Common Criteria User's Forum will be held this week in Washington, DC. Specifically, the event will begin on Wednesday, October 6th and conculde on Thursday, October 7th. The cost of this event is $100 for non-government employees. For U.S. government employees, the fee is waived.

(From the web site), the goals of the forum are to:

  • Recommend practical means to improve the Common Criteria processes and standards to make them a truly viable mechanism toward improving COTS product security for not only the Government, but for all customers.
  • Present the opportunity for all parties to express their perspectives on the issues raised and to identify realistic means to resolve them.
  • Provide an open forum to discuss and resolve the apparent differences between the views of commercial entities and NIAP.
  • Develop a specific plan of action for the recommendations from the NIAP Review and the Task Force Report as well as any additional recommendations developed by the attendees.
  • Begin to share Common Criteria experiences as a means of educating all stakeholders.

It looks like it will be both a fun and constructive event. I would encourage anyone interested in the future of the Common Criteria to stop by if you can. I will be moderating a session on day 2 entitled "Common Criteria Requirements for Commercial Users". This session will focus on what is needed to make the Common Critiera more relevant and appropriate for use in the private sector. It should be quite a discussion! If you are able to drop in, please say hello!

I will hopefully be getting back to my list of lesser known and/or publicized security enhancements to the Solaris 10 OS in the next day or so. Until then, thanks for reading and take care!

About

gbrunett

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today