Is It the End of the Security World as We Know It?

SAN JOSE, Calif.—The folks running the annual RSA Conference here this week will tell you that the show is bigger than ever and security is at the top of every CIO’s list of concerns.

And while all of that may well be true, if heavyweights such as Sun Microsystems, Cisco Systems and Microsoft have their way, enterprises soon will have little use for the wares that most of the security vendors here are hawking.

It’s rare that those three vendors would all agree on anything, but in speeches and interviews this week, executives from all of them have said that it’s time to build security into hardware and software from the ground up and stop trying to fix problems after the fact.

Of course, each vendor has a different idea about how to accomplish that goal, but the underlying idea is the same: Make security an integral part of the network, and not an add-on.

To Cisco, this means enterprises buying into the company’s Self-Defending Network strategy. In his keynote speech at the conference, Cisco CEO John Chambers showed off the company’s new Security Management Suite, which is designed to automate protection features and management among routers, switches and client devices.

The Cisco Security Manager piece of the suite will enable administrators to create flexible policies that can be shared among devices and then modified on the fly to defend against new threats.

“We want all of the security devices communicating with each other automatically,” Chambers said.

But, as with Cisco’s Network Access Control solution, the new suite is meant to run only on Cisco’s own networking gear.

And, there are a number of hurdles to overcome before such integrated security will be cost-effective and efficient for enterprises, analysts said.

“Networking and security are separate units in the enterprise. So you need a closed loop between networking and security in order to make this work,” said Abner Germanow, an analyst with IDC, based in Framingham, Mass.

“Automating that process is a fairly scary thing for a lot of people. Integration is classically the hardest and most expensive thing going. Will we get to automation? Yes, but this is more of an interim step to help solve the problem.”

Sun executives have their own ideas about where security should lie. They believe security should be provided not by firewalls, IDS boxes or anti-virus scanners, but by the network infrastructure and the software running on it.

And that can only be accomplished by writing software based on open standards that has been developed using a community process, Sun executives said.

Click here to read about Bill Gates’ keynote speech at the RSA Conference.

“You use community development, an open interface and a public reference implementation that’s guaranteed to be open. That’s the right way,” said Scott McNealy, Sun’s CEO.

“It’s mankind versus the proprietary answers. Vista security is a bolt-on [solution]. Solaris is a Unix and it’s meant for the network.”

Sun has quietly been adding a number of security features to Solaris over the last couple of years, and McNealy said that will continue.

The company has started shipping its Trusted Extensions for Solaris, a toolkit that hardens the operating system. The idea is to make security a transparent part of the OS, not a group of add-on features.

“People think of security as a noun, something you go buy. In reality, it’s an abstract concept like happiness,” said James Gosling, a vice president and Sun Fellow, and the man who invented Java. “Openness is unbelievably helpful to security.”

The implication—sometimes spoken, sometimes not—of what McNealy, Gosling and Chambers all said is that all of these security technologies are necessary because of the deficiencies of Windows and other Microsoft products.

McNealy, in fact, spent much of his time on stage railing against Microsoft.

But, Redmond is not standing still either. Bill Gates, Microsoft’s chairman and chief software architect, used his conference-opening keynote to preview a few new security technologies that will be built into Windows Vista.

Many of the features, such as integrated anti-spyware software and upgraded online identity management tools, are things that dozens of security vendors are trying to sell as stand-alone products.

Many observers believe that once those technologies are integrated into Windows, they will quickly become commodities, much like browsers are today.

But Gates knows there is still much more work to be done on security, by Microsoft, Sun, Cisco and hundreds of other companies.

“If there’s an area that we absolutely need to do better in, [simplicity] is it. I’ll be the first one to say that,” he said.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.