Is It the End of the Security World as We Know It?

Heavy hitters such as Sun, Cisco and Microsoft all want to build security into their own hardware and software, which could leave security vendors out in the cold.

SAN JOSE, Calif.—The folks running the annual RSA Conference here this week will tell you that the show is bigger than ever and security is at the top of every CIO's list of concerns.

And while all of that may well be true, if heavyweights such as Sun Microsystems, Cisco Systems and Microsoft have their way, enterprises soon will have little use for the wares that most of the security vendors here are hawking.

It's rare that those three vendors would all agree on anything, but in speeches and interviews this week, executives from all of them have said that it's time to build security into hardware and software from the ground up and stop trying to fix problems after the fact.

Of course, each vendor has a different idea about how to accomplish that goal, but the underlying idea is the same: Make security an integral part of the network, and not an add-on.

To Cisco, this means enterprises buying into the company's Self-Defending Network strategy. In his keynote speech at the conference, Cisco CEO John Chambers showed off the company's new Security Management Suite, which is designed to automate protection features and management among routers, switches and client devices.

The Cisco Security Manager piece of the suite will enable administrators to create flexible policies that can be shared among devices and then modified on the fly to defend against new threats.

"We want all of the security devices communicating with each other automatically," Chambers said.

But, as with Cisco's Network Access Control solution, the new suite is meant to run only on Cisco's own networking gear.

And, there are a number of hurdles to overcome before such integrated security will be cost-effective and efficient for enterprises, analysts said.

"Networking and security are separate units in the enterprise. So you need a closed loop between networking and security in order to make this work," said Abner Germanow, an analyst with IDC, based in Framingham, Mass.

"Automating that process is a fairly scary thing for a lot of people. Integration is classically the hardest and most expensive thing going. Will we get to automation? Yes, but this is more of an interim step to help solve the problem."

Sun executives have their own ideas about where security should lie. They believe security should be provided not by firewalls, IDS boxes or anti-virus scanners, but by the network infrastructure and the software running on it.

And that can only be accomplished by writing software based on open standards that has been developed using a community process, Sun executives said.

"You use community development, an open interface and a public reference implementation that's guaranteed to be open. That's the right way," said Scott McNealy, Sun's CEO.

"It's mankind versus the proprietary answers. Vista security is a bolt-on [solution]. Solaris is a Unix and it's meant for the network."

Sun has quietly been adding a number of security features to Solaris over the last couple of years, and McNealy said that will continue.

The company has started shipping its Trusted Extensions for Solaris, a toolkit that hardens the operating system. The idea is to make security a transparent part of the OS, not a group of add-on features.

"People think of security as a noun, something you go buy. In reality, it's an abstract concept like happiness," said James Gosling, a vice president and Sun Fellow, and the man who invented Java. "Openness is unbelievably helpful to security."

The implication—sometimes spoken, sometimes not—of what McNealy, Gosling and Chambers all said is that all of these security technologies are necessary because of the deficiencies of Windows and other Microsoft products.

McNealy, in fact, spent much of his time on stage railing against Microsoft.

But Redmond is not standing still either. Bill Gates, Microsoft's chairman and chief software architect, used his conference-opening keynote to preview a few new security technologies that will be built into Windows Vista.

Many of the features, such as integrated anti-spyware software and upgraded online identity management tools, are things that dozens of security vendors are trying to sell as stand-alone products.

Many observers believe that once those technologies are integrated into Windows, they will quickly become commodities, much like browsers are today. But Gates knows there is still much more work to be done on security, by Microsoft, Sun, Cisco and hundreds of other companies.

"If there's an area that we absolutely need to do better in, [simplicity] is it. I'll be the first one to say that," he said.
