In the Boardroom With...

Mr. Glenn Brunette
Distinguished Engineer and Director,
Global Sales and Service Security Office
Sun Microsystems (NASDAQ: SUNW)



SecurityStockWatch.com: Thanks for joining us today, Glenn. Please give our audience an overview of your background and your role at Sun.

Glenn Brunette: It is a pleasure to speak with you today. Thank you for having me. I have been working in and around the information and systems security arena for over 15 years focused primarily in the areas of systems and network administration, software and systems engineering, and IT consulting. For the last 7 years, I have been employed by Sun and have worked in a number of technical information security roles in the sales and consulting organizations. Most recently, I have taken on the role of Director and Chief Architect of Sun's Global Sales and Service Security Office. In this role, I am responsible for security strategy and architecture as well as improving the quality and security of the products and services delivered to Sun's customers.

SecurityStockWatch.com: One will read on Sun.com that, “Sun takes a whole-system approach to security and compliance. Sun Systemic Security integrates layered protections directly into essential IT infrastructure.” Please elaborate on this holistic approach for our readers.

Glenn Brunette: Certainly. It is an unfortunate fact that in many environments, IT security is simply an afterthought. While not universally true, we all too often see cases where organizations become concerned with security only after they have endured substantial pain as a result of a failed audit or, even worse, a security breach. In other organizations, security is viewed as a simple matter that can be “solved” using a product or set of point solutions (e.g., virus scanner, firewall, etc.). In still others, it is viewed through a lens reflecting only a particular view of the problem space (e.g., security is addressed only by network security controls). At Sun, we recommend that our customers take a strategic and more holistic approach when it comes to security. This is what the Sun Systemic Security Program is all about.

We realize that customers depend on our products and services to run their businesses. Building on the accrued knowledge from protecting military, financial, and other information assets and critical infrastructure, Sun has continued to build security into all its products and services by design. As a result, the Sun Systemic Security Program includes Sun's diverse product, service and training portfolio for those customers wanting to gain the benefits of using Sun technology in their environment. We do recognize that no single vendor can meet every customer's need, and so the Sun Systemic Security Program also includes IT and security products and services from members of the Sun Partner Advantage Program to complement our offerings. Collectively, the products and services provide a strong foundation on which customers can rely.

More importantly, however, we understand that security is not just about product features and capabilities. At the heart of the Sun Systemic Security Program is a principle that security must not be treated as a product or service, but rather as a pervasive quality that is holistically, consistently and repeatedly applied throughout an organization's architecture, processes, training and products. This vision enables organizations to realize business value from the systemic integration of security into their existing IT architectures and practices. Organizations should not view security as some “thing”, but rather as one of the primary qualities that every architecture, service, product, or procedure must possess (in balance with other systemic qualities, such as reliability, availability, performance, cost, and so on). Viewed in this light, security becomes an enabler that can serve to help reduce risk, cost and complexity in an IT environment.

To realize this vision, the Sun Systemic Security Program leverages a compliance-oriented methodology along with a set of modular, standardized, and composable architectural patterns and building blocks that are aligned with repeatable and auditable processes. This approach enables the capture, reuse, and refinement of knowledge about IT infrastructure, processes and applications, as well as a better understanding of the inter-relationships between the various building blocks and their underlying components. In the end, it allows organizations to determine which patterns (and consequently what processes and products) may be appropriate for a particular situation given a set of requirements, dependencies, and constraints.

Just as important, our approach leverages a maturity model to capture the operational maturity of an organization in order to map solutions that are appropriate, cost effective and within the ability of the organization to maintain. This approach allows organizations to better understand where they are operationally as well as where they would like to be. Armed with this information, a road map can be developed to help bridge any gaps that may exist today while keeping the organizational focus on their longer-term goals.

Taken as a whole, the Sun Systemic Security Program provides a comprehensive model for helping to address and in fact improve IT security and compliance across an enterprise. Further, Sun's complete portfolio of servers, storage, software and services, complemented with those from our partners, creates a strong, open and interoperable foundation upon which an organization's security goals can be made a reality.

SecurityStockWatch.com: Also on Sun.com, one will see that Identity Management is the foundation for safeguarding a company's critical information assets, as well as its ability to achieve a strong and sustainable compliance posture. Please tell us about Sun’s ID solutions.

Glenn Brunette: Sun is recognized as a global leader in identity management and billions of user identities worldwide are managed by Sun's identity management products. In fact, Sun was positioned by Gartner in the "Leaders" quadrant of the 1H06 User Provisioning Magic Quadrant report and with good reason. Our identity management platform streamlines and simplifies the process of managing user identities across a variety of applications in order to provide provisioning and secure access, ensure ongoing compliance and enable federation for sharing beyond business boundaries. The key elements of our Sun Java Identity Management Suite include: Identity Manager, Access Manager, Federation Manager, and of course our Directory Server. Allow me to elaborate a little on each of these components.

  • Identity Manager delivers comprehensive user provisioning using a non-invasive architecture for fast, easy and cost-effective implementation. Recently, Identity Manager was enhanced to provide auditing capabilities that help to address regulatory mandates, internal privacy and policy initiatives and to help support ongoing and sustainable IT compliance. In fact, the Java System Identity Manager version 7.0 is the first product to marry provisioning and auditing in this way.

  • Access Manager complements Identity Manager by enabling open, standards-based authentication and policy-based authorization within a single, unified framework. It helps secure the delivery of essential identity and application information by offering single sign-on (SSO) as well as enabling federation across trusted networks of partners, suppliers, and customers.

  • Federation Manager helps organizations establish and extend trusted domains to include large numbers of service providers as part of a hub-and-spoke architecture. Federation Manager provides secure federated services by allowing spoke partners to more efficiently leverage the core security and identity infrastructures of the hub provider. Because it makes trusted domains easily extensible across vast networks of partners, Federation Manager can create application security mechanisms that are reusable and that enable authentication and access solutions to work together seamlessly across diverse partner environments.

  • Directory Server is the backbone of our Identity Management platform and provides a solid and scalable foundation for identity management by providing a central repository for storing and managing identity profiles, access privileges, and application and network resource information.

Further, Sun's recent acquisition of Neogent enables Sun to leverage Neogent's Velocity Identity Package (VIP) to reduce deployment time, ultimately providing customers with a scalable, cost effective solution that can be completed in as little as 45 days.

SecurityStockWatch.com: What is your perspective on the market drivers for Sun solutions at this time?

Glenn Brunette: We have a very rich and broad portfolio of products and services that are used by nearly every industry and vertical to solve a wide array of business and technical challenges. Consequently, we do find that the reasons that customers are choosing Sun solutions can vary greatly. There are, however, three common themes that rise to the top: choice, innovation, and trust.

The use of open, interoperable products has been at the very core of Sun since its inception. Sun's insistence on leveraging open and interoperable protocols and standards means that customers have choice. Our customers see value in not being locked into a single technology or vendor. We believe that choice is incredibly important and that vendors should actively participate in the development of open, interoperable standards and as individual companies compete on the resulting quality of our products and services. Taking this a step further, we work very hard to enable our products to run in environments that are not our own. Take, for example, the Solaris 10 Operating System that can not only run on our UltraSPARC and AMD-based platforms but also on hundreds of servers, desktops and laptops sold by other manufacturers. The same is true for our Java Enterprise System suite of products which can run on Linux, Windows and even HP-UX. The best example is, of course, Java with its write once, run anywhere philosophy. We believe that it is very important to provide our customers with the freedom to choose their own path.

Sun has consistently shown itself to be a leader in technology innovation. Whether talking about the SPARC processor line, the Solaris Operating System, Java or more recently technology such as the UltraSPARC T1 processor with Cool Threads technology, the Sun Grid compute utility, the Sun Fire X4500 hybrid data server or the “data center in a box”, Project Blackbox, Sun is at the forefront of innovation. Clearly, customers value choice, but when that choice is coupled with a consistent record of innovation, it is easy to see why they come to Sun. Our customers are in business to serve their customers, their shareholders, and their communities. That means retaining existing customers, attracting new customers, and differentiating themselves in the marketplace. Sun enables our customers, through our products and services, to create competitive differentiation, enable market agility while at the same time not compromising on choice, innovation or security.

Last, but certainly not least, is trust. Customers must have confidence in the products they select for their IT environments – that those products are robust, reliable and secure. That Sun technology is used throughout banking, health care, telecommunications, and even the military is evidence that our technology is trusted by those organizations to support their diverse and demanding environments. That trust was not blindly given but rather was earned – through proven deployments, through external evaluations such as the Common Criteria, and even by open-sourcing our software and hardware so that anyone is free to validate our claims. By engendering trust, Sun is able to create a relationship with our customers. An added benefit of earning a customer's trust is that they are more willing to work with us to help improve our products and services to better meet their needs. OpenSolaris is a great example of this where we have a large and growing community actively shaping the future of the Solaris Operating System.

SecurityStockWatch.com: As an industry leader, Sun has had impressive “wins” in every enterprise vertical. Let’s pick three. How about a brief overview of Sun solutions with a customer in the finance, healthcare, and technology verticals?

Glenn Brunette: Absolutely. How about five! Sun has indeed had a number of great wins across these sectors. What is nice about them is that in nearly every case – it is a success story for security. As I mentioned previously, we strive to make our products robust, reliable and secure out of the box and for that customers have trusted Sun solutions to run their businesses. It does not matter whether we are talking about electronic commerce, critical infrastructure, compute grids, big business or national security – Sun is there. Let me share with you a few examples.

  • Financial Services. National Stock Exchange (NSX) selected Sun Microsystems to create and power its new cutting-edge technology platform to help it compete with other exchanges in the U.S. and globally. The Sun build-out, based on Sun Fire SPARC and Opteron-based servers, will have scalable capacity that will help NSX handle increasing trading volumes, as well as manage its archiving needs to comply with recent SEC regulations. (July 2006)

  • Health Care. One of the largest non-profit academic medical centers in the Western U.S., Cedars-Sinai Medical Center is implementing a new Sun Microsystems-based high-performance computing grid for medical research at its Center for Applied Molecular Medicine, with particular emphasis on cancer research. The HPC grid is comprised of 400 Sun Fire servers based on AMD Opteron processors and running Sun N1 Grid Engine software. The Sun Customer Ready Systems program pre-configured, racked and tested the grid platform prior to delivery in under three weeks. Cedars-Sinai was recently introduced as number 412 on the 27th TOP500 List of supercomputing sites in the world during the International Supercomputer Conference (ISC2006) in Dresden, Germany. (June 2006)

  • Technology. Internet Systems Consortium, Inc. (ISC), the leading provider of public infrastructure for the global Domain Name System (DNS), announced that the ISC chose the free and open source Solaris(TM) 10 Operating System (OS) and Sun Fire(TM) x64 (x86, 64-bit) servers, powered by AMD Opteron(TM) processors, as an F-root server, one of the 13 root DNS servers that are the foundation of the Internet. (October 2006)

  • Telecommunications. Swiss telecommunications carrier Swisscom Mobile selected Sun Fire T2000 servers running the Solaris 10 Operating System and the Sun Java Identity Management Suite to enable its 1145 retail stores to connect securely with the company's Siebel CRM system from Oracle and point-of-sale (POS) applications. This will let the stores provision services at the point of sale, making it easier for customers to take advantage of more and better services faster. (October 2006)

  • High Performance Computing. The National Science Foundation (NSF) awarded the Texas Advanced Computing Center (TACC) at The University of Texas at Austin $59 million over five years to acquire, operate and support a high-performance computing (HPC) system made of Sun Fire x64 (x86, 64-bit) servers and Sun StorageTek disk and tape storage technologies that will use over 13,000 of AMD’s forthcoming quad-core processors. TACC is partnering with Sun Microsystems to deploy a supercomputer system specifically developed to support very large science and engineering computing requirements. In its final configuration in 2007, the supercomputer will have a peak performance in excess of 400 teraflops, making it one of the most powerful supercomputer systems in the world. It will also provide over 100 terabytes of memory and 1.7 petabytes of disk storage. (October 2006)

These are but a few examples to highlight some of our recent successes. Rest assured, however, that these companies are not alone. Sun has a presence in the top 10 Wall Street firms, the top cable providers, 8 of the largest 10 telecommunications carriers, 22 of the top 30 Fortune 500 manufacturing companies, and 7 of the top 10 airlines, not to mention our presence in governments around the world. If that is not trust, I do not know what is.

SecurityStockWatch.com: Let’s turn to the Government sector. Without divulging any confidential or classified information, of course, is there a Homeland Security or Intelligence project that you can tell us about?

Glenn Brunette: Even in the government sector we have had some very compelling successes. Let's look at a few examples:

  • Centers for Medicare and Medicaid Services awarded a task order, valued at $41 million, to EDS to handle the hosting of its public web sites. The Enterprise Data Center multiple-award contract aims to consolidate data center operations that support mainframe and client/server applications. The task encompasses the medicare.gov and cms.hhs.gov web sites as well as other CMS web-based legacy applications. Sun Microsystems is an EDS Agility Alliance partner and will provide major components in support of this new task order. (July 2006)

  • Defense Information Systems Agency is moving to a pay-per-use method to supply and manage servers for its data centers. Sun Microsystems was awarded one of five contracts, in total worth as much as $700 million over the next eight years. Sun's offering makes use of a wide variety of Sun products and services including the Solaris 10 Operating System, Sun's N1 Management Suite, Sun's Variable Cost Infrastructure Service, as well as Sun's complete range of both SPARC and AMD-based servers. Sun will provide hardware, software, maintenance and support for these components in DISA's 18 data centers. (October 2006)

  • DODIIS Trusted Workstation. Originally developed for the Pacific Command's Joint Intelligence Center (JICPAC), the DODIIS Trusted Workstation (DTW) was designed to provide a standard intelligence system coupled with applications interoperability that enables collaboration between intelligence sites in a secure and timely manner. Sun technology is at the heart of DTW including Sun's Trusted Solaris Operating System, Sun Ray thin-clients, as well as Sun SPARC-based servers. Since its successful pilot, DTW has gone on to become an accepted community standard solution. The new Sun Ray 2 thin clients deliver state-of-the-art, military grade security features, a full complement of peripheral ports and an integrated smart card reader. The eco-friendly Sun Ray 2 client boasts extremely low typical power consumption -- approximately four watts, compared to a typical PC which consumes over 80 watts. "In the Defense Intelligence Community, we have been using the Sun Ray environment for the last three years now," noted Dr. Ryan Durante, the DTW Program Manager at the Air Force Research Laboratory. "The dual head capability, combined with the security of fiber to the desktop, sets Sun's newest offering apart from anything else on the market. We expect to save $5.6 million over the next two years by migrating to the SunRay 2FS." (October 2006)

SecurityStockWatch.com: We understand that Sun is a contributor to The Center for Internet Security. What are the goals and objectives of this group?

Glenn Brunette: The Center for Internet Security is a non-profit organization whose mission is to help organizations to reduce the risk of unexpected outages or service disruptions resulting in accidental or deliberate attacks against their IT assets. CIS is most noted for their publication of security guidance and scoring tools that evaluate a product's compliance with the published recommendations. CIS brings together vendors as well as customers from academia, industry and the government to develop security recommendations through a consensus process.

Sun has been working with CIS for nearly four years in an effort to align their recommendations with those we had published previously under the Sun BluePrints program and codified in the Solaris Security Toolkit. Over the last four years, the vast majority of our differences have been addressed. In fact, working in partnership, Sun and CIS were not only able to publish security guidance for Solaris 10 before it was released, but Sun also took the additional step of publicly announcing support for customers implementing the CIS recommendations. Needless to say, we are continuing to work with CIS to improve the recommendations for current and future products.

A wonderful side effect of this relationship has been that we have been able to reach out to more customers to better understand their security requirements. With this information, we have also been able to make a number of changes directly to the Solaris Operating System in response to customer feedback as well as recommendations published in that guide to make it easier for our customers to deploy and manage more secure configurations. This is in fact what the Participation Age is all about – bringing together communities, sharing ideas, and moving the state of the art ever forward.

SecurityStockWatch.com: What resources, such as webinars, case studies, and white papers, are available at www.sun.com for end-users?

Glenn Brunette: You can actually find a great deal of security and identity-focused information on the following web sites:

In addition, you can find an additional discussion of Sun Systemic Security at:

For those with more targeted security interests, the following sites may be more appropriate:

There is a wealth of security information and resources available from these sites in the form of webcasts, white papers, presentations, case studies and more. If you do not find what you are looking for, I would encourage you to drop us a note or talk to your local Sun representative.

SecurityStockWatch.com: Thank you very much for your time today, Glenn. Is there any other subject you would like to talk about?

Glenn Brunette: If you do not mind, I just want to highlight that Sun has a very diverse portfolio of products and we were only able to touch on a few during this interview. I would like to simply reinforce that security is something that we have worked hard to design into our complete set of products and services. The cryptographic acceleration properties of our UltraSPARC T1 processor and Sun Crypto Accelerator 6000 PCI card, the wide array of security protections in the Solaris 10 Operating System, and our comprehensive identity management platform are just the tip of the iceberg. Upon closer inspection you will find security integrated into our middleware, the Sun Java Enterprise System, our service oriented architecture suite, the Sun Java Composite Application Platform Suite, and even out to the desktop in the form of our Secure Global Desktop and Sun Ray offerings. Taken individually, they each have a strong security value proposition.

In keeping with the Sun Systemic Security viewpoint, however, it is important to note that viewed architecturally, these and other components can be used together to build a strong, resilient and agile service-based architecture that is capable of meeting if not exceeding the security and compliance requirements of most organizations. In this case, the whole is significantly greater than the sum of its parts. Applying the Sun Systemic Security Program, including its methodology, maturity model, and architectural patterns, organizations can optimize their security investments, reduce complexity and drive greater security and value from their IT environment.

Thank you for the opportunity to share with your readers a little bit of information about Sun and our security successes.