Trusted Solaris has secure future, Sun says

SAN FRANCISCO – Sun Microsystems Inc. will continue to offer the Trusted Solaris version of its operating system as a separate product, a company official said Tuesday, trying to clear up any confusion that Sun may have caused in the marketplace.

Sun executives have said several times recently that security features from Trusted Solaris, a hardened version of Sun’s OS used by the military, governments and some enterprises, will be added to its standard Solaris distribution. But the two product lines will continue to exist separately, said Ravi Iyer, Sun’s group manager of systems security marketing.

“There’s a misperception that these two products have merged. They have not merged, but we took some features from Trusted Solaris and moved them to Solaris,” he said.

For example, Solaris includes a feature from Trusted Solaris called process rights management, which prevents applications from accessing resources that aren’t essential to the task they perform. The feature can help minimize damage caused by buffer overflows, a common type of attack against computers, according to Sun.

But other security features won’t be moved into Solaris. For example, Trusted Solaris lets users label all the applications and files on a server and then restrict access to those items based on an employee’s security clearance level. Such features carry too much performance or administrative overhead to be made a part of the general purpose OS, Iyer said.

Several other features, such as discretionary access control and secure networking and printing functions, also are not headed for the standard Solaris distributions, Iyer said. Customers pay extra for the added security in Trusted Solaris, as well as for various security certifications, he noted.

Meanwhile, Sun plans to reduce the time it takes to release upgraded versions of Trusted Solaris. In the past there has been a lag of about one year between the time a new version of Solaris is released and the corresponding upgrade to Trusted Solaris. Sun plans to cut that to between six and nine months, Iyer said.

Trusted Solaris is currently at version 8; there was no version 9 of the product. Solaris 10 is due to ship in the third quarter, which means Trusted Solaris 10 should arrive three to six months after that.

Trusted Solaris 10 will have no new security-specific features that aren’t in version 8, but some general-purpose improvements to Solaris will benefit security, Iyer said. For example, when N1 Grid Containers, for partitioning a server into discrete compartments, is used with the labelling technology in Trusted Solaris, the resulting system will be considerably more secure, Iyer said.

Trusted Solaris has been offered since the mid-1990s. It initially was designed for the military, but some commercial customers with a need for tough security have latched onto it. For example, Chicago-based Bank One Corp. uses Trusted Solaris for its payment processing system, according to Sun.

Jonathan Schwartz, Sun’s executive vice president for software, is due to speak at the RSA Conference on security in San Francisco on Wednesday, where he’s expected to highlight Trusted Solaris, Java smart cards and other security offerings from Sun.