Sun Blogs

The Office of the Secretary of Defense CIO releases policy guidance promoting the use of Open Source Software throughout the DoD.

This is wonderful news; it's great to see the DoD taking a leadership position with Open Source. It also puts in place guidance that encourages the evaluation of open source products as well as defining how they should be managed within the DoD. I believe that other agencies across the Federal Government should be proactively creating policies like this within their organizations.

Secretary Janet Napolitano delivered a special Cybersecurity webcast this past Tuesday that I thought would be a good opportunity to share some advancements in using complementary layers of protection for Internet services. The Internet services environments are just as important for Cybersecurity as your personal computing environment, and I often talk about how information assurance may be improved by following some of our recommendations to limit your exposure to attacks by deploying strong countermeasures. When describing our Cybersecurity capabilities, I like when we demonstrate how effective protection can be constructed with a little ingenuity and assembled with readily available components. You may have heard me talking about the use of Mandatory Access Control (MAC) when describing systems that are deployed within the U.S. Federal Government, but I need to explain more frequently that MAC has additional benefits for commercial use in the enterprise for Internet services. Our contributions to The National Cybersecurity Awareness Month emphasize the mandates that everyone, including those who deploy Internet services, must follow - all of the time - for operating safely online.

Recently, I challenged two of our senior researchers to demonstrate how they enforce MAC with virtualization to confine Internet services using simple security configurations on Solaris. The following information comes from John Weeks and John Totah and shows the MAC enforcement they configured for some interesting security restrictions they have been testing for commercial use. They also layered the MAC protection with what you would ordinarily expect from using all of the other Solaris security features combined with virtualization, e.g. zones, and Internet-community-sponsored configuration guidelines such as the Center for Internet Security (CIS) benchmarks.

Introduction

Thanks Bill! - We think the use of MAC is a good way to prevent certain kinds of attacks and is also effective for isolating remote administration for out-of-band management. Traditional implementations of the “zones of trust” concept often relied on network firewall configurations to isolate Internet services from other network resources in an enterprise. We realized a long time ago that network firewall architectures by themselves are insufficient for securing Internet infrastructure for services and applications. We understand that we must also apply many of the critical security controls now defined in the Consensus Audit Guidelines (CAG), including operating system confinement techniques. We must also enforce more protection so that the communication endpoints for applications also restrict an attacker from gaining administrative access to other parts of the enterprise. The security failures that we must prevent include improper access control and the failure to prevent an attacker from manipulating configuration files and other parts of the environment. The idea of attack-resistant architectures is not new, but we want to show a few interesting ways to use Solaris with Trusted Extensions (labeling) enabled as a security container for Internet services.

Too often, we define MAC in terms of labeling to enforce a Multi-Level Security (MLS) policy, and sometimes we unfortunately overlook the value that MAC can bring to a virtualized environment. In addition to filesystem MAC security, Solaris provides trusted networking to enforce MAC policy for labeled network communications. Trusted networking can be used to restrict network connections to one-way inbound connections and also to isolate the administrative network access used to manage the Internet services, such as configuring an application server. Using MAC for labeled network restrictions differs from using only host-based firewalls: a label is associated with each communication endpoint, the kernel compares the labels for equality, and only if that comparison succeeds are the firewall rules applied.

The basic MAC concept to start with is that labels are associated with all IP addresses that the Solaris host is authorized to communicate with. Obviously, this includes the IP addresses configured for the Solaris physical NIC adapters, the virtual NICs that are plumbed up within the Solaris host, and the virtual NICs of any virtualized guest operating systems. In addition to the labels associated with all the IP addresses, Solaris may be configured to start labeled Solaris zones when Trusted Extensions is enabled. The labeled zones may start processes, including Internet services for applications, that are associated with the same label as the labeled zone. It is important to understand that if a process inside a labeled zone attempts to initiate a network connection to an IP address of a different label, the connection will not be permitted, based on MAC enforcement by the kernel. However, the interesting MAC enforcement that we have been using with Solaris is based on configuring an address for a NIC that uses a different label than the application process that starts in a labeled zone and listens for connections using a construct called a Multi-Level Port (MLP).

The first example is a Sun Glassfish security container using two labeled zones which must be defined with different labels for Solaris to start. The first labeled zone is where we are running a reverse proxy server to control incoming connections destined for the second labeled zone where we have the Glassfish instance running. We restrict remote administration from another network that is specifically designated for out-of-band management. In each of the zones, we use MAC to enforce incoming connections only and we therefore have robust control over the processes that execute in the confined labeled zones.

The second example replaces the Sun Glassfish security container with a Microsoft Internet Information Services (IIS) security container using Sun VirtualBox running Windows Server 2008 with the "Core" installation option. The notable difference between the two examples is that the Glassfish security container uses a Java Virtual Machine (VM) to execute in the restricted labeled zone, while the Microsoft IIS security container uses Sun VirtualBox to execute in a restricted labeled zone.

The Experiment

To test the use of MAC to restrict connection initiation from Internet hosted services into an enterprise network computing environment, we built an example configuration in our lab to demonstrate what could be accomplished using off-the-web components without modification to their source code. We decided to try a simple configuration that would easily show the basic concepts described above. We were pleasantly surprised to find out how easy it was to construct the prototype to show Bill some of the unique value of MAC for customers outside our typical U.S. Federal Government deployments. We start with a simplified system configuration with one NIC connected to the Internet, and another NIC for remote administration allowing connections from an out-of-band management network. Our first test example uses the MAC capabilities of Solaris, the Sun GlassFish Application Server, and the Sun Java System Web Proxy Server running on an Ultra 27 Workstation. We configured a virtual DMZ security container in a dedicated labeled zone where the Sun Java System Web Proxy Server instance is running to control incoming connections destined for web services in other zones. What's unique about the MAC configuration of the virtual DMZ zone is that the label of the Internet NIC is different from the label of the virtual DMZ labeled zone itself. This means that the MAC policy will allow the Proxy to accept incoming connections, but will not allow the Proxy, or any other process that may run in the virtual DMZ labeled zone, to initiate any outbound connections to applications with listeners using the NIC IP address or through the NIC to any network endpoints.

We also use Solaris IP Filter with traditional host-based firewall rules for the physical NICs as a typical defense-in-depth measure.

Virtual DMZ/Proxy Security Benefits:

* Contained within a labeled zone
* Configuration prevents any outbound Internet connections
* Remote administration is isolated to strictly allow incoming connections from the out-of-band management network

We then configured a virtual WEBAPP security container in the second labeled zone where the Glassfish instance is running and accepting connections from the reverse proxy server running in the virtual DMZ security container. The next step was to configure a dedicated NIC for the WEBAPP zone that allows access to the GlassFish Application Server Administrative port 4848 from the out-of-band management network.

The resulting configuration allows Internet web browser access through the virtual DMZ labeled zone to the WEBAPP labeled zone, and GlassFish Administrative access from the out-of-band management network. You will notice that the administration of the GlassFish running instance is not accessible from the same network that GlassFish is listening on for the application service, nor is the Glassfish administration accessible from within the WEBAPP labeled zone where GlassFish is running. After having success with the DMZ and WEBAPP configuration, we decided to apply the same concepts and methods to Microsoft IIS. We created a new IIS labeled zone and used VirtualBox to run a Windows image as a guest operating system.

1. Used VBox NAT to redirect the listener ports (8090, 8091)
2. Prevented Windows/IIS from initiating any connections to network endpoints outside of the WEBAPP labeled zone
3. Remotely administered Windows via the VRDP port
4. Remotely administered IIS using IIS Manager via port 8172 from the admin network

As you can see, we utilize MAC network isolation within the system, but all external network interfaces are configured as single-level. This means that you could drop such a configuration into an existing enterprise without the need to support labeled networking using the Commercial Internet Protocol Security Option (CIPSO) anywhere in the enterprise.
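To make the decision sequence concrete, the following Python model (an illustration added to this write-up; it is not code from the post, from the lab configuration, or from Solaris) encodes the rules stated above for the label concept, the DMZ/WEBAPP experiment and the single-level external interfaces: every address the host may talk to carries a label, a process may only initiate a connection to an address of equal label, a listener on an MLP may accept a connection arriving with a different label, and IP Filter rules are consulted only after the label comparison succeeds. The label names (PUBLIC, ADMIN, DMZ, WEBAPP), the addresses (documentation ranges), the proxy and application ports, the DMZ-labeled internal address on which the proxy reaches GlassFish, and the default-block firewall policy are all assumptions made for the model; only the GlassFish administrative port 4848 comes from the post.

```python
"""Model of the MAC-then-firewall decision described in the post.

Added illustration, not code from the post, the lab, or Solaris. All labels,
addresses, ports and rules are constructed sample values (only GlassFish's
admin port 4848 is from the post).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Listener:
    zone: str   # labeled zone the listening process runs in
    mlp: bool   # True if the port is configured as a Multi-Level Port


@dataclass
class TrustedHost:
    addr_labels: dict = field(default_factory=dict)  # ip -> label of that address
    zone_labels: dict = field(default_factory=dict)  # zone name -> zone label
    listeners: dict = field(default_factory=dict)    # (ip, port) -> Listener
    fw_rules: list = field(default_factory=list)     # (action, src_net, dst_ip, dst_port)

    def mac_check(self, src_label, dst_ip, dst_port):
        """Kernel label comparison. src_label is the initiator's label: the zone
        label for a local process, the address label for a remote host."""
        dst_label = self.addr_labels.get(dst_ip)
        if dst_label is None:
            return False, "MAC: destination address has no label (not authorized)"
        if src_label != dst_label:
            return False, f"MAC: initiator label {src_label} != address label {dst_label}"
        lst = self.listeners.get((dst_ip, dst_port))
        if lst is not None and self.zone_labels[lst.zone] != src_label and not lst.mlp:
            return False, f"MAC: zone {lst.zone} has another label and port is not an MLP"
        return True, "MAC: labels acceptable"

    def fw_check(self, src_ip, dst_ip, dst_port):
        """Host firewall stage (constructed policy): first matching rule wins,
        anything unmatched is blocked."""
        for action, src_net, rule_dst, rule_port in self.fw_rules:
            if (ip_address(src_ip) in ip_network(src_net)
                    and rule_dst == dst_ip and rule_port == dst_port):
                return action == "pass", f"ipf {action}"
        return False, "ipf default block"

    def connect(self, src_label, src_ip, dst_ip, dst_port):
        """Full decision: firewall rules are only reached if the MAC check passes."""
        ok, why = self.mac_check(src_label, dst_ip, dst_port)
        return (ok, why) if not ok else self.fw_check(src_ip, dst_ip, dst_port)


def build_lab():
    """The DMZ/WEBAPP layout from the post with constructed addresses and labels."""
    h = TrustedHost()
    h.zone_labels.update({"dmz": "DMZ", "webapp": "WEBAPP"})
    h.addr_labels.update({
        "203.0.113.10": "PUBLIC",   # Internet NIC: single-level, label differs from zone dmz
        "192.0.2.77": "PUBLIC",     # an Internet client
        "198.51.100.10": "ADMIN",   # out-of-band management NIC
        "198.51.100.50": "ADMIN",   # an administrator's workstation
        "10.0.0.10": "DMZ",         # dmz zone's own address
        "10.0.0.30": "WEBAPP",      # webapp zone's own address
        # Assumption (not detailed in the post): GlassFish is reached on an internal
        # address carrying the DMZ label so that the proxy may initiate to it.
        "10.0.0.20": "DMZ",
    })
    h.listeners.update({
        ("203.0.113.10", 80): Listener("dmz", mlp=True),        # reverse proxy
        ("10.0.0.20", 8080): Listener("webapp", mlp=True),      # GlassFish application port
        ("198.51.100.10", 4848): Listener("webapp", mlp=True),  # GlassFish admin port
    })
    h.fw_rules += [
        ("pass", "0.0.0.0/0", "203.0.113.10", 80),
        ("pass", "10.0.0.0/24", "10.0.0.20", 8080),
        ("pass", "198.51.100.0/24", "198.51.100.10", 4848),
    ]
    return h


def scenarios(h):
    """Connection attempts discussed in the post; returns name -> (allowed, reason)."""
    cases = {
        "internet -> proxy:80": ("PUBLIC", "192.0.2.77", "203.0.113.10", 80),
        "dmz proxy -> glassfish:8080": ("DMZ", "10.0.0.10", "10.0.0.20", 8080),
        "admin -> glassfish admin:4848": ("ADMIN", "198.51.100.50", "198.51.100.10", 4848),
        "internet -> glassfish admin:4848": ("PUBLIC", "192.0.2.77", "198.51.100.10", 4848),
        "dmz zone -> internet": ("DMZ", "10.0.0.10", "192.0.2.77", 443),
        "dmz zone -> admin network": ("DMZ", "10.0.0.10", "198.51.100.50", 22),
        "webapp zone -> glassfish admin:4848": ("WEBAPP", "10.0.0.30", "198.51.100.10", 4848),
        "webapp zone -> internet": ("WEBAPP", "10.0.0.30", "192.0.2.77", 443),
        "admin -> admin NIC:22 (no ipf rule)": ("ADMIN", "198.51.100.50", "198.51.100.10", 22),
    }
    return {name: h.connect(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (allowed, why) in scenarios(build_lab()).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:38} {why}")
```

The last scenario is the one worth noticing: the admin workstation and the admin NIC carry the same label, so the label comparison passes, and only then does the absence of an IP Filter rule for port 22 block the connection. Every denial from inside the dmz or webapp zones, by contrast, happens at the label comparison and never reaches the firewall, which is why the post can configure the external interfaces as plain single-level addresses.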

Other Common Methods to Secure the System

* Follow the National Institute of Standards and Technology (NIST) guidelines to continually manage risks to the enterprise.
* Follow the basic concepts described in the Immutable Service Containers project.
* Reduce the effective privileges of web components using Solaris Role Based Access Control (RBAC).
* Use Process Rights Management with roles to run all web services as a role that can't assume the root role.
* Loopback-mount critical system configuration files (e.g., etc/sshd_config) into the labeled zone from the global zone, making them immutable from within the labeled zones.
* Instrument host-based introspection using Solaris Dynamic Tracing (DTrace) and analyze security events with Solaris Auditing.
* Instrument network deep packet inspection using Packet CAPture (PCAP) library interfaces and high performance techniques.

Conclusions

It's nice to see how MAC can be used for protecting Internet services, and we look forward to any questions about how much we can effectively improve information assurance using readily available security components. We will be happy to post more of the internal details as a follow-up for those who would like a better understanding of how MAC protection can help you.

The additional MAC functionality of the OpenSolaris.org Flexible Mandatory Access Control (FMAC) project is extremely effective for imposing even tighter (fine-grained) security controls, and we also welcome your inquiries to see how future FMAC concepts can be beneficial for commercial use.

For the purpose of our initial tests, we omitted a database and the technical controls that we would apply there. However, if anyone is interested, it may be interesting for us to demonstrate the methods and techniques for improving database security. In addition, we can show how e-mail server environments, naming services and other collaboration systems can be protected with MAC to prevent other types of attacks that may be launched to target the Internet services environment.

We are also looking forward to seeing Homeland Security Secretary Janet Napolitano this week to learn more about our real world challenges and urgency for significant improvements.

Thanks again Bill for giving us the challenge and posting our findings that should help to protect Internet services using MAC for commercial use.


Some people may wonder when I am going to run out of reasons to move to Open Source. I feel like I have the opposite problem. I find it difficult to limit the number of reasons I highlight to move to open source.

I remember back in the 80’s and 90’s everything software-related was focused on “best of breed”. Best of breed was a term that made companies and organizations feel special. It made them feel like a solution was tailored to fit their specific problem. Best of breed appealed to egos, but mostly it was a term created by a marketer trying to sell product.

Soon, best of breed went the way of other boom technology terms such as robust. However, perhaps in times like today when retro is in, best of breed may make a comeback, as the #6 reason to move to open source is the ability to engage with a community to get specific requirements into a product.

Governments do not need to settle for the packaged solutions that a vendor is selling them. They can take existing open source solutions, join the community process, and add the features that are right for them, not what a vendor “thinks” is right for them. This is happening all over the government: in the Intelligence agencies with examples like FMAC and SE Linux, at NASA with the World Wind Java 3D project, at DISA with the Government Forge.mil project, and many, many more.

Open source code creates a vehicle for a community of developers (including government organizations and the SIs) to contribute to creating applications that meet the government’s requirements. Much like the community development process undertaken by the Nationwide Health Information Network (NHIN), open source makes thousands of developers available to develop a truly customized solution made by the masses. For NHIN, the Office of the National Coordinator developed a pilot 'Reference Implementation' solution based on Sun's open source middleware software that enables multiple federal agencies and private sector organizations to securely link their existing systems to NHIN-CONNECT, allowing for the beginnings of a truly interoperable electronic health care record information exchange. The pilot was developed with no need for long procurement cycles or massive costs since the entire software backbone is 100% open source.

I am toying with the idea of posting two more blogs on reason 7 and 8 to move to open source...stay tuned ;-)



Generally speaking, you receive better quality with commercial open source software because of the larger number of reviews the code needs to go through on its way to a production product, and the larger number of people reviewing the code. In most cases, you will see that commercial open source products don't have as many patches or patch cycles as proprietary products. It's important to understand that public scrutiny tends to improve the overall quality of software, just like public scrutiny improves the security of software.

Public scrutiny improves many things. For example, if a movie star is going to have a beach scene in his next film, where he takes off his shirt, he is going to work out for six months before that scene, right? Because he is going to get publicly scrutinized. That is why movie stars always look in such good shape in the movies :-)

If you are a proprietary software developer, and your boss walks into your office and says "Fix this before you go home," you will just do whatever you need to get something working so you can head home. It's not as important to you how many memory allocation errors or security flaws you have, because your changes will be included in the next build, and odds are, that as long as it meets the functionality requirements (and does not crash), no one else will even look at your code.

But if you are an open source developer under the same pressure, once you complete that code, you have to submit it to the community for inspection. That community has an average age of 30 and an average coding experience of 11 years; these are not amateurs. In fact, if you look at places like Slashdot where some of the design discussions take place, they can be ruthless. If they don't like how your code is written, they will criticize it like crazy (along with your intelligence and the intelligence of your family :-) ), much more aggressively than any product manager would with a proprietary vendor.

As a matter of fact, it takes Sun an average of three to four years to take a proprietary product and move its code over into an open source community. A huge amount of that time is spent "cleaning up" the code, so that developers will not be embarrassed in public (among their peers) when the code is released. There are many cases where I have asked product teams to release some products for Government review, before we open the product up, and they often "beg" for more time to clean it up before anyone else gets a chance to look at it. That community peer exposure tends to greatly improve the quality of the code both before it's released, and then after as the community engages in the review process.

After you get through the community review, then you have to go through an architecture review to get included in the product. Next, if the vendor is going to provide support for the product, you have to go through an IP infringement review. Now you will have to show that you can indemnify every line of code that you have and prove that you wrote every line of code that is included in your contribution. If you can't, they won't include it, because they can't indemnify it and guarantee the IP. If you think it's bad to have Techies review it, with open source you also have to have the lawyers review the IP issues with the code, and you know how lawyers can be (I can say that since I am married to a Techie lawyer).

After you are done with those types of inspections, you then have to go through the same kind of inspections that any proprietary vendor would do: backward compatibility, security review, QA tests and so on. So open source does receive a lot more inspection and generally comes out with better code. It's not a silver bullet...but it's pretty close.

As you can see from this slide, all major open source products have a community version and a supported enterprise/commercial version. The peer/community review is done in the open source community environment, and once those reviews are done, the code is "harvested or packaged" from the community version to create the enterprise version. Both are open source, but the enterprise version is usually a subset of the community version that has gone through the same reviews and QA as any proprietary product. On average, commercial open source products go through about 3x more formal reviews than proprietary products do, and have about 100x more people validating the code and the product.

Generally speaking you get 90% of the functionality for 10% of the cost. However, in many cases you get more functionality for a lower cost. For example, many of the open source products "grew up" in the Web 2.0 world, so they were made from day one with security and MASSIVE scale as part of their design requirements. 

Very few proprietary products were built out of the box to support deployments the size of Google, Yahoo, Facebook, and eBay. All of these deployments are built on open source for many of the reasons I have been talking about in my blog, because open source provides better security and huge scale, all at a much lower deployment cost. If enterprise and web scale is what you need, open source is the way to go.

At the same time, it is very important to understand the licenses and support agreements and how you are going to use them. There are some examples where open source licensing and support can cost more than a proprietary equivalent. I have found these examples to be rare, but they do exist (for example, if you look at the GSA schedule, RedHat on the same server will actually cost you more than Windows). It's important to know that the cost of acquisition is zero, but open source is not free in a production environment, because CIOs running mission critical environments need support and indemnification.

Open source enterprise products are ready to support your mission critical applications, in the operating system area there's Solaris, Linux, in the middleware area there's Glassfish, JBoss, in the database area there's MySQL, PostgreSQL and even in the desktop area...which has been lagging behind in open source, but is starting to gain some ground with over 220 Million OpenOffice users. Government organizations can realize significant savings in support costs by moving to open source products.

Bottom line, you are saving money on the licensing cost, support cost, deployment cost, and manpower to deploy it. It's just all goodness from a cost perspective. Lately I have seen numerous government reports estimating many, many billions of dollars that could be saved by moving to open source.

First of all, for any software or hardware platforms, you want to make sure the product you select implements open standards interfaces, so that you are not locked into using only one product. This gives you the flexibility to move from one product to another if you run into security, scaling, support, or cost issues.

However, if the product is open source, because you can see how the interfaces are implemented, reverse engineering them becomes a much simpler process. Being able to see the source code also aids with interoperability, because it removes any ambiguity about how the interfaces are implemented.

The other big advantage to selecting open source is that you can get support from multiple vendors. For example, with Solaris you can get support from HP, IBM, DELL, Sun, INTEL, Fujitsu and AMD (also true for Linux). So anyone can provide support because all of the Solaris code is in the public domain. This also gives you, what I like to call "investment protection." If a company provides you with an open source product, and then goes out of business tomorrow, the code is still in the public domain, so you can easily get another company to pick up your support requirements.

This also saves money because there is competition in providing the support. For a proprietary product, only the company that owns the code can support it. With open source, since you are not locked in, you can compete the support from multiple vendors.

That's a HUGE deal, because in the government sometimes the cycles are so long that a selected vendor could go out of business or completely change its product direction during the life cycle of your project, and that could force a very expensive change and/or extended time line. Also, vendors can often only provide support for one version of their product for about 10 years, and many government projects live longer than that, so by selecting open source products, it gives the government many other support options, for example a Systems Integrator could pick up support for an open source product version that has been EOLed by a vendor.

The selection of an open source product keeps you from being locked into a vendor and provides "investment protection" throughout the entire life of your project and beyond the life of the vendor and that's really, really important in this wild unruly world of mergers and acquisitions, changing economies and those kinds of crazy things ;-)

It's that time of year again when the DoDIIS community comes together for their annual event, the DoDIIS Worldwide Conference. This year it'll be held in Orlando, FL at the Orlando World Center Marriott from May 17-21. With this year's theme of "Empowering Decision Advantage," Sun Microsystems Federal and two key booth partners, Paragon Systems and GTSI, are providing a venue for the IC to experience new solutions to capitalize on more secure, lower cost, more efficient ways to do more with less - a message that resonates with all government agencies.

What does that really mean....empowering decision advantage? I can tell you what it means to Sun Federal. More effective secure collaboration using visual web services and identity management, faster and more secure feature deployments using open source software products, cross domain solutions to centralize user access; and thin clients to add mobility, reduce costs, and improve security.

So what are we showcasing in the Sun booth (booth #425)? Sun is showcasing MLS thin, thick and soft client solutions; GTSI is showcasing Amber Road - the hottest open storage solution that you don't want to miss; and Paragon Systems is showcasing their Transportable Datacenter solution. Also in our booth will be nationally renowned magician, Scott Tokar, who will literally amaze you with his extraordinary talent of magic and illusion.

As for me, yes, I'll be attending the DoDIIS show too. I'll be a speaker in one of the break-out sessions on Monday afternoon from 2:00-2:45 in Ballrooms F, E, D. Guess what my topic is? (If you've followed my past blogs then it'll be clear.) If you guessed open source then you're right. Sun has a phenomenal story to share and with multiple compelling reasons to choose open source solutions - such as more secure, lower cost and more efficient - I'd love for you to be part of the session if you're attending the show. Stop by the Sun booth (#425) and tell our team "Bill's Blog sent me to your booth."

Reduced procurement time is the number two reason to move to open source. Why? You don't have to wait for the vendor to pilot and you don't need to go through long evaluations. If you take a look at Health and Human Services (HHS), their Nationwide Health Information Network (NHIN) reference implementation is being created as an enterprise service to allow a single patient view across the 26 agencies that manage your health information in the government.

HHS went to each of the agencies and looked at what they were using for their middleware. Almost all of them were using proprietary middleware. So HHS picked one vendor and went out and received an estimate to deploy it across all 26 agencies. There are 307.2 million people in the country, and that vendor came back with a price of approximately $800 million to obtain a license. But we all know in government land, anything over $100 million has to go through a multi-year, full, open procurement process. So in the meantime, veterans are not getting their prosthetic limbs, seniors are not getting their medications and everything comes to a screeching halt.

There is a HUGE problem with the information system when we can't share information. So when HHS realized the current procurement process was going to result in a three-year delay, they looked to Sun's open source, enterprise class middleware...recommended by their Gartner analyst because of its ability to scale and its features. All they needed to do was download it. So they downloaded it in about a week, and in less than a month they had it up and running. In the following month they had a pilot, and in the third month they were well on their way to a reference implementation that is not only being used in the U.S. (the first production deployment is the Social Security Administration), but is now being considered globally to address electronic health information exchange. Now that it is deployed, they are talking about getting a support contract in place. So the choice is simple...three months or three years?

There are numerous great examples like this one all over the federal government, mostly in defense and intelligence, where agencies have moved to open source not only because it is the most secure, but also because it can be deployed much faster...weeks versus years. It can also scale very quickly, so if it needs to be deployed to 7,000 new sites, it can be done quickly and then followed up later with a support contract. No one is held back by "the process."

Check back soon for the No. 3 reason to move to open source.

If you are like me, and you have been involved in cryptography and Cyber Security for a long time, it's obvious to you that commercial open source code is more secure. As a matter of fact, in the late 90s, many of the Intelligence agencies mission systems and the DoD tactical systems moved to open source ONLY to improve security. Today, the majority of the critical systems in the Intelligence agencies (the people that care most about Cyber Security) run on open source operating systems like Solaris and Linux. The same is true of places like the FAA, IRS, and a whole lot of other organizations that care about security.

We have a saying in the world of Cyber Security: Security through obscurity, isn't. However, to many, it may not be so obvious, so let me walk you through some of the reasons that commercial open source software tends to be more secure, then I will give you some data at the end to back it up.

First of all, you need to look at the supply chain issues. The reality is today, that ALL software is written globally. You need to deal with the fact that Microsoft, Oracle and IBM software is written in India, China, and Russia. In fact, the majority of all software, open or not, is written all over the world. By making the code open source, nothing can be hidden in the code. If the Trojan Horse was made of glass, would the Trojans have rolled it into their city? NO. Open governments are more secure for their citizens, and open source software is more secure for anyone running it. Public scrutiny is a beautiful thing. Just look at free press in this country and open government. We want and need security, peace and tranquility for our citizens. The founders of this country based our government on openness. Open Source enables security. It's pretty obvious when you think about it.

I'm not the only one saying that, of course. One recent examination is in light of the large scale computer intrusions detected coming from a PRC-based hacker group. This week the New York Times and CNET ran a story by John Markoff titled "Vast Spy System Loots Computers in 103 Countries" which details these attacks. In a related technical report issued by the University of Cambridge, "The snooping dragon: social-malware surveillance of the Tibetan movement", on this widespread series of attacks, researchers point out many ways these threats could have been mitigated, including a strong endorsement of open source SE Linux and Trusted Open Solaris.

Let me give you another analogy...

I usually like to use car analogies, but lately I've been using this suitcase analogy to make my point about open source and security. Imagine you enter the security line at the airport and there is a proprietary vendor in front of you with his locked suitcase telling the TSA official not to worry, and to trust him, stating he has checked everything in his suitcase and it is safe. How would this make you feel? Pretty vulnerable...right? Wouldn't it be better if the person in front of you is a true open source advocate and welcomes the TSA official to check anything he wants...because he has nothing to hide?

Who are you going to feel safe getting on the plane with? It's a no-brainer...so why would you trust a vendor to put stuff on your server with life critical or mission critical systems, where no one can see what is on the server except for that one company, or that one group of people? I have sometimes heard proprietary vendors say about open source code, "but everyone can see how the security works." They are making the point for me! That is exactly why security has to be built stronger in open source code than in proprietary software products.

Proprietary (closed source software) developers say “trust us.” Commercial open source software developers say “see our security...everything we do to build security in: our documentation, models, architecture, review processes, programming language selection, coding standards, source code, verification analysis methods, instrumentation, tools, techniques, automation, certification, ongoing deployment risk management results, remediation, ...” You get the picture. For commercial open source software the security advantages are more than just the ability to view the source code, it's the entire open technology development life cycle that begins with security fundamentals and security goals very early in the process.

The newly announced Building Security In Maturity Model is a great way to openly see how experts can analyze the effectiveness of a software security group, and it should be apparent that commercial open source software developers who allow the data they collect and their security initiatives to be assessed in public view will increase their resulting security if properly vetted. Think about it: all physical security is open source. You can go to any lock and see how it works at the patent office or online, but that exposure only makes it more secure. I often hear from the proprietary vendors that they have "the right" people reviewing their code. That proprietary vendor guy in my suitcase analogy probably had "the right" people back at the office check his suitcase (in China), so the TSA official should just allow the suitcase to go through security without checking it...right? Wrong. With Open Source EVERYONE is looking at and in the suitcase...even the intelligence agencies.

The intelligence agencies are part of the open community that looks at code. Keep in mind there are millions and millions of lines of code out there. Microsoft has something like 30 million lines of code, Oracle I would guesstimate at 15 million lines of code. Solaris has 20 million lines of code (see page 19). Then you add Linux in at around 12 million lines of code and MySQL... it compounds quickly. There is no way that a few hundred experts can really review all of the code out there. It truly takes a village.

To make the point even more, when Sun open sourced Solaris, Solaris previously had the highest rating in security that the government offers in enterprise operating systems, and still does today. Plus it is certified by the federal government, reviewed by all the best experts at Sun (there are a lot of smart people at Sun), the intelligence agencies and a lot of other smart people out there in the community. When we released the code, within one month we had 28 new vulnerabilities identified by the 160,000 people that are in the Solaris community, and we were able to fix them before someone used them to do something bad.

The same thing happened when we open sourced Java. Java has had almost no security issues in its entire history. There were three or four issues that came up that we were able to fix before someone could use them for wrongdoing. As soon as you move to Open Source there is a lot more that the community will pick up, and you are going to fix it before it can be used for an infiltration rather than after.

So that's why the national security agencies and others made this big initiative to move to open source, because, the public scrutiny increases the quality of the code just like it does with physical security. You know when you use the RSA algorithm, which you use every time you buy something online. The algorithm was done in the public, it was done in Open Source, it was criticized, it was changed, it was criticized again, and it was changed before it was put into production because we have got lots of people looking at it, lots of people criticizing it for security.

Then there was the clipper chip. So the clipper chip was done by the Clinton administration, you may or may not remember it, and the whole idea of the clipper chip was, we won't tell you how it works but you should trust it is secure.

The clipper chip was compromised within 48 hours of its release. Why? Because it had a secret in its code inside the lock, and the inside was made of paper (they used a 16-bit checksum). It was not open sourced, so it was immediately compromised. Had it been open source, everyone would have seen the weak checksum, and it would have been corrected before it was deployed. The RSA algorithm, to my knowledge, has never been compromised to date other than by brute force.

Remember, security through obscurity, isn't. How many times do we have to see that truth repeated? If you look at common criteria certifications, the two enterprise operating systems with the strongest protection profile and the strongest certification are both Open Source. Open Source drives more security.

Eventually, the trend toward higher assurance levels will hopefully benefit from new open source projects such as Open Proofs and related open source tools such as Why with the associated formal methods open source software components. Again, Open Source drives more security.

If you take a look at the National Vulnerability Database, you can see almost every open source product has had fewer vulnerabilities exposed and fewer vulnerabilities exploited against it than the equivalent proprietary products. The NVD is a product of the NIST Computer Security Division, Information Technology Laboratory, and is sponsored by the Department of Homeland Security's National Cyber Security Division.

Here is some risk data provided by the Airius Risk Report® developed from Homeland Security's NVD. Here you can see that all the proprietary software products have a MUCH higher security risk than their open source equivalents.

Here they are side by side, and you can see in each case the open source product is statistically more secure. So the data does back up the logic. And it's not like the open source products are not widely deployed either...There are over 6 billion Java deployments, 14 million Open Solaris, 120 million Open Office, and 115 million MySQL deployments.

Clearly security is the number one reason to move to open source...Check back soon for the number 2 reason to move to open source.

Airius Risk Report: 12/31/07, Copyright Airius Internet Solutions, LLC 2009

I know I said I would create six specific blogs focused on the six reasons to move to Open Source...but while I finish writing my blog on Reason No. 1 - improved security and privacy over proprietary software...I wanted to share a recent on-demand webcast I did with World Wide Technology that answers the question: Why move to Open Source? It details the benefits of Open Source and showcases Open Source products like MySQL, Apache, OpenOffice, Open Solaris and more. Let me know what you think...And Happy St. Patrick's Day.

This study is worth checking out and sharing with EVERYONE in the Federal Government:

Study: Federal Gov't Can Save Billions in IT Spending (PC World)

Meritalk predicting the gov't could save nearly $4 billion using open source software

From where I sit, the conclusion is obvious, open source is the way to achieve Open Government and save tax payers money, at a time when controlling wasteful spending could not be more important.

Also, the folks in the UK are really getting on board with Open Source, it's wonderful to see. Take a look at this story - Today, the UK government launched a new strategy for use of open source and open standards in Great Britain.

In summary, it:
* mandates use of open standards,
* mandates use of open source where it is not cheaper to use proprietary software,
* requires revision of procurement policies to make open source the equal of other options,
* encourages re-use of developed code - for example, by open sourcing government solutions.

We could learn a bit in the Federal Government from our friends on the other side of the pond!

For all of you in favor of improved security, increased procurement speed, improved quality and reduced cost to license and support, that light you see is the end of the proprietary tunnel. If you are in favor of vendor lock-ins, barriers to exit and massive integration projects and budget line items, I may not be able to help you.

From all that we have heard, read and seen, 2009 appears to be when our federal government will finally make open source ready for primetime. And why not?

For some time, I have been touting the top six reasons for moving to open source:

1. Improved Security and Privacy over proprietary software

2. Increased procurement speed so agencies can get their programs deployed faster

3. No lock-in to one vendor; support can be provided by anyone since the code is in the public domain

4. Reduced cost of license and support; on average, open source products provide the same functionality at an 80-90% lower cost to the taxpayers

5. Improved quality, normally, supported open source products go through three times more quality reviews than proprietary software as part of community review, indemnification review, and then productizing.

6. The Government can become part of the open source community and directly inject their specific requirements into the product.

I plan to create separate blogs on each of the six reasons for anyone still on the fence about moving to open source.

Open source has already proved itself allowing the National Health Information Network (NHIN) to develop a pilot solution that enables multiple federal agencies to securely link their existing systems to NHIN, allowing for the beginnings of a true electronic healthcare record. The pilot was developed with no need for long procurement cycles or massive costs since the entire software backbone is 100% open source.

We hope programs such as NHIN will lead the way to the day when government open source deployments will not be news anymore, they will be the norm.

Imagine a time when:

· The White House will be free from the shackles of proprietary systems and able to take advantage of both the transparency and the security of open source solutions.

· Agencies don’t need their IT solution criteria to focus on legacy and integration, and are able to seamlessly adopt new solutions based on cost and functionality.

· IT deployments are NOT antiquated before they are implemented.

Yes, that light at the end of the tunnel is approaching quickly and luckily, there isn’t a toll booth at the end.

Once the Inaugural celebrations are finished, the new Obama Administration promises to hit the ground running on a variety of critical programs. Near the top of the list is eHealth reform with more than $20 billion proposed in President Obama’s massive stimulus package.

The key to any eHealth reform program (no matter the price tag) is to facilitate information sharing across multiple agencies and to eliminate the information silos that exist today, allowing the government to reduce costs and errors and to better serve our veterans, senior citizens and disabled.

Many have called me an open source evangelist (see Joab Jackson, Government Computer News). But once again, an open source pilot, which has been built and tested without a dollar of government expenditure spent on software, has done what proprietary solutions have not. Open source has enabled the secure and interoperable exchange of health care information across more than 20 organizations.

So, here is the background: If the Nationwide Health Information Network (NHIN) is the information highway for health data exchange, CONNECT is the universal on-ramp for federal agencies. CONNECT is a software solution that lets federal agencies securely link their existing systems to the NHIN. More than 20 organizations collaborated to build CONNECT through the Federal Health Architecture (FHA), and as a result, agencies are heading down the road toward interoperability.

Using Sun's entire Open Source middleware stack as its foundation, including our SOA and IdM technology, the FHA built the CONNECT gateway software from open-source code. Talk about an Open Source poster child! The solution was jointly developed by federal agencies yet it will be deployed individually at the agency level. The decision to build the solution in open source provided the usual benefits (I know you have heard these from me before):

· Cost reductions for each agency and taxpayer savings

· IT consistency and compatibility across multiple agencies

· Decreased deployment times

· Security

The CONNECT initiative sped from concept to reality in 2008. In March 2008, FHA awarded a contract to develop the CONNECT solution. The solution was built with federal agency participation, and in September of 2008, three agencies were already demonstrating the ability to share information with the private sector through the NHIN. The number of participating agencies grew to six for the December 2008 demonstrations, and the plan is to have those six federal agencies participate in the NHIN by the end of 2009.

Once completed, the CONNECT software will be available to any stakeholders in the health information exchange community for download. The goal is for CONNECT to be a platform on which government and industry can innovate. This will allow the industry to build and sell better interoperable solutions to the healthcare sector.

We are happy to say that CONNECT Gateway will be made available to the public in March of 2009. Three primary elements make up the CONNECT Gateway:

· The Core Services Gateway provides the ability to locate patients at other health organizations within the NHIN, request and receive documents associated with the patient, and record these transactions for subsequent auditing by patients and others.
· The Enterprise Service Components, which provide default implementations of many critical enterprise components required to support electronic health information exchange, including a Master Patient Index (MPI), XDS.b Document Registry and Repository, Authorization Policy Engine, Consumer Preferences Manager, HIPAA-compliant Audit Log and others. Organizations are able to use existing applications within the NHIN CONNECT Gateway and are free to adopt the components or substitute their own implementations.
· The Software Development Kit (SDK) enables agencies to develop adapter components that integrate their existing electronic health information systems with the NHIN Core Services Gateway.

CONNECT has identified a number of opportunities for federal agencies to utilize the Gateway to address their mission needs in 2009 and beyond. These citizen-centric initiatives will provide a roadmap for 2009 development. Expected FHA activities include helping agencies deliver solutions that lower cost and improve access to and quality of care:

· Collect patient status assessments as they move among various care settings to track effectiveness of treatment
· Populate patient personal health records with information from federal and commercial systems
· Support health services in combating fraud and waste
· Improve coordination of benefits with other payer organizations
· Enhance onsite care for patients during disasters and other public health emergencies
· Support data collection for analysis of potential adverse events associated with drugs and medical equipment
· Help establish local networks among community health clinics that provide care to underserved populations
· Provide anonymous bulk test data for pandemic and bioterrorism analysts

If you haven’t noticed, open source has consistently been a major focus of nearly every new proposed IT program. Perhaps the CHANGE we will see will be the opening of our IT infrastructure.

I recently met with Pierce Crowell, who manages Section 508 compliance for Sun Federal. He arranged a demonstration for the Sun Federal leadership by Sun's Accessibility Program Office. I was very impressed with what the accessibility team and the open source community have done as far as adding features to Open Source Solaris and Open Office.

Even if you don't have an accessibility requirement, I believe you will be impressed with what these products can do. I don't think you can adequately describe the features without seeing them in action, so I asked the team to put together some short videos that would demonstrate the features. I would encourage everyone to take a look.

I believe from an accessibility feature point of view, the Solaris platform is becoming a leader in the software industry.

Pierce also helped me pull together all the information for this blog.

Sun has been contributing to accessibility and usability for decades, and is now leading an industry transition toward architectural support for accessibility – whereby support for people with disabilities and the assistive technologies they use is built directly into the computing platform.

Sun began this industry transition with the Java platform accessibility framework in 1997 and is doing the same with the OpenSolaris desktop (GNOME) and applications like OpenOffice.org and Firefox and Evolution. We likewise support and develop open source assistive technologies including the popular open source Orca screen reader. These are powerful and free alternatives to the traditional commercial accessibility model. Often software assistive technologies can cost many times more than the PC hardware on which they are installed.

Sun's just-released OpenSolaris 2008.11 is the pinnacle of open source accessibility, and is already receiving rave reviews from blind users. Josh Lambert, a blind user, summed up his first experiences with OpenSolaris: "congratulations to you all at Sun, and thank you so very much for making my boyhood dream come true. Ever since the early 90s when I used to dial into shell accounts, and would hear "unix r system v release, I have wanted to sit behind a Sun console. Now I and many others can."

Regarding the accessible installation experience in OpenSolaris 2008.11, Everett Zufelt responded: “I am overwhelmingly impressed with the 2008.11 accessible install.” He went on to say: “it was the smoothest operating system install that I have ever performed.”

The digital divide does not stop at mere access to IT and online information though; it is also about being able to afford access. Over 70% of blind and low vision citizens in the United States are unemployed. People with other severe disabilities have similar employment statistics. Assistive technology software costs as much as $1,095 for a screen reader that enables blind people to use their computers, which means that access to computing is out of reach for the majority of Americans with disabilities. OpenSolaris, open source and free, fosters digital inclusion that was economically impossible under the costly commercial model associated with Microsoft Windows.

Take a look at these demonstration videos to see for yourself how we are welcoming people with disabilities to the Solaris user community.

For the past year-and-a-half, the Sun Federal board of directors has been a major priority for me. I want to provide our company with a vast array of resources that will allow us to better understand and serve our government customers. It has been very important to select board members who offer a wide range of experiences in both the private and public sectors.

It is my pleasure to add another high-powered acquisition to our board of directors – Mr. Arthur L. Money. It would be much easier for me to tell you what Art hasn’t done, as his list of accomplishments is nearly unparalleled in the government IT community. Art brings more than 45 years of public and private IT leadership to our board. He has a distinguished 20+ year career at TRW and currently is the president of ALM Consulting. Plus, Art has held several Senate appointed positions including serving as Assistant Secretary of Defense for Command, Control, Communications and Intelligence as well as the Chief Information Officer of the DoD.

I am really looking forward to having Art as an active member of the Sun Federal board. When I worked in the CIO office in the Pentagon, he was a great leader who moved the DoD and Intelligence IT environments forward. We worked closely to set up the CIO council, complete the Y2K program, improve software quality and secure the Pentagon's networks, and he was always supportive of other progressive initiatives. In addition, Anthony Robbins worked with Art at SGI, since he was on the board there when Anthony was head of their Federal business unit. One of the reasons I believe that Anthony and I both tend to view the Federal market and customers in similar ways is how we were influenced by great leaders like Art. We have no doubt that Art will be an active member of our board, helping to ensure that Sun's roster of open software and hardware solutions maximizes the return on investment for our government clients.


Last week about 160 SunFed, Force3 and AMD bowlers hit the lanes at White Oak Duck Pin Lanes, on New Hampshire Avenue in Silver Spring, Maryland. For those of you out there that have never tried Duck Pin Bowling...I know last week was my first time...I highly recommend it. The balls are about the size of a cantaloupe and there are no finger holes. The pins are also smaller than regular bowling pins, and sometimes very unpredictable when struck dead on. I played with Anthony Robbins, Ken Rollin and Russ Craig. I won't tell you my score...Let's just say the event was a HUGE success and we plan to make this an annual outing. Hopefully next year, our very own Tom Vitale will once again bring his band to play...that's right, not only did we duck pin bowl, but we did it in style with "Vital Synz" rocking the lanes. For additional photos of the event, go to http://firstannualsunfedduckpinbowlinge.shutterfly.com. And, if you know of a good duck pin bowling alley in the San Francisco area...please let me know...my kids are dying to try it.
The DoD continues to be open about open source. The Defense Department’s Office of the Chief Information Officer is getting ready to put specifics behind the department’s move to widespread use and approval of open source software.

The days of the DoD placing open source and shareware and freeware in the same bucket, thankfully, appear to be over.

Those of you that follow Sun closely surely know about our open source pedigree. After all, the free and open source Solaris Operating System has the largest installed base of any commercial UNIX or Linux distribution. We have always believed that the benefits of open source are vast and, most importantly, measurable. Below is a great list of facts and figures about open source Solaris:

1. The free and open source Solaris Operating System has the largest installed base of any commercial UNIX or Linux distribution.
2. Solaris 10 has over 7,400 supported applications. There are more applications available on Solaris than any other open operating system. Even if you count just applications for x86 systems, that's 4,300 -- four times the number of apps as Red Hat 5.
3. Solaris is supported on 1,082 SPARC and x86 systems.
4. Systems vendors like Dell, IBM and Fujitsu Siemens chose to resell Solaris because of strong customer demand.
5. There have been more than 11.5 million Solaris downloads to date.
6. Solaris 10 downloads have consistently averaged in the multiple thousands per week for more than a year.
7. OpenSolaris has more than 160,000 registered community vendors. Behind Sun itself, Intel is now the second largest contributor to the OpenSolaris community.
8. Gartner rated Solaris a Strong Positive (the highest possible rating) in its recent Sun Vendor Rating.
9. Solaris 10 has set and re-set dozens of performance and price/performance world records on a wide range of benchmarks, covering a variety of workloads on x86 and SPARC systems of all sizes.
10. Publicly referenceable Solaris customers include BT, eBay and Qualcomm.
11. Solaris 10 has set more than 200 world records in price and price performance (149 UltraSPARC, 58 x64/x86). Check here for the details and stats: http://www.sun.com/solaris/benchmarks.

These challenging economic times, coupled with the need for multi-leveled security architectures, have created a perfect storm for open source implementations. The DoD's upcoming memorandum is just one of my many actions that will increase the ability for open source to benefit both government IT administrators and American tax payers.

Thus far, September has become a true coming out party for open source software in the U.S. Federal Government. The benefits we have been touting for years, including lower cost to entry, lower barriers to exit and the ability to better customize, have caught the attention of the U.S. House of Representatives.

Just recently, the House released The National Defense Authorization Act for Fiscal Year 2009 (H.R. 5658) which includes language that calls for all DoD agencies to consider open source software when procuring manned or unmanned aerial vehicles. Including such language is a milestone for the open source movement and just the beginning!

Joab Jackson of Government Computer News wrote this in his blog, “The Defense Department has traditionally been somewhat wary of OSS, at least for official duties. So some feel the language could pave the way for greater acceptance within the Defense community.”

And that's not all. This week, come by and visit the 24th meeting of the American Health Information Community where you can see other open source projects in action. Sun Fed will show how electronic patient records can be shared across four key government agencies seamlessly and securely…all because of open source.

Also, the Navy and the OSJTF have been pushing their Modular Open Systems Approach, that not only includes open source software, but also open systems hardware.

More and more we are seeing the federal government move towards open source due to its increased security, reduced procurement times, large scalability (hey, if eBay, Yahoo, Google, Army, and Navy can run on it, that is true scale), reduced cost to the tax payers, and escape from vendor lock-in.

Open source will just continue to grow as the world moves to open storage (low cost hardware with open source storage management software that makes it perform as well as high cost proprietary storage devices), open network (low cost hardware with open source VoIP, routing, and switching software that make it perform as well as high cost proprietary network devices) and open source virtualization (xVM and Xen cloud computing without the cost of proprietary virtualization and management software). All of these will bring open source into the enterprise as part of a solution, so it will be there even if people don't know they are deploying it.

So it's good to see the federal government start to recognize that open source is already thriving in their environments (including downloads of Open Solaris, MySQL, Glassfish and Open Office), and they are already seeing the benefits of it. Like the growth of the Internet in the 90's within the federal government, it's much better to embrace it and understand its value than ignore its growth.

It's nice to see that as more and more people start using Macs, the Apple users and developers are seeing more and more of Sun's technology.

Not only are OpenOffice and NeoOffice two of the most popular office productivity software products on the Macs, now Sun's new VirtualBox program brings Windows, Linux, and Solaris to the Mac. And did I mention that all Mac users can download these products for FREE!

Check out this Macworld article. You can even see from the video that the author, Rob Griffiths, runs Solaris on his Mac... and demos it in the video! And look at this Slashdot posting filled with tons of accolades...

In addition, starting with Leopard version on the Mac OS, ZFS and DTrace are both included in Mac's operating system. You just gotta love how open source drives adoption.

Soooo...All you Mac users out there, welcome to Sun :-)

You may have noticed that my blog has some new added features this week. I want to offer my special thanks to Wayne Horkan for his help in modernizing my blog. This will make it easier for people to find my blog, and improve international access. Not to mention an improved look and feel!

Thanks Wayne, I think it looks GREAT!

Middleware has been a passion of mine as long as I have been involved in IT. I even once wrote my own Object Request Broker back in the early 90's. It's always hard for people to completely understand middleware because it's the software "glue" or "plumbing" that holds everything together.  Like the plumbing pipes, it's not something you see every day, but you know how important it is if it's not working :-)

So much of the technology and methodology in IT (as in many things in life) runs in cycles. Distributed computing, remote procedure calls, virtualization, and cloud computing have been around since the 70's. IT tends to run in cycles of centralized and decentralized processing depending on network bandwidth and interface demands.

Service Oriented Architecture (SOA) and Enterprise Service Buses (ESB) are both examples of another evolution of the cycles that occur around distributed computing and composite applications.  Many IT organizations are in the process of deploying or planning SOA environments.

Any distributed computing environment has many advantages as well as many challenges that need to be addressed.  To help organizations deal with end-to-end SOA deployments, we have created a complete Open Source SOA solution. This solution focuses on using SOA to address many of the business problems CIOs in large organizations are dealing with. It focuses not on the SOA technology, but instead on how SOA can increase the flexibility of legacy applications, reduce overall cost, provide composite information to end users faster, reduce deployment times, and aid in application consolidation, while still avoiding expensive proprietary lock in (it's all open source).

You can also see that Gartner provides very positive ratings on this open source SOA middleware suite.

Recently, Ashesh Badani and I got together and recorded a  that goes over in detail the evolution of distributed computing to the current state of SOA (it's always important to know the background), as well as how SOA is being used in the Federal Government, and some of the technical and business challenges involved. If you are looking at SOA or in the process of deploying a SOA environment, please take the time to listen in.

I want to be sure to recognize the Solaris & TX engineering team and some key members of the field organization (especially Steve Gaul, John Totah, John Weeks + others) for their tireless efforts in guiding Solaris TX through this certification process. Special thanks to Kathy Jenks' team and Jane Medefesser for all their hard work on TX and support in moving this forward...this is just the beginning for TX!

Also, thanks to Matt Hatley, who correctly pointed out to me that my statement: "Evaluation Assurance Level (EAL) 4+, the highest recognized global security certification." is not correct. See the table and information he provided below:

Common Criteria and EAL - Terms, CC Evaluation Assurance Levels (EAL)

EAL1 - Functionally Tested
EAL2 - Structurally Tested
EAL3 - Methodically Tested and Verified
EAL4 - Methodically Designed, Tested and Verified
EAL5 - Semi-formally Designed and Tested
EAL6 - Semi-formally Verified Design and Tested
EAL7 - Formally Verified Design and Tested

More info on Common Criteria is available here:
http://www.niap-ccevs.org/cc-scheme
http://www.commoncriteriaportal.org

However, I believe that the protection profile used to get this level of certification was the strongest and most aggressive of any other operating system achieving this level of certification.

It's always important to look at the protection profile that was used to achieve a level of certification, and not just the number of the level. For example, some operating systems say they have achieved (EAL) 4+, but when you look at the detail of the protection profile, they achieved it WITHOUT being connected to a network. It's pretty simple to have an OS be secure when it's not connected to a network :-)

So what I should have said was "Achieved (EAL) 4+ with the strongest protection profile of any operating system given a rating of level 4."

We’ve talked about the rigorous certification process that Solaris 10 Trusted Extensions has been undergoing for nearly a year now. Well, the end is here and I’m glad to say that Solaris 10 Trusted Extensions has achieved Common Criteria Certification for the Labeled Security Protection Profile (LSPP) at Evaluation Assurance Level (EAL) 4+, the highest recognized global security certification.

That is a mouthful, so for the non-techies out there, here is the translation: Solaris 10 Trusted Extensions can be used for Top Secret, Secret and all other program caveats in between. Solaris 10 now can be deployed by customers requiring Multi-Level Security (MLS) protection and independent validation of an OS security model - such as financial, healthcare and government institutions.

This news is quite an honor and further proves that enhanced security can be achieved through open source software development.

As you can imagine, it's been rather busy these last couple of weeks of Q4 at Sun Federal. But I wanted to do a quick blog on our new and improved Current Sun Authorized Government Channel Partners listing on Sun.Com/Federal. It is located under the Get Started tab and has been receiving rave reviews from our partner community. It's a lot easier to read, more organized, and has a cool feature where you just hold your cursor over the partner's name and it provides you with a link to their homepage, address, phone number, a link to a contact's email, and the Sun partner rep's name. Take a look and let us know what else we can do to improve it, as well as any suggestions to improve sun.com/federal.

I just received my new Tadpole M1400 Ultra-Thin Client Wireless Sun Ray from General Dynamics C4 Systems. It's very cool and you can use it anywhere...from Starbucks to hotels...and even on JetBlue Flights. It features built in 802.11a/b/g wireless technology and allows users to login at any time for access to their session any place there is Wi-Fi, or 3G cell based wireless networking for access from remote locations where there isn't any Wi-Fi. If your cell phone works, or you can get Wi-Fi, or have a broad band Ethernet connection... you can have your desktop.

Like all Sun Rays, all communication is completely encrypted/secured with an IPsec tunnel over the network (each device has its own SIM chip), with an additional 128-bit SSL tunnel within the IPsec tunnel based on a second user SIM chip on the JavaBadge (two factor) that goes all the way to the virtual desktop in the server's memory. That's two multi-factor tokens and two sets of encrypted tunnels, along with firmware validation and dynamic packet compression with masked headers. All this works together to provide one of the most secure connections you can find short of classified-rated encryption...which of course is also an option.

Can't wait to see what Bob Gourley thinks...He just received his too. We also just started testing it with some of our government partners and customers, so check back for updates and reactions.

The last couple of months have been action packed at Sun Federal.

I often talk about the future of IT, the evolution of SaaS and cloud computing, and what the future of IT will hold...so I put it into a video that talks about how IT professionals need to be ready for the Evolution of IT Services. If you have time, take a look and let me know what you think.

Also, I feel that I need to do a brain dump blog on news from Sun Federal.

I think Sun Federal VP of Sales, Anthony Robbins, did an outstanding job of summarizing the current state of Sun Federal on Federal News Radio's Amtower Off Center. Hosted by Mark Amtower, a great guy with more than 30 years of federal experience, we had the opportunity to discuss a wide range of topics from eco to open source to SEWP.

Plus check out another great video interview with Scott McNealy evangelizing the need for more open source policies in the federal government on the homepage of Government Computer News. Scott kept rather busy in Washington, DC earlier this month, keynoting several events including an SRO crowd at The Potomac Officers' Club and a Who's Who of government technology at the first annual Sun Federal awards dinner.

But, we at Sun Federal are still focused on traditional print media too...I wanted to make sure that you saw two major stories in Washington Technology. One story featured the hunt for new talent and the other focused on our new partner programs.

Stay tuned for a feature story on thin clients in Federal Times.


Last but not least, I have also been meaning to steer folks to the new and improved Sun Fed homepage. Please make sure to stop by often, as we will be updating it with new PODCasts, opinion pieces and news.


That just about covers it...Bottom line, we are getting the word out there ... radio, net talks, pod casts, articles, award dinners...You name it, Sun Federal is out there...Now I need to get back to a Sun Federal Board of Directors meeting...one of the agenda items includes introducing them to Sun's Second Life Islands... =-O

At Sun Fed, too often we have seen other industries bestow honors for excellence. From the Grammys to the Emmys to the Webbies to the Major League Baseball All-Star game, we have sat idly by as those on the front lines of government technology innovation sat quietly in the background, enabling our citizens to access critical services but never garnering the true acknowledgement that they deserve.

Well, I say that now is the time to say “No More.” No more anonymity for those working behind the scenes leveraging new and “old” technologies to keep those checks coming from the Social Security Administration or ensuring full access to all content at the Library of Congress or enabling the protection of a National Security infrastructure that secures our nation, just to name a few.


So, Sun Fed took this task into our own hands Monday night and decided to hold our first ever Innovation in Government Technology Awards ceremony at the Mayflower Hotel in Washington, DC. It was our honor to highlight best practices in three major focus areas: eco-innovation, open source and network security. The following winners were judged by a panel of Sun Microsystems Federal (Sun Fed) executives and partners:


Eco-Innovation


Victor Giordano,
Transportation Security Administration (TSA)


Giordano is the branch chief, enterprise applications and infrastructure and oversees the test, development and operations and management of all TSA applications as well as the UNIX infrastructure.


Catherine Cesnik, U.S. Dept. of the Interior


Cesnik's eco responsibilities have been large and vast, including leading the first pilot test of the Electronic Product Environmental Assessment Tool in 2004. So far, Cesnik's efforts have helped to save the electricity equivalent of more than 400 households and prevent more than 19,000 metric tons of air emissions.


Open Source



Stephen Smalley, National Security Agency


Smalley has been an open source steward within the intelligence community, developing and driving the deployment of both SE Linux and now the implementation of mandatory access controls into Open Solaris.


Andi Snow-Weaver, IBM


Snow-Weaver is the worldwide accessibility standards program manager for the IBM Human Ability and Accessibility Center. She has been responsible for bringing industry-specific expertise to the development of worldwide accessibility standards for information technology.


Security


Dr. Ryan Durante,
U.S. Dept. of Defense


Durante is a program manager at the U.S. Air Force Research Laboratory Information Directorate in Rome, NY.  The lab conducts research, development, test and evaluation, and provides acquisition management services and logistics support necessary to keep the Air Force fully prepared at all times.


Stephen Smalley, National Security Agency


Smalley is as versatile as they come and we could not present a security award without acknowledging his tremendous contributions.


Excellence in Technology Award


Before we closed, we felt we needed to give one more special recognition.  Those in the government IT industry have been able to innovate and succeed in large part due to the policies and programs implemented by elected government officials.  At Sun, we believe no one has helped to facilitate the deployment of technologies to serve the public good more than Congressman Tom Davis (R-Va.).  It was our honor to recognize the departing Congressman for his tremendous work.


So, there you have it, the true Hall of Famers of the government IT industry.


Next year, we are working on a Red Carpet Show on E! and a Sunday night broadcast on a major television network.

The Information Technology environment is a complicated place, with many messages about the future and about what CIOs, CTOs and business leaders should be investing in. As enterprises scale out to meet the demands of their mission, business, customers and employees, the need for open end-to-end IT solutions becomes more important every day to IT executives and business leaders.

People often ask me questions like "is Sun a hardware company or a software company?" or "Sun does too much, maybe you should focus on only one thing, and what would that be?" If you stand back and look at the forest rather than the trees, the reality is that Sun does only focus on one thing. In our view, it's many of our competitors that are trying to be everything to everyone. Sun's focus is on Enterprise and Web scale computing; we are not about printer ink, TVs or cameras. If you are a customer deploying Enterprise and Web scale computing that needs security, high availability, high performance, dynamic scaling and open architectures, at the best value...Sun is the company for you. We build Enterprise class, open source hardware and software that is made to solve large scale problems at the most economic price point, from the desktop to the datacenter.

To achieve this integrated solution, we focus our R&D in the following areas:


Sun is the #1 leader in Open Source. We have contributed more than any other company to the open source community. EVERYTHING we make is either already open source or going through indemnification to become open source. MySQL, OpenOffice, Solaris, Java, Glassfish, PostgreSQL, and many other products are all open source.  Our software runs on ANYONE'S hardware. Since we started open sourcing our software, SunFed's software revenue has gone up over 300 percent. We open source to improve security, increase quality, reduce cost, lower barrier to entry/exit, and engage developers. In fact, Sun's software leads the industry in security, and has passed the most rigorous government security protection profiles in the industry.

Sun has three supported operating systems that we focus on; we believe that an OS needs to at least run on the x86 Intel and AMD platforms to be viable. We focus on these three enterprise class operating systems: Linux, Windows, and Open Source Solaris. All our enterprise class middleware runs on these three operating systems. These operating systems are supported across our hardware platforms; we even hold world record benchmarks on Windows. Here are the support prices on the GSA schedule for each OS: RedHat - $934.78, Windows - $713.36, Solaris - $599.00. BTW, here is a copy of the production version of open source Solaris; you can get the production version for free, as many copies as you want. Also, open source Solaris focuses heavily on massive threading, since that is the way Enterprise and Web scale computing is moving.

Our servers support three chip families: AMD/Intel x64, Ultra SPARC, and the 64-way CMT. Our Intel and AMD servers are leaders in space and power reduction, and will run your Windows applications in half the space, and with 25 percent less power, than HP or Dell at the same price point. Our high-end SPARC servers provide massive scale and hold world record benchmarks for large ERP and database applications. We are the first to offer a 64-way processor that will allow you to consolidate as many as 64 web servers onto one low power, low cost chip (one watt per thread). Our servers start at $675.

Sun is a leader in open source enterprise class middleware.  Our SOA/ESB, Database, and Identity Management products are in Gartner's top quadrants as leaders in features, value, scalability, performance, and price. We can help you with HSPD12, with SSO, and in moving to a service oriented enterprise.

Sun is one of the top three storage vendors on the market. Thirty-seven percent of all the world's enterprise and web scale storage is on Sun's StorageTek open platforms. We have a comprehensive portfolio of storage and data management products across the entire range of storage platforms.


If you are looking to reduce cost, reduce your power footprint, move to open source software, consolidate and virtualize your applications, or improve scale, performance, and security...you should be talking with Sun. All of our products are designed to integrate together through open systems interfaces to deliver Enterprise and Web scale computing; that is what Sun is all about.

Lots of excitement during these early spring days in Washington, DC. Last week our very own Peter Korn was recognized at the Fed 100 for his dedication to Section 508 accessibility standards of the Federal Rehabilitation Act and the Section 255 accessibility guidelines of the Telecommunications Act.


Then we had Project Blackbox in the south parking lot of The Pentagon for two days, where we provided tours non-stop from 8 a.m. to 4 p.m. to numerous government officials. And now we just learned that Project Blackbox received a Best of FOSE award.


This week Scott McNealy keynoted at FOSE about Sun's open source strategy and did a great job of explaining how the more Sun open sources, the better our software revenue becomes, and the more our customers save by using open source products.


Lastly, I had lunch with my old friend David Wennergren from OSD. He continues to be very supportive of the open source initiatives he started while he was at the Navy. I hope to see more support coming from OSD in the future from a policy point of view.


Can't wait to see what the summer months hold for SunFed, but right now I'm heading back to California...glad I got to see the Cherry Blossoms this trip.


Jonathan Schwartz and I have both been blogging for about the same amount of time. Initially, when I was CIO of Sun, I maintained two blogs, one that was internally facing and another that was externally facing. This allowed me to really say "anything" I wanted to employees on the internal blog, often giving user tips on how to use IT features to be more productive, or thanking people in IT that had done a great job. On the external blog, I focused more on industry trends and where I thought things were going and how Sun had a part in the future. I felt both blogs were a great way to communicate to my user base (Sun employees), our customers, the industry, and most importantly, the members of the Sun IT team.

In one of our many meetings, Jonathan gave me a hard time about running two blogs and said I should just take the plunge and do an external only blog, which I did when I moved to Sun Federal as the President and COO.

Recently, Jonathan said I should write more about myself in my blog and that I focus too much on business. When I pointed out that 95 percent of his blogs are about business and the future of IT, he had two comments. 1) That he and each of his blogging staff had created "5 things you don't know about me" blogs - which I still plan to do :-) 2) That my blog needed to have more pictures... which I am working on.

Anyway, I usually don't like to talk about my private life in public, so I focus on the IT industry, open source, and Sun. Well now I have a chance to talk about both the IT industry and a little about my personal life. And I will even work in a few pictures :-)


A few months ago I was having dinner with Rishi Sood, VP of Research at Gartner; we were talking about business and then about our families. I mentioned that my wife is Shari Steele, head of the Electronic Frontier Foundation (EFF).


Being the tech savvy guy that Rishi is, he immediately recognized EFF as the organization that set up the legal constructs for the Internet, made encryption legal on the Internet so we could have the electronic commerce we all enjoy today, and the organization that is often considered the "ACLU" of Cyberspace protecting our online privacy and freedom. He followed that recognition with the comment "Wow... your wife is MUCH more important than you are." Well I had to agree with that comment as well :-)

Shari and I have made a great team for years, and I am very proud of what she has accomplished at EFF along with everything else in her personal life. She has often been in the press and has been recognized for her accomplishments in many public forums. Shari was just selected as one of the 50 Top Women in Technology by Corporate Board Member Magazine. Shari is on the same page as Nancy Stewart, CTO at Walmart and Meg Whitman, CEO of eBay.

Shari has received a lot of recognition over the years for all the great work she has done... but don't take my word for it ... "do a Google" on her name to get an idea of how great and important my wife really is...