Intel announces Common Data Security Architecture

Intel Corp. in Santa Clara, Calif., today said it plans to offer via free download an open-source version of its software based on the Common Data Security Architecture (CDSA). The move is intended to encourage use of the software by letting software developers review the code for possible flaws and to give Linux users a common security architecture.

"By open-sourcing it, everyone has a chance to review it, and by having many eyes looking at this you make it stronger," said Intel spokesman Manny Vara. "The fact that the Linux community can now adopt it is important given the interest that the IT community has in the Linux OS."

The CDSA is a widely used middleware layer that defines a set of software application programming interfaces (API). It provides a coherent set of security services covering the essential components of security capabilities, including encryption, data integrity, authentication and nonrepudiation. Developers use the CDSA to create secure e-commerce applications that interoperate with software from a variety of vendors on a range of operating systems.

A Windows version of Intel's CDSA software will be available for free download next month for use in current and future 32-bit Intel processors. The release for Linux, available in August, will be a 64-bit version targeted for enterprise computing that will be optimized for the upcoming Intel Itanium processors.

"The good thing about having lots of development people using it is that it helps with interoperability between businesses on the Web," said Vara. "You are going to have all sorts of OSes and devices, and you want a common architecture that will help integrate all of them easily."

The Intel software is a reference implementation of CDSA functions that lets developers build software based on the CDSA Version 3.0 approved in December. The CDSA was first published in 1997 by Open Group, a Cambridge, Mass.-based, standards organization. Open Group operates a certification program which evaluates whether software meets the CDSA standards. The organization has also enforced standards for the use of Unix by software vendors.

According to Vara, the release of the source code, which will be officially announced tomorrow at the RSA conference in Munich, Germany, was prompted by the U.S. government's relaxation last December of its encryption export regulations. Vara said the laws had prevented Intel from exporting source code for security software. But he noted that several countries have regulations against importing any security software that doesn't reveal the code because engineers need to verify that software doesn't contain back doors.

Intel has been licensing out its implementation of the CDSA functions for four years. Many companies already use the software to implement the standards in their products, including IBM, which uses it in its operating systems for high-end mainframes, and Hewlett-Packard Co. in Palo Alto, Calif., which uses CDSA in its HP-UX version of the Unix operating system.

Intel argues that the CDSA APIs can help developers get secure applications to market more quickly since they don't have to develop these functions themselves.

But Abner Germanow, research manager of Internet security at International Data Corp. in Framingham, Mass., noted that although CDSA has benefited from the investment dollars of IBM and Intel, which reportedly spent $20 million developing its implementation, it has still been underused by the developer community.

"Despite the general awareness that the product exists and the ability for people to create easy-to-use interfaces into it, the marketing around it has been kind of lacking to date," said Germanow. "Taking this open source and getting it out into the market for people to play with to prove that it really does have potential to speed time to market for very high-value applications on traditional platforms as well as Linux platforms is pretty powerful."

Germanow added that CDSA encompasses a huge variety of security functions that developers want to undertake, but it isn't a silver bullet for Linux security.

"It will raise awareness of Linux as a prime-time operating system that can be used for high-value applications and increase the amount of attention paid to Linux security," he said. "I think you will see very interesting things happening with the next several Linux distributions on every aspect of security that an operating system has to undertake, like file encryption and buffer overflows."

Other companies which have incorporated CDSA include Motorola Inc. in Schaumburg, Ill., Netscape Communications Corp., Baltimore Technologies in Dublin and Apple Computer Inc.

Copyright © 2000 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon