Enhancing security with open source

The open source development model provides a fast-innovating and reliable resource to bring forth software that meets user needs, including security fixes

Computing security has never been more important. Increasing regulations, differing requirements from international locales and sophisticated attacks all contribute to serious challenges that call for thorough solutions.

Comprehensive security not only covers a broad range of solutions, it also offers strategies for managing systems today and into the future. Attention to security must be pervasive across all of the technologies a company uses and across all of the functionality that a company provides.

There are fundamental elements of any sound security solution that must be observed, especially:

  • Access: Security starts with defining who can access your systems, and what role each user will play. Systems must offer convenient identity management through enterprise directories, authentication of that identity through authoritative sources, and definition of roles and allowable actions through enforced access control.
  • Activities: Once identified, systems must ensure that users can only perform actions that are consistent with their roles. Protecting access or modification of data while in storage and in transit is critical.
  • Auditing: The system must be able to track and document users’ actions to meet compliance requirements, to document complex activities and to identify unauthorised actions that may have occurred through software failures or hacking.

Open source development model

Though reviewed, tested and certified for enterprise use, experience has shown that almost no software is perfect — flaws or vulnerabilities may still be found. But, the open source development model provides a fast-innovating and reliable resource to bring forth software that meets user needs, including security fixes.

Software developed using open source software principles offers technology innovation beyond proprietary alternatives. The more people have access to source code and can employ their expertise to examine it, the fewer secrets are embedded in the code. This openness helps code become more secure.

Leveraging the open source development model and its broad ecosystem of certified applications and hardware platforms, open source can help deliver more value to enterprise customers through its fast innovation, established security and reliable performance.

Integrating security into IT systems

In the current environment, a proactive security approach is one of the requirements that define a project and the architecture that structures a design as well as the technologies that implement it.

Security has to be integrated into a system as thoroughly as any other business requirement and its efficacy is defined by its ability to not only prevent security breaches in real-time, but also prevent them as early as possible.

Security-Enhanced Linux (SELinux) has been part of the open source community since 2000, when Red Hat and additional participants teamed with the United States National Security Agency (NSA) to develop the technology. SELinux provides a mechanism for enforcing access control security policies, including United States Department of Defense (DoD) Mandatory Access Controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. The strong access control architecture of SELinux is well entrenched in the Linux kernel itself.

It separates policy definitions from implementation of those policies, allowing creation of the policy rules that define and constrain system behaviour while a system is being deployed and used.

The data, programs and physical devices that compose a computing environment are critical resources, and controlling access to those resources is a crucial security challenge. Granting access to a resource is contingent on authenticating the user requesting the access, and determining whether they are authorised to make the kind of access that they are requesting.

Some operating systems rely on password protection, course-grained permissions or ad-hoc application controls to implement access control. For customers interested in an even greater level of security, the functionality of SELinux in the operating system can be extended. Policies can be written for additional applications, or a 'strict' environment can be deployed where mandatory access controls protect all resources on the system.

As the ongoing management and remediation of flaws and vulnerabilities is just as important as the initial development process, organisations should implement a robust and open security programs. Using security solutions have been reviewed, tested and certified for enterprise use, with ongoing security provided by a robust security process and a dedicated security team, would help in preventing critical security problems.

Dirk-Peter van Leeuwen is vice-president and general manager at Red Hat Asia-Pacific

Join the newsletter!

Error: Please check your email address.
Show Comments