SAN FRANCISCO -- Concerns about security may keep some IT shops from choosing Linux. Those concerns aren't justified,
says Dan Frye, director of IBM Corp.'s Linux Technology Center. In this interview, Frye discusses Linux's few security shortcomings and the security advances coming in the 2.6 kernel.
Are there gaps in enterprise Linux security today?
Frye: The technology exists today to create and manage reasonably secure environments for Linux enterprises. In the hands of a competent administrator, Linux is roughly as secure as the other operating systems. That's not to say that improvements aren't needed. [In] the next version of the kernel, we'll have significant security enhancements, particularly in the area of policies. So enterprise Linux security continues to improve. It's good, but it will continue to improve.
What's missing today is the ability to set policy in radically different ways. The next release of the Linux kernel will have a formal architecture that allows different policies, different attributes, to be added by users. It's not that there are weaknesses in Linux security so much as these features in the next kernel will improve the flexibility to set different levels of policy.
What security improvements will we see in Linux 2.6?
Frye: The major improvement with the new kernel is the Linux Security Module. It's an architecture that allows different components to be bolted on, providing customizable security for different users. It's much more modular, much less intrusive, and it should be easier to manage and easier to understand. It will accommodate increases in functionality over time. It's a basic infrastructure that really allows people, if they want to, to write their own policy and/or create a portfolio of different policies.
Is there a dearth of third-party security products for Linux, in comparison with the offerings for Windows and Unix?
Frye: Yes. Linux does not have as robust a portfolio of third-party applications as other platforms. That's something customers need to examine before they move to Linux. If an IT shop does security itself, this isn't a big issue. If that IT shop gets its security in part from a third-party application, then the availability of applications becomes a big issue. Frankly, however, no operating system has every application available on it, so you have to ask that question even if you're going to Windows or Unix.
The good news is there are more than 5,000 commercial applications available on Linux today, including many security programs. That number continues to increase.
What's happening and set to happen in assuring the quality of enterprise Linux security solutions?
Frye: The National Security Agency did a proof of concept a while back, in terms of the state of heightened level of security functionality in Linux. That got the community to really galvanize to do more in terms of improving Linux security. The other thing you're going to see over time is formal certification of Linux, and a formal assurance of Linux by government bodies. That will work in the same way that any other software product is certified. The software will have to be put through a formal process in order to get a stamp of assurance. That has not happened yet with Linux, but we expect it will soon.
Will such certifications be welcomed by the open-source community?
Frye: Yes. There's significant interest now. Open-source developers know that certifications give customers and users assurance that the claimed level of security is actually there.
How does open-source software security compare with that of proprietary software?
Frye: The fact that your software is proprietary isn't going to stop the bad guys from seeing your code. The difference with open-source software is the much larger number of good guys helping you find security holes in your software before it ever gets to the field. Those good guys will also be searching for a fix if and when bad guys strike. That doesn't change the number of bad guys who are out to get you, but it radically changes the number of good guys who are on your side.
If a company is migrating to Linux, what's the most important thing that IT managers can do to ensure top-notch security?
Frye: They have to understand how security alerts and patches are disseminated in the open-source world. Other than that, securing Linux is the same as securing other operating systems. You have to lay out a security strategy, set up policies and processes and stick to your plan. There's not a magic pill. It takes time and effort, whatever the OS.
Considering the fact that many IT shops today are understaffed, isn't the time and effort required to secure systems a sticking point?
Frye: By far, it's the biggest problem. IT shops often don't have enough time to deal with security issues. Vulnerabilities don't usually come from a security weakness in the infrastructure but from the security policies that are not implemented. Or, if the policies are implemented once, they aren't kept up to date. What drives vendors crazy is that they will publish a patch that will close a security hole, and lots of customers won't install it, even if they know about it. That has nothing to do with Linux; that's just a general problem in the industry.
So, lacking time and resources, are many IT shops just doing what they can and hoping that works?
Frye: Yes. And that's not going to do the trick. Although the security functionality of Linux is good, it is not magic.
FOR MORE INFORMATION:
FEEDBACK: What security shortcomings are present in Linux today?
Send your feedback to the SearchEnterpriseLinux.com news team.