Open Source and Security: Engineering Security by Design - Prague, December 2011

Jeremy Brown, Manager, Solution Architects, Red Hat. December 2011.

Description

This was a talk I did at the International Conference ITTE 2011 - Cyber Security and Defense in Prague - http://www.afcea.cz/ Originally a colleague, Richard Morrell, was to give this talk and my slides are based on his but heavily modified. The audience was a military audience who were at the conference to discuss Cyber Security.

Transcript of Open Source and Security: Engineering Security by Design - Prague, December 2011

Page 1

Open Source and Security: Engineering Security by Design

Jeremy Brown, Manager, Solution Architects, Red Hat

December 2011

Page 2

Overview

What has Open Source got to do with Security?

Red Hat – Enforcing Security by Design

Re-inventing the engagement model

Virtualisation and mobility – Cloudforms

Page 3

What has Open Source to do with security?

Security is fundamental and needs the scientific approach of peer review

If you translate the scientific approach of peer review to software, the only way to do it is to be Open Source

If you use Solaris, AIX, HP-UX, SCO or SCADA you need to understand that Open Source is the feeder for your world

93% of all major internet traffic moves using Open Source derived architecture, predominantly on Linux; enterprises secured by Red Hat account for almost 70% of all workloads

87% of all Clouds run on Open Source: Amazon AWS, Rackspace, Google, Facebook, Yahoo etc. (IDC, Forrester data)

Page 4

Sunk by Windows NT

http://www.wired.com/science/discoveries/news/1998/07/13987

Page 5

The Open Source community, with its release early, release often / peer review / fast fix history, is traditionally the most proven security release model in computing.

If you are concerned about how your platforms evolve you need to engage with Red Hat – sooner rather than later

Security is a LOT more than CERT advisories and version control – what is the risk to your data and reputation?

Security in Depth – Open Source evolution

Page 6

Red Hat – Enforcing Security By Design

We employ 70% of all of the contributors to the mainstream Linux kernel projects / technologies.

SELinux (NIST adopted), sVirt, SPICE, Gluster, Apache, LibVirt, KVM – all Red Hat led projects by staff on our payroll

Linux technologies empower DAX, NYSE, NEXT, FTSE

Linux in Defence is already in use in NATO, US, Australia

Ever increasing government adoption of certified Linux, partnering with Red Hat in supported programmes

Page 7

Red Hat – Security Certifications and Accreditations

Red Hat Enterprise Linux is the most certified operating system available today.

RHEL has passed the Common Criteria process 13 times on four different hardware platforms.

Red Hat Enterprise Linux 5 has even received Common Criteria certification at Enterprise Assurance Level 4 (EAL 4+) under the Controlled Access Protection Profile (CAPP), Label Security Protection Profile (LSPP) and the Role-Based Access Control Protection Profile (RBACPP), providing a level of security and a feature set that was previously unheard-of from a mainstream operating system.

JBoss Enterprise Application Platform is Common Criteria certified at EAL 2+.

Page 8

Red Hat – Reacting to Security Threat

Fourteen-year track record in CERT advisory publication and patch creation.

Industry-leading reaction speed in patch creation, testing, documentation and push, not just to our supported customer subscription base but to the entire community (fixes which will often appear months later in Oracle Linux, SuSE, Ubuntu, and AIX 5.x).

Acknowledged by US Gov, NIST, Symantec & CERT as the most prolific security patching and release of any software vendor, including Microsoft.

Page 9

Red Hat – Reacting to Security Threat

Source: http://www.awe.com/mark/blog/20110520.html

Page 10

Red Hat – Security in Depth - Realtime

Microsoft time to patch release is on average 14-17 days for minor system security releases, often longer, and 9-11 days for major system vulnerabilities in cycle – rarely sub 7 days for a patch

Red Hat average time to release a patch is one day; often the release of a documented advisory and the release of both fix AND source to customers and the wider community is less than 18-24 hours post discovery. Sometimes quicker.

This is part of the Red Hat commitment to security and our stance on reputation protection and end user value for our subscription customers across the board.

Page 11

Virtualisation / Mobility – new threats

Cloud – new security audit / accreditation / threat fabric / GRC

Misunderstood / undefined audit model for vendors

Risk of vendor non-compliance / governance control

Mobility of data and applications – what can we migrate?

Understanding the hidden costs of Cloud aligned to security

Vendor selection process – involving Red Hat at Day One

Understanding security within cloud application lifecycle

Page 12

Virtualisation Vulnerabilities

IBM X-Force 2010 Mid-Year Trend and Risk Report

ftp://public.dhe.ibm.com/common/ssi/ecm/en/wgl03003usen/WGL03003USEN.PDF

Page 13

Engagement Model

Are you a consumer of technology, or do you see yourself as a thought leader / decision maker in platform evolution?

Understanding how / when to engage – event or vendor driven?

Picturing risk and building threat fabric models – modelling risk

Protecting core platforms from zero day attack and exploit

Re-educating sovereign governments around accreditation and empowering the future of your IT ownership

Reducing core implementation costs / protecting platforms / data

Delivering the ability to protect at sovereign territory level with confidence and with backup from Red Hat globally and locally

Page 14

Cloud introduces new management challenges

Page 15

Moving ahead – next steps

We are already engaged with Governments and Agencies around the world.

We are MORE than a Linux OS provider!! We are an Open Source company and Security is at the heart of what we do

Red Hat is part of the evolution of where you are already going

How can we assist you? Accreditation / Applications / Ambition

Security of platforms and architecture – Red Hat should be part of your business as usual process – we're here to help you

Engage with your local Red Hat EMEA organisation

Page 16

Thanks for listening

Questions? - [email protected]