Software // Enterprise Applications
04:55 PM

More-Secure Linux Still Needs To Win Users

NSA put its efforts into SELinux, but complexity is likely to hold back adoption

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt.

For more than a decade, the National Security Agency has worked on a way to use a computer's operating systems to control how software applications and users can access data. The agency succeeded years ago in creating these "mandatory access-control" features for specialized operating systems, but very few users deployed them. Taking a gamble in 2000 on the emerging Linux operating system, NSA started applying its security approach to the open-source code. The result is Security Enhanced Linux, which it hopes can raise the nation's overall level of cybersecurity.

"Quality of [software] code is crucial to the security of this nation," Dickie George, technical director of NSA's Information Assurance Directorate, said last week at an SELinux symposium. The directorate's mission is to research and develop the technology and processes that industry can use to protect itself and critical U.S. infrastructure from cyberattacks, George added.

NSA's faith in Linux is being rewarded in the Linux development community, at least. SELinux's mandatory access-control capabilities were included in version 2.6 of the kernel. With the mandatory access control, a Linux system can be partitioned into separate domains that contain any damage that viruses might cause.

Debian, Novell, and Red Hat, three major distributions of the Linux operating system, only recently released their own packages built on version 2.6 that allow customers to take advantage of some SELinux features. However, Red Hat and Novell differ markedly in their perception of SELinux's usefulness.

Red Hat encourages users to try SELinux capabilities, even though writing SELinux security policies in the current version is complex. Red Hat's mid-February release of Red Hat Enterprise Linux 4--based on the 2.6 kernel--is an attempt to marry high-level security features with the basic operating system, says Donald Fischer, senior product manager for Red Hat Enterprise Linux. Red Hat customers can use the Gnome 2.8 desktop included with Red Hat Enterprise Linux 4 to do limited configuration of SELinux.

Novell believes SELinux is still too complicated for most users to implement. "It's not the technology itself [that's] the problem, but that it can't be used to the full extent," says Chris Schlaeger, Novell's VP of research and development, adding that users need an easier way to describe their security needs, upon which the system could then execute. "It's a lot of work to do this today using SELinux," Schlaeger says.

SELinux is an advancement in operating-system-level security, Schlaeger adds. "Novell isn't saying that SELinux is bad, but rather that more needs to be done," he says. For one, security must take into consideration more than the operating system, he says. For example, with application-level security, companies can let the apps running on their servers perform tasks while preventing them from affecting other applications.

Still, support for the 2.6 Linux kernel by Linux's two most prominent providers, Red Hat and Novell, almost certainly will spread knowledge of SELinux. And NSA has a list of security improvements it's working on (see box above). That will cast a spotlight on the technology's shortcomings and likely lead to improvements that ultimately diminish the need for companies to seek highly secure and specialized operating systems.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of July 17, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.