Is Security Key To Linux Small-Biz Success?
Linux security has long been a selling point for enterprise users. Could the right mix of smart marketing and high-profile certifications make Linux just as successful among small and midsized firms?
Security Certified
Another argument against Linux, mainly by competitors, was that Linux could never be security-certified. This aspect has dissuaded enterprises that require those certifications, such as government institutions, from using Linux. Competitors also have argued that open source was too unwieldy and too undisciplined. Therefore, because the process could not be certified, the system could not be certified.
Yet as one of the biggest vendors notes, the criticism is unfounded.
"In fact, we found the opposite was true," says IBM's Frye. "It was easier and cheaper and faster to do the certification because it was open-sourced, and you have access to all the information you need, and because the design of the overall system is so modular." IBM, with SUSE Linux, claims to have achieved the first-ever security certification for Linux back in August of 2003.
The formal level to which Linux is certified today is CAPP/EAL4, and the next level, labeled security protection profile (LSPP) — a form of multilevel security that is fairly leading edge at the enterprise level — will take another year to achieve, according to IBM's Frye. CA (formerly known as Computer Associates) has its view on the security aspect as well.
"We believe that the way the kernel needs to be hardened is through something we contributed to the open-source community and that's a hardening of the hook," says CA's Greenblatt. "So when the system had to do an asynchronous or synchronous call to an event, we'd basically be able to harden it so it would call the event and that it would become trusted also."
But not everyone agrees on the approach, and CA's efforts have not yet been accepted. "We've had it out there two years. So we are at an impasse with the 'kernel people' believing that Linux is secure enough and they don't need our stuff. Basically, at the last summit in Ottawa in April [it was decided] there was no reason to make any significant changes to Linux," adds Greenblatt.
As in the past, 2006 is likely to see quite a bit of discussion and debate in and outside of the Linux community when it comes to security. Two things are likely, though: security will remain a priority, with community members issuing patches almost as soon as problems are found, and the SMB segment will become, albeit slowly, more "Linuxized."