OPENING UP A DISCUSSION ON COMPUTING: FINDING SECURITY ALTERNATIVES AND MORE.
You continue to wonder--each time you find yourself gearing up for a cyberassault threatening mass destruction, each time you look to scale up your enterprise and each time you face new challenges bringing your company online--if there is a better way to get things done.
There may be.
Open source software and operating systems have been garnering a lot of popular attention in the past few years, partly because they offer solutions to these security issues. The term open source, while coined in the mid-nineties; is based on a method of computer development and programming predating the Microsoft era.
What open source means, in the most cursory of explanations, is that the code underlying a given operating system or software package is made public. What this may mean in terms of your business, however, could be much simpler: secure operating systems and customized computing capabilities.
But First, A Little Background
At the heart of technological progress for businesses is software development. Software is the primary development platform used to create new tools that can offer convenience and efficiency, while improving the quality of your work. Source code is the foundation for the software that programmers write.
The term open source refers to code that is open to the public. Open source code can be examined by anyone with a sophisticated understanding of programming language, and altered to function in user-specific ways. Open source has been the catalyst for many groundbreaking technologies, including TCP/IP, e-mail, XML (a markup language) and Web servers.
Now, open source code has begun to receive increased attention due to the fact that, via its inherent collaborative qualities, it can provide tighter computing security for businesses, as well as support for expanding businesses during and after they increase the size and functionality of their organizations.
Allowing software to be free for public use was a common trend in the early 1970s. Computer companies distributed free software and early techies would frequently exchange software in order to share ideas and create new programs. By the mid-eighties, however, software and operating systems had become almost exclusively proprietary. This meant that the exchange of software was difficult, given the licensing restrictions. Many programmers and tech-types began feeling frustrated by the limited capacity to create new software and operating systems--and generally better methods of computing. What soon evolved from this community was an idea to move from free, source-accessible software, to free, source-accessible operating systems.
In order to bring back free software, many in the tech world knew they had to develop free operating systems on which to run that shared knowledge. (If you are running a Windows operating system you can only use software compatible with that system.) In the early 1990s, Linus Torvalis released the source code for Linux, an operating system he created to run the UNIX operating system on his home PC, and the open source movement, as it has come to be known, has been growing ever since.
Commercial company support for open source has been snowballing since 1998. In January of that year, Netscape announced the release of Navigator's source code. A year later, Hewlett Packard and SGI announced Linux support for their machines. IBM followed suit in February. In March, Apple Computer released Darwin under an open source license and Hewlett Packard extended around-the-clock technical support for Linux. Rounding out the midyear in July 1999, Amiga announced Linux would be at the core of its next-generation OS.
Two Examples of Open Source Already at Work
Does all this talk of open source sound like techno-speak and computer babble? Probably. According to an October 2000 poll on the HowStuffWorks Web site, open source has yet to become a household term. Forty-eight percent of respondents, when asked, "What is your experience with open source software?" clicked on the "What is open source?" answer.
The best way to start learning about open source is to first learn how it has already enhanced the computing world, if not your network specifically. Although you may not be aware of the terminology of the field, you have definitely heard of the products open source computing is credited with enhancing and developing.
1. Creating Security
Many security appliance businesses are using open source as a foundation to build products such as firewalls and virtual private networks (VPNs) that may already be in place within your computer security infrastructure.
The three main reasons businesses including WatchGuard, Sonic-WALL, Netscreen, Cisco and Nokia are almost exclusively utilizing open source in developing their security appliances are:
Adaptability: As Charles Kolodgy, research manager and security expert with IDC, a technology research company based in Framingham, Massachusetts, explains' "If new features need to be added or a patch has to be given, the ability to change the operating system in the box is so much easier than waiting for someone else to update the operating system."
Tighter code: This is what Kolodgy refers to as "the hardening of the code." The operating system can be made tighter, or more secure, by taking out all of the things that are not needed. This allows for fewer security backdoor breaches and cleaner code, leading to a more efficient system.
Lowered costs: Because these companies are utilizing advanced programming tools that are open to the public, the cost of internally upgrading and experimenting with a variety of security products is minimal compared to the costs of much of the software on the market today. This increases the flexibility programmers have, enabling them to come up with the most secure and efficient product possible.
2. Making the Web Reliable: Apache's Web Server
Web servers are the tools that, among other things, enable Web sites to be viewed by visitors. Every computer connected to the Internet that contains a Web site must have a Web server program. It is more than likely that a site that you visit or run utilizes an Apache Web server because Apache's Web server is more widely used than all other Web servers combined. It is freely available and distributed under an open source license. While Microsoft's Web servers are gaining ground in the Web server market share, a Netcraft Web server survey, tallying information from over 30 million sites, found that in July of this year, 60 percent of active sites were utilizing Apache.
What Makes Open Source More Secure?
If you are using a Windows operating system, why not stick with what you have? You may decide to do just that, but you may also have found yourself increasingly frustrated with the problems that are cropping up regarding security and privacy. For example, Microsoft's most recent operating system, Windows XP, scheduled for release this month, has been accused by many, including senator Charles Schumer (D-NY), of violating consumer rights by making it harder to run non-Microsoft applications, especially from the desktop. Adding to this, features such as Smart Tags, a feature built into the XP operating system to scan keywords in user documents and offer links to relating Web sites--many of them operated by Microsoft entities or partners--are making users increasingly uncomfortable with regard to computer privacy. There are other options for consideration.
The more features written into a code, the more chances there are for holes to develop, leaving increased virus and bug vulnerabilities. If Windows code were more accessible to public scrutiny, experts assert, these holes could be better detected, and unwanted features and qualities of the system could be removed or altered to better serve the individual user or company.
A good example of this happened this past summer. Georgi Guninski, a Bulgarian bug hunter, discovered a hole in Microsoft's Outlook e-mail program. The hole existed in the Outlook View Control, an ActiveX control that is installed with Outlook 98, 2000 and 2002. The flaw found within this feature could allow an attacker to have full control over Outlook and to run a destructive code on the user's machine.
After learning of this hole, Microsoft's development team had sole responsibility for fixing it. It took them five weeks to release the appropriate patch.
Since Outlook is closed source, Guninski was not examining the Outlook code. Rather, he was spending a great deal of time attempting to exploit holes within it. If Georgi Guninski had been an attacker, he could have unleashed a virus instead of exposing the hole. He did not do this, however, and because of his efforts, Outlook is much more secure. Unfortunately, the turn around time for the patch to be released, not to mention the time it took for the hole to be discovered, could have resulted in a major security problem for Outlook users.
When viruses make their presence known, intrusion prevention on closed source business networks is limited. While open source operating systems are just as vulnerable as closed source systems to viruses once those viruses have been released, the key distinctions between the two systems may limit the impact and probability of such attacks.
Open Source vs. Closed Source: Fundamental Differences.
"Security through obscurity" is a common misconception. In practice, attackers do not need to know source code to find vulnerabilities, as shown in the Outlook incident explained above, and keeping source closed impairs individuals from diagnosing and correcting the problems they find.
To understand what differentiates open source from closed source, you first need to understand how the open source software packages and operating systems are written in order to foster continuous development.
With the open source model, security bugs can be fixed as they crop up. Closed source software, such as that developed by Microsoft, depends on a small development team to locate, decipher and problem solve every hole, or weakness, in the code. Once this process is done, the patch, or remedy for the hole, must be reviewed by a committee, and then rectified on the user's end when the vendor of the closed source program sends an updated version of the program to the user. Unfortunately, a limited body of programmers means that security exploits can go largely unresolved, just waiting to be found by malicious attackers.
The open source model allows users to review the product at the most basic level for security holes. The result has often been that security holes are fixed within days or hours of discovery.
By allowing source code to be open to peer review, there is also an accountability placed on the programmer or group developing the software. This eliminates sloppy code development. Not only are numerous eyes able to spot even the most minute holes, but the knowledge that computer fanatics across the globe are examining the source code often creates friendly competition among programmers eager to write the perfect code.
Public Access Does Not Mean Access to Your Computer
Widely available source code does not mean that your business network is laid bare for all to see. Nor does it mean that every patch that is created to fix existing holes makes its way to your computer or network.
Take, for example, Red Hat, a Linux operating system vendor. Red Hat takes what it refers to as a snapshot of the Linux operating system, tests it, runs multiple quality assessments (QA), packages it, and then sells it to consumers with the added benefit of technical support. While the Linux operating system itself does not cost anything, most consumers are not technically knowledgeable enough to run the system themselves and need added technical support.
Given the QAs and testing involved in developing packaged operating systems, consumers understandably feel a greater level of trust in the quality and security of the software because it is rigorously analyzed before the user installs it.
The team at Red Hat are constantly analyzing and interpreting the patch proposals that are circulating within the open source community in order to determine whether the patch is necessary, effective and more secure, and then updating--either via a network connection or by sending updated software--the consumer's existing Red Hat Linux operating system.
Paul Cormier, executive vice president of engineering at Red Hat, explains the benefits and processes involved in security reviews:
"Security holes are, for the most part, things that are overlooked ... With so many people looking at pieces [of code] in the open source, there's much less of a chance that [a hole] is going to go unnoticed before the software actually hits the streets.
"When there is something discovered, it is fixed overnight. Because there are so many people with access to the source, they are capable of fixing it quickly, then the [open source and Red Hat] community comes around that and can quickly have a discussion and determine the best course of action or the best fix with much more brain power than in the back of one person's office."
Users are told of a security breach, and a patch is sent as a means of fixing it. If they choose not to include the patch, they are not required to do so. No final decision about the structure of a user's specific operating system is made without the user's knowledge and consent.
Yes, But Is Open Source Business Friendly?
Imagine this scenario: A truck company, in order to ensure the security of its engines, decides to weld shut the hoods of all the trucks it produces.
While this limits the ability of vandals to maliciously tinker with the internal engines, it also makes it harder for minor mechanical difficulties to be quickly fixed. Buyers must trust that the truck company (or vendor) has built everything under the hood to work error-free. When it malfunctions, they must rely on the vendor to diagnose the problem correctly, then send out a mechanic to crack the hood and fix it. Sound frustrating?
While not entirely analogous, there are elements to this scenario that are quite similar to the difficulties facing consumers of closed source software. While some companies are happy to utilize the truck they purchase from the floor, larger enterprises are more interested in building on allocated resources and creating a monster truck of business. Given the mission-critical nature of business, these enterprises are not able to wait for an outside mechanic to arrive.
Although the information technology (IT) staff of a closed source software consumer can, in keeping with the analogy, touch up paint chips, replace dented bumpers, fix the transmission and handle the occasional blown out tire, it cannot get under the hood. When building a monster truck, big wheels and a snazzy paint job are ineffective without the added power the engine needs to run.
Thus, many companies leading the global business community are embracing open source software as a valuable business tool in conjunction with the security benefits of such systems. A good example of this can be seen in the enthusiastic approach to open source that comes from Morgan Stanley Dean Witter.
W. Phillip Moore, executive director of Morgan Stanley Dean Witter's enterprise application infrastructure, is quoted in a cnn.com article as saying, "A lot of open source technology continues to beat commercial technology hands down. When I am trying to craft my enterprise, some changes are small, and if I have to go back to the vendor to make changes it is an uphill battle. They control the changes. With open source, I can make the changes I need for my infrastructure." Morgan Stanley relies on the open source community for patches, bug fixes and customized modifications.
The flexibility afforded users of open source operating systems is an added benefit to business networking. Linux, for example, is a dual-platform operating system. This means it can run on either a Mac or a PC. This could greatly simplify and streamline large dual-platform business networks.
Opponents of the open source movement, namely Microsoft, lean on the idea that open source poses an inherent threat to businesses in its nonprofit, nonproprietary roots.
Another article on cnn.com ardently disputes the idea that open source software is financially detrimental to businesses. "Open source software poses as much of a threat to corporate profits as do articles that appear in the New England Journal of Medicine to hospitals and biomedical companies," the article states. "Actually, think about what kind of shape hospitals and biomed companies would be in if no research journals existed, or if sharing medical knowledge was treated as some subversive activity."
In fact, businesses are realizing that open sourcing their projects means better products because it allows companies to collaborate toward a solution, and it allows them to take advantage of the computer programming public to contribute improvements to their products. As the cnn.com article concludes, "Better products mean happy customers and sales growth at the bottom line."
Continue to Explore Your Options
It is important to note that this article did not address the varying degrees of accessibility to source code that is offered within the different off-shoots of the open source community. Companies such as Sun Microsystems, while making its source code available for the public to view, allows for limited to no alteration of the code underlying many of its products and systems.
If your company feels comfortable with the level of security and the computing power at its fingertips, there is probably no reason to deviate from your present system. Open source operating systems can be less user-friendly than the Windows platform. While many companies are working to remedy this, the fact remains that Windows is relatively easy for the less technically inclined to navigate.
Nonetheless, the open source community is continuing to grow and evolve, and has been picking up steam within the last few years. The possibility to extensively limit the number of security breaches and virus outbreaks within your organization makes a more thorough investigation of the myriad open source alternatives worth your while.
While you may not be able to prevent cybertsunamis from forming, it is within the realm of possibility to create a watertight organization that the wave will pass harmlessly over.
|Printer friendly Cite/link Email Feedback|
|Comment:||OPENING UP A DISCUSSION ON COMPUTING: FINDING SECURITY ALTERNATIVES AND MORE.|
|Date:||Oct 1, 2001|
|Previous Article:||Electronic Legal Bill Review.|
|Next Article:||THE ADVANTAGES AND CHALLENGES of Online Loss Control.|