open source and security: engineering security by design - prague, december 2011
DESCRIPTION
This was a talk I did at the International Conference ITTE 2011 - Cyber Security and Defense in Prague - http://www.afcea.cz/ Originally a colleague, Richard Morrell, was to give this talk and my slides are based on his but heavily modified. The audience was a military audience who were at the conference to discuss Cyber Security.
TRANSCRIPT
Open Source and Security: Engineering Security by Design
Jeremy Brown, Manager, Solution Architects, Red Hat
December 2011
Overview
What has Open Source got to do with Security?
Red Hat – Enforcing Security by Design
Re-inventing the engagement model
Virtualisation and mobility – Cloudforms
What has Open Source to do with security?
Security is fundamental and needs the scientific approach of peer review
If you translate the scientific approach of peer review to software, the only way to do it is to be Open Source
If you use Solaris, AIX, HP UX, SCO or SCADA you need to understand that OpenSource is the feeder for your world
93% of all major internet traffic moves using OpenSource derived architecture, predominantly on Linux; enterprises secured by Red Hat account for almost 70% of all workloads
87% of all Clouds run on OpenSource: Amazon AWS, Rackspace, Google, Facebook, Yahoo etc (IDC, Forrester data)
Sunk by Windows NT
http://www.wired.com/science/discoveries/news/1998/07/13987
The OpenSource community, with its release early, release often / peer review / fast fix history, is traditionally the most proven security release model in computing.
If you are concerned about how your platforms evolve you need to have engagement with Red Hat – sooner rather than later
Security is a LOT more than CERT advisories and version control – what is the risk to your data and reputation?
Security in Depth – Open Source evolution
Red Hat – Enforcing Security By Design
We employ 70% of all of the contributors to the mainstream Linux kernel projects / technologies.
SELinux (NIST adopted), sVirt, SPICE, Gluster, Apache, LibVirt, KVM – all Red Hat led projects by staff on our payroll
Linux technologies empower DAX, NYSE, NEXT, FTSE
Linux in Defence is already in use in NATO, US, Australia
Ever increasing government adoption of certified Linux partnering with Red Hat in supported programmes
Red Hat – Security Certifications and Accreditations
Red Hat Enterprise Linux is the most certified operating system available today.
RHEL has passed the Common Criteria process 13 times on four different hardware platforms.
Red Hat Enterprise Linux 5 has even received Common Criteria certification at Evaluation Assurance Level 4 (EAL 4+) under the Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP) and the Role-Based Access Control Protection Profile (RBACPP), providing a level of security and a feature set that was previously unheard-of from a mainstream operating system.
JBoss Enterprise Application Platform is Common Criteria certified at EAL 2+.
Red Hat – Reacting to Security Threat
Fourteen-year track record in CERT advisory publication and patch creation.
Industry leading reaction speed to patch creation, testing, documentation and push, not just to our supported customer subscription base but to the entire community (which will often appear months later in Oracle Linux, SuSE, Ubuntu, and AIX 5.x).
Acknowledged by US Gov, NIST, Symantec & CERT as the most prolific security patching and release of any software vendor, including Microsoft.
Red Hat – Reacting to Security Threat
Source: http://www.awe.com/mark/blog/20110520.html
Red Hat – Security in Depth - Realtime
Microsoft time to patch release is on average 14-17 days for minor system security releases, often longer, and 9-11 days for major system vulnerabilities in cycle – rarely sub 7 days for a patch
Red Hat average time to release a patch is one day; often the release of a documented advisory and the release of both fix AND source to customers and the wider community is less than 18-24 hours post discovery. Sometimes quicker.
This is part of the Red Hat commitment to security and our stance on reputation protection and end user value for our subscription customers across the board.
Virtualisation / Mobility – new threats
Cloud – new security audit / accreditation / threat fabric / GRC
Misunderstood / non defined audit model for vendors
Risk of vendor non compliance / governance control
Mobility of data and application – what can we migrate ?
Understanding the hidden costs of Cloud aligned to security
Vendor selection process – involving Red Hat at Day One
Understanding security within cloud application lifecycle
Virtualisation Vulnerabilities
IBM X-Force 2010 Mid-Year Trend and Risk Report
ftp://public.dhe.ibm.com/common/ssi/ecm/en/wgl03003usen/WGL03003USEN.PDF
Engagement Model
Are you a consumer of technology or do you see yourself as a thought leader / decision maker in platform evolution?
Understanding how / when to engage – event or vendor driven ?
Picturing risk and building threat fabric models – modelling risk
Protecting core platforms from zero day attack and exploit
Re-educating sovereign governments around accreditation and empowering the future of your IT ownership
Reducing core implementation costs / protecting platforms/data
Delivering the ability to protect at sovereign territory level with confidence and with backup from Red Hat globally and locally
Cloud introduces new management challenges
Moving ahead – next steps
We are already engaged with Governments and Agencies around the world.
We are MORE than a Linux OS provider!! We are an Open Source company and Security is at the heart of what we do
Red Hat are part of the evolution of where you are already going
How can we assist you ? Accreditation / Applications / Ambition
Security of platforms and architecture – Red Hat should be part of your business as usual process – we're here to help you
Engage with your local Red Hat EMEA organisation
Thanks for listening
Questions? - [email protected]