Open Source and Security: Engineering Security by Design - Prague, December 2011

This was a talk I did at the International Conference ITTE 2011 - Cyber Security and Defense in Prague -

Originally a colleague, Richard Morrell, was to give this talk and my slides are based on his but heavily modified.

The audience was a military audience who were at the conference to discuss Cyber Security.

  1. Open Source and Security: Engineering Security by Design
     Jeremy Brown, Manager, Solution Architects, Red Hat
     December 2011
  2. Overview
     - What has Open Source got to do with Security?
     - Red Hat – Enforcing Security by Design
     - Re-inventing the engagement model
     - Virtualisation and mobility – CloudForms
  3. What has Open Source to do with security?
     - Security is fundamental and needs the scientific approach of peer review
     - If you translate the scientific approach of peer review to software, the only way to do it is to be Open Source
     - If you use Solaris, AIX, HP-UX, SCO or SCADA you need to understand that Open Source is the feeder for your world
     - 93% of all major internet traffic moves using Open Source derived architecture, predominantly on Linux; enterprises secured by Red Hat account for almost 70% of all workloads
     - 87% of all Clouds run on Open Source: Amazon AWS, Rackspace, Google, Facebook, Yahoo etc. (IDC, Forrester data)
  4. Sunk by Windows NT
  5. Security in Depth – Open Source evolution
     - The Open Source community, with its historical release early, release often / peer review / fast fix model, is traditionally the most proven security release model in computing.
     - If you are concerned about how your platforms evolve you need to have engagement with Red Hat – sooner rather than later
     - Security is a LOT more than CERT advisories and version control – what is the risk to your data and reputation?
  6. Red Hat – Enforcing Security By Design
     - We employ 70% of all of the contributors to the mainstream Linux kernel projects / technologies.
     - SELinux (NIST adopted), sVirt, SPICE, Gluster, Apache, libvirt, KVM – all Red Hat led projects by staff on our payroll
     - Linux technologies empower DAX, NYSE, NEXT, FTSE
     - Linux in Defence is already in use in NATO, US, Australia
     - Ever increasing government adoption of certified Linux partnering with Red Hat in supported programmes
  7. Red Hat – Security Certifications and Accreditations
     - Red Hat Enterprise Linux is the most certified operating system available today.
     - RHEL has passed the Common Criteria process 13 times on four different hardware platforms.
     - Red Hat Enterprise Linux 5 has even received Common Criteria certification at Evaluation Assurance Level 4 (EAL 4+) under the Controlled Access Protection Profile (CAPP), Labeled Security Protection Profile (LSPP) and the Role-Based Access Control Protection Profile (RBACPP), providing a level of security and a feature set that was previously unheard-of from a mainstream operating system.
     - JBoss Enterprise Application Platform is Common Criteria certified at EAL 2+.
  8. Red Hat – Reacting to Security Threat
     - Fourteen-year track record in CERT advisory publication and patch creation.
     - Industry leading reaction speed to patch creation, testing, documentation and push, not just to our supported customer subscription base but to the entire community (fixes which will often appear months later in Oracle Linux, SuSE, Ubuntu and AIX 5.x).
     - Acknowledged by US Gov, NIST, Symantec & CERT as the most prolific security patching and release of any software vendor, including Microsoft.
  9. Red Hat – Reacting to Security Threat
     Source:
  10. Red Hat – Security in Depth – Realtime
      - Microsoft time to patch release is on average 14-17 days for minor system security releases, often longer; 9-11 days for major system vulnerabilities in cycle – rarely sub 7 days for a patch
      - Red Hat average time to release a patch is one day; often the release of a documented advisory and the release of both fix AND source to customers and the wider community is less than 18-24 hours post discovery. Sometimes quicker.
      - This is part of the Red Hat commitment to security and our stance on reputation protection and end user value for our subscription customers across the board.
  11. Virtualisation / Mobility – new threats
      - Cloud – new security audit / accreditation / threat fabric / GRC
      - Misunderstood / non-defined audit model for vendors
      - Risk of vendor non-compliance / governance control
      - Mobility of data and application – what can we migrate?
      - Understanding the hidden costs of Cloud aligned to security
      - Vendor selection process – involving Red Hat at Day One
      - Understanding security within the cloud application lifecycle
  12. Virtualisation Vulnerabilities
      IBM X-Force 2010 Mid-Year Trend and Risk Report
  13. Engagement Model
      - Are you a consumer of technology or do you see yourself as a thought leader / decision maker in platform evolution?
      - Understanding how / when to engage – event or vendor driven?
      - Picturing risk and building threat fabric models – modelling risk
      - Protecting core platforms from zero day attack and exploit
      - Re-educating sovereign governments around accreditation and empowering the future of your IT ownership
      - Reducing core implementation costs / protecting platforms / data
      - Delivering the ability to protect at sovereign territory level with confidence and with backup from Red Hat globally and locally
  14. Cloud introduces new management challenges
  15. Moving ahead – next steps
      - We are already engaged with governments and agencies around the world.
      - We are MORE than a Linux OS provider!! We are an Open Source company and Security is at the heart of what we do
      - Red Hat are part of the evolution of where you are already going
      - How can we assist you? Accreditation / Applications / Ambition
      - Security of platforms and architecture – Red Hat should be part of your business as usual process – we're here to help you
      - Engage with your local Red Hat EMEA organisation
  16. Thanks for listening
      Questions? -