Cloud Security Authors: Elizabeth White, Pat Romanski, Maria C. Horton, Liz McMillan, Ravi Rajamiyer

Related Topics: Open Source Cloud, Cloud Security

Open Source Cloud: Article

Open-Source Security: Better Protection at a Lower Cost

Open-Source Security: Better Protection at a Lower Cost

At first glance, using open-source software for a firewall or other security application seems counterintuitive, even absurd. Why would a corporation use code that's available to anyone - hackers, cyber-terrorists, disgruntled employees - to protect their most vital information assets? Yet that's what's happening at places like Stanford University, EDS, and Los Alamos National Labs, to name but a few of the many organizations using open-source security software.

What do these people know that the Wintel world doesn't? That, when properly implemented, open-source products are more affordable and more secure than closed proprietary systems. In other words, an open-source security suite can keep data safer while saving companies money.

Let's examine these claims in more detail.

Open Source Is More Affordable
Open-source security suites cost far less than closed systems because development expenses are radically lower. At Astaro, the company where I serve as general manager, the cost of integrating open-source tools into a comprehensive security suite is roughly one-fifth that of creating such tools from scratch. These Linux-based apps generally have lower hardware and training requirements as well, further slashing costs.

An April 2002 study by Cybersource Pty. Ltd. compared the total cost of ownership for open-source platforms versus Microsoft Windows systems, factoring in hardware, software, training, and support costs. Their conclusion? Open-source software could save a medium-sized business more than 34 percent over three years.

The lower cost leads to greater security, especially for companies who lack the big IT budgets of Fortune 500 corporations but whose security needs are every bit as real. These smaller companies can't afford to protect every asset, so they play Russian roulette every day and focus on what they think are the most vital and vulnerable ones. Given the lower costs of open source, more company assets can be included within the security umbrella. More importantly, it frees up firms to spend money in areas that are often neglected - such as educating end users on how to implement best practices - that have a greater long-term payoff.

Open Source Is More Secure
The security of open-source code is a matter of intense debate, which was fueled even more by the recent discovery of security flaws in the widely used Apache Web Server software and OpenSSL protocols.

The fact is that no piece of code, open-source or proprietary, is 100 percent secure. But thanks to the process of broad, continuous peer review, open-source code is less likely to suffer flaws. According to a study by Forrester Research in August 2000, IT managers cited security concerns as their number one reason for switching to open-source software.

The approach of "security through obscurity" used by closed source software doesn't work as well, in large part because proprietary code is obscure only to those who might otherwise be inclined to find and fix the flaws.

"Sophisticated hackers don't need your source code to find security problems," notes security researcher John Viega in a September 1999 paper. "Hackers can observe program behavior, analyze your binary, and even run your program through a decompiler to get a reasonable replica of your source code. But even if they get in, you won't gain from the 'many eyeballs' phenomenon&. By taking away the source code, you make the program harder for people to analyze, and thus they are less likely to help you improve your product."

Open Source Gets Fixed Faster
When security holes are discovered, they're patched much more quickly with open-source software than with proprietary software. For example, repairs for the Apache flaw were available within two days of the hole's discovery. Compare that to the typical lag time for, say, a certain leading operating systems vendor to issue a software patch.

In security, rapid response is everything.

A SecurityPortal study published in January 2000 found that open-source vendor Red Hat took an average of just over 11 days to patch a bug in its Linux OS. By contrast, Microsoft took 16 days to fix flaws in its software, while Sun customers had to wait nearly three months for solutions.

Open Source Is Simply Better
Thanks to peer review, open-source software undergoes a process of continuous improvement and frequent updates. Unlike with proprietary software vendors, customers won't have to wait months or years for a new version to roll out. This ultimately leads to a more reliable, higher-quality product.

When Microsoft released Windows 2000 in February 2000 the code contained more than 63,000 defects, according to an internal Microsoft memo. In May 2001, Lansing, Michigan-based insurance firm J.S.Wurzler Underwriting announced it would raise its premiums up to 15 percent for companies that relied on Windows NT on their Internet servers. The reason? The underwriters found that clients using NT were more susceptible to hacking and other attacks than those who employed open-source security products.

The open-source model also lends itself to more vigorous and timely after-sale support from an active community of users, which in turn lowers the cost of support - once again saving companies money.

Integration Is Key
While open-source programs are traditionally available for little or no licensing fee, simply cobbling together a series of firewalls, intrusion detectors, anti-virus utilities, and other security apps may actually be more expensive and less secure in the long run. For one thing, network admins must master a different interface for each app, which means companies will spend more time and money training them. And the need to continually patch each app individually greatly increases the odds of missing an update vital to the app's security - thus making data more vulnerable.

An integrated approach - one that takes the best open-source apps and integrates them via a single interface - offers the best of both worlds. The benefits are many: administrators will have only one interface to learn, one set of updates to install, and one contact to call when they need help. And they'll have that active community of Linux diehards helping to make them more secure.

Bottom Line
Top-notch data security doesn't have to come at a premium price. Open-source tools are already protecting the networks of thousands of corporations and organizations around the world, and doing it better and for a lot less than proprietary solutions.

More Stories By Steve Schlesinger

Steve Schlesinger was most recently vice president, corporate development, at SoundBite Communications. He was previously at Workgroup Technology and at Easel Corp.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

IoT & Smart Cities Stories
Moroccanoil®, the global leader in oil-infused beauty, is thrilled to announce the NEW Moroccanoil Color Depositing Masks, a collection of dual-benefit hair masks that deposit pure pigments while providing the treatment benefits of a deep conditioning mask. The collection consists of seven curated shades for commitment-free, beautifully-colored hair that looks and feels healthy.
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
We all love the many benefits of natural plant oils, used as a deap treatment before shampooing, at home or at the beach, but is there an all-in-one solution for everyday intensive nutrition and modern styling?I am passionate about the benefits of natural extracts with tried-and-tested results, which I have used to develop my own brand (lemon for its acid ph, wheat germ for its fortifying action…). I wanted a product which combined caring and styling effects, and which could be used after shampo...
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Druva is the global leader in Cloud Data Protection and Management, delivering the industry's first data management-as-a-service solution that aggregates data from endpoints, servers and cloud applications and leverages the public cloud to offer a single pane of glass to enable data protection, governance and intelligence-dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it. Druva's...
BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.