Securing with Open Source
Open source security solutions are coming of age, offering enterprises the benefits of customization and control at much lower costs
By KTP Radhika
IT security threats are growing at an exponential rate today. Sample this: a report from global security firm Symantec states that 403 million new variants of malware were created in 2011, a 41% increase from 2010. McAfee Labs predicts mobile worms will increase and cyber criminals and hacktivists will be refining tools and techniques and large-scale attacks will be made to destroy infrastructure, cripple businesses, steal intellectual property and to cause as much damage as possible in 2013. And as executives use more and more unmanaged mobile devices in their office networks, security threats will further push enterprise IT to its limits.
According to research from IDC, the emerging “predictive security” market is expected to grow from $198 million in 2009 to $905 million in 2014.
As attacks are growing and getting more targeted, organizations are also increasing their IT security budgets. However, switching to open source security software helps organizations to offset some of these budget to other areas and, at the same time, harden and customize their security according to their specific needs.
According to Andy Karandikar, Pre-sales & Services Head – Red Hat India, in the open source development model, security is very much built into the enterprise open source software. “Lots of security software are part of open source solutions rather than proprietary. There are also very specific security software being built on open source. These open source security tools offer a great deal of flexibility with other added benefits.”
Multiple benefits
Security software built on open source provides affordability, control and customization benefits. Affordability is one of the main reasons for adoption. Says Karandikar, “Security is an economic issue. In an interconnected environment, you are only as secure as your neighbor. So access to strong security must be affordable enough to be ubiquitous. Open source is very economical compared to proprietary.” Open source solutions are highly affordable even for small businesses. Getting the source code at no charge is a big attraction for budget-conscious IT departments.
Another benefit is maximum control. Open source tools provide companies with greater agility and control over their security. In proprietary software, if the vendor comes up with a new version and stops updates and support for the earlier version, user companies will be stuck. However, with open source, organizations can reduce dependence on software vendors. Also, access to the source code gives enterprises complete control over the way their network functions. “Security is a prime matter of concern for all businesses. In open source security software, users get the complete source code and can thus get full control over their own security,” points out Biswajit Banerjee, Director, Tetra, an open source consulting company. And once you get the freedom to know how the program works, then you can adapt it to your needs.
Such adaptability or customization is of great value to enterprises. “Open source software will allow IT managers to do plug-ins and developments. This will help them to complement and customize according to the company’s specific needs,” says Vaidyanathan Iyer, Country Manager, Security, Software Group, IBM India/South Asia. “With customization and improved flexibility, open source solutions will help companies to harden the security to any level and fine-tune it. And in some cases they can also unharden it. Both can’t be done in a proprietary software.”
Another factor driving the open source security software is its increasing user-friendliness. Earlier, open source software used to be developer-friendly but relatively difficult for the average user. With graphical user interface (GUI) coming into the picture, today it matches the proprietary software in ease-of-use, say experts.
Steadily catching up
According to industry experts, currently the adoption of open source security solutions is in a nascent stage. “Reliance on open-source security tools in enterprises is relatively slow but it is in an increasing mode,” says Banerjee. At the moment, most organizations use open source security tools in entry-level functions like vulnerability penetration tests and analysis.
Affirming this, Iyer of IBM says, “The trend we can see today among the users is that the core security things are taken care of by IP-specific (proprietary software) and the peripheral one, which is less sensitive, is are taken care of by the open-source counterpart.” One of the main reasons for this is that enterprises are used to proprietary tools and cannot easily migrate their existing infrastructure.
In other security areas like anti-virus, anti-spam, malware detection, etc, adoption of open source tools is catching up fast. For instance, updates of ClamAV, a popular antivirus and anti-malware, are getting downloaded to nearly one million unique IP addresses daily. Open source tools are also used for network monitoring, password management, web filtering, user authentication, etc.
Secure networking protocols like Secure Socket Layer (SSL) are also finding application in secure Web server access. Other security tools, such as those for file systems permission and authentication, are also being used by enterprises.
The challenges
As of now, the adoption of open source in the security domain faces some challenges. For one, the open source solutions have to attain more maturity to receive higher adoption rates among enterprise users. Developing them further to a higher level will take some time. As IBM’s Iyer points out, “Today, developers are building so many features of security into many existing open-source software. First, this has to mature. And that will help in developing more open-source security software according to industry needs.” So enterprises are using open source security tools with caution or for peripheral functions, while continuing to use proprietary tools for core security. However, as the maturity level of open source security tools grows, the existing hybrid model will have a faster and smoother migration to a security regime that is totally based on open source—at least for a significant number of organizations.
Another hurdle is to build confidence in open source among the user community. For this, there should be many more choices than are currently available. “Non-availability of apt tools is causing hindrance for widespread adoption,” says Karandikar of Redhat. Also, many open source tools are not enterprise-ready. In many cases, companies end up mending together many open source tools along with some code developed in-house in order to create a complete solution.
Most Indian companies, especially SMBs, have grown up on the Windows platform using proprietary software. Many of them are not even aware of the alternatives available. This is one of the main hard blocks for open source security software. “However, we are seeing widespread adoption of the Linux platform with the growing popularity of software-as-a-service (SaaS) where the vendor manages the infrastructure. In such cases, vendors are getting more and more proficient in using the open source solutions for security,” explains Rushabh Mehta, an open source enthusiast and founder at Web Notes Technologies.
That said, experts feel that there lies a shining future for enterprise open source in general and security in particular. Once the sector matures and provides good choices for the enterprise community, organizations will start implementing it to their core security needs as well. As Iyer puts it, “Open source security solutions will start dominating more and more into the periphery first and then will start penetrating into the application area and, in advanced stages, will come into the identity and access management space.”
The current grim economic scenario could prove to be a driver for open source solutions, including security tools. Says Mehta, “With the economic crisis gripping the industry and companies trying all methods to cut costs, there is a huge scope for open source software solutions in general and security in particular.” Also, as adoption increases and the industry matures, more and more targeted tools will pop up in the industry. “Open source security solutions will develop in parallel and in tandem with the central development of open source software,” says Iyer of IBM.
Even if big enterprises would take some time to migrate to open source software, there is a major opportunity for these tools in the SMB space, where cost is an even bigger concern and which have fewer legacy issues than large enterprises.