Cracking open source: Can we say goodbye to security concerns?

There was a time when Open Source (OS) technologies were fringe: when security concerns trumped the benefits and large organisations – particularly those handling sensitive information – would steer clear. Now, big players in sectors from tech to finance, and even governments, are adopting free or low-cost solutions for data storage, accounting, project management and more. Accenture, Intel and Microsoft are just a few of the tech giants that have put their names to the movement.

So what’s changed? How have these technologies, which can be modified by anyone with the know-how and often come with no security guarantees or community support, overcome the risks and vulnerabilities that have historically put off big business? Especially when it comes to data storage: with data one of our most valuable assets, we need to know it’s protected.

We spoke to a number of industry experts and asked them: are cyber threats an issue for organisations relying on OS storage software? Should IT teams consider OS storage? And what advice would you give them? Here is what they told us.

Protecting against cyber-attack

Cyber threats are on the rise – and it’s not just the number of attacks: their impact is growing too. According to researchers at Cybersecurity Ventures, global ransomware damage costs are set to exceed $265 billion by 2031. And although all technologies are vulnerable, there is often an assumption that OS solutions are an easier target. Is that true?

Perhaps not. CMO of SoftIron, the leader in purpose-built and performance-optimised data centre solutions, Andrew Moloney explains: “Reports of attacks on the software supply chain, whether it be Open Source or not, have become much more common in recent years; but there’s a level of transparency inherent in Open Source that can at least assist in revealing attacks that might otherwise be obfuscated.”

And despite the fact that code vulnerabilities leave the OS model open to security risk, CTO of Spectra Logic, a global leader in data management and data storage solutions, Matt Starr believes OS solutions may actually have an advantage over vendors’ own: “In many cases, Open Source is faster to patch against a new-found variant due to community collaboration.” The key is to constantly and consistently patch OS technologies to counteract known issues.

Sounds like OS storage is pretty secure? There is a catch, according to Veniamin Simonov, Director of Product Management at NAKIVO, a US-based corporation dedicated to delivering the ultimate backup, ransomware protection and disaster recovery solution for virtual, physical, cloud and SaaS environments: “Namely global availability, that allows anyone to modify, examine and share the software, making it a central attraction point for cybercriminals”.

And here’s why: “OS software code gets updated frequently by developers around the world; unfortunately, not every developer is well-intentioned and this global accessibility makes creating a breach less challenging. Since Open Source software lacks service and support packages, mitigating the impact of such incidents on business operations can be very challenging. Hedging bets would not be the best action when the stakes include critical data, considering the global ransomware threat,” he adds.

Rakesh Jain is Senior Researcher & Architect at IBM Research and member of the Soda Foundation – established to standardise and improve the quality of OS solutions. He says: “[OS] vulnerabilities are public knowledge and need to be addressed on a higher priority basis. However, one can plan for it by deploying the storage software such that there are multiple layers of protection; for example, have a setup such that it is not easy for adversaries to reach the storage software to be able to exploit it. Simply put, do not expect to not have any cyber security issues, but plan in advance on how to address them on short notice.”

We’ve heard from the vendors – what about the analysts? Those with a bigger picture view across the whole industry. Senior analyst at Evaluator Group Krista Macomber is clear: “Cyber criminals do not discriminate. Additionally, Open Source software has some unique security vulnerabilities that hackers will exploit and oftentimes organisations have lax practices when it comes to tracking and updating known vulnerabilities of the various OS components that they use.”

Interoperability: another sticking point?

The security risk is compounded when you consider the historic challenge of integrating OS solutions. Interoperability is not always straightforward and has been another sticking point when it comes to adoption. Back to the Soda Foundation: part of the Linux Foundation, it brings together industry leaders to promote standardisation and best practices across a wealth of OS technologies. With members including Fujitsu, IBM, NTT, Scality, Seagate and Vodafone, it’s got the weight of the industry behind it.

The Foundation is set on creating a network of certified suppliers with standard specification for products, compliance and certification, along with a compliance lab for seamless interoperability. The benefits of such a programme? Over to CMO of Scality, which propels companies to unify data management no matter where data lives — from edge to core to cloud, Paul Speciale: “Standardisation is a powerful way to simplify data management and promote data autonomy and mobility for end users. That is the reason Scality is one of the founding members of the SODA Foundation.”

A standardised framework could accelerate OS solution creation and adoption. Jain explains how this makes OS so attractive: “Open Source technologies have had considerable impact on faster development, both of Open Source projects and tools, as well as proprietary software.” He adds: “This is because the processes and methods used in the Open Source world are time tested and matured and now used in proprietary software product and services development.”

And, according to Scott Sinclair, Senior Analyst at ESG Global, this helps to level the playing field: “Open Source technologies have made it easier for new start-ups to enter the space, which fuels more innovation.”

SoftIron’s Moloney supports the idea of vendor certification but sees its limitations: “For all of the advantages of Open Source, its flexibility comes at the expense of complexity. So any attempt to abstract some of that complexity away through testing and certification to help broader adoption can only be a good thing for the community as a whole.

“That said, while this type of testing and certification can be useful in assuring some basic levels of compatibility between what can quickly become a huge number of Open Source projects, in our experience the real challenges tend to happen as you integrate into the customer environments, which often encompass integrations beyond those within the scope of any of these types of projects, especially with more proprietary projects which almost inevitably exist.”

Spectra Logic’s Starr takes it a step further: “I do not think certified suppliers should be considered, mostly because of the number of certifications out there. For example, certifications like this do nothing to allow a storage device to connect to a secure government network. Those certifications are completely different and the same goes for many corporations.”

1, 2, 3: steps to take when adopting OS storage solutions

The OS model has an extraordinarily strong appeal: according to VMware, 95% of companies use OS software in production. It’s not without risk, though, and although it’s easy to try free or exceptionally low-cost OS software away from the production environment, organisations considering these technologies should go through an exhaustive checklist before diving in.

“Implementing enterprise-grade data protection and strong security would be at the top of the list,” Macomber from the Evaluator Group tells us.

And then? “It really comes down to examining the potential for success that the Open Source platform has for your organisation,” says SoftIron’s Moloney. “We see a lot of companies adopting Open Source technologies and then finding out that there wasn’t the sort-of “enterprise-ready” support structure to deliver what they needed at the production level. In those cases, they have to find the support out in the wild, which can be a real challenge. Doing some due diligence is critical to both the short and especially long-term success of an Open Source implementation.”

This is a widely-held view among vendors, given that OS software often lacks the refinement of commercial systems. Scality’s Speciale explains: “We do see organisations using Open Source storage software for dev/test and pilot projects. Many of those same projects later elect to use commercially supported software in production, for a combination of reasons related to ease-of-use, features/capabilities and quality of support. Also, from those customers who have elected to use Open Source in production, the cost of the enterprise support offering from those vendors often equals the cost of commercial license subscriptions, so any perceived cost advantages are quickly negated.”

OS offers cost and speed benefits, for example, but it may fall down when it comes to scope and/or quality. An OS project could be realised quickly, but it may also fail just as quickly. Spectra Logic’s Starr expands: “Open Source projects are great in a university setting where innovative science projects are encouraged. However, usage of Open Source storage by mainstream enterprises can pose massive issues. For example, when the system goes down, the corporate CIO does not want to hear that there is no support for the solution because it was ‘designed’ over the weekend.”

Today, a large number of businesses rely on OS software to enhance the delivery of their services, without realising this risk. Yes, with the OS model, solutions are developed faster, bugs tend to show up quicker and organisations are able to tap into external talent pools. But it’s down to users to be proactive: to keep on top of product issues and to take steps to minimise or eliminate the resulting impact.

Jain, of the Soda Foundation and IBM Research, reinforces these points: “Given that Open Source software doesn’t come with any warranty and official support, the organisations have to spend some extra effort in ensuring that its quality is up to the mark to their expectations. I would recommend that the organisations adopting an Open Source storage software become actively involved in that project’s community, become a member of the end-user community if the project offers one and employ a full DevSecOps approach while adopting the software so that any issues can be identified early in the cycle and can be addressed by the community as well.”

Tell us about the benefits

In a market where business agility is paramount, the capability to rapidly adapt can spell success (or doom) for an organisation. OS cuts out wasted time. Focusing and building on a specific aspect of technology, rather than starting back at the beginning, leads to much shorter times to market at a fraction of the cost – or at no cost at all.

“Open Source storage software enables businesses to meet their storage needs more affordably than proprietary software,” according to NAKIVO’s Simonov.

CTO of CTERA, Aron Brand, agrees: “Open Source technologies such as Linux, Kubernetes and Samba, provide IT vendors with a huge base of intellectual property they can build upon, totally free. By publishing portions of our code on Open Source, we were able to access a deep reservoir of technological knowledge and expertise and benefit from highly professional peer review and feedback. If your company has the technical chops for Open Source, this can be a great way to leverage the knowledge of the community and reduce your maintenance burden,” he adds.

The OS approach also encourages commercial innovation. “The combined efforts of the OS Community respond to the needs of that space and gradually build out a solution that supports all the valuable features and capabilities. That process continues until all significant needs are met and restarts as needs change over time,” according to Curtis Anderson, Software Architect at Panasas, the data engine for innovation.

“Successful Open Source projects allow significant innovation, but they also disrupt any existing commercial solutions unless those are responsive to customer needs. If they are not, the Open Source alternatives will grow much faster and the commercial solution will be forced to change and innovate. Having an Open Source project in a market niche breaks up enclaves dominated by solutions that are not responsive to customer needs.”

Ready to take the plunge?

When it comes to our experts, the jury’s still out on OS, but for security teams the advice remains firm. Starr points to examining the entire process, from initial development to deployment in production environments: “[OS] technologies have paved the way for faster products and services development, but you still need to test OS software. So the development efforts are faster, but the testing remains the same.”

Data storage industry expert and Chair of the Storage Networking Industry Association (SNIA) EMEA, Alex McDonald, does not mince his words: “I like Open Source projects for their initial impact and vision, but they can lead to longer-term poor maintenance processes and responsiveness and a lack of development direction as they mature. Faster doesn’t mean better either.” And remember: once a piece of code is shared with the Open Source community, a developer may build something new with it and there’s no guarantee it will become a reliable and stable technology.

SoftIron’s Moloney agrees: “There’s a double-edged sword here: quickly deploying Open Source technologies on generic hardware can produce some very mediocre results without the skilled intervention of (a team of) talented engineers.”

Beyond the security sphere, Tim Klein, President and CEO at ATTO, explains how he’s conflicted over OS: “I have mixed feelings on Open Source technologies. Open Source can easily make some developments and collaboration quicker, but sometimes innovation can get stifled because IP can be too free flowing, resulting in hold-backs on truly wonderful ideas because of IP concerns.”

This is a valid point: before a developer opens up their code to the OS community, they need a solid business plan that won’t be jeopardised by making the code available to other developers. This could indeed slow down or even stop the development of innovative technologies that could be benefiting organisations across the globe.

However, many vendors have come round to the idea that OS may make financial sense for them (looking at you, Microsoft). And this is good news for the customer.

“SoftIron has built its business from the outset with Open Source at its heart. Our approach enables us to produce the best outcomes for our customers without locking them into our solution,” SoftIron’s Moloney tells us. “When we eliminate vendor lock-in for our customers, it forces us to do whatever is necessary to cater to their needs or risk losing them to someone else. You will see us continually make investments into the communities we are a part of, including contributing code, participating in the ongoing maintenance of these communities and engaging with them to solve modern challenges.”

For similar reasons, Speciale explains why Scality has been keen on Open Source from the start: “Since Scality was founded in 2009, we’ve been very involved in open communities and development; when object storage was in its infancy, Scality was one of the first adopters of S3 with an Open Source project. In 2017, our dedicated engineers built and released Zenko, an open software code-base for managing data across AWS, Google Cloud and Azure to avoid cloud vendor lock in.

“Zenko was accepted as a SODA Foundation EcoProject and Linux developers can use it with the support of industry-standards organisations such as SODA and the Linux Foundation. We have also used OS technology extensively in our storage solutions; for example, we leverage Kafka, Redis, Docker, Kubernetes, MongoDB and of course our own OS Zenko technology for multi-cloud enablement.”

So where to now? The benefits of the OS approach are significant: from reduced costs to increased flexibility and shorter times to market. However, relying on the general developer community to spot and address issues can be a risky strategy. As an end-user, to benefit from the advantages of the many OS technologies available today, it would be wise to select solutions with some form of commercial support to avoid encountering problems that may have significant impact on your security, productivity and ultimately, your bottom line.

By Federica Monsone, Founder, A3 Communications
