Open source as the secure alternative: a case study


Kate Craig-Wood, Memset

Open source is actually more secure and reliable than the alternatives. This is a conclusion based on the experience of creating a hosting/cloud Infrastructure as a Service (IaaS) company using entirely open source software and an ‘automate everything’ philosophy.

UK-based Memset turned to open source for a number of reasons:

• Price: you don’t need to pay for proprietary software anymore; simply download the open source software and install it, and don’t pay a penny. Furthermore, you usually get unrestricted access to the source code, enabling you to modify it to suit your requirements.

• Flexibility: once you have the software installed you are free to host your applications wherever you like. This means you no longer need to put all your information in one basket, say with Google; instead you are able to separate the software from the host and own your own data. A good example of how to achieve that would be Zimbra, an open source, web-based Software as a Service (SaaS) suite of office applications that can be hosted by any managed hosting provider.

• Efficient systems integration: by using open source software and adapting it to suit the company’s needs, with fairly minimal development effort, Memset has been able to build on those foundations to automate a large number of its processes, such as account billing, administration, provisioning, maintenance and monitoring activities, so that they require very little staff input.

Memset’s preferred core tools are: Python (programming language); MySQL or SQLite (databases); Django (application framework); and Nginx and Apache (web servers). A key part of the firm’s approach is ‘one database to rule them all’. Thus, its database handling configuration management, billing and everything else (dubbed ‘The Database of Doom’) was custom-built by Memset using the above tools. As with most development approaches, the starting point was an object model provided to Django to turn into a database structure and provide hooks for other code. The in-house code takes care of the following:

• Firewall rules management.
• Asset management.
• IP address management.
• Domain Name Servers (DNS).
• VLANs and switch fabric management.
• Network connectivity/bandwidth regulation, shaping and accounting.
• Automated provisioning of IaaS.
• Customer accounts and details.
• Billing/invoicing.

Computer Fraud & Security, February 2013

That might seem like quite a lot but actually, thanks to extremely powerful and highly efficient open source tools, it has all been built, and is maintained, with a very small development team (counted in single digits). However, that is just the core, and in many ways it is little more than a rather large and complex, database-driven, object-oriented spiderweb of applications. The clever bit is that it also stitches together a whole bunch of open source applications, much like the conductor of an orchestra. Below are some examples of the individual open source tools and applications that comprise this orchestra:

• Xen hypervisor, to chop up a host server into multiple Miniserver VM virtual servers (more on this below).
• Logical Volume Manager (LVM) – does the hard disk bit of Miniserver VMs.
• OpenStack, to run the Memstore cloud storage service.
• Linux Virtual Server (LVS) and Heartbeat, to run the Performance Patrol clustering and load balancing service.
• IPtables – runs the firewalls.
• Nagios, used for monitoring all servers and services in the estate.

Because all those pieces of software are open source, and therefore built with the intention of being transparent and easily accessible, it has been very simple to integrate them. Most of them are actually driven by simple textual configuration files, which are auto-generated and automatically propagated to the appropriate places. This elegant simplicity also means that the systems are very reliable: on the one hand, there is not much to go wrong, and on the other, when something does go wrong it is easy to poke around and figure out what the problem is without having to get in touch with some third-party software vendor’s hopeless support desk.

Cheap enhancements

Another of the beauties of open source solutions is that, unlike their proprietary counterparts, it is possible to modify or enhance them yourself relatively inexpensively. Memset has done exactly this with many of the solutions it uses – for example, by improving virtualisation technologies to enhance their fair scheduling (ie, making sure that one VM cannot monopolise the host’s resources). Another good example is OpenStack Swift, the object-storage system used for Memstore. Normally it does not come with a content delivery network element nor the ability to upload files via FTP or SFTP. Memset added those pieces of functionality, giving the company an edge over other Swift users. In some cases, the modified code has itself been open sourced – for example, the FTP server add-on to Memstore. Memset has taken over as the lead developer on a project that had been ailing for lack of support, and others are now using that software. They can be anywhere in the world: for example, a Russian ISP is one of the organisations that has been helping to further develop that package with detailed testing and improvement suggestions as well as some of its own patches. By being open itself, Memset is tapping into a wider communal resource that it would not otherwise have access to. In effect, some of the minnows are able to group together to compete in terms of software development with the major players in the market.

The low cost of open source allows the server estate to be expanded with the lowest cost.

Mobility

Because all the systems are web-based, it is easy for people to work from home or on the road – one of the many advantages of a SaaS model, but without the usual lock-in associated with proprietary providers. A good example of such a package is Trac – an integrated wiki, ticketing and project management system and software repository; it contains staff job lists/workflows as well as all company documentation. Further, because it is possible to see all the inner workings of the systems in use, it’s possible to be completely confident about their security. For instance, even someone with rudimentary or rusty coding skills can comprehend Trac’s security measures as well as the defences put around it as part of the self-hosting process (access control, access only via HTTPS, location of the data, who has physical access to the machines it is on, and so on). This offers a much greater level of confidence than an opaque, proprietary SaaS service.

Memset has migrated most of its staff to *nix-based systems (mostly Linux, but some staff use Mac OS X), and all they need is a browser and an email client. Firefox and Thunderbird are certainly enterprise-quality these days and indeed the collective view is that using, say, Ubuntu (an open-source desktop/laptop operating system) with the likes of Firefox, Thunderbird and LibreOffice is actually significantly more reliable than Microsoft Windows platforms. This opinion comes from many years’ experience among systems administrators – they love Linux because it is more reliable and more secure (see below) than MS Windows as a personal operating system.

Transparency with no lock-in

Open source is not solely about publishing your code and getting a community of developers and users to collaborate to build, maintain and improve it. It is also something of a design mindset. When you are building something that needs to be easily understandable and maintained by many, you have to be transparent and easy to comprehend from the ground up. This means that most open-source applications store their information in very accessible ways, most commonly in databases such as MySQL, and usually with very clearly defined and accessible structures. This means that it is very easy to export and import data between systems. It also means that you can do data mining and analytics very easily. Memset exploits very large data sets (collecting about five million data points per day) to inform its management decision-making. This is done without any expensive software or any special expertise, yet provides instantly accessible statistics from any of the company’s systems using tools that the development team cooked up, sometimes in a matter of minutes, that simply run a query on the appropriate database.

Ubuntu is an open-source operating system that some consider more secure and reliable than Windows.

This open design approach is in stark contrast to proprietary solutions, where the vendor’s strategy is to make it very hard to dig into the data so that: a) the users get locked in to that solution; and b) the vendor can monopolise the addition of helpful services or data analytics tools and make more money on that part too.

Increased security

It is the opinion of everyone at Memset (all experts in their fields and many fully ‘bilingual’ in terms of Linux and Windows operating systems) that, in general, open-source applications are more secure than their commercial equivalents. This may seem a bold claim, but let us examine it. The source code for open source software is just that – open and public. Open-source applications stand naked and anyone in the world may scrutinise them and attempt to hack them with this significant advantage. The result of this is that if there are any exploits they are rapidly discovered by the open source community of developers with an interest in a particular project, who then release a patch.

By contrast, proprietary (closed-source) software is not open to this wide scrutiny. Instead, the usual way exploits are discovered is by hackers somewhere in the world who busily take advantage of the exploit or bug for their personal gain – and your personal loss. Inevitably, news of such exploits gradually leaks out and the corporations behind the software patch the hole. However, it can often be many days or even weeks before the likes of Microsoft become aware of the hackers making merry with a flaw in their code, and it is not uncommon for it to again take many weeks to get the patch rolled out. In the intervening time there is often significant damage done. For evidence of this you need only look at the security advisory sites to see that there are, in general, many more serious security exploits for closed-source products than open-source products. Further, such sites also demonstrate that it is more common for exploits in open source software to be first discovered by white-hat hackers who do not exploit the bugs. To take two more simplistic examples, if you put a Linux server online with no firewall and default settings then it is extremely unlikely to get ‘rooted’ – it is secure by default. In contrast, as a hosting company we rapidly learned that you cannot deploy a default-install Windows machine without a firewall since it immediately gets hacked, usually by automated malware. The record was 17 seconds from the completion of boot-up! This is why the Miniserver VM virtual servers are provided with a free basic firewall with Windows machines.

An example of Xen in use.

Open hypervisor

All the Miniserver VMs use Xen, which is an open-source virtual machine monitor or hypervisor originally developed by Dr Ian Pratt at the University of Cambridge’s computing department. Since then it has had contributions from many major companies, including IBM, Microsoft and Intel. Originally the main goal of the design and development was being able to run up to 100 full-featured OS instances on a single computer or server. Xen provides secure isolation, resource control and quality of service guarantees, and also protects each individual account on the system. The advantages of having this technology are clear and, for applications such as web hosting, where server load and higher amounts of processor or memory power are not needed, the benefits and cost savings are huge.

One reason that Xen is more effective than commercial software such as Virtuozzo is that operating systems must be explicitly modified to run on Xen. This enables Xen to achieve high-performance virtualisation and also to prevent any sharing of memory or processes, or any individual account on the server disrupting any others. Xen also allocates each account on the system its own sub-kernel, making it a dedicated machine at an operational OS level. This means that should one account fail or crash, the others would continue unaffected. Virtuozzo, on the other hand, relies on the services of a single kernel – all of the VPSs on a given server must run basically the same operating system. And should the underlying OS kernel fail, all VPSs running on the server would be brought down. Xen uses a technique called paravirtualisation to achieve high performance – typical performance penalties are around 2%. At the other end of the spectrum, emulation solutions entail performance penalties of around 20%. Xen was chosen after extensive testing, even though a reasonable amount of bespoke work was required to port Linux operating systems to the server. Many other hosting companies have now jumped on the virtual server bandwagon and most of these have decided to use Virtuozzo. That is because it is very easy to set up and administer and also allows them to put up to 60 accounts on one server. Memset puts only 5–10 VM accounts on each physical server and as a result performance and uptime are excellent.

Open source advantage

Being open source, Xen also makes it possible to allow customers the ability to manage and change their kernels and also, as Xen supports different operating systems on the same server, a choice of operating systems. Memset’s firewalls use open source Linux IPtables, automatically configured from the master database (open source MySQL, of course) with custom-made scripts. OpenStack software is used for the cloud storage solution, Memstore. Open source implementations of VLAN and bridging software (for creating a virtual switch on the host servers) all use standardised, open interfaces and protocols. Using Linux and open source software for the core infrastructure also means it’s possible to use commodity servers for everything from firewall-routers to virtual machine hosts. By doubling up on everything (which is made economically very feasible when using commodity hardware and not paying licence fees) it’s possible to achieve huge levels of resilience for very little outlay.
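The firewall-from-database approach described above (rules held in the master database, rendered into textual iptables configuration and pushed out to hosts), as an added example that is not Memset's own code: a Python script, assuming a constructed SQLite table named firewall_rule, renders a default-deny iptables-restore ruleset for one host, and refuses to emit anything if any row fails validation, so a bad database row cannot silently open a port or break the firewall on the host.

```python
import ipaddress
import sqlite3

# Constructed stand-in for the master database (hypothetical schema, not
# Memset's own): one table holding per-host firewall rules.
SCHEMA = """
CREATE TABLE firewall_rule (
    id INTEGER PRIMARY KEY, host TEXT NOT NULL, proto TEXT NOT NULL,
    dport INTEGER NOT NULL, source TEXT NOT NULL, action TEXT NOT NULL
);
"""

# Constructed sample rows. Row 5 is deliberately invalid (port out of range)
# to show that the generator fails closed rather than emitting a partial ruleset.
SAMPLE_RULES = [
    ("vm-0042", "tcp", 22, "203.0.113.0/24", "ACCEPT"),
    ("vm-0042", "tcp", 443, "0.0.0.0/0", "ACCEPT"),
    ("vm-0042", "udp", 161, "198.51.100.7/32", "ACCEPT"),
    ("vm-0042", "tcp", 22, "0.0.0.0/0", "DROP"),
    ("vm-0042", "tcp", 70000, "0.0.0.0/0", "ACCEPT"),
]

def open_sample_db():
    """Create an in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO firewall_rule (host, proto, dport, source, action) "
                     "VALUES (?, ?, ?, ?, ?)", SAMPLE_RULES)
    return conn

def validate_rule(proto, dport, source, action):
    """Return an error message for a bad row, or None if the row is sound.

    Every field ends up inside a line fed to iptables-restore, so each one is
    checked against a whitelist instead of being trusted as it comes from the DB.
    """
    if proto not in ("tcp", "udp"):
        return f"unknown protocol {proto!r}"
    if not isinstance(dport, int) or not 1 <= dport <= 65535:
        return f"port {dport!r} out of range"
    if action not in ("ACCEPT", "DROP"):
        return f"unknown action {action!r}"
    try:
        ipaddress.ip_network(source, strict=True)  # rejects junk and host bits set
    except ValueError:
        return f"bad source network {source!r}"
    return None

def render_iptables(conn, host):
    """Render an iptables-restore ruleset for one host as (text, errors).

    Rules are emitted in database id order, so an ACCEPT from a trusted range
    can precede a wider DROP for the same port. If any row fails validation,
    text is None: the previously applied ruleset stays in force.
    """
    rows = conn.execute("SELECT id, proto, dport, source, action FROM firewall_rule "
                        "WHERE host = ? ORDER BY id", (host,)).fetchall()
    lines = ["*filter",
             ":INPUT DROP [0:0]",  # default-deny inbound; only listed rules open ports
             ":FORWARD DROP [0:0]",
             ":OUTPUT ACCEPT [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    errors = []
    for rid, proto, dport, source, action in rows:
        err = validate_rule(proto, dport, source, action)
        if err:
            errors.append(f"rule {rid}: {err}")
            continue
        net = ipaddress.ip_network(source).with_prefixlen
        lines.append(f"-A INPUT -p {proto} -s {net} --dport {dport} -j {action}")
    lines.append("COMMIT")
    return (None if errors else "\n".join(lines) + "\n"), errors
```

The rendered text is what a propagation script would write to a file and apply atomically with iptables-restore on the host.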

Security and brand concerns

Moving into the government hosting space, Memset has been able to dispel some of the myths that open source is insecure and unsuitable for high-security requirements. In fact, the company firmly believes that open source is more secure than closed-source software. Recent penetration tests carried out by Encription – a CREST- and Tiger-certified organisation – found there were no vulnerabilities or warnings of any kind. The tests included attempts to launch attacks on VMs sharing the same host server, and the failure to cause any impairment to the security performance of the attacked VMs demonstrates the integrity of the Xen-based hypervisor layer.

Gaining cross-government CESG accreditation for its service, including the open-source hypervisor, even though Xen itself was not certified, proves that any virtualisation software could be used to put multiple government servers on the same machine, regardless of the software’s security certification, as long as the different servers were themselves all at the same security level. There’s a lot of debate around virtualisation and whether VMware is better than Xen. But it’s not a big issue. You need to have a separate infrastructure stack on IL3 hosting anyway, as it can’t be connected to the public Internet. It’s possible to use Xen in that setting. If some people still have an issue, it’s possible to provision a private cloud. The Government ICT strategy, released in March 2012, said that open source solutions should be considered alongside proprietary frameworks during digital procurement. By 2015, the Government hopes to procure 50% of ICT through cloud-based solutions, and this highlights the need to get up to speed with a platform that’s relatively new to the public sector.

Is open source really enterprise-ready?

Despite the fact that there are several enterprises using open source to run mission-critical functions, there are some CIOs who still prefer proprietary software for their enterprise requirements. Their major concern is about the software being supported in the future with open source projects, and being reliant on an unpaid community of volunteers. There are several flaws in this perspective. First, you have this problem with commercial software too. What if the supplier fails, or, in the case of one like Microsoft, what happens when they change version and stop supporting yours?

Second, while some open-source packages are indeed more of a labour of love than something commercially motivated, as with the example of Memstore’s FTP/SFTP server, there is an increasing number of commercial entities that recognise the value in pooling their efforts in a collaborative manner and have bet the farm, so to speak, on open-source solutions. It’s worth remembering that OpenStack (the leading open-source cloud IaaS solution) is actually Rackspace’s code – the multi-billion dollar, number one managed hosting company. The company saw its market share being eroded by Amazon Web Services and its answer was to fight back by open sourcing its code base. It was a very clever move – the company has, in effect, united a number of Davids in the war on the Goliath that is AWS. Third, those CIOs simply do not understand developers. It’s arguably better to trust the projects that are a labour of love, provided you can be confident that, if push came to shove, you could take it on and become the lead yourself. This is because, unlike C-level executives, developers (at least, open-source oriented ones) are in general extremely bright people who are not overly motivated by money but are more interested in having engaging and challenging problems to solve. They also take satisfaction from collaboration, a bit like scientists, and are highly motivated by the kudos that contribution to open source projects brings. Even if a project does stop being supported, because of the aforementioned transparency and because (if you’re wise) the solutions are self-hosted (ie, you’re getting the software from someone other than the organisation providing the hosting) you are in total control of your own data and can easily migrate to someone else. Memset does not use Google Docs, for example, mainly because it’s not wise to put your company information on servers belonging to a company you don’t wholly and utterly trust. Instead, why not put your faith in a community of enlightened, liberal, intelligent people who are just trying to make things work a little better?

About the author

British entrepreneurs Kate and Nick Craig-Wood founded the hosting/cloud Infrastructure as a Service (IaaS) company Memset. They have recently attained a cross-government CESG accreditation for its service under the G-Cloud project. From the start they have exclusively used open source software for their business and infrastructure systems, combined with in-house development.

News continued from page 3

• The takeover of customer accounts increased dramatically, meaning that data-driven identity crimes now constitute the vast majority of all fraud in the UK.
• Conversely, frauds committed by the genuine account holder or applicant have all declined – the most notable being the decrease in fraudulent misuse of an account, which fell by over 15% from the record levels seen in 2011.

CIFAS cites the fraudulent use of identity information – either fake data or stolen identities – as “the biggest and most perturbing fraud threat”, accounting for around half of all frauds committed in 2012. There has also been a marked increase in ‘facility takeover’ fraud where, for example, a victim’s bank account is hijacked. This is achieved by a number of means, including hacking, phishing and other social engineering attacks. This kind of fraud rose by 53% during 2012. Frauds committed by the actual account holders actually declined in 2012, which is good news on one hand, but also masks the significant rise of other forms of fraud in the overall statistics.

“Organisations have invested heavily in updating and refreshing their security processes recently, ensuring that extra steps are taken to validate the identity of people with whom they are dealing,” said Kate Beddington-Brown, CIFAS head of communications. “In spite of this, however, identity crimes have continued to rise – demonstrating that far more must be done. Equally, for individuals, it is obvious that fraud relating to personal data is an immense criminal trade so, fundamentally, we all have to do all we can to ensure that we also protect ourselves from becoming a victim, as well as demanding that the organisations we deal with take their security responsibilities seriously.”

Events

11–15 March 2013: Troopers, Heidelberg, Germany. www.troopers.de
12–15 March 2013: Black Hat Europe, Amsterdam, Netherlands. www.blackhat.com/eu-13/
25–26 March 2013: 8th International Conference on Information Warfare and Security (ICIW), Denver, US. http://academic-conferences.org
5–7 April 2013: Security BSides Puerto Rico, San Juan, Puerto Rico. http://bit.ly/Q6wWFn
8–11 April 2013: Hack in the Box, Amsterdam, Netherlands. http://conference.hitb.org
14–16 April 2013: ASIS European Security Forum and Exhibition, Gothenburg, Sweden. www.asisonline.org/education/programs/gothenburg/
15–17 April 2013: InfoSec World Conference & Expo, Orlando, Florida, US. http://bit.ly/infosecworld
16–17 April 2013: Trust in the Digital World (EEMA), Brussels, Belgium. www.eema.org
23–25 April 2013: Infosecurity Europe 2013, Earls Court, London, UK. www.infosec.co.uk

CIFAS research shows a rise in most forms of fraud, particularly those crimes related to identity.
