By Richard Newman – Managing Partner, Reliant Security
When throwing ideas around about how we could better raise awareness about our company, Reliant Security, starting a blog where we share information and opinions with the world quickly rose to the top of the list. In July 2009 the act of blogging isn’t a new concept, but we think it is an important thing for us to do. After all, our company is driven by an open systems philosophy. For us, the best way to secure a system is by transparently using techniques and controls that are comprehensive, identifiable, and understood by all. For some, transparency and security may seem at odds with each other. One leg of the famous infosec C.I.A. triad – Confidentiality, Integrity, and Availability – is confidentiality, or the practice of protecting information (i.e. secrets) from unauthorized disclosure. Much of security, naturally, has to do with keeping secrets. Organizations that are steeped in security (for example, the other CIA – Central Intelligence Agency) are anything but open or transparent. They keep their secrets very secret, and often the methods and technology they use to protect them.
Does secrecy make a system more secure?
There is significant debate as to whether or not secrecy makes an organization or system more secure. By design, secrecy makes the transmission of information more difficult. Unfortunately, this also affects those who are intended to have access to the data in question. In government we have seen examples where two agencies that should be cooperating with each other have a hard time doing so due to both security technology and an overall culture of secrecy. In the mainstream technology world this debate can be seen in discussions about open source systems versus closed solutions relative to security. Open source is open and transparent, with the technologies and actual code used to secure them out there for anyone to review. Closed systems, like Microsoft Windows, don’t have this characteristic. The implementation of controls might be described by a vendor, but not with the same transparency that is an implicit aspect of open source. Additionally, when a vulnerability is discovered by a closed-systems vendor, the vendor sometimes elects to keep it secret until a patch is made available. Closed source vendors are often the best positioned to discover vulnerabilities, not only because of the information they gather through their support organizations but because of the R&D they do on their own systems, supported by access to the underlying code. There have been some great discussions as to whether or not open source is inherently more secure than closed systems. To read more on this, see blog posts by David A. Wheeler and Bill Vass of Sun Microsystems.
We are in the open source camp…
Reliant Security is firmly in the open source camp. The company’s core solutions are based on the notion that open source provides a lower cost, and often a more effective, alternative to traditional closed source security solutions for dealing with complex compliance requirements. We work in a space where the security solutions we help our clients implement are subject to detailed scrutiny because of the requirements for outside audit that come from compliance mandates such as PCI. “Security through obscurity” isn’t an option for us. Audit guidelines require that we both provide detailed design information and use industry standard solutions. It makes sense for us to engage in a policy of full disclosure with our clients and provide them with detailed information as to where our solutions come from, how they are developed, and how they work. In fact, the GPL, BSD and other open source licenses we use require us to provide our clients with full source code. I guess you could call this “open security.” As a commercial business whose purpose is to make money, we do have to take steps to protect our intellectual property, but secrecy isn’t an option. Instead, we count on two things:
- Our clients and competitors would have a difficult time re-inventing our architecture from scratch – even if provided with all of the open source code
- We have a process patent on the overall design
Still, we rely on the open source community for many aspects of our solutions and take the trouble to contribute back. This blog is going to be another way for us to do that. We are encouraging everyone at Reliant Security to post information here that the community at large will find both interesting and useful. Enjoy!