Interviews

SELinux now enabled in AppArmor’s openSUSE

On Friday, Aug. 22, openSUSE announced that its newest version, 11.1, will support Security Enhanced Linux, or SELinux. Novell’s security tools, AppArmor and SELinux, have traditionally been considered intense rivals. In this interview, openSUSE’s Andreas Jaeger, Roman Drahtmüller and Matthias Eckermann discuss openSUSE’s support of SELinux.

OpenSUSE now has basic enablement with SELinux. That’s great for SELinux users now, but will openSUSE be able to integrate new patches for SELinux?

Andreas Jaeger : OpenSUSE is developed with a community approach; We are proud to have opened the openSUSE build service to the community, with the option to develop and package open source software cross-distribution.

As SELinux is a cross-distribution effort, we encourage members of the SELinux community to participate in the openSUSE build service: to develop, test-drive and integrate new user land patches and tools into openSUSE and other distributions using our cross-distribution service. This way, all distributions running with SELinux enabled in the Linux kernel will benefit.

Is support of SELinux indicative of a larger industry trend toward interoperability?

Roman Drahtmüller: Novell observes a tendency in the industry to increase the security value of a system by introducing additional controls beyond the scope of the application. This means the application is exposed to these controls but cannot change them.

In moving from AppArmor to SELinux, does a company sacrifice compliance benefits?

Drahtmüller: AppArmor profiles for application containment and confinement are comparatively easy to manage throughout an infrastructure. Creating them is a distinct, low-pain checkmark item. The same applies to evaluating log messages that record possible violation attempts against protected system services.

For customers, the transition to SELinux may need a change in thinking and architecture, but also allows for the definition of a complete policy in a system. It helps to disallow actions that are not subject to a defined policy. There are environments that require such a functionality — regardless of the cost associated with it — for compliance reasons.

We anticipate that customers with these requirements will aim for a SUSE Linux Enterprise operating system, as it targets the special needs of customers working in compliance-bound environments.

Security tools have created a tradeoff between capability (SELinux) and usability (AppArmor). Is Novell’s approach to this tradeoff changing with its basic enablement of SELinux?

Matthias Eckermann: As in earlier releases of our product, openSUSE 11.1 reflects our belief in the value of additional security mechanisms in the operating system. The benefit of such mechanisms is maximized if the configuration and administration is as transparent, straightforward and as easy as possible for administrators.

Security needs that aim toward mandatory access control, mandatory integrity control or even multi-level security require a suitable architecture. With the basic SELinux enablement, we will allow our partners and customers to use such an architecture to implement solutions that fulfill their specific needs.

Nevertheless, we want our users to be able to choose their own priorities between administrative effort and functional benefit.

What do you think? Leave a comment below or contact chunter@techtarget.com.

Varonis explains data governance, product DatAdvantage

During the week of LinuxWorld, Johnnie Konstantas, a marketing VP at Varonis Systems, a data governance software provider, talks about the company’s release of DatAdvantage and approaches to data governance within a company. 

What does DatAdvantage do?                                                                                                                     
Johnnie Konstantas: The focus … was to automate user-to-data mapping such that only the right users have access to only the data they need at all times. A sophisticated mathematical engine computes permissions revocations so that user access to data is always warranted by business need. DatAdvantage also ensures that data use is business warranted by providing the means to continuously monitor what users are doing with the permissions they have. DatAdvantage logs every user’s every “file touch” (i.e., open, delete, create, rename) and provides this information as part of a consolidated and searchable record. 

Why is data governance so important, even more so than it was five years ago?                               
Konstantas: IT managers are currently responsible for controlling access to business-critical and sensitive data — 80% of which takes an unstructured form (i.e., documents, spreadsheets, presentations, image and multimedia files, source code). A system of data governance that includes people, processes and technology for ensuring that access is warranted is the only way to implement access controls that are consistently applied and enforced through data growth and change. The rate at which unstructured data is created outpaces that of five years ago. Digital images from scanners and cameras, portable audio files, podcasting and Web content are being added to the scores of documents and spreadsheets that are produced for business communication. All of this now “business relevant” data must be protected, and access to it controlled as it is for documents and software code. In the next three years, the rate of data creation will increase still.  

What trends has Varonis seen in data access rights within a company?                                            
Konstantas: As a general trend, companies are seeing the need for unstructured data management become more acute as data growth explodes. IT operations are turning to Varonis to automate a process which is largely manual and quite costly. The steps taken for data management auditing and control for unstructured data are being rolled into the thinking, models and projects for overall data governance. 

How should a company think about data governance to make the most of DatAdvantage?   
Konstantas: Since most enterprises have not reviewed their data entitlement settings in some time (the process is almost impossible without Varonis which automates it), step one is to have IT review and clean up unwanted access controls. Then the data management shift from IT staff to data stewards can take place. A good governance environment has a specialized team in charge of entitlement management, but also involves IT in auditing the process.

How does data governance overlap with data security? How does DatAdvantage differ from data center security software?                                                                                                                   
Konstantas: Data governance as a model and framework includes the safeguarding of data that is business-sensitive. IT greatly reduces the risk of data loss and misuse by revoking unwarranted permissions and limiting control according to a business’s need-to-know. Data governance comprises much more than security, however; it ensures that data stewards rather than IT staff manage entitlements to data and determine which data is worthy of archiving, deleting, preserving and protecting. The two products in Varonis’ data governance suite provide the means to both manage entitlement to and determine treatment of data. DatAdvantage helps IT remove excess permissions and identify data business owners. Varonis DataPrivilege puts data stewards in charge of their data by giving them the means to manage all entitlement requests and to audit data use.

Novell’s Steinman upbeat on growth, partnerships

Novell Inc. may be a distant No. 2 to Raleigh, N.C.-based Red Hat. Inc. in sales of its open source operating system. But that doesn’t daunt Justin Steinman, Novell’s director of product marketing, Linux and Open Platform Solutions.

In an informal chat over lunch at the Naked Fish around the corner from Novell headquarters in Waltham, Ma., Steinman said his landing at Novell four years ago, right out of MIT’s Sloan School of Management, was great timing ahead of the current growth curve and a great opportunity to be part of Roger Levy’s management team. (Levy is senior vice president, general manager, Open Platform Solutions.)

Growth is the story with Novell’s SUSE Linux Enterprise, with billings climbing 200 percent last year, due to $156 million in sales of Microsoft SUSE certificates during the past six quarters, plus organic growth in SUSE’s core customer base, Steinman said. SUSE added 4,700 new customers last year, which collectively are an “arrowhead for growth,” helping to boost new business orders by 69% in the first quarter of 2008 and 38% in the second, he said. Novell’s status as a preferred partner to Microsoft and SAP might sway some prospects into the customer column as well, he said.

”But Microsoft (which committed to selling $240 million in SUSE certificates as part of its 2006 agreement with Novell), is less and less a part of our Linux business because the core [customer base]is growing,” he said. “I’m very bullish on Novell.”

The economics of open source are “very compelling,” and businesses like having the control that comes with access to the source code, he added.

Steinman wasn’t divulging any secrets over lunch but he did say hat Platespin, which was acquired earlier this year, should be fully integrated into SUSE by Nov. 1 and that SUSE 11 is on track for release in the first half of next year.

Novell also is busy completing work on open-source translators for Microsoft’s System Center, he added, including systems management, document format, accessibility for the disabled, directory and identity, virtualization and the Moonlight open source version of Microsoft’s Silverlight web browser plug-in.

With customers like Wal-Mart, Southwest Airlines and German Air Traffic Control, Novell is proving that Linux is ready for mission-critical workloads, he added. At the same time, Novell SUSE is reaching out to small- and medium-sized businesses with its JeOS (Just Enough Operating System) mini-operating system appliance for building applications because it enables ISV’s to serve that market, he said. JeOS is downloadale in beta. More building tools for JeOS are expected soon.

Animating Red Hat Summit

Among those tapped to deliver keynotes at this year’s fourth annual Red Hat Summit are some traditional choices, those who will likely tout the business benefits of using open source technologies, speakers like John Halamka, the CIO of Harvard Medical School and Beth Israel Deaconess Center, and Jim Whitehurst, the president and CEO of Red Hat Inc.

But also included are some colorful choices, like keynote speaker Joel Cohen, a writer and the associate producer of The Simpsons, who will discuss how the business values of open source have fueled creativity and innovation for the series, now in its seemingly unstoppable 20th season. In a recent interview, Cohen admitted that he knows little about open source technology — let alone Red Hat — but according to the PR firm the Lavin agency, his speech really addresses how to stay innovative in pressure cooker-type competitive business environments. The title of Cohen’s address is “The Business Tao of Homer: Lessons in Creativity and Innovation from The Simpsons.”

Given the focus of some of the later sessions — from tracks on middleware and beyond the operating system to granular sessions on decoding code and open source in virtual environments — this keynote may set the tone and give some perspective on why attendees use open source in the first place: Flexibility, openness, and fresh ideas are always the building blocks of business.

Ubuntu Server receives positive reviews

Ubuntu isn’t just for desktops. Behind the scenes, corporate IT managers have put Ubuntu to work on servers. Don’t believe me? Well, I can name names. I can also tell you up front that Ubuntu Server gets high marks for its corporate support; easy backups, installs and upgrades; documentation, and more. 

So I set out to find some IT pros who could talk about Ubuntu Server, which wasn’t hard. I just asked, “Who’s using Ubuntu?”  in a SearchEnterpriseLinux.com newsletter. Here are some respondents’ views of Ubuntu Server, both positive and not-so-positive.

In the past, Linux has gotten dinged for poor corporate-level support; but Canonical Ltd. — Ubuntu’s corporate parent — got support right with Ubuntu’s Long Term Support (LTS), according to Jim Read, an IT administrator for a financial institution.  “We have stuck with 6.06 LTS, and it has worked well,” Read said. If he changed support providers, he’d have to do major system reconstruction, but LTS 6.06 hasn’t given him a reason to consider a change.

Another common point in Ubuntu’s favor is its ease of use, particularly with upgrades and backups.

 ”Backups are so very simple, there is lots of advice about what to back up other than data so that server recovery is reasonably straightforward,” said Iain McKeand, IT systems administrator at Oxford Policy Management.

One admin has had such a smooth Ubuntu upgrading experience that he will upgrade even though he doesn’t have to. His Ubuntu servers “just sit there cranking” and don’t have to have “the latest stuff,” but he’s found that the Ubuntu upgrade process is painless and easy.  “We’re going to upgrade the 6.06 machines within the next few months as time allows,” he said.

Ubuntu Server gets mixed reviews for ease of use in other categories.

Sometimes the need for manual system configuration outweigh the cost savings of using a Linux server, some IT pros say. You’ve got to know Linux pretty well to get the most out of Ubuntu.

Read has encountered problems with dependencies: “The largest issue I had was when I had to install an application from source to make sure I had all the dependencies that were needed to compile the source effectively.”

Linux-savvy admins can get around such problems, Read added. He recommends source applications on Ubuntu over graphical user interface-based ones.  Though they take a long time to mount, source applications allow for more administrator control.

Some users have found Active Directory particularly easy to integrate with Ubuntu, but some have encountered problems. Those in the latter category  say that previous releases of Ubuntu haven’t been easy to use with Microsoft Active Directory, particularly in authentication. They think the new Hardy Heron release should solve that.

On the positive side, Dan Smart, an IT admin at a Fortune 500 mining company, reported, “The new Active Directory integration is excellent. The application they use, Likewise Open, is so much easier than using the PAM Kerberos method or PAM WinBind method of authentication. Works seamlessly.”  

McKeand also found that integration of Ubuntu and Active Directory was fairly straightforward and “has surely been easier year on year.”

Even Windows-friendly administrators have turned to Ubuntu. Ubuntu’s performance marks are very strong, said several of our respondents who have benchmarked it themselves against Windows servers. Some also said that their shops that run mostly Windows servers use Ubuntu for applications Windows does not support.

When compared with Windows, Ubuntu’s support and product pricing has attracted corporate IT managers.  Jim Mirick of Automated Member Services Inc., said: “Our business would be quite different without Ubuntu, because we would have had to spend a lot of time and energy trying to mash more stuff onto one Windows box [due to budget limitations].”

Ubuntu Server has served some companies so well that they don’t want their competitors to know they use it.  “We do both Linux and Windows, [as] I didn’t want to limit my opportunities,” explained an IT pro and respondent, who wished to remain anonymous. He stopped publicizing his decision to use Ubuntu as a core server technology because “I felt this was a competitive advantage.”

If you don’t have to keep your Ubuntu Server a secret, then write to us. Chime in with your Ubuntu Server stories in the comments section below or by emailing me at chunter@techtarget.com.

Rowgen the full package, IRI CoSort says

Data protection and security may become easier if a new Linux-friendly product from IRI Cosort delivers on its promises. The product, Rowgen, integrates the formerly independent tasks of data sorting and data synthesis.

“A lot of security softwares are device-centered or hard drive-centered. We’re applying protection to specific fields so that you can access the parts of a document that don’t need to be protected,” IRI CoSort’s David Friedland told me recently. Friedland, vice president of business development, said the product reveals a new vision of software security.

IRI’s CoSort’s product page for Rowgen explains, “Until now, you could either forgo adequate testing and make inaccurate suppositions and extrapolations, or, you could spend a lot of time writing custom 3GL or shell programs to build specific test sets with the layouts you want,”

Friedland claims that Rowgen is breaking new ground in being able to run comprehensive tests while administrators perform multiple other tasks simultaneously. The software is compatible with a variety of Linux flavors, including Itanium, SUSE, Fedora Core and Ubuntu.

The target customer for Rowgen is the “security-sensitive manager,” Friedland said. These IT managers have a great need for stronger data protection as information theft crime is on the rise, he said.

On the flip side, automating data security in this way may have a negative impact for lower-level security administrators. Fewer programs will mean fewer employees required to manage them; data center security will change shape in more ways than one.

Sailing on Linux (and chicken) wings at MIT

In response to the last post I wrote for this blog, a user commented: “It’s the opposition that has the boring names. Linux is fun, don’t ya know.”

Well, now I know.

This week, I went to my second Boston Linux and Unix Users (BLU) group meeting at MIT. It was also my second time going alone, and I once again felt a tad timid. A young, female reporter at a BLU meeting, I have learned, is much like a hippie at an NRA meeting — people are curious.

The topic of the night’s presentation was High-End Audio on Linux. I figured I would get to hear some music and pass out my business cards to Linux admins and potential interviewees. And I was right; my pencil broke early on because I took mounds of notes on audio software engineering while periodically perking up for music demos.

But they weren’t done with me yet. Two Linux admins chatted me up after the meeting, subsequently inviting me for free chicken wings at MIT’s student hangout, the Muddy Charles.

I followed and learned about the rise and demise of the legendary Boston Computer Society, the largest such group in the world at one point, and about MIT’s other student bar, The Thirsty Ear. “Does it usually have live music?” I asked. No, that’s just the name. On the third leg of my progressive Linux party, I saw a video of the MIT Salsa club in action. I made a new buddy when I said I had taken Flamenco classes in Spain.

So I haven’t drunk any Kool-Aid but have now officially eaten the Linux chicken wings. Can I take off my “Ms. Linux Chicken” name tag now?

Linux on the desktop: Soon, but not yet

This blog was contributed by SearchEnterpriseLinux.com expert Sander van Vugt.

At Novell Inc.’s annual BrainShare user conference in Salt Lake City, I talked to Guy Lunardi, one of the most important guys behind Novell’s SUSE Linux Enterprise Desktop (SLED). I had one pressing question for him. I showed him my new Dell XPS laptop, which has a lot of fancy stuff and runs out of factory Windows Vista (since that is the only OS that will allow me to use all the fancy stuff). So I asked him, “When will I install SUSE Linux on that?”

He responded, “Sander, if you go to a shop, buy a Vista DVD and install it on your laptop, do you think it will all work?” The answer was of course not.

When you introduce new hardware, one of the major issues is driver support. “Currently we are talking a lot with the people that develop the devices that are in these new computers to make sure that Linux drivers will be available,” Lunardi explained. “We help them wherever we can and it’s only getting better. It helps that we have some major customers like the Peugeot car manufacturer in France that demand specific functionality. They ask [for] a feature, we’ll make sure they get it and the result of all the effort will be in our new software.”

So there have been lots of developments recently. As a result, when it comes out later this year, openSUSE 11 will be as good as Windows Vista in supporting devices. “But,” Lunardi assured me, “you’ll always have to complete the installation of your operating system by downloading and installing additional drivers. That’s the case for Linux, [just] as it is the case for Windows.”

Fair enough. I’ll give it a try when openSUSE 11 comes out.

IT job strategies: Vendor vs. generic certifications

IT pros are divided on the value of brand-name certifications. On the one hand, vendor-neutral certifications seem a better fit today’s world of commoditized products. Then again, a Red Hat certification certainly appeals to the majority of Linux-friendly employers.

Last week I chatted with Linux Professional Institute (LPI) president and CEO Jim Lacey about the merits of vendor-neutral certification. In November, LPI joined forces with several organizations, including Hewlett-Packard, IBM, Microsoft, Novell and Sun, to revitalize the certification market by forming the Information Technology Certification Council (ITCC). Responding to the Lacey interview, users generally agreed that specialization is useful and can win jobs; but today’s IT environments require IT pros who can think outside just one vendor’s box.

Jesse Becker, a member of the DC Linux User Group (DCLUG), values peers who can apply their specific knowledge to a larger scope of products and technologies. “A good generalist can probably do whatever is needed, even if they may take slightly longer than someone focused on a specific product or system,” Becker said. “Knowing how IP, disk partitions or file systems all work is much more useful than just knowing how to run tools or knowing the magic options to ifconfig, or fdisk or fsck.”

Most Microsoft pros are not good generalists, and most Linux pros are, says Ed Kohlwey, technology director of The ASCII Group of Bethesda, Maryland. Largely, Linux pros have had to be able to work in heterogeneous data centers. Microsoft pros have not, but that’s changing.

Linux administrator Ed Sawicki of Lake Oswego, Ore. thinks vendor-neutral certs encourage innovation and could help break up IT vendor monopolies. “Corporations tend to solve problems in ways that maximize their profits. I don’t believe this changes just because the vendor is selling open source software like Linux. Vendor-specific certifications encourage people to build social capital in specific brands, thus encouraging the formation of a monopoly. We’re all better off if certifications are neutral.”

Vendor-neutral certifications are most useful with commoditized, broadly available and rapidly changing technologies, according to Forrester Research analyst Jeffrey Hammond. They also help IT pros deal with issues independent or orthogonal to specific technologies like programming languages and database products.

On the flip side, Kohlwey told me, vendor-neutral certs may lack clout with employers, who don’t know what those certs mean. It’s easy to recognize the value of a certification from a big vendor, such as Novell, Red Hat, Microsoft or Sun. So, employers most often judge the merits of an IT professional based on their own experience with and current usage of a certain product.

Vendor certs are effective marketing tools for IT professionals, says DCLUG’s Becker. He thinks that’s unfortunate. He’d rather work with or hire an IT pro “with no certifications and a firm understanding of the tasks at hand,” instead of someone who has many brand-name certifications and can’t think outside the box.

If you want to sound off, leave a comment below. Thanks to the DC Linux User Group for sharing their thoughts on the subject.

Vendor-neutral Linux certs becoming popular

Linux Professional Institute President and CEO Jim Lacey told SearchEnterpriseLinux.com that he believes vendor-neutral Linux certifications are becoming more popular and signal a larger trend within IT of area specialization versus proficiency with a single product. Lacey also tells us where he thinks Linux managers face challenges in the enterprise.

SearchEnterpriseLinux.com: Recently, HP announced that it would require LPI certification as a prerequisite for its HP Certified Professional Program. What are the trends in Linux certification? Which certification sets have fared well in the Linux marketplace?

Jim Lacey: Linux and open source are becoming more entrenched in larger organizations, and the consistent growth of the LPI organization over the past eight quarters is evidence of that. One of the reasons we are seeing growth is because we aren’t allied with a certain product. Our programs are vendor independent.

Vendor-neutral certification is becoming more important. As things become more ubiquitous, it’s becoming more difficult to standardize on any one product or platform; people are becoming more IT focused in different areas rather than skilled with specific products. Whether you started out on Unix or Windows, you really need a wide variety of skills. Obviously, professionals working in markets that are most saturated, such as the Windows certification markets and even in the server market, aside from the [professionals with] power-user certifications, are looking to expand their skill set. Vendor-independent certifications are really starting to take hold, and that’s where we are seeing some of the growth coming from in the IT space.

SEL: So if certifications have become less product oriented, how do people track their professional development? Are they following specialized area interests in, say, virtualization or Web services?

JL: Definitely. This is one of the things that we are starting to see, as people become more familiar with the technology. To address these more specialized areas, LPI launched the LPI Level 3 certification in January 2007. As we took our questions to the global marketplace, we heard that operating in a mixed environment was important to enterprise customers. More specialization occurs at the top, in different vertical areas, such as virtualization and also security, Web services, mail and messaging. These areas can become much more vertical in the future, especially in mixed environments.

SEL: How are Linux administrators using these certifications?

JL: At the higher levels of certification, people who are more senior in the enterprise with three or more years of experience with Linux in a corporate environment are moving into more mission-critical areas.

In years past, people were certainly using Linux, sometimes unbeknownst to the CEO and CIO of their organization, because it was solving print services or Web services problems. But now that it has become more entrenched, people are looking to upgrade what their Linux OS does or Linux environment does. And that’s why you’re seeing success in the Linux IT space, with products like Sugar CRM being deployed, proving its value. Others are also making that same transition.

SEL: What challenges do you see facing Linux managers in the enterprise-level IT space?

JL: Even if a manager is working on a mission adoption curve, a disruptive technology such as Linux or open source always presents a challenge. I think that the biggest challenge is in the amount of applications available. As companies look to migrate, they are looking to user-end applications. Security, portability and scalability are also to be addressed.

When you look at the trends for North American enterprises with between $50 million and $1 billion in revenue, whether they’re in applications, servers, database management or software development, more than 50% of these companies are doing something with open source, including widespread adoption, limited adoption, and evaluating a pilot. And in the enterprise, we are seeing a growing wave in services. As more funding goes behind services, open source usage in companies trends upward.

Some of the figures to which Lacey referred to can be found in the following reports:

Optaros 2005: The Growth of Open Source Software in Organizations
Actuate 2007
Ovum Research 2007

We would like to hear from you. If you have an opinion on vendor-neutral certification, please share it in the comments section below.