Comment: Open source can also be highly secure

Hocking expects a move away from expensive license-based ICT systems to more open, interoperable ones
Marc Hocking, Becrypt

The UK government’s recently reaffirmed aim of moving to open-source software is a good one for driving cost savings, particularly in light of austerity measures. Open-source products, however, often need to be fortified with ‘secret sauce’ (i.e., proprietary software components) in order to make them fit for purpose and to pass the stringent CESG approval processes.

Using open-source software as the basis of a technology stack is obviously a cost-effective approach to take because the software is free and there are few licensing issues. Nevertheless, the caveat has always been security. The prevailing opinion within the IT industry has been that proprietary must be more secure and therefore better – this is not always the case.

When combined with layers of specialist software, which is the value add from the vendor, open-source systems can deliver highly robust applications that are not only fit for purpose, but extremely cost effective. Due to their open nature, such systems are very portable, scalable and interoperable. These attributes further protect investment, making these systems a very real option for industry and commercial enterprises, as well as government.

It has been reported recently that open source ‘is effectively banned’ from government IT because it cannot get clearance from CESG, the information assurance arm of GCHQ. Pure open-source products would indeed struggle to meet CESG approval; however, taking a blended technology approach, products can achieve CESG approval. Becrypt is testament to this.

As the government continues to drive cost-cutting measures in the coming years, more and more of the IT vendor community will move towards providing solutions based on open-source technology, simply because market forces will demand it.

However, it is never going to be as straightforward as organisations simply downloading open-source products and giving staff open season to choose what they want. While open source has been embraced on the server side, with Apache Web Server being one of the most popular and included in many other branded servers (such as IBM Websphere), there are still issues with its adoption on the desktop.

Open-source products generally need to be hardened to make them fit for purpose, particularly in a government environment, and at the moment there is confusion about who owns that risk. ICT good practices still need to be followed, and open-source products need to be selected with the same amount of due diligence as when selecting any new IT product. Good engineering practices are still required when vendors produce new products based on open source, and blending the open source with the proprietary ‘secret sauce’ will still require highly skilled and experienced developers.

The IT industry is cyclical, like any other. In 1981 IBM built the first business PCs, but it expected to be selling mainframes forever, and Microsoft supported the hobbyists and home users. Now, thirty years later, we are once again poised for change as people are moving away from the desktop towards the cloud. In computing terms this is the old mainframe model jazzed up for the modern age.

As organisations – including the government – move to the cloud model, and people get used to new ways of working, we will begin to see a change to the desktop. People will no longer insist on Microsoft Office, scared to try any other products in case their Word documents won’t work. People will be happy to use an open-source word processing application, and compatibility with other products will be the norm, much like in the early days of the PC when there were other products, such as Lotus 123 and WordPerfect. Currently security is often given as an excuse not to use open source, but with blended technology that is fully approved this fear evaporates.

While it will clearly take many years before large corporations are running their ERP systems on open-source based systems, the trend towards cheaper software is certainly here – we are seeing this in the huge proliferation of extremely cheap apps and games available for iPhone, iPad, and Android devices. It will start with government and SMEs looking for more cost-effective ways of working, with the more agile vendors stepping in to plug this gap in the market. The next stage will be divisions of large corporates looking for ways to differentiate themselves for individual projects or products/services.

Eventually we will see a move away from expensive license-based proprietary ICT systems, to a much more open, interoperable and cost-effective way of working.

Marc Hocking is chief technology officer at Becrypt. Before joining Becrypt, Hocking was with the UK Government Cabinet Office where he worked closely with major departments to develop solutions to support the delivery of a number of cross-government projects. He spent 10 years in a variety of roles within global financial institutions, working on systems that included PKI, authentication, authorisation, and privilege management infrastructure.