Is Linux user-proof?
Published: 27 April 2006 16:35 GMT
The Cabinet Office and IBM are working together on a secure open source environment for public and private sector organisations.
The Central Sponsor for Information Assurance (CSIA) said this week the initiative had been launched to assure public and private sectors that Linux could provide security in a complex environment.
The design is based on IBM Websphere and Security Enhanced Linux (SELinux), a mandatory access control application which gives "need to know" access to security.
Stephen Marsh, director of CSIA, told silicon.com sister site ZDNet UK: "We've been looking at Websphere middleware to say we can apply SELinux and a suite of applications with a security policy in a complex environment."
On Unix and Windows the administrative privilege rights can allow the wrong people to get unrestricted access to a system, said Marsh. "Mandatory access is controlled by the security policy, which defines what the administrator can do. The administrator can only do what the security policy says you can do, even if you escalate the privilege to root user," Marsh explained.
Hackers commonly gain control of systems by giving themselves administrative access as the root user, allowing them all rights and permissions in all modes.
Open source software has been growing in popularity in recent years, primarily on the server but increasingly on the desktop, too. The CSIA is keen to test it from a security point of view.
Marsh said: "Linux is emerging from academic and developer communities, and we wanted to see how it could work in a complex business environment. That meant work developing tools to allow systems administrators to simply apply a security policy."
Over the next month IBM, with partners Belmin and Tresys, will pilot Websphere in Durham and Darlington Health Trust. CSIA anticipates a smooth crossover from the Trust's existing Linux platform to SELinux.
Adam Jollans, IBM Linux strategy manager, said: "SELinux is a good example of how you take security to the next generation. We wanted to have wider access between government departments but also wanted to increase the level of security, without locking down functions."
CSIA affirmed its commitment to encourage the development of secure open source architecture for public sector organisations but said it would also work with vendors and recommend proprietary products where appropriate.
Harvey Mattinson, head of accreditation at the CSIA, said: "It is government policy to use open source where we can. We have a good working relationship with Microsoft but we're agnostic - we work with everybody.
"We're trying to provide a menu of different techniques in transforming government architecture."
Graeme Wearden and Tom Espiner write for ZDNet UK
Copyright © 2008 CBS Interactive Limited. All rights reserved.