Policy Support for FLOSS Implementation
Free (as in Libre) and Open Source Software (FLOSS) has not yet been implemented widely. I am of the opinion that it has many possibilities, especially in the public sector, and can save IT implementation costs considerably. Herewith a report I compiled to this effect.
As the CIO of Department X, I wish to report on research into the development of a possible FLOSS implementation policy and on IT security.
Our department was recently under a severe virus/malware/Trojan attack which not only destroyed our data, but also affected the productivity of the whole department. We lost 3 weeks in man-hours while all 250 client computers had to be cleaned of viruses and the server environment had to be re-installed. Not only did the antivirus solution fail to update automatically every day, but our internet access also allowed users to reach malicious sites, exposing them to malware attacks. We also lost R75,000 in thefts of notebooks because we do not have proper policies with regard to access control.
During our recent virus attacks, we also found that our proprietary operating systems had numerous open ports, back-doors and other security loopholes, making it easy for hackers and malicious code to enter our network. We discovered that many servers and services could be provided by Free/Libre Open Source Software (FLOSS), which proved to be more secure.
With regard to our systems infrastructure, our department is also under huge financial pressure: licensing fees alone amount to R500,000 per year for a relatively small department of 250 users. To extend some of the services necessary to improve our policies, we would have to procure more expensive proprietary software with yearly and per-seat licensing fees. By utilising FLOSS where equivalent software is available, we could save on these implementations and, in some cases, even improve the security and productivity of our networking environment.
In this report, we give a brief overview of IT security and FLOSS and then indicate the policy options available.
Brief Description of IT Security & FLOSS
The importance of IT security cannot be overemphasised. Since computers were introduced in business, the industry has encountered many different security issues, ranging from computer hardware theft to computer viruses, malware and adware applications used to obtain information or money. These crimes have cost many companies billions. A few examples:
- A desktop computer was stolen from VISA’s offices in California in 1996, which cost the company $6.3 million in replacement of VISA cards of affected customers. Imagine the effect it could have had if the card information had been used for purchases (Worldsecuritycorp, undated). In 2008 a group of hackers stole 45 million credit and debit card numbers by using “a combination of war-driving, sniffer software, and SQL Injection attacks” (Swanson, 2008).
- The Journal of Commerce reported in 1993 that an ex-employee of Hauser Chemical Research had stolen $60 million worth of sensitive information. Apparently, the suspect took the data because he thought he could use it in his new position (Worldsecuritycorp, undated).
- Sentor (Sentor, 2009) reported in September 2009 on a Facebook fraudster from Moscow who lets you pay for Facebook hacking and passwords. After payment, obviously nothing is delivered to you. Because the buyer was trying to do something illegal, no complaint can be laid with the police!
- Many Facebook profiles reveal personal (and often too much) information that is not set to “private”, which effectively gives fraudsters the opportunity to use personal information for fraudulent activities, for example, to open a bank account.
The University of Texas’ Information Technology Services offers a guide to its students to protect themselves and reports that many Facebook users have been in trouble because “information you post on a social networking site may reveal indiscretions and worse to future employers, college professors, or even your parents” (The University of Texas, 2009).
- Already in 2001, the ICSA Computer Virus Prevalence Survey (Bridwell & Tippett, 2001) found that virus attacks rise yearly and were costing companies on average $69,000 per attack in 2001 (2001, p.22). There is no doubt that IT security threats are a major risk to businesses and individuals alike, in spite of the fact that many organisations do not even report security violations (Moore et al., 2001, p.1). “Organizations wish to avoid the publicity that accompanies computer abuse” (Baskerville, 1993, p.376).
Many different security threats exist in Information Technology, of which social engineering is probably currently the biggest, due to the popularity of social networking sites like Facebook and MySpace. Social engineering is the process whereby a fraudster uses personal identification to access information he/she should not have access to. Typical examples are brute-force cracking techniques to crack passwords and gain access to personal information or computer profiles, thereby pretending to be someone else. Another example is malicious code (malware) which extracts personal information by using key loggers, or fraudsters hacking into institutions’ systems and gaining access to their data. Generally, these threats can be classified into threats that are destructive in nature (like viruses, worms, Trojans) and threats that are non-destructive but provide access to sensitive or confidential information (malware, phishing etc.) or deny proper service (worms, spyware, adware). A brief description of the most common threats follows:
- Phishing is when users click on a link which takes them to a counterfeit web site where they are asked to enter their personal data. Recently, most South African bank clients were attacked in this fashion. “A phishing email might look exactly like a legitimate email from the recipient's bank and may request that the recipient confirm some personal details or visit the website to carry out some sort of transaction” (Haythorne, 2009). These banks recently issued warnings that such emails do not come from the bank and are therefore not legitimate.
- Malware/Spyware/Adware is any software code that runs without the knowledge or intent of a user to perform actions not requested by the user, either to attack data on the hard drive or to effect a “Denial of Service” attack. Spyware aims to extract information without your consent, and adware is often used by companies for advertising.
- Trojans / Backdoors / Worms are small applets that enable remote access to networked computers, or execute when another program is run, consequently starting a routine on your computer. These small applets can give remote access to a fraudster, can erase information or can destabilise and crash your operating system.
In summary, IT security measures therefore aim to protect physical assets from theft and damage, as well as to protect the integrity of data on systems and the integrity of the users of IT.
FLOSS / OSS / FOSS are the common acronyms by which Free / Libre Open Source Software (FLOSS) is referred to. FLOSS has its roots in the GNU Foundation, started in 1984 to provide free software. In general, FLOSS is wrongly perceived as “free” software, meaning software that is available at “no cost”. Stallman (2008) explains that free software is not (necessarily) free in price; the freedom lies in changing and distributing the source code as one wishes. The emphasis is on sharing the source code: “the GPLv2 just says that you have to give source code back” (Torvald, 2007). “Open-source software puts the right to make changes to the software in the hands of the public, rather than a company” (Devaney, 2009). The aim of GNU was to develop a free Unix-like operating system and software.
But when one talks about free software, everybody thinks it’s about Linux. Linux is not GNU and vice versa. Linux is an operating system developed by Linus Torvalds and forms part of the GNU open source development. Exactly because of the GNU mission, the source code was shared and distributed, resulting in many distributions (called distros) of the Linux source code (Gentoo, Red Hat, Fedora, SuSE etc.). Some of these distributions even come at a price (e.g. Red Hat Enterprise), emphasising that “free” doesn’t necessarily mean no cost. Linux forms part of the GNU project of Open Source Software and is the operating system part thereof.
The biggest threat to achieving this department’s strategic objective concerns the protection of institutional knowledge and information. It is therefore paramount that we develop a policy to enforce the security measures that safeguard our information. As CIO, I therefore propose the following policy guidelines in this regard:
- Antivirus software and protection against malware, Trojans, spyware etc.: The department should install antivirus software which can be managed and updated centrally on all client computers. No client computer should have the option of manually disabling the antivirus software. The IT unit should ensure that the antivirus definition files are up to date. Preferably, the antivirus solution should also be able to protect against spam.
- Access control: No user of Department X should be allowed in the server room. All users will adhere to the username and password policy (frequent changes, length etc.) and will only have access to the information necessary to perform their duties. This can be controlled by Microsoft’s Group Policies, or by Kerberos rules and certificates together with group and user permissions in Linux. Logical access to files and folders should be monitored and controlled by user rights and permissions at file and folder level. Physical access control should also be implemented at all entrances to the building, preferably with RFID (Radio Frequency Identification) tagging of notebooks and other ICT equipment.
- Firewall and proxy: A combination of a hardware firewall and a proxy server should be installed to monitor and control inbound and outbound access. The hardware firewall should be monitored for any security breaches. The proxy server should be installed with NAT and IP security rules, should be able to grant different levels of access to different users, and should block access to inappropriate web sites.
- User training: Users should be trained in the proper use of email and the internet to ensure that they do not become victims of phishing attacks. A proper study should be undertaken to determine the value social networking might have for Knowledge Management in the department. Consequently, users should also be trained in the safe and proper use of social networking, with the purpose of managing the tacit knowledge of the department.
As part of the policy guidelines, one should never forget that human beings sit behind IT. As stated in a presentation by Peter Kornerup, “security is a people problem” (Kornerup, 2008, p.15), and being a “people problem”, it is equally important that “people skills” are also implemented. Therefore, we should also ensure that the principles suggested by Dhillon and Backhouse (2000) are implemented. “Inculcating a subculture where responsibility, integrity, trust and ethicality (RITE) are considered important and are the first steps in securing the information assets of the organization in the future” (Dhillon & Backhouse, 2000, p.127).
FLOSS is increasingly becoming a worthy competitor in the software market. Many governments worldwide “are increasingly converging to open standards to reap significant benefits, namely interoperability, flexibility, and avoidance of vendor lock-in” (Simon, 2005, p.236). The Mark Shuttleworth Foundation launched a major campaign in 2007 (Go Open Source) to convince the South African Government of the benefits of Open Source Software (OSS). Other countries have gone even further on the FLOSS roadmap. The Malaysian Government has opted “to move all public administration to Open Source software” (Lynch, 2008), and President Barack Obama asked Sun to explain how the US government can benefit from OSS (Asay, 2009). Li & Zheng argued that “OSS will help China solve the piracy problem, as well as change the competitive landscape of the software industry” (2004, p.52) and made bold proposals to promote OSS in China. It is clear that FLOSS is becoming more and more a viable choice for governments.
The licensing costs of the Windows platform are a major concern for business and government, especially the support and maintenance costs thereof. Business in South Africa launched a campaign after the turn of the century (BSA) to get rid of pirated software and get legal. Russia, for example, has been listed as the country with the most pirated software, but the Russian government “has hit out at Microsoft, claiming the software giant's overly strict and costly licensing regime is to blame for the high rates of consumer piracy in the country” (McCue, 2007). Gartner also warned business in 2004 that licensing costs could rise by up to 50% by 2006 because of technological advancements.
This is because four emerging trends in hardware threaten the traditional pricing model, based on hardware capacity or central processing unit (CPU), used by Oracle, IBM, Sybase and many other software companies. The trends include:
- The move towards multi-core chip architectures
- The move to virtualise hardware resources across physical servers
- Growing availability of servers to support capacity on demand
- Increased interest in rapid provisioning tools
(Gartner, 2004). It is reported that the US government “spent $3.7 billion on software in 2000” (Comino & Manenti, 2005, p.4). Research done by the FLOSSPOLS project in 2005 (Gosh, 2005) found that “the need for customisation and perceived high license fees are strong drivers for FLOSS” (p.35). Although costs are found to be a factor in adopting FLOSS, Cassel found that governments’ implementation of FLOSS was often driven more by “independence and self-determination than by a desire to cut costs” (Cassel, 2008, p.193).
As a result, many governments do opt for FLOSS. China is reported to have seen a “massive adoption” (Gosh, 2005) of FLOSS software, and in Brazil there is a requirement that 80% of new software purchases must be free software (Gosh, 2005). The South African Government adopted a policy in 2007 which states:
- “The South African Government will implement FOSS unless proprietary software is demonstrated to be significantly superior. Whenever the advantages of FOSS and proprietary software are comparable FOSS will be implemented when choosing a software solution for a new project. Whenever FOSS is not implemented, then reasons must be provided in order to justify the implementation of proprietary software.
- The South African Government will migrate current proprietary software to FOSS whenever comparable software exists.
- All new software developed for or by the South African Government will be based on open standards, adherent to FOSS principles, and licensed using a FOSS license where possible.
- The South African Government will ensure all Government content and content developed using Government resources is made Open Content, unless analysis on specific content shows that proprietary licensing or confidentiality is substantially beneficial.
- The South African Government will encourage the use of Open Content and Open Standards within South Africa” (2006, p.3).
The policy statement of the South African Government states that this policy “establishes a clear preference for FOSS/OC in the South African Government” (Dept of Public Service and Administration, 2006, p.4). Brazil took a hard stance towards FLOSS implementation and attracted much criticism for this, in that such a governmental endorsement of FLOSS is creating a “different kind of monopoly that excludes proprietary software makers” (Kim, 2005, p.57). But such a governmental endorsement will foster FLOSS development. As Stallman puts it in the Foreword to Wong’s book, “mandating migration to Free Software in government agencies will create demand for these graduates’ skills, and build a local economy of Free Software support” (Wong, 2004, p.v). Waring & Maddocks (2005) also concluded that FLOSS “has to some extent revived the enterprise spirit of the programming community and has started to bring competitive choice and freedom back to the software marketplace” (p.422). Although the SA Government policy clearly shows a preference for FLOSS, it does not mandate FLOSS; it thereby promotes the benefits associated with FLOSS implementation while also leaving room for proprietary software to compete. And as Comino and Manenti’s (2005) research has shown, the informative policy “is the less intrusive one and, at the same time, it is the policy that performs better in terms of welfare” (p.19).
The roadmap towards an EU policy with regard to FLOSS makes very useful remarks by stating that, although the debate in the past focused on preventing monopolisation by proprietary software developers, the focus has shifted more and more to the increasing demand for and dependence on software development. “So the EU policy for OSS can be viewed as having two main goals–primarily that of ensuring the freedom for OSS to prosper and be successful, by protecting competition. This in turn will imply the second goal–that of positively supporting OSS development and take-up with active measures to encourage new avenues while creating employment inside the EU, and possibly elsewhere.” (Forge, 2005, p.491). Forge thus concludes that FLOSS is not only about cost savings; FLOSS can also foster new initiatives in the development of software.
The Provincia di Roma has, under the leadership of the Italian Minister of Innovation & Technologies, set up a directive for the promotion of FLOSS in public administration. Their research found the following advantages:
- “Initial low cost and cost reduction (not just licences)
- Supplier’s independency
- Control, Reliability, Flexibility, Security
- Better opportunity for local enterprises and European market
- Reuse and easy distribution of ICT solutions and knowledge
- Competition enhancement
- Democratic model for managing information and knowledge”.
(Marzano et al., 2005).
Gutsche (2005) has researched the competition between FLOSS and proprietary software and how the playing field can be levelled. In his research, he showed that several FLOSS policy initiatives have been employed by governments. Gutsche categorises these initiatives as follows:
- “Demand-side instruments which aim at increasing the demand for OSS...
- “Supply-side instruments try to foster the supply of OSS”
- “Informational instruments” – helping governments to migrate to OSS
- “Level playing fields” (2005, p.196)
Apart from introducing clear policies like the South African Government’s FLOSS policy, it will also ease the gradual migration towards FLOSS if the use of Open Source software and systems is encouraged. Other models of implementation are tax incentives and campaigning for FLOSS implementation (Comino & Manenti, 2005, p.4). There are therefore many examples and a clear roadmap from many governmental organisations towards implementing FLOSS from which we as a department can learn.
Although OSS is free, it is still an open question whether organisations will benefit from migrating to OSS without proper investigation, as support and re-training of users might be a costly exercise. The biggest drawback of OSS currently is the availability of support and the choice and availability of appropriate business software. Because of the economic benefit, it is fairly obvious that most developers would prefer developing for the Windows platform rather than contributing in an environment where their source code must be shared and distributed freely. But all is not lost for OSS software development, as Mark Shuttleworth “believes that Open Source development is the best way to stimulate innovation because collaboration and participation are encouraged” (Shuttleworth, 2008). By encouraging the migration to OSS, both drawbacks can be resolved over time. Therefore, in the light of:
- The physical and logical security threats that are endangering our department’s data integrity (for example, virus attacks, information breaches, hacking, network vulnerabilities);
- The preference for FLOSS in and for the South African Government as per policy, as well as in many EU local government authorities (Gosh, 2005);
- The preference for FLOSS on cost, security and total cost of ownership;
- Perceived high license & customization fees;
- Dependency on proprietary vendors and software;
- The possibilities of enhancing initiatives for greater involvement in software development;
As the CIO, I wish to recommend that we as Department X should embark on policy development for IT security and the implementation of FLOSS. Our approach should focus on, as Gutsche (2005, p.196) puts it, “supply-side” directives to encourage developmental initiatives in FLOSS software development. Our policy should also include measures to level the software playing field so as not to create a new unequal advantage for FLOSS. Currently, the “playing field” is much in favour of proprietary software. We believe the South African FLOSS policy statement does foster FLOSS and creates opportunity for proprietary software to compete (Wong, 2004, p.27; Comino & Manenti, 2005, p.19), and should be followed in our department’s implementation. This approach will ensure that we cut costs with regard to software licensing, eliminate piracy and foster initiatives for FLOSS software development.
FLOSS also offers interoperability and flexibility. “The environment in which governments operate is changing more rapidly than ever before” (Simon, 2005, p.229). Wong (2004, p.3) lists these benefits of a government-endorsed FLOSS policy strategy:
- Strategic benefits – developing local capacity and the local IT industry, fostering software development (thereby developing local software development skills) and, especially relevant to our situation, increasing and enhancing IT security (Wong, 2004, pp.5,8).
- Economic benefits – reducing imports, reducing the risk of copyright infringement fines, increasing competition, reducing the TCO, and vendor independence.
- Social benefits – increasing access to information.
With regard to IT security, this approach will also work towards a more secure IT environment and protect institutional assets, which include hardware, software, data & information, services and employees’ productivity.
It is therefore clear that our roadmap towards FLOSS and IT security policy development holds many benefits for our department and should be implemented as soon as possible.
- Asay, M., 2009. Obama wants to know: Why open source? [Online] Available at: http://news.cnet.com/8301-13505_3-10147920-16.html [Accessed 3 May 2009].
- Baskerville, R., 1993. Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys, 25(4), pp.375-414.
- Bridwell, L.M. & Tippett, P., 2001. ICSA Labs 7th Annual Computer Virus Prevalence Survey. TrueSecure Corporation.
- Cassel, M., 2008. Why Governments innovate: Adoption and Implementation of Open Source Software by Four European Cities. International Public Management Journal, 11(2), pp.193-213.
- Cavusoglu, H., Mishra, B. & Raghunathan, S., 2004. A model for evaluating IT security investments. Communications of the ACM, 47(7), pp.87-92.
- Coetzee, N.S., 2002. Free and Open Source Software in Africa. [Online] Available at: http://unimondo.opencontent.it/index.php/content/download/17881/117629/file/Africa.pd [Accessed 16 September 2009].
- Comino, S. & Manenti, F.M., 2005. Government Policies Supporting Open Source Software for the Mass Market. Review of Industrial Organization, 26(2), pp.217-40.
- Cukier, K.N., 2005. Source vs. Force: Open Source Software meets Intergovernmental Politics. In J. Karaganis & R. Latham, eds. The Politics of Open Source Adoption. pp.37-46.
- Davini, E. et al., 2005. Open Source Software in Public Administration. A real example OSS for e-government Observatories. In Scotto, M. & Succi, G., eds. Proceedings of the First International Conference on Open Source Systems. Geneva, 2005.
- Dept of Public Service and Administration, 2006. Policy on Free and Open Source Software use for South African Government - Appendix A. [Online] [Accessed 22 September 2009].
- Devaney, L., 2009. Why open-source software is a trend. [Online] Available at: http://www.eschoolnews.com/news/top-news/index.cfm?i=58176 [Accessed 3 May 2009].
- Dhillon, G. & Backhouse, J., 2000. Information System Security Management in the New Millennium. Communications of the ACM, 43(7), pp.125-28.
- Fleming, G. & Sutton, T., 2007. Answers for FOSS4G sceptics. [Online] Available at: http://www.eepublishers.co.za/print.php?sid=15419&DC100SID=61bf6beed8dd6a19e1640514394b56e4 [Accessed 15 October 2009].
- Forge, S., 2005. Towards an EU policy for Open-Source Software. In Wynants, M. & Cornelis, J. How Open is the Future. Brussels: VUB Brussels University Press. pp.489-504.
- Gartner, 2004. Gartner Says Cost of Software Licenses Could Increase by at least 50 Percent by 2006. [Online] Available at: http://gartner.com/press_releases/asset_115090_11.html [Accessed 2 May 2009].
- Gosh, R.A., 2005. Free/Libre/Open Source Software in Government. [Online] Available at: http://www.flossproject.nl/papers/20051018/RishabGHOSH-eurooscon-flossgovt.pdf [Accessed 22 October 2009].
- Gosh, R.A. & Glott, R., 2003. Open Standards and Open Source Software in The Netherlands. Maastricht: Merit Universiteit Office of the “Programma OSOSS”, the Ministry of the Interior and Kingdom Relations. http://www.noiv.nl/files/OSOSS_Survey_finalversion_26112003.pdf.
- Gutsche, J., 2005. Competition between Open Source and Proprietary Software, and the Scope for Public Policy. In Scotto, M. & Succi, G., eds. Proceedings of the First International Conference on Open Source Systems. Genova, 11th-15th July, 2005.
- Haythorne, J.R., 2009. Don't know your ARP from your Elbow? [Online] Available at: http://www.h-spot.net/threat_glossary.htm [Accessed 22 October 2009].
- Jaafar, A. & Ahmad, S., n.d. The Use of Open Source Software in the Public Sector in Malaysia. Research, Reflections and Innovations in Integrating ICT in Education, pp.1035-40.
- Kim, E., 2005. F/OSS Adoption in Brazil: The Growth of a National Strategy. In J. Karaganis & R. Latham, eds. The Politics of Open Source Adoption. 1st ed. Social Science Research Council. pp.53-57.
- Kornerup, P., 2008. Computer Security Course Slides. [Online] Available at: http://www.imada.sdu.dk/Courses/DM524/ch01.pdf [Accessed 25 October 2009].
- Li, M. & Zheng, J., 2004. Open Source Software Movement: A Challenging Opportunity for the Development of China’s Software Industry. Journal of Electric Science and Technology of China, 2(Sep), pp.47-52.
- Lynch, I., 2008. Malaysian Government's World Leading Open Source Strategy. [Online] Available at: http://theingots.org/community/node/6100 [Accessed 2 May 2009].
- Marzano, F., Nagler, M. & Ghosh, R., 2005. How Local Authorities can help in bridging the digital divide: the Province of Rome’s policy for FLOSS. [Online] Available at: http://hdl.handle.net/2038/1636 [Accessed 18 October 2009].
- Matusow, J., McGibbon, S. & Rowe, D., 2005. Shared Source and Open Solutions: an e-Government Perspective. In Scotto, M. & Succi, G., eds. Proceedings of the First International Conference on Open Source Systems. Genova, 2005.
- McCue, A., 2007. Russia Attacks Microsoft Licensing Cost. [Online] Available at: http://news.zdnet.co.uk/itmanagement/0,1000000308,39285968,00.htm [Accessed 28 April 2009].
- Moore, A.P., Ellison, R.J. & Linger, R.C., 2001. Attack Modeling for Information Security and Survivability. Technical Note. Carnegie Mellon University.
- Sentor, 2009. The Dangers of Facebook Fraudsters. [Online] Available at: http://www.sentormss.com/it-security-news/The-dangers-of-Facebook-fraudsters-19370537.html [Accessed 22 October 2009].
- Shuttleworth, M., 2008. Free Software and Wealth Creation. [Online] Available at: http://itc.conversationsnetwork.org/shows/detail3994.html# [Accessed 29 April 2009].
- Sieverding, M., 2008. Choice in Government Software Procurement : A Winning Strategy. Journal of Public Procurement, 8(1), pp.70-97.
- Simon, K.D., 2005. The value of open standards and open-source software in government environments. IBM Systems Journal, 44(2), pp.227-38.
- South African Government, 2006. Policy on Free and Open Source Software use for South African Government. [Online] Pretoria.
- Stallman, R., 2008. GNU Operating System. [Online] Available at: http://www.gnu.org/gnu/the-gnu-project.html [Accessed 2009 April 2009].
- Swanson, E., 2008. The Cenzic Blog. [Online] Available at: http://blog.cenzic.com/public/item/220779 [Accessed 25 October 2009].
- The University of Texas, 2009. Security Awareness : The Dangers of Facebook. [Online] Available at: http://www.utexas.edu/its/secure/articles/social_networking.php [Accessed 22 October 2009].
- Torvald, L., 2007. Linus explains why open source works. [Online] Available at: http://www.linux.com/archive/feature/118380?theme=print [Accessed 29 April 2009].
- University at Albany, undated. Office of the CIO : Security Threats. [Online] Available at: http://www.albany.edu/its/security_threats.htm [Accessed 22 October 2009].
- Waring, T. & Maddocks, P., 2005. Open Source Software implementation in the UK public sector: Evidence from the field and implications for the future. International Journal of Information Management, 25, pp.411-28.
- Wong, K., 2004. Free/Open Source Software : Government Policy. New Delhi: Elsevier United Nations Development Programme-Asia Pacific Development Information.
- Worldsecuritycorp, undated. World Security Corp. [Online] Available at: http://www.worldsecuritycorp.com/crime_stories.htm [Accessed 22 October 2009].