U.K. government and IBM test a secure Linux

The Central Sponsor for Information Assurance (CSIA) said this week that the initiative had been launched to assure public and private sectors that Linux could provide security in a complex environment.

The design is based on Security Enhanced Linux (SELinux) and IBM Websphere, a mandatory access control (MAC) application, which gives "need to know" access to security.

"We've been looking at Websphere middleware to say we can apply SELinux and a suite of applications with a security policy in a complex environment," Stephen Marsh, director of CSIA, told ZDNet UK.

On Unix and Windows the administrative privilege rights can allow the wrong people to get unrestricted access to a system, said Marsh. "Mandatory access is controlled by the security policy, which defines what the administrator can do. The administrator can only do what the security policy says you can do, even if you escalate the privilege to root user," Marsh explained.

Hackers commonly gain control of systems by giving themselves administrative access as the root user, allowing them all rights and permissions in all modes.

Open-source software has been growing in popularity in recent years, primarily on the server but increasingly on the desktop, too. The CSIA is keen to test it from a security point of view.

"Linux is emerging from academic and developer communities, and we wanted to see how it could work in a complex business environment," said Marsh. "That meant work (toward) developing tools to allow systems administrators to simply apply a security policy."

Over the next month, IBM--with partners Tresys and Belmin--will pilot Websphere in Durham, England, and Darlington Health Trust. CSIA anticipates a smooth crossover from the Trust's existing Linux platform to SELinux.

"SELinux is a good example of how you take security to the next generation," said Adam Jollans, IBM Linux strategy manager. "We wanted to have wider access between government departments, but also wanted to increase the level of security, without locking down functions."

CSIA affirmed its commitment to encourage the development of secure open-source architecture for public sector organizations, but said it would also work with vendors and recommend proprietary products where appropriate.

"It is government policy to use open source where we can," Harvey Mattinson, head of accreditation at the CSIA, told ZDNet UK. "We have a good working relationship with Microsoft, but we're agnostic--we work with everybody."

"We're trying to provide a menu of different techniques in transforming government architecture," said Marsh.

Graeme Wearden and Tom Espiner reported for ZDNet UK.