Selecting a Secure Enterprise OS: Don't Make the First Step the Wrong Step
Selecting an operating system for use in your enterprise can be a complicated decision. Licensing costs, supported software, hardware options, reliability, and current administration capabilities all are part of the equation. Security is also a concern, but sometimes it's difficult to determine what "security" really means with respect to selecting an operating system. Further, the major operating system choices have a great deal of marketing hype with respect to security, but it's hard to cut through the hype and make a decision that's best for your environment.
Ultimately, the choice you make in operating systems for your enterprise is a choice you'll have to live with for years. Migrating from one operating system to another can be an expensive proposition. So it's best to make your choice in an educated manner. Security, while maybe not your highest priority, is an aspect of the operating system that will certainly have long-term ramifications. This article provides one view of operating system security that I hope will help you in your decision. While I have my own opinion on what OS you should choose—I'll just tell you upfront that I'm a FreeBSD zealot—I'm going to try not to let my opinions get in the way of the facts at hand.
In order to understand which OS meets your needs, you must understand what "security" really means in an operational construct. Operational security is about the ability to maintain a secure and robust environment over the long term. It's not enough to have a single host system that's resilient to attack in the here and now; all the systems in the enterprise have to be able to stay secure as technologies, attacks, and applications change.
Anyone can be trained to lock down a host. There are host lockdown guidelines from the likes of Microsoft and NIST that are very well done and are easy to follow. Any reasonably savvy IT professional can follow these directions and make a system difficult to compromise. But ultimately, these procedures are really just part of the equation. If you have to constantly change your system configuration or don't have any idea of how the security of your operating system is going to change from version to version, then you still haven't achieved operational security.
The manner in which your operating system is developed can have a profound impact on your enterprise. Operating system development encompasses the entire lifecycle of the software. How it's planned, designed, implemented, tested, and maintained ultimately affect your environment, but the effects are a matter of debate. Some would say that a rigorous, structured process is the only way to create secure and scalable software. This is a very corporate view of software development and is commonly evangelized in complex systems development. However, others would argue that simply using a process doesn't mean that the software is really more secure—just that it was developed in a consistent manner.
Conversely, the open source world tends to take a different view of this problem. A large number of developers developing software in a relatively ad hoc manner puts more eyeballs on the code and forces only "important" things to be integrated. This development model may create software that has the correct feature set, but there's nothing inherent in it that addresses security concerns at a tactical or architectural level.
The three major operating systems in use in datacenters (Microsoft Windows, Linux, and FreeBSD) have three very different development models. Let's take a look at each and consider how the development process affects security.