Since its inception in 2004, Ubuntu has been built on a foundation of enterprise-grade, industry leading security practices. From the toolchain to the software suite and from the update process to the industry standard certifications, Canonical never stopped working to keep Ubuntu at the forefront of safety and reliability.
In 2014, the UK government security arm CESG had published a report of its assessment on the security of all ‘End User Device’ operating systems.
Its assessment compared 11 desktop and mobile operating systems across 12 categories including: VPN, disk encryption and authentication. These criteria are roughly equivalent to a standard set of enterprise security best practices, and Ubuntu 12.04 LTS came out on top – the only operating system that passed nine requirements without any “Significant Risks”.
The security assessment included the following categories:
• Secure Boot
• Platform Integrity and Application Sandboxing
• Malicious Code Detection and Prevention
• Device Update Policy
• Event Collection for Enterprise Analysis
• Incident Response
At that time no operating system met all of those requirements. Ubuntu however, scored the highest in a direct comparison.
Only 3 sections from the security assessment had comments: VPN, Disk Encryption and Secure Boot.
The comments made by CESG were that “The built-in VPN has not been independently assured to Foundation Grade.” This means that the software does meet all the technical requirements of security to pass the assessment, but that the software itself has not been independently assessed to make sure that it hasn’t been tampered with during the development process.
Disk encryption is a similar case to the VPN assessment. For Ubuntu 12.04, CESG states:
“LUKS and dm-crypt have not been independently assured to Foundation Grade.”
LUKS and dm-crypt are used on Ubuntu to encrypt the data on the hard disk and to decrypt the data when starting up, by requesting a password from the user. Without the password, the computer cannot start the operating system or access any of the data.
Secure boot is a Microsoft technology invented in cooperation with OEMs to ensure that software cannot be tampered with after the hardware has been shipped from the factory. It has provoked much debate in security circles, as the ability to install any software which you can control is desirable from a security perspective. The German government recently criticised secure boot as preventing installation of specialised secure operating systems after sale of hardware.
Ubuntu’s response, from Ubuntu 12.10 onwards is to adopt Grub2 as the default bootloader, with support for Secure Boot, but with an ability to turn off secure boot to modify the OS, if required.
Since then Ubuntu followed a steady release schedule, each new version introducing new security features and improving on the existing ones.
In 2020 Canonical delivered an update to its Ubuntu 20.04 version, that makes available a wide range of cybersecurity capabilities, including an open source virtual private network (VPN) tunnel dubbed WireGuard that provides better performance than IPsec and OpenVPN tunneling protocols because it runs on the Linux kernel.
Ubuntu 20.04 Long Term Support (LTS) also adds Kernel Self Protection measures, assures control flow integrity and includes stack-clash protection, a Secure Boot utility, the ability to isolate and confine applications built using Snap containers, and support for Fast ID Online (FIDO) multi-factor authentication that eliminates the need for passwords.
This release also adds native support for AMD Secure Encrypted Virtualization with accelerated memory encryption.
These advances will help make IT environments more secure by adding capabilities into the base operating system that are readily accessible. Naturally, as more applications start taking advantage of the security capabilities embedded in Ubuntu 20.04 LTS, the overall state of DevSecOps should improve. In general, DevSecOps is a powerful idea that is still in its infancy and as more security capabilities are embedded into the operating system, the easier it will become for organizations to incorporate cybersecurity functions into the application development and deployment process.
The two primary benefits of embedding more security capabilities into the operating system are, of course, reduced costs and increased performance. The closer security functions run to the kernel, the less overhead that gets generated, which makes more processing power available to applications.
The move to embed more security capabilities into the base Ubuntu operating system also comes at a time when IT organizations are under increased pressure to reduce costs in the wake of the economic downturn brought on by the COVID-19 pandemic.
Less clear right now is the degree to which organizations are choosing to standardize on an operating system because of the degree of cybersecurity enabled. However, with developers exercising more influence over the entire IT stack these days, many of them are acutely aware of any performance trade-offs that historically have been made to ensure application security. As such, many developers have a vested interest in cybersecurity functions that can be programmatically invoked at the kernel level.
Of course, cybersecurity teams are not always aware of what security functions are embedded in the operating system level. That may change, however, as more organizations embrace DevSecOps, which shifts much of the responsibility for security on to the shoulder of developers. That so-called shift to the left provides developers with more incentive to address a wide range of cybersecurity issues much earlier in the application development process.
Longer-term, it remains to be seen how the relationship between cybersecurity teams and developers will evolve. As more cybersecurity capabilities are embedded into operating systems and the IT infrastructure they are deployed on, the overall IT environment will, in time, become much more secure than it is today.
There may never be such a thing as perfect security. However, many of the low-level security issues that routinely plague IT today soon may no longer be as big an issue as they are today.