GCHQ aims to tackle open source security clearance problem

UK security services have begun bridging the gap that has stopped open source software getting security clearance for use in government systems.

The initiative has come too late to stop the first big contract wins delivered under the government's flagship G-Cloud procurement vehicle going to a supplier that shunned open source products because they did not have security accreditation.

Open source suppliers meanwhile insist the certification block has not disallowed their software from government systems – but it has allowed proprietary suppliers to raise doubts over open source security. 

CESG, the IT security arm of Government Communications Headquarters (GCHQ), has begun working with an unnamed small UK business which has agreed to sponsor an open source virtual private network (VPN) system through its strenuous security clearances.

The small firm is the first open source supplier to break the impasse that has stopped open source software getting CESG security clearance.

CESG certification comes at a cost

The open source community thrives on collaboration to solve technical problems. But its commercial fragmentation and dominance by small suppliers has created an environment where individual companies have not been willing to risk investing in CESG certification, only for larger companies with better public sector exposure to reap the benefits.

The government's solution was to ask large suppliers to sponsor open source software through the security clearance process. But large suppliers have been slow to put their weight behind open source.

Computer Weekly understands CESG has instead begun working with the Department for Business, Innovation and Skills to recruit open source suppliers by convincing them there is a business case in putting up the necessary cash. They are formulating a way to assist the sponsoring firm's entry into the £16bn public sector IT market.

Philip Dawson, CEO of Skyscape, a hosting supplier that secured two large G-Cloud contracts, said it dismissed open source software when building its datacentre platform because of the uncertainty over security status.

Skyscape built its service on software supplied by virtualisation giant VMware, with which it formed a commercial alliance.

"I'm a great advocate of open source technologies – to a point," said Dawson. "Then the point is who takes it on and gets it accredited and invests in it, and who gets the benefit from it? VMware vSphere 4.1 is the only hypervisor that has been accredited by CESG. It was a factor in our decision on who we partnered with. You have to get really into the guts of it to understand how it works to get it accredited. And that's what VMware has invested in doing with CESG."

Computer Weekly understands, however, that VMware has not yet gained a full security certification, called the CESG Commercial Product Assurance (CPA), for its hypervisor software. It has worked extensively with CESG and is striving for certification, but it has got only as far as a classified list of software CESG says can be used by government, but has not passed the stringent tests of a formal certification.

CESG is thought to be working with other hypervisor suppliers, but is not evaluating any open source alternatives. No hypervisor has achieved certification, however, because the agency has been evaluating the security parameters of the technology generically, a process VMware has helped with. While the formal test procedure has been in development, CESG has approached hypervisor security as a risk management issue.

Kate Craig-Wood, managing director of Memset, another G-Cloud hosting supplier, said VMware had made a "claim to fame" that it had CESG certification, but it was superfluous.

Memset uses the open source Xen hypervisor. It attained a cross-government CESG accreditation for its service, incorporating the open source hypervisor, even though Xen itself was not certified. Memset's accreditation included "aggressive" penetration tests of the hypervisor to security Impact Level 3 (IL3), the standard for restricted government communications.

Craig-Wood said she had, as technical co-lead of the G-Cloud programme pilots, established the principle that any virtualisation software could be used to put multiple government servers on the same machine, regardless of the software's security certification, as long as the different servers were themselves all the same security level.

"I believe that still stands," she said. "People are hung up on virtualisation. People make a big issue out of VMware versus Xen. But it's not a big issue. You need to have a separate infrastructure stack on IL3 stuff anyway, because it can't be connected to the public internet. It's connected to the Public Sector Network. It's possible to use Xen in that setting. If some people still have an issue we just provision a private cloud."

Managing the risks of open source

A CESG spokeswoman said: "CESG's approach to accrediting G-Cloud services does not rely solely on the use of products which have been formally evaluated. Instead, the approach requires providers to demonstrate how they are managing the risks. It does not preclude the use of open source software."

The open source certification confusion has nevertheless stopped public sector bodies buying open source software, and allowed proprietary software suppliers to convince customers that open source is not safe, as Computacenter did in Bristol last year.

The government's solution last year was to send a delegation to Bristol explaining that its decision on whether to use an open source email system was a matter for its own risk officer. But risk officers have still been uncertain about uncertified open source software.

The government asked large suppliers to sponsor open source software through the security clearance, but they have been reluctant to cooperate, even though they incorporate open source elements in both bespoke and generic systems that must themselves get a risk officer's accreditation under CESG guidance.

Alec Muffett, security consultant to Surevine, a small open source supplier that integrates social media tools, said: "I am aware that some suppliers have been using security as a FUD [fear, uncertainty and doubt] lever against some parts of government – local county and district offices, that sort of thing – to scare them into not going open source. This got so bad that CESG got up on stage last year and called it out as FUD."

Some of the confusion has come from the difference between accreditation and certification. Government risk officers must accredit their organisation's systems. Their assessments incorporate a risk rating derived in part from whether the system's software components are CESG-certified or not.

CESG is understood to be keen to get open source software packages approved in what it deems the proper manner, with an industry sponsor. The unnamed supplier that has become the first to take up the baton has done so with its own cash – it did not raise community funding.

A foundation-level CPA certification, which covers most government business at IL2 to low IL3, can cost around £25,000, with most of that paying for the time CESG's laboratory spends testing the software. An augmented CPA, to IL3/4, can cost another £60,000.

Gerry Gavigan, chairman of the Open Source Consortium, said: "If this is about stimulation of the economy, government should be funding it. If the government wanted a vibrant digital community, a vibrant open source software community, it could remove some of the stumbling blocks. The cost of CESG certification is a prime example of a market failure. Government should put up the funding to correct it."

VMware and the Department for Business, Innovation and Skills were unavailable for comment.