Linux and Data Security: The Myths, Challenges and Solutions
Linux has come a long way since its humble beginnings as Finnish student Linus Torvalds’ pet project. With over 25 million lines of code to its name in 2018 and its rise as the OS of choice for servers, public cloud and supercomputers, Linux has earned an unmistakable spot among the top operating systems in the world today. Not only that, but the world’s most popular mobile operating system, Android, that Gartner reported holds 85.9% of the market share, also uses a Linux kernel.
In the workplace, Linux has long been developers’ go-to OS and has fared better in the technical rather than the business environment. However, with most organizations now requiring an IT department and digitalization efforts pushing them to often develop their own tools and applications to serve their particular needs, many company networks now include computers running on Linux.
Add to this its cost effectiveness – it is after all free – and what is considered increased security with zero effort and it is not surprising that many organizations are turning to Linux and its many distributions. But while its status as one of the world’s biggest open source projects is undeniable, its rumored invulnerability is a misleading myth. Let’s look at what data security looks like on Linux and the often-exaggerated claims that accompany it.
1. Because it’s open-source, Linux is more secure
The number of contributors to Linux’s source code is staggering: approximately 15,600 developers from over 1,400 companies have contributed to it since 2005. The assumption is that, with so many developers working on the code, the chance of vulnerabilities and bugs being detected is high. However, because Linux is a community-based project and all developers can contribute to it, it does not mean they are cybersecurity experts or aware of the latest vulnerabilities to look out for.
What this essentially means is that Linux, like all OS, is not foolproof. With its millions of lines of code and numerous distributions, developers are likely to overlook a vulnerability as much as any other programmers working on better known operating systems. This means that dismissing security concerns simply because your employees are running Linux can be a dangerous misstep. It is therefore important that organizations put security measures in place for Linux as well.
2. There are no Linux viruses and malware
Because of its relatively modest desktop market share, many believe Linux is free from the threat of viruses and malware that plague Windows and, to a lesser extent, macOS. However, its popularity as an OS for servers and supercomputers has drawn the attention of cybercriminals looking to do serious damage or deploy cryptocurrency miners on servers.
From the SpeakUp backdoor Trojan used to attack Chinese servers earlier this year to the recurring plague of Mirai, there are enough threats to Linux to call into question the myth of its invulnerability. Companies therefore need to ensure that their endpoints running Linux also have security software such as antivirus solutions and firewalls installed and a clear plan of action in case of a cyberattack.
3. Linux makes data protection a breeze
Due to the reduced risk of cyberattacks and the limited number of malicious agents willing to waste their time breaking into a Linux running computer, data on them is believed to be more secure and therefore easier to protect. While there might be some truth to the idea that data is more secure – although not invulnerable – from external attacks on an endpoint running on Linux, it does not guarantee the security of the data and certainly does not, by itself, ensure compliance with data protection regulations.
This is because, oftentimes, when it comes to data protection, the main problem is not so much the relentless attacks of outsiders, but the negligence of insiders that puts sensitive information at risk. 85% of data loss in fact occurs because of careless employees. Essentially this means that data is vulnerable because of computers’ own authorized users rather than the operating system they are running on.
Everything from accidentally sent emails and forgotten USB drives to information copy pasted onto public forums or uploaded onto insecure third-party cloud services, can happen whether someone is using a Linux, Windows or macOS computer. For this reason, companies must not neglect data loss prevention measures and look for products that support their Linux distribution of choice.
Data security is no longer optional
Nowadays companies are not only advised to protect their customers’ sensitive data, but are increasingly required to do so by law. Everywhere, from the US and Brazil to Japan and Singapore to the EU and its notorious General Data Protection Regulation (GDPR), organizations face fines at every corner if they are found to be negligent in taking the necessary measures to protect sensitive information.
Companies choosing Linux must therefore be aware that, despite the myths that paint Linux as an invulnerable operating system, it is, like all software, subject to vulnerabilities that can be exploited by outsiders and, more worryingly, can easily fall victim to the biggest threat to data security of all: plain human error.