Canonical Adds More Security to Ubuntu OS

Canonical delivered an update to its Ubuntu distribution of Linux that makes available a wide range of cybersecurity capabilities, including an open source virtual private network (VPN) tunnel dubbed WireGuard that provides better performance than IPsec and OpenVPN tunneling protocols because it runs in the Linux kernel.

Ubuntu 20.04 Long Term Support (LTS) also adds Kernel Self Protection measures, assures control flow integrity and includes stack-clash protection, a Secure Boot utility, the ability to isolate and confine applications built using Snap containers, and support for Fast IDentity Online (FIDO) multi-factor authentication that eliminates the need for passwords.

This release also adds native support for AMD Secure Encrypted Virtualization with accelerated memory encryption.

Canonical CEO Mark Shuttleworth said these advances will help make IT environments more secure by adding capabilities into the base operating system that are readily accessible. Naturally, as more applications start taking advantage of the security capabilities embedded in Ubuntu 20.04 LTS, the overall state of DevSecOps should improve. In general, DevSecOps is a powerful idea that is still in its infancy, said Shuttleworth, noting that the more security capabilities are embedded into the operating system, the easier it will become for organizations to incorporate cybersecurity functions into the application development and deployment process.

The two primary benefits of embedding more security capabilities into the operating system are, of course, reduced costs and increased performance. The closer security functions run to the kernel, the less overhead is generated, which makes more processing power available to applications.

The move to embed more security capabilities into the base Ubuntu operating system also comes at a time when IT organizations are under increased pressure to reduce costs in the wake of the economic downturn brought on by the COVID-19 pandemic.

Less clear right now is the degree to which organizations are choosing to standardize on an operating system because of the degree of cybersecurity enabled. However, with developers exercising more influence over the entire IT stack these days, many of them are acutely aware of any performance trade-offs that historically have been made to ensure application security. As such, many developers have a vested interest in cybersecurity functions that can be programmatically invoked at the kernel level.

Of course, cybersecurity teams are not always aware of what security functions are embedded at the operating system level. That may change, however, as more organizations embrace DevSecOps, which shifts much of the responsibility for security onto the shoulders of developers. That so-called shift to the left provides developers with more incentive to address a wide range of cybersecurity issues much earlier in the application development process.

Longer-term, it remains to be seen how the relationship between cybersecurity teams and developers will evolve. As more cybersecurity capabilities are embedded into operating systems and the IT infrastructure they are deployed on, the overall IT environment will in time become much more secure than it is today.

There may never be such a thing as perfect security. However, many of the low-level security issues that routinely plague IT today may soon no longer be as big a problem.

Security Boulevard

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
