Redhat for Security: Myth or Mantra?

September 22, 2016 Security and Compliance, MOVEit

When it comes to which server operating system is better, you know the score: Redhat for security, Windows Server for easier all-around operation.

Yet all tools evolve and assumptions become outdated, particularly the assumption that Linux is immune to security incidents. A Sophos blog post recently pointed out that Redhat — which, along with the NSA, co-developed the Security-Enhanced Linux kernel — has removed the words "virus-free" from its Fedora Linux overview page.

Linux and the Changing Security Landscape

Although Windows dominates the desktop market, Sophos reports that Linux has a 40-percent market share in the server market, which makes Linux operating systems a tempting target for attackers. It's true that Linux malware is becoming more common, but the threat landscape includes much more than malware attacks. Linux systems are just as permeable as Windows Server when it comes to phishing, compromised webpages and vulnerabilities like Heartbleed and Shellshock.

Windows malware can run on Linux servers, and so can cross-platform threats from frameworks like JavaScript, Perl, PHP, Ruby, Python and Adobe Reader. Attackers commonly use Linux servers to harbor their malware; the phishing link your employee clicks, most likely, directs them to a server running Linux.

Related Article: PowerShell on Linux: Not Just Windows Anymore

Even so, many IT pros love Redhat for security reasons. On Linux, security pros can hunt through the code of every program and even the Linux kernel to find back doors. On Windows Server, the security team can see bugs in action, but they can't go into the proprietary code to fix them. Linux software repositories also provide assurance that applications are original and not hacked, although admittedly repos aren't foolproof.

Windows Server Advantages

When it comes to authentication, it's hard to beat Windows Active Directory. Linux alternatives, as Sander Van Vugt points out in TechTarget, don't support the range of devices and applications that Active Directory does.

Even though proponents like Van Vugt argue that OpenStack will become the de facto cloud infrastructure of the future, it's still no match for Azure. Business Insider reports that by 2018, Microsoft is shooting to make $20 billion per year from Azure (AWS, which dominates its rivals, only made $2.57 billion in Q1 2016 according to Wired, which gives you an idea of how bullish Microsoft is on cloud).

Microsoft aggressively markets Windows Server as a cloud operating system, with Azure and Office 365 running on top of Hyper-V and Windows Server. But earlier this year, as reported by Fortune, Microsoft announced that Redhat Enterprise Linux (RHEL) can now run on Microsoft Azure.

Planning for the Future

As Microsoft pivots to cope with the realities of open source and to move its cloud business front and center, it will have to develop more competitive pricing and interoperability. Even so, it's hard to imagine Windows Server truly competing with Redhat for security.

In terms of securing systems and applications, IT always walks a fine line between security and convenience. Windows Server often wins when it comes to convenience in the data center: Most hardware has Windows drivers, and there are very few hardware vendors who don't support Windows. Windows Server licensing now allows data centers to run unlimited VMs using Windows Server, which has cut costs for many data centers.

Still, Linux has a lower OS overhead, and the Linux kernel is easy to fine-tune for efficiency gains. At the end of the day, security comes down to the savviness of users. After all, who in IT is hunting through code for back doors on a daily basis?

Redhat Still Wins for Security

With lower costs, Redhat support and Linux security advantages, RHEL has the edge when it comes to enterprise security — for now. Attackers always find a way, and no one should ever assume Linux magically shields them from every threat.

Jacqueline Lee

Read next The Best Reasons for Moving from Basic FTP to Secure File Transfer