Since the late '90s, Guardian Digital claims to have blazed a trail in open-source security and today counts Sony, the Chicago Stock Exchange and Piedmont Natural Gas among its marquee customers. Dave Wreski, Guardian Digital chief executive and creator of the open-source security website LinuxSecurity.com, answers the questions.
Q. Is Guardian Digital a software-only open-source security system or do you also sell appliances?
A. Both, actually. We focus on offering customised solutions.
That being said, since we started, the company has offered our services and software on a pre-configured device, if the client so chooses, as it matches their desired needs - bandwidth, users, etc.
Q. Explain why Guardian Digital's model is different to the single-purpose appliance, which commonly is referred to as unified threat management.
A. Well, first off, I would like to say that I might disagree with that definition a bit. I think it is safe to say that the term unified threat management, UTM, has been polarised a little. It can be defined as the general ability to configure and maintain multiple layers and applications from the same interface, not necessarily from just one particular appliance. It typically includes a fixed set of applications in a one-size-fits-all format. Sure, unifying this functionality in one appliance can be labeled UTM, but I do not think it is solely defined by this.
To directly answer your question, our model is more adaptable than that of a sole, UTM appliance vendor. In truth, we are a service company first, offering a complete array of solutions, from the platform, to the applications, to our managed services.
This can be leveraged in the form of outsourced hosting, a physical secure device or on a client's dedicated hardware. It depends on the organisation's requirements. We are not constricted by the fact that we just sell a box. There is more to it than that, and our customers appreciate the flexibility this provides.
Q. In general, how would you characterise the attitude of companies toward open-source and Linux-based security and how has this changed in recent years?
A. We knew from the very beginning that open source was a means to an end, since, in a way, it has been associated with an identity.
Since that was, and partially still is, the case, Guardian Digital has always marketed ourselves as a specific solution to a business problem; a solution that happens to come from open source. While our business model includes open source, what differentiates us is how it is implemented and those specific business problems we solve using it.
Initially, we drew mostly those who knew and were comfortable with open source, as many companies were hesitant. What has changed can best be explained as de-programming. Through the last 10 years, open source has had this moniker attached to it; that of some kind of out-lying fringe of the tech-world. This is inaccurate, but it still diluted its appeal early on, and open source has grown despite it. While this image is being erased, it will still take time.
Q. What is the single biggest mistake companies make in implementing an open-source security strategy?
A. Great question. The answer to this is really in two parts.
First, do not look to a company that is selling open source - look for a vendor that is providing a solution for security, through open source.
Open source should not be the selling point.
As it relates to security, the biggest mistake is repackaging a collection of different open source applications from different companies, and expecting them to 'just work' securely when you throw them in the same basket. That is an illusion. True security is a process that requires integrating and engineering all applications with a comprehensive policy that must be maintained. Open source can certainly provide this cohesiveness, but it must be developed intentionally to provide it. Having a basket-full of separate open source applications with a pretty interface just is not enough to combat the sophisticated attacks businesses must deal with.
Q. Does it make sense for a company to have an open-source security platform, even if it has not deployed open-source elsewhere?
A. Of course. Our solutions can integrate completely with any existing infrastructure quickly; the issue is not related to its effect on the great network. The criteria used involve is the solution the most robust security, for the most affordable total cost of ownership. We engineered EnGarde Secure Linux and its applications to be as manageable as possible, using a point-and-click interface, so the learning curve simply does not exist. Our customers come to us because we have the solution to their specific business problem - the fact that it is open source is seen as a benefit, knowing that typically no security or programming expertise is required.
Q. How many customers do you have and where are they mostly located?
A. Since our inception in early 1999, we have attracted over 500 clients in almost every international market. Most are located within the US and Canada, while we have clients in India, New Zealand, England, Kenya and Germany as well.
In addition, our EnGarde Secure Linux Community edition is a full-featured secure platform that is built entirely from open source, like all of Guardian Digital's products, and contains many of the capabilities of our enterprise offerings, and is available completely free for download. We have recorded tens of thousands of downloads in recent months, and untold numbers of copies distributed throughout the Internet.
Q. Is there more acceptance of open-source security in Europe than in the US?
A. Absolutely. In the US, proprietary software companies were able to really garner a lot of leverage, especially in the large businesses, and that trickled on down, especially as Linux-based companies got their start in the last 10 years. Europe was not exposed to this nearly as much, and without this semi-forced standard, was more acceptable to other options. Now, Europe has realized that the cost-of-entry is much lower through the use of open source, and it is typically implemented to be more secure and transparent than their proprietary counterparts.
Prior to launching Guardian Digital, Dave Wreski was a senior architect for UPS Worldwide, where he managed the security architecture of the company's global data centres and the company's Internet systems security policy.