IBM z/OS, IBM AIX, Debian and Ubuntu Score Highest Security Ratings

Eight out of 10 — 82% — of the over 600 respondents to ITIC’s 2014-2015 Global Server Hardware and Server OS Reliability survey say security issues negatively impact overall server, operating system and network reliability. Of that figure a 53% majority of those polled say that security vulnerabilities and hacks have a “moderate,” “significant” or “crucial impact on network availability and uptime.

Overall, the latest ITIC survey results showed that organizations are still more reactive than proactive regarding security threats. Some 15% of the over 600 global corporate respondents are extremely lax: some seven percent said that security issues have no impact on their environment while another eight percent indicated that they don’t keep track of whether or not security issues negatively affect the uptime and availability of their networks. In contrast, 24% of survey participants or one-in-four said security has a “significant” or “crucial” negative impact on network reliability and performance.

Still, despite the well documented and high profile hacks into companies like Target, eBay, Google and other big name vendors this year, the survey found that seven-out-of-10 firms – 70% – are generally confident in the security of their hardware, software and applications – until they get hacked.

In response to the question: “Estimate the impact or perceived impact that server OS security has on overall network reliability”:
• 7% of respondents said “No impact, they are separate and distinct”
• 29% of participants said “minimal impact”
• 29% said “moderate impact”
• 12% said “significant impact”
• 12% said “extremely crucial, server OS and security are intertwined”
• 8% indicated they don’t keep track of the security impact on reliability

The latest 2014 statistics indicate that organizations recognize also indicate that the increasing use of Bring Your Own Device (BYOD), remote access and mobility usage heightens corporation’s security risks. The BYOD trend also and places a greater burden on IT departments to track and manage potential vulnerabilities associated with tablet, smart phone and employee-owned desktops and notebooks. This makes the inherent security of server operating systems and business critical servers and server-based applications like databases, even more crucial.

IBM, Ubuntu and Debian are Most Secure Server Operating Systems

When it comes to the security of specific server operating systems users gave the highest security ratings to IBM’s z/OS and AIX v 7.1 and the Linux open source distributions Debian v 7 and Ubuntu v 12.04 in that order.
Not surprisingly, IBM’s z/OS which runs on Big Blue’s System z Enterprise mainframe received the highest security ratings with 51% of survey respondents calling it “excellent” and 39% giving it a “very good” grade. This was the highest security ratings out of 18 different Server Operating System distributions (See Exhibit 2).
Overall, 89% – nearly nine-out-of 10 companies – gave the z/OS operating system the highest marks for security. This is to be expected since mainframe systems are highly engineered for overall bullet-proof reliability/fault tolerance, robust security and performance. And mainframes are almost always managed by very experienced IT managers who are trained to quickly spot and contain the rare instances of a security vulnerability or successful penetration.
IBM’s AIX v 7.1 also scored very well with 68% of survey respondents giving an “excellent” or “very good” rating followed closely by Debian v 7.x which was rated “excellent” or “very good” by 67% of survey participants and Ubuntu v 12.04 which got the highest grades from 65% of those polled.
IBM also owes its positive security ratings to its ongoing high rate of investment in R&D. In early May, Big Blue also announced an integrated security system called the IBM Threat Protection system along with a set of services designed to help organizations protect critical data from advanced attacks. Such security investments inspire user confidence.
The biggest surprise was that both HP and Microsoft’s Windows Server 2012 R2 security ratings tumbled from ITIC’s prior polls. In the current ITIC 2014 reliability survey only 19% of users rated HP’s UX 11i v 3’s security as “excellent,” another 19% characterized it as “very good” and 29% rated it “good.” On the opposite end of the spectrum, 15% of survey participants ranked HP UX 11i v3 security as “poor” or “unsatisfactory.”
Similarly only 19% of users rated Windows Server 2012 R2 as “excellent” although 33% called it “very good.” Still, this is a far cry from the results of ITIC’s 2013 reliability survey when 79% of respondents rated Windows Server 2008 R2 and 2012 as “excellent” or “very good” – with 40% giving it excellent marks. Overall, Windows Server 2012 R2 garnered respectable security grades with 74% of respondents rating it “excellent,” “very good” or “good” compared with only 11% that rated it “poor” or “unsatisfactory.”

So what’s changed for HP and Microsoft?

In HP’s case the culprit appears to be diminished technical service and support and slower responses to customer queries when security does go awry. This is based on anecdotal data ITIC obtained via essay comments and first person interviews. Over the past several years HP has laid off 34,000 workers and it has just announced plans to cut its workforce by another 11,000 to 16,000 people.
The perceived security issues with Windows Server 2012 R2 are different from those of HPUX 11i v3. Microsoft continues to apply the tenets of its 2002 Trustworthy Computing initiative: “secure by design, secure by default and secure in usage” to all of its software. And Microsoft also continues to be vigilant and reliable in delivering patches, fixes and documentation. Unfortunately, the Windows server operating system is also the environment that is the biggest target and garners the most unwanted attention of hackers. Hence, even though Microsoft delivers patches on Patch Tuesday, the second Tuesday of every month, many users grumble about the extra work involved and the fact that Windows always seems to be a top target of malware, viruses and hackers.

Solid Security is Essential to Network Reliability

Solid security is an essential element for every network environment. The server operating system upon which corporate middleware and software e.g., databases, word processing applications, spreadsheets and other mainstream line of business (LOB) applications run is the cornerstone of the entire network computing environment. The adage, “the chain is only as strong as the weakest link,” has never rung truer.

The potential attack vector has gotten larger. All corporations must contend with and confront a growing array of sources that pose potential threat to their business operations. These include everything from organized hacker groups that are purloining personal and corporate data; heightened security risks posed by mobility and remote access as well as the increase in the BYOD usage.

According to the ITIC and KnowBe4 “2014 State of Corporate Security and BYOD Trends Survey” which polled over 300 companies in March 2014, 70% of organizations have a high degree of confidence in overall security – until they get hacked. Those survey findings showed some surprising contradictions in user responses. For example, six out of 10 – 59% — of respondents said their firms claim they have not had any security breaches in the last 18 months (exclusive of viruses and malware).

However the responses related to BYOD and security issues, cast serious doubt onto the aforementioned claims and confidence. For example, 33% or three-in-10 respondents admitted they are “unaware or unable to discern” whether or BYOD security breaches impacted servers, mission critical apps or network operations! And the same one-third – 32% – of corporations has no BYOD-specific security in place or is “unsure” if they do.

And just over one-third or 34% of survey participants acknowledged that they either “have no way of knowing” or “do not require” end users to inform them when there is a security issue with employee-owned BYOD devices. This makes the corporation very vulnerable.

Server and their operating systems literally run the business and incorporate a significant percent of organizations’ sensitive data and intellectual property (IP). If server OS security is flawed, buggy or easily hacked, the entire business and its operations are potentially at risk. Based on ITIC’s first person customer interviews, we determined that the biggest customer complaint was not with the inherent security of a specific server OS platform, but rather in finding fixes and getting technical service and support in a timely manner. In many of these particular instances, the organizations were very large enterprises and a common complaint was that searching for a fix was akin to finding “proverbial needle in a haystack.”

Conclusions and Recommendations

Server OS security is fluid and not static. No server operating system, application or hardware component is immune to penetration. Customer perception can and does change the minute a security flaw is found or malware is unleashed that successfully penetrates or threatens to compromise the security of any platform.
None of the server operating system vendors can rest on their laurels. Corporations bear at least 50% of the responsibility for securing their respective environments. Even the most bulletproof server OS can be compromised and undone by configuration errors and failure to install and turn on OS security features. Organizations are also advised to conduct quarterly threat assessments of their environments. Staying current on the latest patches and fixes is also a must, as are regular updates of anti-virus applications and other security packages. Corporations should also review and update their security policies and procedures annually.
Time is literally money. Even a few minutes of downtime – especially when a hack or a suspected security leak occurs — can result in significant costs and cause internal business operations to grind to a halt. Downtime as a result of a security breach can also undermine company’s relationship with its customers, business suppliers and partners. Reliability or lack thereof can potentially damage a company’s reputation and result in lost business.