Our topic today is the role of Open Source solutions in IT infrastructure and information security. Our interlocutor is Denis Abramenko, Deputy General Director, CSC-Information Technology, the one who knows how to develop reliable systems from open source code, while not forgetting about security. We will talk about the outlook for, the experience of using, and the future of Open Source solutions in an interesting way and with humour, i.e. in the best traditions of IT.
Please share with us: what are Open Source solutions in IT infrastructure and information security?
Open Source solutions are like a buffet service in the software world: you get access to all the ingredients and you decide on your own how to use them. Such software products, with source code open to everybody, can be used as they are or customized, modified, and improved. In IT infrastructure and information security, such solutions allow creating customized systems that meet specific business demands while keeping control over what is happening inside the system. This is especially essential when data security and confidentiality are concerned.
At the moment, this type of solution is one of the leading trends in IT. How long-term is this trend, in your opinion as an expert? What future do Open Source solutions have in the Russian market?
If we consider Open Source as a fashion, then clearly we should not do so in the context of a one-time trend (like 3D glasses). This trend is gaining momentum and will dominate for a long time, to my mind. In a world where agility and response to change are key, Open Source gives business flexibility and the ability to control its IT environment. In the Russian market, these solutions will also continue to develop, especially given the current situation where many companies are looking for alternatives to Western proprietary products. I believe Open Source will become more and more in demand, at least because it allows you to adapt to the specifics of the local market.
Say a few words about your experience with Open Source.
Our experience can be compared with a Swiss army knife: the tools are multifunctional and universal, and their use is limited by the owner’s imagination. For example, we are actively using StackStorm, a platform for operations automation, which has become a real “magic wand” for our engineers. We used it to automate many processes, integrate various systems and significantly reduce some routine tasks. And now our specialists can focus on more interesting and complex operations and waste no time on “manual labour”.
Budibase also keeps up - it’s a kind of constructor for creating internal tools and Web applications. We used it to arrange the master data system and integrate it with infrastructure and IS systems, which allowed us to quickly create and adapt applications to business needs while spending minimal time and resources on that.
And HashiCorp Vault, of course: it is the chief guardian of secrets and passwords. It ensures reliable storage of confidential information and allows password management to be easily integrated with other systems like IDM.
Does CSC have experience in such projects and can it be called a successful experience? If yes, what are the advantages? If no, what are the drawbacks?
Of course it does, and I am glad to confirm that these projects are a success. For example, one of our StackStorm implementation projects that I mentioned above allowed us to significantly improve efficiency and reduce the number of errors. The system began running like clockwork and, what is important, it became less dependent on the human factor - after all, as they say, where there is a person, there is a “human factor”.
The advantages of such solutions are obvious: flexibility, the ability to adapt to specific tasks, no licensing costs and active support from the community. But, of course, there are also pitfalls. For example, if something goes wrong, the vendor will come to your rescue as is the case with proprietary solutions. You need to be prepared for the fact that all responsibility for solving problems lies with your team. But if you have strong specialists, this is more of a challenge than a problem.
From an information security point of view, what risks exist in such projects and can they even be called safe?
From an information security point of view, the main risk is that the code is open and potentially accessible not only to conscientious developers, but also to intruders. However, this does not mean that such solutions are less secure. On the contrary, open source code allows security vulnerabilities to be quickly discovered and fixed thanks to an active developer community.
The security of Open Source solutions, like any other, depends on the correct approach to their implementation and operation. If you follow updates, apply patches in a timely manner and configure the system correctly, then risks are minimized. And, of course, it is worth remembering that security is not a state, but a process. Even the most reliable system requires constant attention and improvements.
What top recommendations would you give to specialists who are just starting to use Open Source solutions in their projects?
The first and most important recommendation is to study and advance. Open Source resembles a journey into the world of knowledge: the more you know, the further you can go. Read the documentation, take part in forums, and don’t be afraid to ask questions. The Open Source community, as a rule, is very friendly and ready to help.
Second, follow the updates and patches. Everything changes fast in the Open Source world and you need to be prepared for these changes. It is like a race - if you fall behind, you risk missing something important.
Third, don’t be afraid to experiment. Open Source gives freedom of action and you can play with various approaches and solutions to find something which is perfect for your project. Mistakes are a part of the learning process and Open Source provides an opportunity to learn from your mistakes and not from someone else’s money.
What interesting trends in the field of IT and information security in general are now actively gaining momentum?
Now we see growing interest in automation and machine learning in the field of information security. It's like having a personal assistant who never sleeps and is always alert. Automation allows you to respond to incidents faster and even anticipate potential threats.
There is a trend towards implementing Zero Trust architecture, where no one trusts anyone without verification. It’s like going through an ID check every time you come home. It is a little inconvenient, but safe.
And, of course, cloud technologies and containerization continue to gather pace. This requires new approaches to security and data management. Open Source solutions play a key role here, providing flexibility and adaptability to new challenges.
At CSC we actively monitor these trends and are ready to use them to solve our clients’ problems. The main thing is not to forget that IT, like any other craft, requires not only knowledge and skills, but also a creative approach. And a little humour doesn't hurt either.