Locking Down Linux For The Enterprise

Security has always been important for datacenter operators, but the days of putting a ring of protection around the datacenter and then walking away satisfied in the knowledge that the data and applications therein were protected from outside forces are long over. Cloud computing, the Internet of Things (IoT), the edge, containers and the rapid growth in the number of mobile devices have all contributed to the expansion of IT outside of core datacenters, creating a highly distributed environment where the bulk of data is created and applications are access beyond the firewall. Add in the growing numbers and increasing sophistication of cyber-threats and security becomes a much more complex calculation.

Because of this, the growing expectation for years now has been that hardware, component and software makers would embed security into their products to ensure security regardless of whether they were running in the datacenter or somewhere out in the wild. Enterprises will gravitate toward vendors with reputations for strong security and privacy features in their offerings, which can drive growth for those that make the investment. It’s something that Canonical is emphasizing as it looks to extend its open-source Ubuntu Linux operating system deeper into the enterprise and cloud datacenters.

“Today, it’s true that we offer vastly more security coverage covering vastly more open-source packages than any other enterprise Linux company, and this is driven by significant investments that we are making in our security team’s capacity and in the capabilities that they have to find and fix security issues across the entire open source stack,” Canonical founder and chief executive officer Mark Shuttleworth said during a briefing leading up to the release this week of Ubuntu 20.04 LTS, codenamed “Focal Fossa” and the next in a line of commercial-grade Ubuntu Server releases that provide long term support. “Customers over the years have asked us to provide security updates and the number of packages that they’ve asked us to provide security updates for has escalated in a very dramatic fashion. Really, what’s happening is that enterprises want much more open source than just Linux. Additionally, enterprises used to be quite conservative about what they are allowed into the buildings. They would take Linux from a trusted vendor and then applications from trusted vendors. But today we see an incredible acceleration in the widespread use of almost any open source application on the Ubuntu platform. It really is a hockey stick to address that market mix.”

The LTS variants of Ubuntu Server are meant to be stable variants that do not change as quickly as the regular release of the Linux variant. They have five years of core support and eight years for Extended Security Maintenance (ESM) support. Canonical puts out an LTS release every two years in April. At the moment, the releases from 2014, 2016, 2018, and now 2020 – dubbed Ubuntu Server 14.04 LTS, 16.04 LTS, 18.04 LTS, and now 20.04 LTS –  are all being given support, and upgrades are available from LTS to LTS release. General support for Ubuntu Server 10.04 LTS ran out last April, but Extended Security Maintenance support is available until April 2022. The Focal Fossa release will have general support until 2025 and extended security support until 2030. That’s about as far as anyone in IT can see on a good day.

Canonical has a broad array of partners in compute environments, from the datacenter through the public clouds and out to the edge. As seen below, the roster includes a lot of high-profile names, from the three largest public cloud providers to key system OEMS and component makers.

But it also plays in a global server OS market that is dominated by not only Microsoft but also Red Hat (now part of IBM) and its own Red Hat Enterprise Linux (RHEL) OS, which together control about 82 percent of the space. Canonical not only is competing for the remaining 18 percent of the market but also wants to carve off some of the dominant shares of the leaders. It’s an area Shuttleworth and other company executives are keying on.

“The enterprise is our focus,” Shuttleworth tells The Next Platform. “Of course, we’re going from strength to strength in telco, but it’s the general enterprise where we’re now getting recognized as the value/volume/innovation player.” He added that “HPC is not a strong area for us. But where AI/ML is the focus on the supercomputer, we are breaking through.”

During the briefing, Stephan Fabel, head of product and silicon alliances at Canonical, said the company has seen expansion of Ubuntu in such verticals as finance, media, gaming and telecommunications. As an example, Fabel noted that a year ago, telecom giant BT tapped Canonical’s Charmed OpenStack on Ubuntu for a role in its upcoming 5G core, with Canonical providing the open-source virtual infrastructure manager part of BT’s network-functions virtualization (NFV) program and migration to a cloud-based network.

The presentation about Ubuntu 20.04 certainly was focused on security and Canonical did spend a lot of time on features that built on its traditional strength in desktops. But the company also put an emphasis on what the new OS offers datacenter operators and cloud infrastructure providers and the partnership with server OEMs and others that buoy Canonical’s enterprise ambitions.

Ubuntu 20.04 includes native support for AMD’s Security Encrypted Virtualization, a hardware memory encryption technology in the chip maker’s Epyc server processors. According to AMD, the support in the Ubuntu release offers accelerated memory encryption for data-in-use protection and high-performance scaling for Epyc chips of 256 threads or more. With IBM, Ubuntu 20.04 runs on the vendor’s LinuxOne hybrid cloud systems and IBM z mainframes and support’s its IBM Secure Execution for Linux, a trusted execution environment for both IBM System z and its Linux-only LinuxOne variant that is designed to secure sensitive data and run large numbers of workloads in full isolation at scale. Canonical also is extending Ubuntu’s support for Microsoft’s Azure cloud to Windows-based workstations used by developers.

“At the level of the core CPUs, we’ve seen very exciting new capabilities for virtualization, isolation, really driven by the idea that people want the cloud that they trust that they’re buying from, not to be able to mess with or study the workloads that they’re running in the VM tenants,” Shuttleworth said. “We’re supporting AMD’s Secure Encrypted Virtualization. And in the mainframe world, we’re supporting the z15 Security Execution Environment, which is a trusted execution environment and IBM’s secure container offerings as well. We see similar demands on the public cloud, where clouds are creating new security capabilities that end on operating system integration. And we’ve invested in making it easier for customers to operate securely at scale on the cloud, automatically taking advantage of the underlying capabilities like AWS Security Hub and the Azure Monitor.”

Ceph And SDS

Canonical also has been pushing into the growing software-defined storage (SDS) arena behind its support for Ceph, the open-source storage platform. Ceph for several years has been integrated into Ubuntu, but the CEO said that over the past year the company has seen a spike in the number of enterprises asking for Ceph capabilities, which has become a “nice new line of business” for Canonical and another avenue for growth in the enterprise. There are two key drivers behind the growing interest, he said.

“First, a recognition of the price-performance benefits of large-scale commodity hardware for storage purposes,” Shuttleworth said. “Second, improvements in the overall stack that enable people to consume Ceph storage from a variety of different enterprise use cases, whereas previously for us, primarily Ceph was associated just with OpenStack by itself as the main storage of choice for new OpenStack deployments. Ttoday we see Ceph being adopted on its own merits in general-purpose cases.”

How much Ubuntu will grow in the enterprise is unclear, but Shuttleworth is optimistic. He said the platform has become self-sustaining over the past year, moving past the point “where Ubuntu itself and all the supporting systems and infrastructure are dependent on me. If I were to meet my maker tomorrow, Ubuntu continues in the very capable hands of the team in Canonical, and the community.” In addition, he noted that the plan continues for Canonical to go public, though the current Covid-19 pandemic has thrown a lot of unpredictability into the mix. In addition, one of the impacts of the coronavirus crisis has been to accelerate some companies’ migration to the cloud and “our strength is in public cloud, and the public clouds have seen tremendous demand over the last few months,” Shuttleworth said.