Updated by Charles Bystock on 06/22/2015

Open source components carry inherent risk simply because of the way they are produced and modified. But how does that risk relate to infrastructure outsourcing? Is the situation hopeless, so that you should forgo outsourcing in order to protect your enterprise? Or is it feasible to adopt infrastructure outsourcing with the risks understood and managed?

The negatives.

Critics point to the ever-evolving nature of open source components, arguing that constant change signals instability and increases the need for frequent patches. Critics also worry about security because the approach is so, well, open: anyone can read the code, including people looking for flaws to exploit. In their view, more visibility potentially leaves you more open to incursion.

The counter-arguments.

Open source components benefit from multiple brains working separately and together to enhance results and detect design flaws or other vulnerabilities before they are put into play.

Problems after the fact can be detected faster, facilitating quick group response.

It’s highly likely that your current infrastructure already includes open source components. Linux, for instance, is an open source project. Linux ships with a stateful packet filter (netfilter, managed through iptables or nftables) that tracks the state of each connection, and open source products are available to cover the other layers of your infrastructure stack, such as:

  • Intrusion detection and prevention.
  • IPSec VPNs and SSL VPNs.
  • Anti-virus and anti-phishing.
  • Anti-spam.
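The connection tracking mentioned above, as an added example that is not part of the original article: a minimal stateful host firewall written in nftables syntax, the current front end to the Linux packet filter. It assumes a single host that exposes SSH and HTTPS; the ports, the log prefix and the SSH rate limit are illustrative choices, not values from the article.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original article.
# Assumes one host exposing SSH (22/tcp) and HTTPS (443/tcp); adjust to taste.
# Apply with:      nft -f firewall.nft      (needs root / CAP_NET_ADMIN)
# Syntax check only, without touching the kernel:  nft -c -f firewall.nft

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Connection tracking: packets that belong to a flow already
        # accepted below are let back in without re-evaluating the rules.
        ct state established,related accept

        # Packets conntrack cannot tie to any known flow (bad TCP flags,
        # out-of-window segments) are dropped before anything else.
        ct state invalid drop

        # Loopback traffic is always allowed.
        iif "lo" accept

        # Only the services this host actually runs may receive NEW flows.
        # The SSH limit is a global rate, not per source; it blunts
        # brute forcing but is no substitute for key-only authentication.
        tcp dport 22 ct state new limit rate 6/minute accept
        tcp dport 443 ct state new accept

        # ICMP/ICMPv6 needed for path MTU discovery, neighbour discovery
        # and basic diagnostics.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Record what the default drop policy is about to discard (rate-limited
        # so a flood cannot fill the log).
        limit rate 5/minute log prefix "nft-drop: " counter
    }

    chain forward {
        # This host is not a router; nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

The two `ct state` rules are the whole point: a packet is only judged against the port rules when it is the first packet of a new connection, and anything that does not fit an existing flow is dropped rather than inspected further. Run the ruleset through `nft -c -f` first so a typo does not leave the host wide open or locked out.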

Some in the industry say an infrastructure stack constructed only from open source software is just as likely to fend off a malicious attack as a stack composed of closed source components.

Common sense and a healthy dose of skepticism.

Decisions about infrastructure outsourcing require research and weighing the pros and cons as they relate to your company’s needs and goals. That due diligence includes understanding and evaluating the potential security of open source components. Or, more to the point, choosing an outsourcing vendor you can be sure is doing that on your behalf.

That’s really the bottom line – any outsourcing endeavor is only as good as the provider you choose to do business with.

It’s in everyone’s best interest to prevent problems, so infrastructure outsourcing does not increase your risk; it gives you another layer of vigilance. Any top-notch provider is focused on acquiring the latest, most secure hardware and software to support your infrastructure needs, because that is the baseline of confidence that enables them to sell their services to customers like you.

The issue isn’t outsourcing, it’s due diligence and ongoing vigilance. The right provider is as careful and concerned as you are, and has an advantage: more extensive resources and more opportunity to build an optimal environment in which to manage your infrastructure. Your due diligence in selecting the right provider, combined with their ongoing work to understand and minimize security risks, protects you in the best way possible regardless of whether the components are open or closed source.

So pick the right vendor. Ask questions about the sources of their infrastructure components. Ask about how they evaluate those components to determine acceptable security levels. Ask what extra steps they take to protect you. If you aren’t satisfied with the answers, move on.

Every enterprise is vulnerable to many types of security threats. If you’re concerned, hit the internet. Check with your colleagues on LinkedIn to learn if they are using open source components that may affect your infrastructure outsourcing, and get their thoughts on security.

Ignoring the multiple benefits of infrastructure outsourcing only because you fear security risks that might come from open source components could be dangerously short-sighted. Pretending those risks don’t exist is equally dangerous, because it could terminally compromise your future agility and strangle your ability to develop new products and get them to market quickly.