The Rocky Linux Ecosystem’s United Front against Cyber Threats: Building Trust within a Zero Trust Environment

[SPONSORED GUEST ARTICLE]  In the permanent war against cybersecurity threats to the HPC software supply chain, you can’t fight it alone. You need allies, information exchanges and best practice sharing. You need to be part of a group effort that keeps you current with the ever-changing threat landscape. Cybersecurity means cyber vigilance across many fronts, and it takes a community.  

HPC projects are renowned for their inherent complexity, data-intensive nature and vast scale, encompassing diverse environments from on-premises to the cloud to the edge and back again. Due to their intricate nature, these projects often transcend the abilities of a single individual or a solitary user group. Nevertheless, a silver lining exists in the form of the collaborative nature of those involved in HPC-class projects, including researchers, designers and analysts. They are well-versed in working together harmoniously, not only within their organizations but also in close partnership with businesses and research counterparts. This collaborative spirit extends beyond the confines of their organizations and even encompasses their security practices, demonstrating willingness to cooperate with external stakeholders.

But the downside is that collaboration broadens the attack surface, increasing the points of security vulnerability. In addition, HPC projects commonly have heightened security requirements involving sensitive data that must remain secure in storage, in use and in transit.

One of the most popular Linux distributions for the HPC industry is the Rocky Linux operating system, a community-supported, open-source OS that is free of charge and bug-for-bug compatible with Red Hat Enterprise Linux (RHEL). Rocky is backed by a portfolio of security measures from CIQ, whose founder and CEO, Greg Kurtzer, is the creator of Rocky Linux (along with its immediate predecessor, CentOS – see “How the HPC-AI Rocky Linux Server Operating System Rose from the CentOS Ashes”).

CIQ understands that Rocky Linux is an attractive target for attackers due to its large community of users and contributors. So CIQ’s security strategy is to maintain a strong balance between openness and transparency while also delivering rigorous security capabilities and helping to instill in the Rocky community a zero trust security ethic: the built-in assumption that every user, device and application is treated as a potential threat and that risk is continually reassessed rather than evaluated once.

In the end, a more secure Rocky Linux community of users opens the door to greater collaboration and better results.

“A secure mindset actually opens doors,” said Arthur Tyde, CIQ’s SVP of global business development. “Increased security means you’re increasing the elements of collaboration where you can go outside of your organization because there are mechanisms to help build trust in verification. And as we build more and more of these features into the different components, more people move to a zero trust environment in which you can actually hook things up and let more people work together.”

“You always assume there’s holes somewhere,” said Tyde, “and you close them as fast as you can find them. And that’s a key part of CIQ’s mindset. We help watch Rocky Linux projects take shape with security as a pillar of everything we do.”

CIQ says the Rocky Linux infrastructure was designed from the ground up with security in mind, allowing both casual contributors and large security-focused organizations to safely use the OS. In addition, CIQ has a dedicated security team working to ensure that Rocky Linux remains safe.

Advanced security measures implemented by CIQ include:

Errata and Security Patches

Rocky Linux security updates and vulnerabilities are published on errata.rockylinux.org, a centralized site that posts near-real-time security patch updates for the operating system. Errata is critical for managing supply chain security: it provides the prompt, transparent reporting of the latest bug fixes, common vulnerabilities and exposures (CVEs), functionality enhancements and more. Because this information is made available alongside the Rocky Linux repositories, users can perform more granular maintenance on their systems. Rocky Linux includes this information in full in the currently supported repositories, while also making historical data available through the errata Web UI. The Rocky Enterprise Software Foundation (RESF), founded and owned by Kurtzer, maintains Rocky Linux and provides full API access to this data.

Along with errata, users can join the Rocky Linux mailing list to receive updates about patches, which are available at download.rockylinux.org (to receive notifications about patches, go to lists.resf.org and find the list called “Rocky Announce”). Finally, users can run DNF to see which updates their systems need. There is a demo starting at 22:34 of this webinar.
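As an added example (not code from the article, CIQ or the RESF), the following script turns the errata that DNF reports on a Rocky Linux host into a patch-now-or-not decision that a cron or CI job can act on. It parses the line format that `dnf updateinfo list --security` prints; the embedded sample, its advisory IDs and its package versions are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the article or from CIQ/RESF: triage the errata that
# `dnf updateinfo list --security` reports on a Rocky Linux host so a cron or
# CI job can decide whether a node needs patching now.
# Live use:  dnf -q updateinfo list --security | patch_gate Important
# Offline:   printf '%s\n' "$SAMPLE_UPDATEINFO" | patch_gate Important
set -eu

# Constructed sample in the line format dnf prints on Rocky Linux 9
# ("<advisory> <Severity>/Sec. <package>"); IDs and versions are placeholders.
# The last line is non-advisory noise and must be ignored by the parser.
SAMPLE_UPDATEINFO='RLSA-2024:0001 Important/Sec. openssl-1:3.0.7-1.el9.x86_64
RLSA-2024:0002 Moderate/Sec.  curl-7.76.1-1.el9.x86_64
RLSA-2024:0003 Critical/Sec.  kernel-5.14.0-1.el9.x86_64
RLSA-2024:0004 Low/Sec.       bash-5.1.8-1.el9.x86_64
RLSA-2024:0005 Important/Sec. glibc-2.34-1.el9.x86_64
Last metadata expiration check: 0:10:00 ago.'

# Reads advisory lines on stdin; prints "Critical=N Important=N Moderate=N Low=N".
# Only RLSA (security) advisories with a "<Severity>/Sec." column are counted.
summarize_advisories() {
  awk '$1 ~ /^RLSA-[0-9]+:[0-9]+$/ && $2 ~ /\/Sec\.$/ {
         split($2, s, "/"); n[s[1]]++
       }
       END { printf "Critical=%d Important=%d Moderate=%d Low=%d\n",
                    n["Critical"], n["Important"], n["Moderate"], n["Low"] }'
}

# Prints the highest pending severity in a summary string, or "None".
# Ordering follows the Critical > Important > Moderate > Low advisory scale.
highest_severity() {
  local summary="$1" sev
  for sev in Critical Important Moderate Low; do
    case "$summary" in *"${sev}=0"*) ;; *"${sev}="*) echo "$sev"; return 0 ;; esac
  done
  echo None
}

# Numeric rank of a severity name (0 for "None" or anything unknown).
severity_rank() {
  case "$1" in Critical) echo 4;; Important) echo 3;; Moderate) echo 2;; Low) echo 1;; *) echo 0;; esac
}

# patch_gate THRESHOLD: reads advisory lines on stdin; returns 0 when nothing
# at or above THRESHOLD is pending, 2 when the host needs patching now.
patch_gate() {
  local threshold="$1" top
  top=$(highest_severity "$(summarize_advisories)")
  if [ "$(severity_rank "$top")" -ge "$(severity_rank "$threshold")" ]; then return 2; fi
  return 0
}
```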

“It’s all the good actors that are out there finding these holes in different pieces (of Rocky Linux), ways that the bad actors are trying to gain access, and then getting component owners to fix them,” said Robert Adolph, CIQ’s chief product & revenue officer. “And then with errata, we’re making sure it propagates out on the page and gives all that information for people to track what’s going on and assess their own level of need to update.”

Greg Kurtzer

FIPS 140-3

Rocky Linux is now on the National Institute of Standards and Technology’s (NIST) Implementation Under Test List (IUTL), described by NIST “as a marketing service for vendors that have a viable contract with an accredited laboratory for the testing of a cryptographic module, and the module and required documentation is resident at the laboratory.” 

Rocky Linux’s inclusion on the IUTL is significant because of the extensive validation process required for the Federal Information Processing Standard Publication 140-3 (FIPS 140-3), a U.S. government computer security standard used to approve cryptographic modules. FIPS is required in many applications with high security requirements, such as in health care (HIPAA regulations), government, defense (national security) and financial environments. CIQ has arranged and funded the FIPS validation process and will be providing it back to the entire RESF / Rocky community for free.

Transparency

Rocky Linux is built with Peridot, an open-source and completely cloud-native build system for managing and updating Rocky Linux. Peridot enables anyone to build, enhance and reproduce Rocky Linux independently; it also means that the entire Rocky Linux build process and its pipelines are transparent and out in the open. This transparency helps prevent malicious packages from being introduced into the operating system unnoticed, since anyone can inspect and reproduce the build. Developed by CIQ, given to the RESF and released as an open source project, it also helps ensure that Rocky Linux will remain freely available and community controlled.

Conclusion

Because Rocky Linux is a community enterprise operating system, security measures are a top priority. As the official founding support and services partner and sponsor of Rocky Linux, CIQ is committed to continued investment in security features and policies, ensuring that all users, from large companies to individuals, trust the operating system they are using.

“All of the security measures CIQ has helped stand up and contribute to the community, we can take it a step further with CIQ’s professional support of Rocky, which helps companies stay on top of things,” Adolph said. “Every time there’s a CVE fix, our customers can be made aware of it, they can make their decisions, but they don’t have to rely solely on themselves to be aware of every loophole that’s out there.”