Why Governments Depend on Open Source for Secure, Private Email


Olivier Thierry CMO, Zimbra


Increased Need of Security & Privacy

October 22, 2014 2


We Need to Elevate Security & Privacy


Source: xkcd.com/538


① Transparency/Auditability


NO
• “skeleton keys”
• hidden components
• embedded proprietary software

Heartbleed patch on git.openssl.org


Worldwide Adoption of Open Source Software (OSS) by Public Sector


②  Reduced Cost

[Diagram: Force Multiplier. Labels: Open Source Project, Open Source Community, OS Core, Community Code, Extensions, Patches, Add-ons, Modules, Products, Support, Security]

*Industry standard: ~$10 - $20 / line of code
Source: Black Duck Software | Cost, Freedom and Control: The Dividends of Migrating to Open Source


③  Product Customization & Flexibility

The core open source product + Product extensions into your unique environment = The products you want to use & the solutions you need

[Diagram labels: OS Core, Community Code, Extensions]


④  Advanced Interoperability

68% believe Open APIs will reinforce OSS growth/adoption*

“digital services teams should consider using open source, cloud based, and commodity solutions across the technology stack”

*Source: According to Black Duck’s Future of Open Source Survey, 2014
Quote: U.S. Digital Services Playbook | Play 8 “Choose a modern technology stack”


⑤  Improved Quality

“given enough eyeballs, all bugs are shallow”

8/10 choose open source based on quality*

*Source: According to Black Duck’s Future of Open Source Survey, 2014
Quote: Linus’ Law


US Government Adoption of OSS


US Government’s Embrace of OSS

“When we collaborate in the open and publish our data publicly we can improve government together.”
Quote: U.S. Digital Services Playbook | Play 13 “Default to Open”

“While the U.S. government has, to date not issued guidance requiring a preference for open source, it has clearly indicated that open source products are to be given at least as much preference as proprietary products.”
Quote: Opensource.com


US Government’s Embrace of OSS (http://gov-oss.org/)


⑥  Community Involvement


Top 10 US government organizations using open source

+400 repositories

Source: http://www.govcode.org/stats


⑦  Reusability


“…allow the public to easily provide fixes and contributions, and enable reuse by entrepreneurs, nonprofits, other agencies, & the public.”

= “GitGov” reusable platform for agencies to rapidly build government services


Government’s Need for Security & Compliance


DHS & the SWAMP = Quality

“…with hundreds of open source software packages and multiple software assurance tools, we will improve the community’s understanding of and access to state-of-the-art software assurance.”

Source: govtech.com
Quote: continuousassurance.org, about us, “outputs”


⑧  Compliance

32% rated Data Privacy & Confidentiality the #1 perceived risk to compliance

Source: PWC, State of Compliance: 2013 Survey

Compliance requires…
-> flexibility & customization
-> transparency & auditability
-> open standards & APIs
-> robust security & privacy


Summary of Reasons to Use Open Source

①  Transparency/Auditability

②  Community Involvement

③  Reduced Cost

④  Product Customization & Flexibility

⑤  Advanced Interoperability

⑥  Improved Quality

⑦  Re-Usability

⑧  Compliance


Open Source Email


Government & Email Security

Federal Information Processing Standards (FIPS): consistent use of security & communication guidelines through open standards

•  Data Privacy
   1.  At-rest & in-motion encryption
   2.  End-to-end encryption

•  Identity
   1.  Digital signature
   2.  2-factor authentication

Open source email leverages open standards to provide compliant cryptographic modules for data encryption


Tenets for Secure Collaboration


Ability to integrate 2FA & encryption

Ability to provide control over data & hosting location

Ability to provide transparency on code base


Over 1,000 government & financial institutions rely on Zimbra to protect the security & privacy of their collaboration data.


KEEP CALM AND STAY OPEN


©2014 Zimbra Systems, Inc. All rights reserved. Zimbra and its symbol are registered trademarks or trademarks of Zimbra, Inc. Other company and product names mentioned herein are property of their respective owners. The contents of this publication are subject to change without notification and are the property of and cannot be reproduced without the written permission of Zimbra. The contents of this publication are not a commitment by Zimbra to provide the features and benefits described.

www.zimbra.com
