Delivering security across the stack, through the free and open model
Free and open software is foundational to today’s technology world. Whether it is broad infrastructure layer technologies like Docker and Kubernetes, data management platforms like MongoDB and PostgreSQL, or highly specialized applications like Blender and Shotcut, free and open software technologies now power innovations across the entire application stack.
In addition to being a free, source-available alternative to commercial closed source offerings, these technologies have also gained recognition for the high pace of innovation and feature momentum they deliver to customers. This is especially visible in the security domain, as the rich landscape of usage patterns, broad community of evaluators and reviewers, and open development model result in a faster pace of innovation — both in terms of security specific capabilities and in terms of discovering and resolving security issues — than typically possible in traditional models.
The security capabilities delivered with Elastic Stack, downloaded over a billion times worldwide and counting, are a real world illustration of the security momentum possible with our free and open model.
Innovation momentum emerges as a key value proposition of free and open
A big component of the free and open source movement in its early days focused on maintaining source visibility and access to software. This emerged as a response and an alternative to restrictive practices around closed source software by the large software technology giants at the time.
This freedom also unlocked an unprecedented level of broad collaboration and community engagement, which resulted in a new iterative form of development: delivering features and capabilities, uncovering issues and corner cases, and driving product innovation and improvement at a faster rate. Some observers highlight the implicit similarities between open source development models and the more recent agile methodology. What all this has translated into, is faster product innovation momentum, and this has since emerged as an equally important value proposition of free and open technologies.
Security is a domain where the value of this momentum is especially valuable and visible. Open source software enables faster discovery and resolution of security issues thanks to the broad landscape within which it is used and the open development model.. The expanding landscape of use cases that use open source software also results in a wide set of security demands, ranging across scale, constraints, and vertical specific needs, forcing the collaborative process to innovate to meet all these needs.
Elastic’s expanding free and open security capabilities
Prior to 2018, Elastic’s security capabilities were embedded within the X-Pack add-on. While X-Pack was closed source, it continued to benefit from the broader community, as they surfaced and communicated a broad set of needs and scenarios where additional security and control fidelity was required. With the opening of X-Pack in 2018, and with all core security features being made free in 2019, Elastic security capabilities now follow the same free and open model as the rest of the Elastic portfolio. Customers can now use and build on open security features including role based access control (RBAC), audit logging, encrypted communications, IP filtering, and several other security capabilities.
Elastic’s early introduction of attribute based access control (ABAC), to complement its existing RBAC mechanism, is an example that highlights this feature expansion momentum. RBAC allows customers to assign users of an application to roles, each with a set of privileges with regards to different interactions with the application. While RBAC is easy to get started, it results in a rigid access control mechanism that can become unwieldy for very large or highly dynamic access control setting requirements. And these types of requirements have become increasingly common in recent years, for SaaS delivery platforms with 100s to 1000s of users, creative collaboration platforms across large sets of varying users, and growing global collaboration.
ABAC offers a mechanism to set access control and privileges based on intrinsic attributes of the resource, the user, and the environment, without relying on a preassigned role or a predefined set of privileges for a particular role. This allows an administrator to set policies for access control that are more directly mapped to the real world access control criteria, enabling a high fidelity of control, lower risk of human error, and lower overhead for operating the overall access framework at scale. While ABAC is not for every access control use case, it greatly simplifies dynamic use cases with the large user counts and unlocks several previously blocked use cases.
Elastic was one of the earliest providers in the cloud ecosystem to support ABAC — earlier even than several cloud hyperscalers. The need for something richer than RBAC was actually surfaced and prioritized in the community, and documented by Elastic engineers and field teams extensively as they worked with the broad set of stakeholders.
Elastic’s close engagement into the underlying open source Lucene project allowed the Elastic team to identify an opportunity to use specific capability released in Lucene 7.1 to implement ABAC in Elasticsearch, delivering the desired customer experience, and release ABAC in December 2017. ABAC is available as part of Elastic’s free and open security capabilities today, and some real world examples of customer needs simplified through ABAC are discussed in a blog published at the time.
The security enabled by the community in the free and open model goes beyond just security-specific features. For Elastic, our strong community also plays the role of auditor, evaluator, and quality assurance, with more scale, breadth, and coverage than typical closed source development models. Elastic maintains an open and transparent framework for security issues, attribution, and vulnerability tracking, and strong momentum around security updates responding to these, allowing us to build and deliver a secure search experience to customers.
Our free and open security capabilities continue to expand, with capabilities like Kibana Spaces, Elastic Common Schema, detection engine, and prebuilt detection rules. A more detailed discussion of free and open Elastic Security capabilities, and the free and open SIEM available with Elastic Security, is available at elastic.co.
The Stack as a multiplier — a continuously evolving data platform
Our core free and open benefits above are further complemented by Elastic’s unified architecture, delivering enterprise Search, observability and security solutions on a common stack. While these are three distinct domains, and may have different target end users and priorities, they are all fundamentally data and insight problems that Elastic addresses with its search platform. The underlying platform, the Elastic Stack, continually evolves to address inputs across each of these solution areas.
Inputs from all three solution areas act as a multiplier for the pace of evolution to each individual Elastic solution offering, allowing innovation, security improvements, and evolution faster than possible with typical point solutions. And all of this work is done in the open, ensuring visibility, transparency, and confidence in the platform for customers.
Free and open is a philosophy and a model
What constitutes “free and open”? This discussion has seen growing interest in the industry in recent years, particularly in the context of the increasingly cloud-giant dominated technology market and the business challenges cloud can present for open source based ventures. The Elastic License and the SSPL license have not been approved by the Open Source Initiative (OSI), and to avoid confusion, we no longer use the term open source to refer to our products.
Instead of open source, we use free and open to describe our products. Elastic products can be used for free, the source code is available, and the products are built in a collaborative model in the open on GitHub. We remain committed to the core principles of openness: transparency, collaboration, and community. And these principles continue to resonate with our customers.
The report What if source-available software licenses are open enough for most enterprise needs? (451 Research, S&P Global Market Intelligence) highlights the following, in the context of non OSI approved source available licenses. “Our recent survey indicates that these licenses address the most important enterprise considerations in relation to source code access. As such, there is an argument to be made that these licenses are ‘open enough’ to meet the requirements of many enterprises and do fill a gap in the software licensing landscape.” This is consistent with what we hear from customers and partners in the community. Elastic will continue to build and deliver capabilities under the free and open model, innovating to meet the security needs of our customers in an open and transparent manner.
Try Elastic today
You can find out more about our free and open security capabilities at Elastic.co, or start using Elastic today at no cost through a free Elastic Cloud trial.
Additional References
- Open Source Software: A History (David Bretthauer, University of Connecticut, 2001)
- https://www.ime.usp.br/~gold/publications/pdf/Corb...
- https://www.zdnet.com/article/open-source-security...
- https://devops.com/is-open-source-more-secure-than...
- https://techcrunch.com/2019/01/12/how-open-source-...
- https://www.infoq.com/news/2019/02/iam-tags-attrib...
- https://www.elastic.co/blog/attribute-based-access...
- https://www.elastic.co/campaigns/security-only-fro...
- https://www.okta.com/identity-101/role-based-acces...
- http://www.front2backdev.com/2017/08/02/label-base...
- https://www.elastic.co/campaigns/security-only-fro...
- “What if source-available software licenses are open enough for most enterprise needs?” (451 Research, S&P Global Market Intelligence)