by reidacdc 1088 days ago
We have a related issue in US civilian Federal agencies, where the IT security posture has been moving for some time to a formal compliance scheme. The idea is that to manage things at scale, it's desirable to have certified solutions, and mandate a very broad set of controls.

This makes general-purpose Linux systems a hard sell -- Ubuntu and RHEL have e.g. FIPS-validated encryption stacks, but they're generally older releases (currently Ubuntu 20.04 is certified and 22.04 certification is pending), and of course limiting your choice of distro is unwelcome for computational researchers. For data at rest, there are certified self-encrypting hard drives, but they are very hard to source, in part because the FIPS 140-2 suite is also very old, and the newer FIPS 140-3 suite is not yet certified.

There are probably ways around this, the diversity and flexibility of Linux cuts both ways, so you can maybe do a FOSS VM infrastructure on top of a certified hypervisor, and get the best of both worlds that way, but it's a lot of work.

And unlike in the aviation-safety world, it's not clear that the certified solution is technically better. It has pluses and minuses, but the biggest plus is administrative, not technical -- it's easy to check.

2 comments

All I have to say from personal experience (some of it gained working for a big bank) is that if you want and seek compliance, you will get neither security, nor safety - but you will get compliance. :)

Whoever tells you otherwise has got a bridge to sell, as well as some compliance- and "security"-facilitating "solutions" on top.

In order to fly, current regulations in most countries require that the aircraft be flight certified by the named regulatory authority. In the US for civilian aircraft, the regulatory agency is the Federal Aviation Administration (FAA). So compliance with their stated standards is not really optional. It is also true that compliance does not necessarily mean security or safety has been completely achieved. That is, even if one "checks all the boxes", that does not guarantee 100% safety. So we also depend on professionals who go beyond simply doing the minimum but who truly care about the safety of the flying public.

This has been my exact experience (some of it gained working adjacent to a big bank).

At a certain level, folks dropped any real pretense that the compliance regulations in industry were for anything other than shifting liability around and ensuring you can check the right checkbox when doing sales or getting audited.

Actual security varied widely, and had zero relation to the compliance checklists.

We're trying to fix this problem at Chainguard. We have our own Linux distro that packages modern versions of software (like minutes or hours after it's released), as well as older versions.

We're also working on FIPS 140-2 and 3, and support pretty much every compliance framework we can find.