Red Hat's unique open source ethos, and the culture of transparency and collaboration it fosters, might have given the Raleigh, N.C.-based software company an edge over Microsoft in satisfying partners as those companies patched their customers' operating systems against the Meltdown and Spectre vulnerabilities.
The industry's two leading enterprise operating system developers have very different approaches to selling and supporting software. But when the security crisis called for quick updates of Red Hat Enterprise Linux and Microsoft Windows, both vendors demonstrated their enterprise-grade mettle, according to partners.
In the CRN survey, however, Red Hat received higher marks from its partner community in its effort to release and coordinate patching.
CRN conducted an online poll of 190 members of the CRN Channel Intelligence Council, a panel of solution providers representing the broad channel ecosystem in North America. In the survey, solution providers ranked the vendor responses to the Spectre and Meltdown vulnerability issue on a scale of 1 to 5, with 5 being the top mark, or "excellent."
In that survey, which included 101 Red Hat and 175 Microsoft partners, Red Hat received an average rating of 3.72, compared to 3.66 for Microsoft.
Joe Dickman, senior vice president at Vizuri, a Red Hat partner based in Virginia, said in the absence of truly good fixes to the microprocessor vulnerabilities, what partners wanted most was communication and transparency.
"When Spectre and Meltdown were announced, Red Hat was very proactive within the partner community," Dickman said. "They always came back with explanations. I think it put more people at ease about their vulnerabilities, or perceived vulnerabilities."
Partners, and their customers, above all else didn't want to feel in the dark.
"You would rather know your exposure and vulnerabilities than to have to assume where your risk lies," Dickman said. "You feel less vulnerable when you know your options. The worst vulnerability I have is one of uncertainty. I'd rather know my options and at least have a plan to mitigate my risks rather than be misinformed or uninformed."
Red Hat Enterprise Linux is an open source product. Anyone who wants can go look at the source code of the kernel and patches added to it. That, of course, is not the case for a proprietary operating system like Windows.
"It’s the culture they built and the ethos around open source," Dickman said. "The community and collaboration. Patches aren't coming solely from Red Hat. They're being contributed by many others who are looking at this. The collective thing is greater in the open source community than in one that has a closed source proprietary nature."
A global systems integrator that works with both technologies, however, saw Microsoft's efforts as just as prompt and transparent.
Both companies distinguished themselves to some smaller vendors less experienced in handling situations requiring rapid implementation of security updates, said Chris Moyer, vice president for security at Virginia-headquartered DXC Technology.
Microsoft and Red Hat certainly have different mantras and core cultures, and partners to some extent need to adapt their engagement styles to each vendor. But as DXC scrambled to secure a large Windows and RHEL install base, both vendors were quick to make patches available and support efforts to apply them across complex systems.
"We reached out early to both and said we want to understand what you're going to do, when you're going to release, how we're going to get ready to put these things into play," Moyer told CRN. "We took some of those things and tested them and made sure we had constant feedback."
Implementing a broad array of patches, as required by Meltdown and Spectre, was hardly pain or risk free. What DXC wanted was timely access to information and attention to its feedback, and it got that from both vendors, he said.
"If I try something out and get a weird result, I need that relationship and specific connection points," he said. "They both have that kind of mechanism and are both very inclusive."
The level of cooperation between vendor and solution provider had to be particularly close because of the many configurations of hardware and software that could affect results across complex environments, as well as factors like the sequence of applying patches. And there wasn't much room for error because the patching required reboots, which meant scheduling downtime.
All technology companies were frustrated by a rushed process in putting out Meltdown and Spectre updates, Moyer told CRN.
"The whole industry thought they had more time. But all realized they were in a race, so everybody was pushing patches out pretty quickly, which means our test cycles had to ramp up," Moyer said.
Because Microsoft and Red Hat both have so much experience releasing patches, their partners fared better than those of many other vendors, he said.
"Early access is the biggest thing these guys do well. They're open about it. These guys get more market share, and definitely with us, because they understand enterprise needs," Moyer said. "This is one of those events in our industry that we're glad we have the kind of partnerships we have with these guys."
Ric Opal, senior director at Oak Brook, Ill.-based SWC Technology, said Microsoft contacted his company immediately with an email detailing in highly prescriptive fashion how to close the Spectre vulnerability through Windows.
Microsoft has been extremely quick to provide information and transparent in its efforts throughout the process, Opal said. The open source ethos has largely permeated the software giant since CEO Satya Nadella took over.
At the same time, "the partner has to own part of this," Opal said.
"You have to be in tune as a partner for all the guidance and capabilities Microsoft is delivering you. There's an enormity of data. You as a partner have to recognize this is important," he said.
Problems typically arise not because patches aren't available, but because they're not ingested and applied properly.
Where technology vendors can make an important contribution is helping their partners and customers transform governance processes and procedures around patching. Microsoft has done that programmatically through its One Commercial Partner structure, Opal said.
"I consider the communications I have seen to be exceptionally transparent," Opal said. But "some partners might be not plugged into all those coms, even if they're publicly available."
Microsoft declined to comment on CRN's poll.
Red Hat's Christopher Robinson, program manager in the product security unit, said in regard to the survey that the company is pleased its partners "recognize the maturity and consistency of our vulnerability management process."
"While the scope of Spectre/Meltdown was different, at their core, these were security flaws much like any of the over 2,000 we deal with each year to support our portfolio," Robinson said.
Red Hat recognizes security flaws can generate intense media and customer attention. That's why it developed a Customer Security Awareness program that implements a methodology for providing information to subscribers and the larger community on issues that arise, and the remediations available, Robinson said.
On the technical front, Jon Masters, a Red Hat processor expert, said his company's investments in a "multi-architecture future" have imbued it with deep knowledge of processor design.
"We work with so many other vendors that we have a very good handle on how different designs behave," Masters told CRN. "Our connections allow us to help other vendors coordinate mitigations."