Open Source Software Up the Stack

Dennis Byron

Liveblogging the Open Source "riddle" seminar


I guess it should not have surprised me but it was difficult to log onto this seminar, about the Open Source Software (OSS) "security riddle" in the U.S. government, from a Windows PC.

The riddle, on which the title of the seminar is based, refers to the fact that a Federal Open Source Alliance (FOSA) survey, done in the second half of 2007, found that a third of respondents in the U.S. government thought OSS was very secure but another third was very concerned about its security (including some users that had already implemented OSS).

All of this information is great stuff for any user, U.S. government or not. And I believe it is available as a recording (Warning: probably an .ogg file) at the FOSA website.

Intel representative Nigel Ballard opened the seminar noting that Intel is one of the top five contributors to Linux. FOSA's original study found over 50% of U.S. federal government agencies are already using OSS. More than half of the respondents say it is or will be beneficial. The major benefit "in the beltway" is the ability to access advanced and multi-tiered security, according to 33% of the respondents. But another third said security was a challenge. This is what they call "the riddle," the title of the seminar.

Nigel said everyone should use/write open source code to improve interoperability, one of the challenges U.S. Federal government users say they face.

A case study
A real-life OSS user, Casey Coleman, the CIO of the U.S. General Services Administration (GSA), said the GSA had been using OSS for about 7 years, "organically and at low risk." She said they implemented Linux, Apache, and a KM product at first but since 2005 have begun to use mission critical applications (but not transaction systems; I asked which type of mission-critical applications, if not transaction systems, but received no response).

Ms. Coleman provided a great top 10 list of benefits/issues for enterprise IT users to consider:

10. TCO--OSS does not mean free (as we have discussed here on this blog many times)
9. Avoiding product lock-in--this is the open choice benefit we have also discussed here often
8. Multiple support models--all the typical support is available and the good news is that vendors are competing on the quality of the service (rather than functionality I guess; so if you need "functionality foobar" and you get it closed or open, try open and let the suppliers compete on service)
7. Procurement--evaluation can be done much more easily without a typical Federal red tape (this same sort of red tape probably applies in many enterprises)
6. Agility--alignment with mission (e.g., the GSA now gets support for Linux but not for its KM tool, saving it money)
5. Transparency--OSS is standards based (I don't believe that is totally true but worth considering your enterprise's position on standards)
4. Collaboration--OSS users are not at mercy of the proprietary-code's vendor for improvements; and the user participates in or has insight into the process
3. Control over investments--
2. Open Source Moving up the stack--thanks for the plug; that's the name of my blog
1. Security

Security is a recurring theme of the seminar; it's "the riddle." As mentioned above, a third of survey respondents find OSS secure but a third of respondents are concerned with security issues (even U.S. government OSS implementers cite security as a concern). The good news is that the Intel community, presumably with a major security concern, is a big user of OSS.

Information on Open Source Security
Red Hatter Chris Runge spoke to the fact that there has been an evolution of security biases, such that "in many places, Linux is the preferred platform of choice." For example, NSA came out to the OSS community with Security-Enhanced Linux (SELinux) for others to use. This is now built into Red Hat Enterprise Linux (RHEL) 5 (and presumably other Lini, but the webinar was sponsored by Red Hat).

Independent of OSS, he pointed out that there were a lot of government mandates on standards that are hard to work with. Red Hat is working on things like the National Vulnerability Database.

The Chicken-Egg Problem
Erik Lillestolen of HP wrapped up by describing the chicken-egg situation. Should an agency solve the security problem first and then move to OSS, or move to OSS first and solve the security problems with it? The answer is, like investing, it all depends on the agency's tolerance of risk. The same applies to any enterprise vis-à-vis any feature.

Erik also brought up the license differences in OSS. He suggested the agency have some kind of governance policy as well to control the introduction of OSS into the environment. Also good advice for everyone.

Recommendations include identifying internal or consulting experts. Erik said this is important because many things are different than what users would be accustomed to in proprietary code (I have not found this to be the case in my research so I am not sure what he is referring to; I asked in the Q&A part of the program but my question was not answered). Other recommendations were to manage alerts (keep good track of updates, patches, etc.) and start small (walk before you run).

Q and A session
Some of the questions and answers included:
Q. Who verifies the OSS? The agency using the OSS is responsible for security validation. I am a little rusty on U.S. "federal EDP rules" but I believe the point is that the vendor of proprietary code is responsible for certifying security.
Q. Different types of OSS? The hosts explained the differences between pure open source (e.g., off Sourceforge) vs. OSS from a company such as Red Hat.
Q. The US Census Bureau recently had to back away from using hand held devices for the upcoming census. Were any open source components involved in the failed effort? The hosts were not aware of anything with respect to the handheld devices: "Our involvement there has been at the datacenter level."

For more information on the FOSA, see my blog post on November 2, 2007.

Dennis Byron’s blog on open source software: A longtime market research analyst follows what “the movement” means to business integration—in applications, infrastructure, as services, as architecture and as functionality.
