Open source has become risky business for companies that fail to
manage software being downloaded by users. Finding help to keep
things from getting out of control, however, is another challenge
entirely.
There are risks (including legal ones) associated with using
multiple open source products within an organization,
but those risks are often ignored by both vendors and users. One
of the problems is there has been very little incentive on the
part of the vendors to develop products, said Michael Goulde,
senior analyst at Cambridge, Mass.-based Forrester Research
Inc.
"Penetration is spreading, but it is not displacing," Goulde said.
"It's a small minority of what's actually in use, so the market
opportunity isn't there. It hasn't hit yet."
But that doesn't mean there aren't products out there. Raven
Zachary, research director at The 451 Group, a New York-based
research firm, said some vendors that offer open source support or
maintain certified repositories of open source technology see an
opportunity in creating tools that enable enterprises to manage
open source like a portfolio.
He pointed to OpenLogic Inc. and its OpenLogic Enterprise
product, and SourceLabs Inc. and its new Open Source
Management System (OSMS). In addition to red-flagging problematic
open source products, these vendors also put in place basic
governance and workflows that help companies track what's being
used and how it's used.
Got to have it
Bill Crowell, the former CIO of the Oregon Department of Human
Services, said governance of open source technology is "absolutely
critical."
Crowell said one of his peers, a CIO of a transportation agency,
did an inventory of open source technology in his organization. He
found 5,000 instances of open source in use -- and that was based
on a scan of 10-15 known pieces of open source technology
identified by researchers as having arrived in enterprises.
Looking back on his time with the Oregon Department of Human
Services, Crowell said it was critical to do an inventory of usage
by various departments, to have a "better idea of what was being
used where and why, and whether or not open source was something
that had, quite frankly, become significant."
Another major objective was to look at both the procurement and
legal issues of acquiring open source technology because, in effect, the
department wasn't procuring anything. "We were just getting free
software off the Internet, and that raises some concerns," he
said.
Kim Weins, vice president of marketing at Broomfield,
Colo.-based OpenLogic, described several risks associated with
using open source without proper controls.
"There are two ways to get sued over open source," Weins said.
She said some organizations that adopt open source at the
grass-roots level integrate intellectual property with open source
components without getting permission from the owner of the
intellectual property. Those copyright owners can sue the developer
who misuses this technology, and they can sue the users of such
technology.
Weins said the licenses for open source technology are also easy
to violate without proper governance.
"There are unique aspects of open source licenses that carry
with it some rather unique requirements," Goulde said.
She said there is also a downtime risk with open source.
Organizations need to know how to deal with open source technology
when it fails. The final risk is with compliance. With workflow in
place to enforce open source policies, organizations can ensure that
they have the proper controls in place to satisfy any applicable
regulatory requirements.
"It's about ensuring that people are using open source components
in a way that is complying with IT policy," Goulde said. "Ensuring
that software is stored appropriately, protected appropriately, and
access rights are made appropriate."
Alex Fletcher, lead technology analyst at Silver Spring,
Md.-based open source research firm Entiva Group Inc., said
creating a trusted library of open source software and components
is a daunting task. He said open source is so diverse that
confining an organization to a certified library can be
constricting.
But Fletcher said he doesn't think a product will be enough to
tame the beast. "I just think it's going to be very difficult to
accomplish it with software and software alone. Policies and
practices have to go with the software ... a mix of software and
best practices."
Goulde added: "The paradox is a lot of companies are getting into
open source to reduce their costs. They're not excited to spend
money to manage it."
Ultimately, he said, vendors of commercial software management
tools will integrate the management of open source technologies
into their products, perhaps by acquiring companies in the open
source space. He said there is no reason to manage commercial
software and open source software separately.
"At the end of the day it's all still software written in
standard programming language," Goulde said. "It makes sense not to
have two separate silos to manage these assets. They are just
different asset categories that should be managed by the same
tool."
Shamus McGillicuddy, News Writer