By Roger Mitan
We may all have heard of the buzzwords in the industry, such as cloud, security, software, coding, etc. Learning some of the basics of these terms will help in the ongoing battle to right-size your environment for your needs. To add to these right-sizing tools, I would like to revisit open-source software and its position in the enterprise.
Enterprise software such as operating systems, virtualization, storage, monitoring, email, firewalls, and cloud orchestration, to name a few, can quickly become an IT budget breaker. Also, renewals and software assurance piled on top of this adds even more to this expense. Many enterprises, always being budget conscious, will at one time or another find themselves looking to open source or what is also referred to as free software to help trim these budgets down to size.
Open-source software has published source code available for anybody to review, edit, contribute to or even build their own products from. It is also generally available free of charge and free to distribute as long as certain criteria are met. These criteria are specified in the type of license the software falls under such as the Apache License 2.0 and the GNU General Public License (GPL), which are just two examples of the many licenses available. All types of software such as cloud orchestration, operating systems, web servers, anti-virus, email, storage and many more have flavors that come in the open-source variety. Determining which, if any, of these software packages has a place in your enterprise can be a complex task. To help simplify this task I have provided evaluation criteria I use when making these determinations.
I generally evaluate open-source software using the following five factors:
- Criticality – How critical is the function this software will perform? If this software is unavailable for an extended period of time due to a lack of a good support base, for an example, what impact will this have on my environment? Is this software used for unit conversions in which its lack of usability won’t have much of an impact? Or is it a storage solution that will bring the entire infrastructure to a halt should it fail?
- Cost – How much does this software cost compared to a commercial version? When I mention cost, I am not just referring to the purchase cost but also the cost of supporting the software. Some open-source software, such as operating systems, will require some internal or third-party expertise to maintain. However, the commercial versions of operating systems will also require the same expertise, although you do have commercial support to fall back on. Other software, such as the OpenStack Cloud Orchestrator software, requires a decent-sized staff of developers and engineers to maintain as compared to its commercial counterparts such as Microsoft’s Hyper-V or VMware’s VCloud, which are simpler to setup and maintain.
- Stability and Rate of Change – I combined these because oftentimes the level of the stability of a software package is directly related to how often updates are published. An example is the OpenStack Cloud Orchestrator. This solution is made up of many packages, all with their own stability and change rates. Oftentimes upgrading one of these packages will require upgrading others as well or the entire system will be broken. This leads to an environment that is difficult to maintain. On the flip side, Microsoft’s Hyper-V software is maintained via Windows updates and Windows versions and the combination of packages that are updated are self-contained in these updates.
- Support Models – Is external support needed? What support is available for the software? Many open source products have support packages available from third parties. Other than the cost of this support, which was already considered in step 2, how good is this support? What are the SLA’s? What expertise in the product does this company have? Are they contributors to the project?
- Security – How secure is the software? Is it from a reputable source? Has a source code review been performed specifically to evaluate security?
The four factors I have listed are somewhat subjective and the weight of these factors in the decision-making process vary depending on the industry and the software being evaluated. With that in mind I have provided an example of the practical application of this evaluation method.
Operating System – CentOS (Community ENTerprise Operating System). This is an Open Source Linux operating system originally forked from RedHat Linux.
- Criticality – This is the underlying OS for mission critical software, therefore criticality is high.
- Cost – As this as on OS I will need expertise either in house or via a third party as I would with any OS. In my environment, the total cost is lower as there are no licensing fees and I already have Linux engineers on staff.
- Stability and Rate of Change – This OS has been around for some time and has a large proliferation in enterprise environments across the globe. From this I know this software to be highly stable. The changes are deployed as specific release numbers and are easily updated via YUM (Yellowdog Updater, Modified). Also, due to the large install base, these updates have a chance to be vetted for issues before I apply them in my environment.
- Support Models – Is external support needed? For my environment this is not needed as I have several Linux engineers on staff who are well versed in this product.
- Security – Again, due to the large install base, this software has been both vetted from a community standpoint and due to the large install base has a large attack profile which has helped to uncover some large vulnerabilities which have been since patched. Also, due to the popularity, there are many resources available on hardening the security profile of the OS depending on its application. Based on this information, I would consider this as secure, if not more secure than its commercial counterparts.
Conclusion – This is software that, although used in a highly critical application, passes all of the other factors I have evaluated against and therefore will be implemented in my environment.
Obviously this is only one example and an admittedly easy one to evaluate, but it does show the application of these five factors. Open-source software can provide huge cost savings with the same stability and supportability as commercial alternatives. These savings can quickly transform a budget into something much more palatable. However, it is important to closely evaluate the software criticality, cost, stability, rate of change, support models and security to determine if it is the right fit for your enterprise. Putting a bad piece of software with little to no support into a mission critical application can have disastrous consequences. As always, remember, having a trusted partner to help with this evaluation can be a huge asset and help to speed up this evaluation process while benefitting from that partner’s experience and expertise with this software.
Roger Mitan is the director of engineering with BlueBridge Networks, a downtown Cleveland-headquartered data-center and cloud computing business. He can be reached at (216) 621-2583, email@example.com, and bluebridgenetworks.com.