CIO

The Myths of Open Source

It isn't all about cheap: Companies keep finding good reasons to take advantage of open-source software.

At first glance, the company Employease seems unremarkable. But look a little closer. Employease, which provides employee benefits administration services to more than 1000 organizations across America, has an IT architecture chiefly built around open-source software, which makes it a rare bird - not that it was planned that way when the company was founded in 1996.

"It's been quite a surprise to me. The open-source model just seems intuitively wrong," says John Alberg, the company's co-founder, CIO, CTO and vice president of engineering. But the facts speak for themselves.

The company's 25 production application servers run on Red Hat Linux, having been switched from Windows NT in July 2000. Web pages once delivered by Netscape are now served by Apache, supplemented by Tomcat, an open-source Java servlet engine. Send an e-mail to Employease and it's processed by Sendmail, an open-source mail server, while the company's software developers use XEmacs, an open-source development tool.

But that's not all. Although the company's main applications use Informix for database management, Alberg happily confesses that he can see a time when the proprietary software will be displaced by MySQL, an open-source relational database system already used by the company for less critical applications. Snort, an open-source intrusion detection tool, is also under active consideration, says Alberg.

Companies such as Employease herald a sea change in corporate attitudes toward open-source software. Once seen as flaky, cheap and the work of amateur developers, open source has emerged blinking into the daylight. With unrestricted access to the source code to run or modify at will, and support coming from an ad hoc collection of software developers and fellow users, the open-source model is very different from proprietary software. But it is nevertheless proving attractive enough for a host of CIOs to make the switch. So who's using open source? Why are they using it? And are the benefits worth the risks? The answers are surprising - and dispel some of the myths surrounding open source.

MYTH 1

THE ATTRACTION IS THE PRICE TAG

One of open source's most touted benefits is its price. Download the software, install it - and don't pay a cent. That's the theory. But to a surprising number of open-source user companies, the price tag - or lack of one - is irrelevant. "It's not about being cheap," insists Employease's Alberg. "It's about doing our jobs effectively - and we're willing to pay quite a bit for that. We want stable software that does what it says it will do."

What Alberg finds fascinating about moving to open source is the performance improvement that resulted. The move to Linux, for example, dramatically cut the rate of server failure experienced by the company. Typically, under NT, one of the company's servers would fail each working day. Now, he says, "we get at most two failures a month - and often don't get any in a month".

Linux also runs Alberg's applications faster than NT, a fact that has meant that despite more than doubling its business since 2000, the company hasn't needed to buy more servers. "Linux increased our capacity by between 50 percent and 75 percent," says Alberg.

Even so, Alberg is careful to make clear that his commitment to open source isn't the blind buying behaviour of a zealot. He wouldn't, for example, go open source if it were more expensive than proprietary code. "Solaris is a strong commercial operating system. We'd choose it over open source if we found it to be less expensive," he says. "[While] cost is a huge driver for our decision-making process, we cannot risk choosing an inferior solution to save money. We couldn't even consider open source if it weren't at par with - or in some cases better than - commercial alternatives."

Ask many users of open source and a similar story emerges. "Cost savings weren't really a factor in our decision to go open source," says John Novak, CIO of 330-plus hotel chain La Quinta, which is moving its online booking system - previously on BEA's WebLogic - to a combination of Apache, JBoss and Tomcat. "What got us into it was that it was simply the best technology open to us."

MYTH 2

THE SAVINGS AREN'T REAL

Open-source software has been described as "free, as in a free puppy". And yes, the absence of software licensing fees needs to be offset against the costs of training, support and maintenance. On the other hand, proponents of open source also cite reduced costs of "vendor churn", where vendors require users to migrate to a new version or pay for extra support. Most users we spoke to for this story reported a net savings with open source - often a substantial one.

At Sabre Holdings - the company behind Travelocity, the Sabre Travel Network and the Sabre travel reservation system - a major migration to open source is under way, prompted by Sabre's prediction that the move will yield savings of tens of millions of dollars during the next five years.

The company runs two distinct groups of computers, explains CTO Craig Murphy. Where reliability is paramount, Sabre Holdings uses pricing - or "data of record" - applications, which run on high-spec, fault-tolerant Hewlett-Packard NonStop systems. But shopping applications - where customers and travel agents hunt for the best deals - run on a server farm of lower-cost machines. Each shopping computer has its own open-source MySQL database, explains Murphy, synchronized by an application from GoldenGate with the rules, fares and availability information held on the fault-tolerant "data of record" system. The shopping systems were on HP-UX, but by the beginning of this month, all of those servers will have switched over to an open-source operating system - Red Hat Enterprise Linux AS.

The big attraction of open source is that there's a zero marginal cost of scale because open source doesn't require additional licences as an installation grows, he says. As a result, the cost per transaction plummets as you add more systems. Exact comparisons are tricky, says Murphy, "but where we can make like-for-like comparisons, we're expecting at least an 80 percent reduction in running cost."

MYTH 3

THERE'S NO SUPPORT

According to Gary Hein, an analyst with technology consultancy Burton Group, technical support is a potential open-source user's primary concern. "Who do you call when things go wrong? You can't wring a vendor's neck when there's no vendor," he says.

In practice, the situation is complex. As Hein points out, most open-source projects have a large corps of developers, Internet mailing lists, archives and support databases - all available at no cost. That's the good news. The not-so-good news is that there's no single source of information. "A simple question may result in multiple, conflicting answers with no authoritative source," he says.

Even so, says Klaus Weidner, a senior consultant with technology consultancy Atsec, multiple sources of support can be better than being tied to one vendor - especially when that vendor provides bad support or refuses to continue supporting software of a certain vintage.

In practice, existing users of open-source software appear perfectly happy with open-source support arrangements. "The breadth of resources available for open-source applications is so great worldwide that we can get support, communicate with a developer or download a patch no matter the time of day," says Thomas Jinneman, IT director of RightNow Technologies, an ASP that hosts customer service products for more than 1000 companies worldwide, including British Airways, Cisco Systems and Nikon.

The company's hosting environment runs on Linux, Apache and Tomcat, and 97 percent of its customers use MySQL, says Jinneman. Indeed, he adds, "we've had more trouble getting support for some of our purchased commercial applications than we've had with open-source applications".

Some open-source applications also have support offered by the original developers. JBoss, for example, is backed by JBoss Group, which includes the 10 core developers who wrote the application. Depending on the contract, explains JBoss Group president Marc Fleury, users can obtain 24x7 professional support with as little as a two-hour response time. The group also offers training.

A similar model also underpins Sourcefire, whose founders created Snort, the popular open-source intrusion detection tool. Downloaded off the Internet, Snort is command-line-driven, explains Sourcefire CTO Martin Roesch. Enterprise users can set it up themselves - but more and more are contracting Sourcefire to do it instead so that the company can handle security management details.

"What I like is that you get all the advantages of open source in terms of people working on it, as well as the advantages of a commercial enterprise behind it in terms of longevity and liability," says Kirk Drake, vice president of technology for the National Institutes of Health Federal Credit Union.

MYTH 4

IT'S A LEGAL MINEFIELD

A variety of open-source licences exist, and helping CIOs understand their implications is good business for lawyers - very good business. "[CIOs'] concerns chiefly revolve around the implications of using code to which they can't verify their right to use," says Jeff Norman, a partner in the intellectual property practice of law firm Kirkland & Ellis. "Just because you've got a piece of paper saying that you own the Brooklyn Bridge, it doesn't mean that you actually own it."

For some users, third-party indemnification is an option. On November 17, 2003, for example, JBoss Group announced it will indemnify and defend JBoss customers from legal action alleging JBoss copyright or patent infringement. Other vendors of open-source software - including HP, Red Hat and Novell - also offer indemnifications of varying types.

And while conceding that the situation isn't perfect, Sabre's Murphy says that he's heard all the legal arguments he needs. "It's a concern, sure, but we've basically got to do this. There may be friction and challenges - but I don't see any showstoppers" (see "Open Source Under Attack").

MYTH 5

OPEN SOURCE ISN'T FOR MISSION-CRITICAL APPLICATIONS

Mission-critical apps don't come any more crucial than those in banking, where transaction systems simply have to work, period. Experimenting with open source, with its attendant risks in terms of potential infringement, security and maintenance, might be regarded as anathema. "Banks tend to be conservative institutions - first followers, if you like, rather than leaders," says Clive Whincup, CIO of Italian bank Banca Popolare di Milano, who freely admits that the bank's venture into open source was the result of "some fairly lateral thinking".

But walk into Banca Popolare's smart new branch on the Via Savona in Milan's Zona Solari district, and the service these days is much faster than customers have previously experienced. The reason? Unwilling to throw out the bank's legacy banking applications, totalling some 90 million lines of Cobol, but unable to keep them running under IBM's vintage OS/2 Presentation Manager operating system, Whincup has used a proprietary legacy integration tool from Jacada to connect the Cobol to IBM's WebSphere - running in a Linux partition on the bank's mainframe.

The result: Formerly disjointed applications now run slickly in a Web browser, yielding faster transaction times, less time spent training tellers - and many more opportunities for cross-selling the bank's services.

Billed by insiders as one of Europe's largest Linux projects, the Zona Solari branch is piloting the new system, says Whincup. Once testing is complete, full rollout will begin in May. One decision to be made before then: whether to leave the branch desktops running Windows XP, as in the Zona Solari pilot, or move them to Linux as well. "Both of the next two branches to pilot the system will be using Linux [on the desktop]," Whincup says.

MYTH 6

OPEN SOURCE ISN'T READY FOR THE DESKTOP

At Baylis Distribution, a transport and distribution company, IT director Chris Helps came across the MySQL database four years ago when the company was looking to create a data warehouse. Around the same time, the company began experimenting with Linux, he says, for small-scale, non-critical applications. The move to mission criticality came last year after the vendor of the company's proprietary logistics management system, Chess Logistics, brought out a new version that ran on Linux - a version that promised to improve performance by a factor of between 10 and 15 times. Helps happily signed up, and he hasn't regretted the decision.

But his experience of running Red Hat Linux in a true production environment, with users logging on to the main Linux server from what he describes as "thin clients with a cut down Linux operating system", prompted him to re-evaluate the company's desktop policy. In the end, the company opted to replace Microsoft on desktops with Linux and open-source personal productivity tools for activities such as word-processing and spreadsheets.

"We've not done a formal evaluation of the savings, but a broad-brush calculation is that it costs $US1820 per seat to install a PC with all the Microsoft tools a user needs. With Linux, and open-source tools, it's only around half that," Helps says. What's more, usability improved. "People can log in from any PC in the group and have all the same services and facilities available to them as if they were sitting at their own desks." Better still, IT support is simplified. "We haven't got the complications of users establishing a unique personalized environment on their desktops: We've got better control, better upgradeability and better traceability."

Nor is Helps alone. Other IT shops - as big and diverse as Siemens Business Services and the Chinese government - are also convinced that Linux is ready for the desktop. Siemens, for example, says it has performed extensive testing with "real-world, non-technical workers", finally declaring that Linux has now matured as a desktop system. The tests confounded the company's expectations. "We [at first] didn't see Linux on the desktop as a major market, but we were wrong," says a spokesman for the 35,000-employee organization that serves more than 40 countries.

THE BOTTOM LINE

Is open source right for every organization? In the end, argues Andy Mulholland, chief technology officer for Cap Gemini Ernst & Young, it's a question of attitude. "The arguments for and against open-source software often get very trivialized," he says. "It's not a technology issue; it's a business issue to do with externalization."

Companies with an external focus, he says, which are used to working collaboratively with other organizations, and perhaps are already using collaborative technologies, stand to gain much more from open source than companies with an internal focus, which see the technology in terms of cost savings.

"The lesson of the Web is that standardization is better than differentiation," Mulholland claims. "Is there a virtue in doing things differently? Is there a virtue in doing things the same way as everybody else?" As the past decade has shown, standardization with a proprietary flavour - think Microsoft - has its drawbacks: bloatware, security loopholes, eye-popping licence fees and an unsettling reliance upon a single vendor. In offices around the globe, an era of open-source standardization, determined to condemn such drawbacks to history, may be dawning.

SIDEBAR: What Users Want from Linux

by Deni Connor and Jennifer Mears

Enhanced system management capabilities, better security, support for third-party drivers and more unity among the various distributions top user wish lists when it comes to Linux. They would also like to see more of their peers embrace the open-source operating system as it evolves into a platform capable of supporting even the most-critical layers in the data centre.

What follows is a wish list compiled from discussions with more than a dozen IT professionals and Linux aficionados:

1. MONITORING TOOLS With Linux being deployed in more areas of the data centre, users are looking for better ways to manage Linux systems - and easier ways to find those tools.

2. RELIABILITY New versions of the Linux kernel have improved the operating system's reliability, but users say they could always use a more-hardened platform. Disaster-recovery options should be expanded, they say.

3. SECURITY Security continues to be a big issue as backers position Linux as a Unix or Windows alternative in business networks. Efforts to steel the operating system, including the National Security Agency-backed Security-Enhanced Linux (SELinux) project, need to be embraced by vendors.

4. SIMPLICITY Linux has the reputation of being overly complicated, and Linux users would like to see that image softened.

5. HARDWARE SUPPORT Users are asking for better support for things such as third-party drivers, printer management and graphic interfaces.

6. COHESIVENESS Users don't want to see Linux go the way of Unix, where vendors created their own proprietary versions that made it difficult to port applications to one from another. A more-cohesive approach would result in a better operating system, they say.

7. APPLICATIONS Some users running Linux have found limitations when it comes to software deployment and would like to see a broader range of applications supported, both on the server and desktop.

8. SKILLED DEVELOPERS Linux is becoming more widely deployed in corporate data centres, but users say that training for Linux programmers is lagging.

9. GUI Network execs would like to see an easier-to-use and better-performing GUI.

10. CONSOLIDATION Instead of having basic tools spread around the operating system, users would like to see them all in one easy-to-find location.

SIDEBAR: Open Source Under Attack

SCO Group's May 2003 letter to 1500 large-company Linux users grabbed headlines. The letter warned the users that SCO might seek legal action against them as part of its ongoing fight with IBM over allegedly stolen Unix code that may or may not be in Linux. And SCO's more recent assertion that the General Public License (GPL), under which much open source is published, may violate the US Constitution has caused a few eyeballs to roll and roiled some tempers. But beyond that, the brouhaha's impact may be limited. A number of open-source vendors have already moved to indemnify customers.

Lawyers, too, seem unconcerned about the risks that the SCO assaults pose to the typical CIO - especially since IBM, a major open-source vendor, has signalled its intention to rebut the charge vigorously. "If IBM's involved, we've got some assurance that these issues are going to get resolved," says Karen Copenhaver, a partner in the patent and intellectual property practice of law firm Testa, Hurwitz & Thibeault.

Others are also sceptical. "It's essentially a dispute between IBM and SCO, and it won't affect the majority of Linux users," says Jeff Norman, a partner in the intellectual property practice of law firm Kirkland & Ellis. "Even if SCO wins, I find it highly unlikely that SCO has a claim on Linux users."

As for the Constitutional claim? "[SCO CEO Darl McBride's] argument that the GPL violates the US Constitution is just plain silly and has generally been dismissed as such," says Copenhaver. "It is certainly one of the more bizarre allegations that he has made."