The New Open Sourcing

Open source has many allures: no licence costs, a wide range of support venues and the ability to work directly with code for customization or quick repairs. But it can create IT headaches, too: The mantra of open source has been "release early and often", which means IT managers using a disparate group of open-source apps face frequent updates and patches, and must craft rules about how and when to apply them.

Most enterprises soon find that with the do-it-yourself approach, maintenance and integration costs equal - and sometimes exceed - the maintenance cost of commercial software, due to the in-house resources needed to track, test, and apply patches and updates. The other option, using professional services firms to do that work, costs at least as much.

But a new, potentially less expensive approach is emerging - a certified, preintegrated suite of open-source components from one vendor, which stays updated and integrated via periodic suite releases.

This option could make open-source adoption easier, for example, for smaller enterprises that don't have the staff or services dollars to support the traditional open-source integration and maintenance approaches but want to use proven open-source technologies like Linux, EnterpriseDB, Postfix, Tomcat and Apache more broadly.

"By creating a standard set of services, providers create cost savings and improved quality," says Julie Giera, a vice president at Forrester Research.

For instance, hardware-and-consulting vendor Unisys recently announced its Open and Secure Integrated Solutions (Oasis) suite - a group of open-source tools optimized for large enterprise customers, with a service-level agreement (SLA) that remains in effect as long as the customer doesn't modify the software. The established trio of automated open-source support vendors - OpenLogic, SourceLabs and SpikeSource - now offer preintegrated suites, or stacks, of open-source components in addition to their previous offerings (management tools that track and patch open-source software across an enterprise). And Red Hat sells a release of the JBoss application server with other middleware components integrated.

However, the preintegrated approach will not suit every IT department. Many CIOs lack enthusiasm for it, due to issues like vendor lock-in and lack of flexibility - and you should weigh these factors as you consider the fit for your organization.

Page Break

Who Wants Preintegrated Suites?

Theoretically, the preintegrated approach should appeal to enterprises of all types and sizes. But in reality, preintegrated suites make the most sense if your open-source software is very stable, used in an "install and forget" approach, with just occasional upgrades as you refresh your technology platforms. In other words, with preintegration you choose ease over flexibility.

Also, the preintegrated approach appeals more to smaller enterprises than large ones, simply because smaller enterprises have fewer IT resources. "When it fits their IT needs, the suite approach makes sense for small and medium businesses," says Terry Retter, a director at the PricewaterhouseCoopers Technology Centre, an advisory group.

California construction firm Rudolph and Sletten is a case in point. "I'm in a mid-market company, so I don't have the resources to deal with a do-it-yourself stack," says CIO Sam Lamonica. That's why he relies on his operating system and application vendors to provide and maintain integrated suites. For example, Lamonica uses the IT GroundWorks management suite, which includes Nagios, Linux and JBoss. In this case, a commercial vendor includes open-source components as part of its product. That's fine with Lamonica, since the vendor worries about integration. Plus he suspects it keeps the price down.

CIOs like Lamonica at smaller enterprises tend to like the idea of preintegration when it's applied to specific vertical application areas, such as CRM or Web management, but dislike the idea of preintegrated middleware suites into which they must then integrate other applications.

At larger enterprises with more resources, CIOs might be more apt to pick multiple open-source integration and maintenance approaches - balancing the needs for vendor and application flexibility against the costs of maintaining that flexibility. At insurer AIG, for example, "all of our decisions are value-driven", says Jon Stumpf, senior vice president of engineering at the insurer's IT subsidiary, AIG Technologies. Sometimes, the preintegrated approach will have the best value, but sometimes it will not, he notes.

Large companies with heterogeneous platforms prefer the flexibility of a horizontal infrastructure on which they run various applications and data systems, and are willing to pay for the in-house or outside resources needed to integrate and maintain them, says Stumpf. CIOs at such large enterprises may see value in preintegrated horizontal suites, if they provide more value than other options and don't hinder needed flexibility, he says.

The University of Pennsylvania follows a similar "what fits best" approach, says Robin Beck, the university's vice president for information systems and computing. "I'd want a [preintegrated] stack where it makes sense," she says. Beck is perfectly happy that companies like IBM and Oracle include the open-source Apache Web server in many of their products, taking on the responsibility for ensuring that Apache remains integrated with their software.

One other possible appeal of the precertified suite approach: You might want to choose a suite that's been customized by the vendor when you don't have the resources or inclination to customize it yourself. That's why analysts think this concept makes sense for smaller companies. In the future, they envision vendors providing customized suites for a swatch of users - the same customization could work for all independent insurance agencies, for example, or nonchain booksellers. (Right now, such users have to use standard open-source components without specific tweaks for their business processes, pay consultants to do customization work, or buy a commercial product designed for that specific industry.)

Page Break

Lock-In and Support Concerns

Despite the promised benefits of preintegrated stacks, some CIOs have strong reservations about adopting them: Besides the lack of application flexibility, fears include vendor lock-in and inadequate support.

After all, one reason people choose open source is to take advantage of a dynamic community that quickly adopts innovation. A preintegrated suite that changes on the vendor's schedule can eliminate that dynamism.

As AIG's Stumpf notes, "If the suite is 'take it or leave it', unless it exactly matches my assessment of what I need, I'll pass on it. If the stack is rigid, it's no different than going all-IBM or all-Microsoft," he says.

Plus, many open-source components tend to be run with other components in de facto suites, which the open-source community tests and maintains, Beck says. That lessens the need for vendor-managed suites, at least for common combinations of open-source software, she says.

"It will be hard for an integrator to provide a value above and beyond what the open-source community will do," says David Rasch, CTO of IntelliContact, which provides e-mail marketing, RSS feed and blog management software to small businesses.

Even where de facto suites don't exist, Rasch doubts that third parties can put together a broad enough range of preintegrated suites to meet different customers' needs. "The amount of what people want integrated varies widely," he says.

But concerns run deeper than application choices. "For me, an offering like Unisys's Oasis is backsliding," says Rasch, because customers aren't supposed to update or modify it, in order to retain their service-level agreement.

(Customers who do such modifications would likely need additional Unisys professional services, says Ali Shadman, Unisys vice president and general manager for open-source solutions, systems and technology unit.)

To address the need for flexibility, a CIO could treat the suite as a starting point, an initially integrated collection of applications that you may choose to maintain internally or hire external resources to maintain. But this approach does have some level of vendor dependence, says Raven Zachary, senior analyst and head of the open-source practice at research firm The 451 Group.

The likely need for services spending is not lost on Hewlett-Packard, OpenLogic, SourceLabs, SpikeSource and Unisys, as well as others, Zachary says. "They see that the stack is not the business, but IT consulting is," he says.

This slippery slope into dependence on consulting services particularly scares smaller firms with limited IT budgets.

"We hear horror stories about being locked into a vendor and having their technologies forced on you," says Jason Miller, bioinformatics department software manager at the Institute for Genomic Research. "A 300-person company can manage its IT itself," he says, noting that he brings in consultants only when he has a time crunch.

But these fears of vendor lock-in and consulting run amok are not limited to small companies: "I don't want the open-source environment to become a mirror image of the proprietary environment," says the University of Pennsylvania's Beck.

A final worry: Will having a single support entity actually simplify IT efforts? IntelliContact's Rasch understands the one vendor support argument but doubts most providers' ability to live up to the accountability he needs.

And Rudolph and Sletten's Lamonica is sceptical that enough providers would support companies of his size in the first place. "There aren't many third-party providers who are willing to or capable of providing open-source solutions to us," he says, noting most services firms aimed at the mid-market are certified by Microsoft or Cisco Systems "and don't want to rock that boat".

Page Break

Better Options Coming Soon?

CIOs considering precertified suites right now face a big contradiction: Although preintegrated suites make the most sense for smaller enterprises willing to trade off flexibility for lower maintenance costs, vendors so far have aimed the offerings at the big guys. That mismatch could keep these suites off the table for many CIOs, for now.

For example, Unisys targets its Oasis offerings to large enterprise customers such as Fortune 500 financial services companies. One reason: It costs too much to sell to smaller companies given what they're likely to spend, says Unisys's Shadman.

And although OpenLogic offers several preconfigured stacks, it concentrates on large companies, notes Kim Wein, vice president of marketing.

After surveying customers, Hewlett-Packard says it found little customer demand for preintegrated suites, so it offers "blueprints", standardized do-it-yourself guides for integrating the open-source components it provides, as well as full-blown custom integration services. HP makes its consulting services available to smaller companies through resellers. But the cost of the software support is the same as for a large company, notes Jeffrey Wade, worldwide marketing manager for HP's open-source and Linux organization.

Looking ahead, analysts expect additional open-source suites aimed at the mid-market to emerge, bringing in more appropriate choices for CIOs.

Application and operating system vendors will ultimately drive open-source suites, rather than consulting firms or middleware-oriented vendors like SpikeSource and OpenLogic, the 451 Group's Zachary predicts. Companies like Red Hat and MySQL have years of experience supporting their open-source offerings, which interact with many other tools, so they'd be natural suite providers, says Judith Hurwitz, president of the Hurwitz & Associates consultancy.

It makes sense for application vendors - such as database, CRM and accounting app makers - to incorporate open source into their wares, delivering preintegrated suites on CD or even preinstalled on a server, Zachary says. After all, he says, long before open source, vendors have done that in the mid-market with proprietary software for everything from managing dentists' offices to handling auto parts retailers' accounting.

Meanwhile, CIOs should define their needs before evaluating today's suites. Large enterprises can ask if the new open-source suites fill key application needs at less cost than the do-it-yourself or externally customized approaches. Encourage vendors to meet those key needs: By shaping the demand, CIOs have a better shot at getting truly useful integrated suites, AIG's Stumpf says.

SIDEBAR: Open-Source Suites

Red Hat: Offers the JBoss Enterprise Middleware Suite, with the JBoss application server, plus tools for portal management, business process rules management, caching, distributed transaction management, messaging and development.

SourceLabs: Offers the SASH stack for Java middleware, comprising Spring Framework for business logic and component integration, Apache Axis for Web services, Apache Struts for Web application development, and Hibernate for object-relational mapping and data abstraction.

SpikeSource: Offers three preintegrated middleware stacks: the LAMP Stack (composed of Linux, Apache, MySQL and a choice of Perl or PHP) for Web sites with dynamic database-driven content, the Tomcat-based Servlet Stack for dynamic Web sites written using Java-based Web technologies, and the JBoss-based J2EE Stack for Web applications using Java Servlets and Enterprise JavaBeans.

Unisys: Offers three Open and Secure Integrated Solutions (Oasis) suites - one for application servers and two for open-source databases - using technologies such as the JBoss application server, and the MySQL or PostgreSQL databases. In the application server, Unisys includes its own Java virtual machine, designed for high-transaction scalable environments, and its own application-level security software.