CIOs struggle with open source governance, cite lack of tools

By Shamus McGillicuddy, News Writer 08 May 2007 | SearchSMB.com

Technology news and tips for midmarket CIOs Digg This!     StumbleUpon     Del.icio.us

There are risks (including legal ones) associated with using multiple open source products within an organization, but those risks are often ignored by both vendors and users. One of the problems is there has been very little incentive on the part of the vendors to develop products, said Michael Goulde, senior analyst at Cambridge, Mass.-based Forrester Research Inc.

We were just getting free software off the Internet, and that raises some concerns. Bill Crowell former CIO, Oregon Department of Human Services

"Penetration is spreading, but it is not displacing," Goulde said. "It's a small minority of what's actually in use, so the market opportunity isn't there. It hasn't hit yet."

But that doesn't mean there aren't products out there. Raven Zachary, research director at The 451 Group, a New York-based research firm, said some vendors that offer open source support or maintain certified repositories of open source technology see an opportunity in creating tools that enable enterprises to manage open source like a portfolio.

He pointed to OpenLogic Inc. and its OpenLogic Enterprise product, and SourceLabs Inc. and its new Open Source Management System (OSMS). In addition to red flagging problematic open source products, these vendors also put in place basic governance and workflows that helps companies track what's being used and how it's used.

Got to have it

Bill Crowell, the former CIO of the Oregon Department of Human Services, said governance of open source technology is "absolutely critical."

Crowell said one of his peers, a CIO of a transportation agency, did an inventory of open source technology in his organization. He found 5,000 instances of open source in use -- and that was based on a scan of 10-15 known pieces of open source technology identified by researchers as having arrived in enterprises.

Looking back on his time with the Oregon Department of Human Services, Crowell said it was critical to do an inventory of usage by various departments, to have a "better idea of what was being used where and why, and whether or not open source was something that had, quite frankly, become significant."

Another major objective was to look at both the procurement and legal issues of acquiring open source technology because, in effect, the department wasn't procuring anything. "We were just getting free software off the Internet, and that raises some concerns," he said.

Kim Weins, vice president of marketing at Broomfield, Colo.-based OpenLogic, described several risks associated with using open source without proper controls.

"There are two ways to get sued over open source," Weins said. She said some organizations that adopt open source at the grass-roots level integrate intellectual property with open source components without getting permission from the owner of the intellectual property. Those copyright owners can sue the developer who misuses this technology, and they can sue the users of such technology.

Weins said the licenses for open source technology are also easy to violate without proper governance.

"There are unique aspects of open source licenses that carry with it some rather unique requirements," Goulde said.

She said there is also a downtime risk with open source. Organizations need to know how to deal with open source technology when it fails. The final risk is with compliance. With workflow in place to enforce open source polices, organizations can ensure that they have the proper controls in place to satisfy any applicable regulatory requirements.

More on open source, CIOs CIOs take a top-down approach to open source Open source lures cost-conscious CIOs Vendors-turned-open source rally round midmarket

"It's about ensuring that people are using open source components in a way that is complying with IT policy," Goulde said. "Ensuring that software is stored appropriately, protected appropriately, and access rights are made appropriate."

Alex Fletcher, lead technology analyst at Silver Spring, Md.-based open source research firm Entiva Group Inc., said creating a trusted library of open source software and components is a daunting task. He said open source is so diverse that confining an organization to a certified library can be constricting.

But Fletcher said he doesn't think a product will be enough to tame the beast. "I just think it's going to be very difficult to accomplish it with software and software alone. Policies and practices have to go with the software ... a mix of software and best practices."

Goulde added "The paradox is a lot of companies are getting into open source to reduce their costs. They're not excited to spend money to manage it."

Ultimately, he said, vendors of commercial software management tools will integrate the management of open source technologies into their products, perhaps by acquiring companies in the open source space. He said there is no reason to manage commercial software and open source software separately.

"At the end of the day it's all still software written in standard programming language," Goulde said. "It makes sense not to have two separate silos to manage these assets. They are just different asset categories that should be managed by the same tool."

Tags: IT spending and budgeting for the midmarket,  Systems management for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT IT spending and budgeting for the midmarket Saving money on software vendor maintenance contracts: A CIO series How to cut application maintenance fees without undue risk or hardship Need for speed driving midmarket adoption of IT outsourcing services CIOs taking risk of cutting vendor maintenance contracts to save money Open source solutions vs. SaaS applications: Weigh the options Your IT security budget: How to get more bang for the buck Tips to save you money during software vendor negotiations IT security spending a bright spot in '09, with more growth predicted Tips for cutting costs on telecom spending SaaS, cloud computing lead to cuts in application hosting pricing Systems management for the midmarket Windows 7 review: A closer look at this operating system for business What will net neutrality mean for SMBs? Midmarket data center management guides: Tips and best practices Microsoft among ERP vendors increasing built-in vertical functionality How to create and measure success of a SharePoint governance program 10 must-have steps for an effective SMB information security program FAQ: Business process management defined Management tools for virtualized servers: A look at the options Virtual server management vs. physical servers: What's the difference? ERP implementations: In search of ERP best practices

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary