Open Source Readiness: Is Your Company at Risk?

Open Source software is being adopted across all areas of the enterprise and service provider IT stacks. However, most decision makers are unaware of this adoption and its impact on their organization.

Open Source software has many different entry points into an organization and can appear in unexpected places. Developers download open source development tools, languages, and platforms in order to create flexible and robust software packages. Teams can also choose to use an Open Source framework for their projects without manager approvals. Embedded devices are also increasingly using open source for key features and firmware. Many commercial products are including or linking to Open Source libraries. IBM, Sun, and others include Open Source in their products, with little knowledge by the user base. These Open Source licenses do not come without strings, and even linking into an Open Source library can have serious consequences.

Chances are that you are as exposed (if not more) to Open Source business risks as some of the above major stalwarts who are supposed to be “pros” with software licensing and related issues. And if you are one of those companies that have to legally certify systems, data integrity and recovery such as those in the financial sector, then your business risks are even greater.

The yang of the Open Source yin

Open Source, other than being recognized for its lower cost, allows the users to customize the “environment” far beyond than that possible/allowed by the closed source counterparts. Indeed with this flexibility of Open Source, companies often fill specific niche needs that would otherwise be unaddressed by “closed source” applications. This strength can however, quickly become a weakness as organizations tend to move into overly complex customizations that result in an explosion of maintenance and development costs wiping out one of the key benefits of Open Source.

Not only that, many Open Source licenses come with a responsibility to share any modifications of the code if it is redistributed outside an organization. GPL (General Public License), the most widely used free software license, is often called a “viral” license because it “infects” code that interacts with it, forcing several of the GPL rules, such as redistribution, to take effect. Several examples of these affecting major enterprises already exist.

A Cisco third party developer used an Open Source GPL library in the firmware of a Linksys router without management approval. As a result, when Cisco released the router to the public, they had an obligation under the GPL to release the entire source code that included proprietary Cisco information and trade secrets.Cisco was sued as they were clearly in violation of the copyright clauses in the GPL and was forced by the courts to release all source code to the public, putting the company at a financial, legal, and competitive disadvantage.

In December of 2009, a suit was filed against Westinghouse, Samsung, Best Buy and other defendants claiming violation of the GPL in embedded code sold in consumer devices. This suit has again been brought forward by the Software Freedom Law Center and is ongoing.

While the above examples pertain to “manufacturers” and distributors of software, and as such may not apply to those who use them. However there is another hidden danger of Open Source: indemnification.

Many commercial software solutions offer protection to their customers if their software is found to be infringing on copyright or other issues. No such protection is provided with the vast majority of Open Source software, despite the fact that many professional software and services companies routinely use and include Open Source software in their solutions. System integrators and custom development projects often use and rely on Open Source without their customers’ explicit approval. Other commercial offerings include Open Source, without providing any IP protection. IT managers are most likely buying, installing, and using Open Source without even knowing it.

In 2004 the now defunct SCO group filed a copyright infringement claim against AutoZone and DaimlerChrysler for their use of Linux, claiming that their use violated SCO’s intellectual property in Unix. These lawsuits were stayed pending the outcome of another lawsuit deciding who actually owned the Unix IP; Novell or SCO. Eventually the courts found that SCO did not own the Unix copyrights and as such the AutoZone and DaimlerChrysler cases were dismissed. It is important to note that the cases were dismissed based on ownership of the IP. No ruling was made on whether AutoZone or DaimlerChrysler were actually liable for any infringement.

There are other risks that also need to be considered when weighing the use of Open Source in IT environments. There is no agreement, implicit or otherwise, that development will continue for any particular piece of Open Source software. As part of ongoing regulation, CIOs are increasingly required to certify operational readiness and plans for Business Continuity. However, if CIOs are unaware of the degree of penetration of Open Source in their environments or whether there is adequate support available to fix them, how can they truthfully certify these continuity plans?

Ready to mitigate the yang? Not so fast… things could change significantly in the next 3-5 years!

Open Source use has traditionally been strong in the infrastructure and application domains. While the era of Open Source infrastructure could be attributable to Linux, Java and MySQL, the era of Open Source applications will go to Android, RSS and Wiki.

However that is going to change. Open Source will get even more embeded in the infrastructure domain thereby becoming increasingly transparent to and distant from the end user. Java, PHP and other Open Source languages and development platforms are enabling the “closed source” applications to be seamlessly run on top of Open Source infrastructures. Open Source will continue to be “visible” in the applications domain, especially with the thrust of the Android tsunami behind it. And it will soon penetrate the communications domain in the coming future. The Open Source fulcrum will shift from infrastructure+applications to applications+communications.

Two key forces are driving this tectonic shift – Cloud Computing and Google.

As Cloud computing and manged services become the norm, Open Source in the infrastructure will move away from the standard IT environment. To be precise, Open Source will still be prevalent in the Data Centers for the service providers; but the management, administration, risk and benefits of such software will be abstracted away from the operating environment of a typical IT department. This does not mean that Open Source is going to completely disappear from the IT departments. It will continue to reside in enterprise applications that are not suitable for Cloud deployments.

Google’s acquisition of Android and its phenomenal success as a platform for different access devices such as smartphones, tablets, netbooks, etc. will make Open Source pervasive in the applications and devices domain. Android based devices are creating a new “entry point” for Open Source into the IT environments of companies that is far bigger and faster than any of the Open Source predecessors such as Linux or Java.

And Google ain’t stopping with the devices. It will most likely use its beachhead in Open Source devices to enter into Open Source communications. Imagine a Android phone, using Google Voice, communicating over a open wireless broadband using TV white space – Open Source from end to end. With the FCC approving the use of TV whitespace for communication channels, this scenario is more likely than you might think in the near future. And it is approaching at a pace faster than most organizations are planning for.

Open Source Readiness - Where are you?

Open Software is not going to be the same as we know it today. Open Source software usage has been increasing year over year by over 20%. Increased use of Open Source in applications, devices, and even telecommunications will continue and accelerate. Companies that do not understand and prepare for Open Source are not only missing out on opportunity, but also are exposing their organizations to unacceptable levels of legal, financial, and business risks.

Authors:
David Brown, Partner & NA Head of A.T. Kearney’s Communications & High-Tech Practice
Sid Dayal, Principal
Andrew Williams, Associate

For more information on Open Source Readiness, please contact sid.dayal@atkearney.com