Enterprise-level features, flexibility and cost have always been key factors for organizations that choose open source over proprietary technology. For IT managers in the government sector, however, these benefits often take a back seat to another software characteristic: IT security. Is open source secure enough for the government's IT infrastructure?
Gartner analyst John Pescatore says that many open source solutions are actually more secure than closed source solutions and thus may even be a better fit in the government sector.
"There is a myth out there that because the bad guys see the code, there are more vulnerabilities," Pescatore said. "But the truth is that the better predictor of robust code is whether security was a top priority during the development cycle or just an afterthought." In his opinion, the security argument against open source is a dead issue.
Open source security was a big concern for Dennis Wells, the policy and planning manager for the office of information services for the state of Oregon. Wells was searching for a customer relationship management (CRM) solution for the Department of Human Services (DHS). After relying on spreadsheets for years, Oregon DHS decided that it needed a better system to track the more than one million residents who use the state's services each year. The task of researching CRM solutions fell to Wells. In addition to meeting the department's specific needs, the solution would also have to satisfy
"I wasn't really concerned with open source versus closed source. I decided to just look at all the alternatives," he said.
Wells eventually settled on a solution from SugarCRM, an open source application that provided him with a customizable solution that Oregon DHS could tweak to fit its needs. The fact that the code was open was never a security concern. Wells was satisfied that SugarCRM proved that its software was just as robust and as stable as any other solution he evaluated. He was more concerned with being able to customize the CRM application to fit the department's existing business process. After getting approval from the IT department for security and business process requirements, Wells downloaded and installed the open source solution for free in less than ten minutes.
According to Pescatore, Wells's appraisal of open source security was not unique among government IT managers. With security no longer a concern, purchasing decisions can be based on functionality and price, just like closed source solutions.
Protecting intellectual property
Alan Kraft, vice president of the federal group for Novell, agrees. He thinks that intellectual property concerns have supplanted security as the battleground between open source and proprietary vendors.
"When it comes to the government sector we need to be aware of what is in the best interest of the public," Kraft said. "The fact is that open source, and the community that supports it, may be better suited in government."
Kraft points to an ongoing public battle between the Commonwealth of Massachusetts and Microsoft. The state is trying to pass legislation that would have the state adopt an open source document policy by January 2007 in order to better protect the accessibility of its digital documents. The state is arguing that if Microsoft or another closed source software vendor ceased to support older versions of its platforms, thousands of the state's archived documents could be rendered useless. In a world gone crazy over compliance and the preservation of digital documents, losing these files would be disastrous.
Novell plans to approach the federal government later this year with a proposal to create a document standard that would always be supported by the open source community. In the meantime, Novell will continue to make its open source software as robust or more robust than closed source for government agencies through certifications like Common Criteria. Novell's Linux platform recently earned EAL 4+, the highest level of any Linux flavor, and the same level as the latest version of Windows Server. Sun's open source operating system, Solaris, has also achieved an EAL 4+ certification.
The federal government uses other security testing benchmarks through the National Information Assurance Partnership (NIAP), an organization under the National Security Agency (NSA). NIAP aims to maintain security standards in IT systems used in the federal government sector. But according to Pescatore, few smaller vendors can afford the expensive testing cycle. Typically, these vendors either need to team up with a larger vendor like IBM or Novell or forgo testing entirely, instead targeting state and local government customers.
According to Chris Ratcliffe, director of Solaris marketing, Sun specifically targets federal government customers for its Trusted Extension add-on to Solaris 10. The extension product leverages the flexibility of open source with customizable security features, providing new data labeling and access management functionality.
"Trusted Solaris is predominantly deployed in the government sector because it is the only operating system that meets these strict security levels and has the customized protection levels," Ratcliffe said.
Security benefits of open source
Many developers cite transparency as the main reason open source software can be more robust than proprietary systems. If customers and developers can look at the code, they are more likely to find a bug and create a patch. In a closed source model, customers must rely on the vendors to identify, diagnose and issue a patch, which can be a lengthy process.
"Bugs are getting fixed in record time because of open source, so there is now an architecture argument in favor of open source security," said Kraft. More quickly deployed patches mean a shorter period in which a government agency is vulnerable to attack.
Government agencies using open source also benefit from a broad user community in the commercial space that is committed to maintaining security. These user communities are always testing the software, developing fixes and sharing patches. OpenSolaris.org, a community of developers using the open Solaris platform, has 11,000 members, only 1,000 of which are Sun employees. When a security flaw is made known, you can bet that thousands of users have an interest in finding a quick solution. Government agencies using the same software platform can take advantage of these resources rather than developing their own patches or relying on vendors. Once a patch is developed, usually the open source vendor agrees to support it and incorporate it into subsequent releases.