Open Source (OS) is big business.
Originally seen as the rebel of the IT industry, today not only does it command the attention of individual developers and small communities of programmers, but also that of large, global companies, organisations which now realise that it makes business sense to embrace this approach. In a bid to benefit from the growth of OS adoption, Accenture, Intel, and Microsoft are just a few of the big table players who have opened their doors to it. It has evolved to such an extent that today it sees vendors collaborate and develop joint technologies and launch or run initiatives around it. The Soda Foundation for example, that aims to foster an ecosystem of open source data management and storage software for data autonomy, counts industry innovators such as Fujitsu, IBM, NTT, Scality, Seagate, and Vodaphone, among its members. We spoke to a number of industry experts and asked them: have Open Source technologies paved the way for faster products and services development? What advice would you give an organisation looking to adopt Open Source storage? Are cyber threats an issue for organisations relying on Open Source storage software? Here is what they told us.
For end users, Open Source can be an effective path to cost savings. Of course, it’s easy to try out some free or exceptionally low-cost OS software away from the production environment. But when it comes to deploying it at the front line, it’s another story. That’s why any organisation looking to adopt Open Source technologies should go through an exhaustive check list before taking the plunge. “It really comes down to examining the potential for success that the Open Source platform has for your organisation,” says Andrew Moloney, Chief Marketing Officer at SoftIron.
“We see a lot of companies adopting Open Source technologies and then finding out that there wasn’t the sort-of “enterprise-ready” support structure to deliver what they needed at the production level. In those cases, they have to find the support out in the wild, which can be a real challenge. Doing some due diligence is critical to both the short, and especially long-term success of an Open Source implementation.”
This is a widely held view among vendors, given that OS software often lacks the level of refinement and finishing in terms of usability as compared to commercial systems. Paul Speciale, Chief Marketing Officer at Scality, explains: “we do see organisations using Open Source storage software for dev/test, and pilot projects. Many of those same projects later elect to use commercially supported software in production, for a combination of reasons related to ease-of-use, features/capabilities, and quality of support. Also, from those customers who have elected to use open source in production, the cost of the enterprise support offering from those vendors often equals the cost of commercial licence subscriptions, so any perceived cost advantages are quickly negated.” The OS model, however, still has an extraordinarily strong appeal: according to the survey paper “The State of the Software Supply Chain: Open Source Edition 2021” by VMware, 95% of companies use OS software in production.
Open Source will give an IT organisation benefits with regards to cost and speed for example, but it may fall down when it comes to scope and/or quality. An OS project could be realised quickly, but it may also fail just as quickly.
Matt Starr, Chief Technology Officer at Spectra Logic, expands on this point: “Open Source projects are great in a university setting where innovative science projects are encouraged. However, usage of Open Source storage by mainstream enterprises can pose massive issues. For example, when the system goes down, the corporate CIO does not want to hear that there is no support for the solution because it was ‘designed’ over the weekend.”
Today, a large number of businesses rely on Open Source software to enhance the delivery of their services, and yet are unaware of this. The OS model enables solutions to be developed faster, it tends to show up bugs quicker, and allows organisations to tap into talent pools outside their business boundaries. On the other hand, it is critical for OS users to keep on top of any issues related to the product in question, as soon as these become known, and to have the ability to take the necessary steps to minimise or eliminate the resulting impact.
Rakesh Jain, a representative of the Soda Foundation governing board, and of IBM Research, reinforces these points: “Given that Open Source software doesn’t come with any warranty and official support, the organisations have to spend some extra effort in ensuring that its quality is up to the mark to their expectations. I would recommend that the organisations adopting an Open Source storage software become actively involved in that project’s community, become a member of the end-user community if the project offers one, and employ a full DevSecOps approach while adopting the software so that any issues can be identified early in the cycle and can be addressed by the community as well.”
So are there must-haves at the top of the planning list when considering the OS path? “Implementing enterprise-grade data protection, and strong security would be at the top of the list,” Krista Macomber, senior analyst at the Evaluator Group tells us.
In today’s market, where everyone is looking to remain competitive, and maintain or gain market share, business agility is paramount. Whether an organisation can rapidly adapt to changes in business and customer demands, can spell its success or doom. Open Source allows businesses to not waste time reinventing the wheel, but to focus on a specific aspect of the technology they need to develop, building on what an exceptionally large, global pool of technical talent, has already created. This leads to much shorter times to market. Many vendors have been tapping into the OS talent pool for this and more reasons: “SoftIron has built its business from the outset with Open Source at its heart. Our approach enables us to produce the best outcomes for our customers without locking them into our solution,” SoftIron’s Moloney tells us. “When we eliminate vendor lock-in for our customers, it forces us to do whatever is necessary to cater to their needs or risk losing them to someone else. You will see us continually make investments into the communities we are a part of, including contributing code, participating in the ongoing maintenance of these communities, and engaging with them to solve modern challenges.”
For similar reasons, Speciale explains why Scality has been keen on Open Source from the start: “Since Scality was founded in 2009, we’ve been very involved in open communities and development; when object storage was in its infancy, Scality was one of the first adopters of S3 with an Open Source project. In 2017, our dedicated engineers built and released Zenko, an open software code-base for managing data across AWS, Google Cloud, and Azure to avoid cloud vendor lock in. Zenko was accepted as a SODA Foundation EcoProject and Linux developers can use it with the support of industry-standards organisations such as SODA and the Linux Foundation. We have also used OS technology extensively in our storage solutions; for example, we leverage Kafka, Redis, Docker, Kubernetes, MongoDB, and of course our own OS Zenko technology for multi-cloud enablement.”
However, Open Source has its flaws. Just like proprietary technologies, OS solutions are a target for cyber criminals. And while organisations are allocating increasing proportions of their IT budgets to security, the number of threats is also on the rise – fast. According to researchers at Cybersecurity Ventures, global ransomware damage costs are set to exceed $265 billion by 2031. SoftIron’s Moloney tells us “Reports of attacks on the software supply chain, whether it be open source or not, have become much more common in recent years; but there’s a level of transparency inherent in open source that can at least assist in revealing attacks that might otherwise be obfuscated.” A 2022 end user survey carried out by cyber protection specialist Acronis, shows that 69% of EMEA organisations allocate between four and 15% of their IT budgets to IT security, with this budget rising to over 25% for 20% of organisations in South Africa and 18% in the UAE. Despite the OS model is open to security risk from code vulnerabilities, Spectra Logic’s Starr believes Open Source solutions may have a security advantage against vendors’ own “In many cases, Open Source is faster to patch against a new-found variant due to community collaboration.” They key is to ensure any Open Source technologies in a datacentre are constantly patched to counteract known issues.
“Open Source storage software enables businesses to meet their storage needs more affordably than proprietary software,” according to Veniamin Simonov, Director of Product Management at NAKIVO. “However, it comes with a catch, namely global availability, that allows anyone to modify, examine, and share the software, making it a central attraction point for cybercriminals. OS software code gets updated frequently by developers around the world; unfortunately, not every developer is well-intentioned, and this global accessibility makes creating a breach less challenging. Since open source software lacks service and support packages, mitigating the impact of such incidents on business operations can be very challenging. Hedging bets would not be the best action when the stakes include critical data, considering the global ransomware threat,” he adds.
It is not just vendors who are banging the security drum. Evaluator Group’s Macomber also encourages OS users to be aware of cyber threats and take all necessary measures to thwart these “Cyber criminals do not discriminate. Additionally, Open Source software has some unique security vulnerabilities that hackers will exploit, and oftentimes organisations have lax practices when it comes to tracking and updating known vulnerabilities of the various OS components that they use.”
Another independent expert who strongly encourages users to protect themselves from these threats is Jain, from the SODA Foundation and IBM. He says: “[Open Source] vulnerabilities are public knowledge and need to be addressed on a higher priority basis. However, one can plan for it by deploying the storage software such that there are multiple layers of protection; for example, have a setup such that it is not easy for adversaries to reach the storage software to be able to exploit it. Simply put, do not expect to not have any cyber security issues, but plan in advance on how to address them on short notice.”
When it comes to the integration of OS solutions, interoperability can be challenging. One of the Soda Foundation goals is to have certified suppliers via standard specification for products, compliance, and certification, and a compliance lab for seamless interoperability. What would the benefits of such a programme be for vendors and for end users? Scality is one of the founding members of the foundation and Speciale, its CMO, shares his thoughts on the advantages of having a common framework: “Standardisation is a powerful way to simplify data management and promote data autonomy and mobility for end users. That is the reason Scality is one of the founding members of the SODA Foundation.”
SoftIron’s Moloney is a supporter of the idea of vendor certification but sees its limitations: “For all of the advantages of Open Source, its flexibility comes at the expense of complexity. So any attempt to abstract some of that complexity away through testing and certification to help broader adoption can only be a good thing for the community as a whole. That said, while this type of testing and certification can be useful in assuring some basic levels of compatibility between what can quickly become a huge number of Open Source projects, in our experience the real challenges tend to happen as you integrate into the customer environments, which often encompass integrations beyond those within the scope of any of these types of projects, especially with more proprietary projects which almost inevitably exist.” Spectra Logic’s Starr takes it one step further: “I do not think certified suppliers should be considered, mostly because of the number of certifications out there. For example, certifications like this do nothing to allow a storage device to connect to a secure government network. Those certifications are completely different, and the same goes for many corporations.”
Having a standardised framework for developers to align to, could indeed further speed up the creation and adoption of OS solutions, building on the existing pace of technology development and innovation inherently linked to the Open Source model. This is arguably one of the attractions of OS, as Jain explains “Open Source technologies have had considerable impact on faster development, both of Open Source projects and tools, as well as proprietary software.” He adds: “This is because the processes and methods used in the Open Source world are time tested and matured, and now used in proprietary software product and services development.”
Scott Sinclair, senior analyst at ESG Global agrees: “Open Source technologies have made it easier for new start-ups to enter the space, which fuels more innovation.”
The Open Source world also encourages innovation in the commercial side. “The combined efforts of the OS Community respond to the needs of that space and gradually build out a solution that supports all the valuable features and capabilities. That process continues until all significant needs are met, and restarts as needs change over time,” according to Curtis Anderson, software architect at Panasas. “Successful Open Source projects allow significant innovation, but they also disrupt any existing commercial solutions unless those are responsive to customer needs. If they are not, the Open Source alternatives will grow much faster and the commercial solution will be forced to change and innovate. Having an Open Source project in a market niche breaks up enclaves dominated by solutions that are not responsive to customer needs.”
“Open Source technologies such as Linux, Kubernetes, and Samba, provide IT vendors with a huge base of intellectual property they can build upon, totally free,” explains Aron Brand, CTO at CTERA. “By publishing portions of our code on Open Source, we were able to access a deep reservoir of technological knowledge and expertise, and benefit from highly professional peer review and feedback. If your company has the technical chops for Open Source, this can be a great way to leverage the knowledge of the community and reduce your maintenance burden,” he adds.
The experts we spoke to have varying views on whether the OS approach has accelerated technology development and whether Open Source generally is good news. Data storage industry expert and chair of the Storage Networking Industry Association (SNIA) EMEA Alex McDonald does not mince his words: “I like Open Source projects for their initial impact and vision, but they can lead to longer-term poor maintenance processes and responsiveness, and a lack of development direction as they mature. Faster doesn’t mean better either.” McDonald’s comment finds further validation in the reality that once a piece of code is shared with the Open Source community, a developer may take that and build something new with it but, depending on the path that software takes, it may or may not become a very reliable and stable technology.
Moloney is singing from a similar song sheet when he says: “there’s a double-edged sword here: quickly deploying Open Source technologies on generic hardware can produce some very mediocre results without the skilled intervention of (a team of) talented engineers.”
Starr brings up an interesting point, highlighting that in order to cast our vote, we should look at the entire process, from initial development to deployment in production environments “[Open Source technologies have paved the way for faster products and services development], but you still need to test OS software. So the development efforts are faster, but the testing remains the same.”
Tim Klein, president and CEO at ATTO has seen the Open Source industry develop over the past forty years, and believes there are pros and cons to the effect this approach has on a solution’s time to market “I have mixed feelings on Open Source technologies. Open Source can easily make some developments and collaboration quicker, but sometimes innovation can get stifled because IP can be too free flowing, resulting in hold-backs on truly wonderful ideas because of IP concerns.”
This is a very valid point: the moment an individual developer, or a company looking to profit from their technology, moves their code into the OS community to benefit from a much larger talent pool and a quicker time to availability, they need to have a solid business plan to monetise said product, one that making the code available to other developers will not jeopardise. This could indeed slow down the development of, or even stop, some innovative technologies, possibly to the disadvantage of thousands of organisations that would benefit from them. However, many vendors have come round to the idea that embracing Open Source may make more financial sense for them than fighting it (looking at you, Microsoft). This is in part due to the fact that vendors that get involved in OS projects will find recruiting talent easier, and that most large customers today are relying on Open Source software to varying degrees, be it commercial or community versions.
So where now? The benefits of the OS approach are significant and range from reduced costs to increased flexibility and shorter times to market. However, reliance on the general developer community to bring the code closer to completion, or even just to spot and address issues, can be a risky strategy. Vendors needs to ensure they put all the necessary policies in place to confidently bring a technology to market that their customers can adopt and trust. What about end users? In order to benefit from the advantages of the many Open Source technologies available today, they would be wise to pick solutions that have some form of commercial support to avoid encountering problems that may have a direct, and possibly significant, impact on their productivity and, ultimately, bottom line down the road.
Featured image: ©HappyAprilBoy