President and COO of Sun Federal Bill Vass' Weblog

Wednesday Jun 17, 2009


Some people may wonder when I am going to run out of reasons to move to Open Source. I feel like I have the opposite problem. I find it difficult to limit the number of reasons I highlight to move to open source.

I remember back in the 80’s and 90’s everything software-related was focused on “best of breed”. Best of breed was a term that made companies and organizations feel special. It made them feel like a solution was tailored to fit their specific problem. Best of breed appealed to egos, but mostly it was a term created by marketers trying to sell product.

Soon, best of breed went the way of other boom technology terms such as "robust". However, perhaps in times like today when retro is in, best of breed may make a comeback, because the #6 reason to move to open source is the ability to engage with a community to get your specific requirements into a product.

Governments do not need to settle for the packaged solutions that a vendor is selling them. They can take existing open source solutions, join the community process, and add the features that are right for them, not what a vendor “thinks” is right for them. This is happening all over the government: in the Intelligence agencies with examples like FMAC and SE Linux, at NASA with the World Wind Java 3D project, at DISA with the Forge.mil project, and in many, many more places.

Open source code creates a vehicle for a community of developers (including government organizations and the SIs) to contribute to creating applications that meet the government’s requirements. Much like the community development process undertaken by the Nationwide Health Information Network (NHIN), open source puts thousands of developers to work on a truly customized solution made by the masses. For NHIN, the Office of the National Coordinator developed a pilot 'Reference Implementation' based on Sun's open source middleware that enables multiple federal agencies and private sector organizations to securely link their existing systems to NHIN through CONNECT, allowing the beginnings of a truly interoperable electronic health record information exchange. The pilot was developed with no need for long procurement cycles or massive costs, since the entire software backbone is 100% open source.

I am toying with the idea of posting two more blogs on reason 7 and 8 to move to open source...stay tuned ;-)



Wednesday May 20, 2009

Generally speaking, you get 90% of the functionality for 10% of the cost. However, in many cases you get more functionality for a lower cost. For example, many of the open source products "grew up" in the Web 2.0 world, so they were made from day one with security and MASSIVE scale as part of their design requirements.

Very few proprietary products were built out of the box to support deployments the size of Google, Yahoo, Facebook, and eBay. All of these deployments are built on open source for many of the reasons I have been talking about in my blog: open source provides better security and huge scale, all at a much lower deployment cost. If enterprise and web scale is what you need, open source is the way to go.

On the other hand, it is very important to understand the licenses and support agreements and how you are going to use them. There are some examples where open source licensing and support can cost more than a proprietary equivalent. I have found these examples to be rare, but they do exist (for example, if you look at the GSA schedule, Red Hat on the same server will actually cost you more than Windows). It's important to understand that while the cost of acquisition is zero, open source is not free in a production environment, because CIOs running mission critical environments need support and indemnification.

Open source enterprise products are ready to support your mission critical applications: in the operating system area there's Solaris and Linux; in the middleware area there's Glassfish and JBoss; in the database area there's MySQL and PostgreSQL; and even the desktop area, which has been lagging behind in open source, is starting to gain some ground with over 220 million OpenOffice users. Government organizations can realize significant savings in support costs by moving to open source products.

Bottom line, you are saving money on the licensing cost, support cost, deployment cost, and manpower to deploy it. It's just all goodness from a cost perspective. Lately I have seen numerous government reports estimating many, many billions of dollars that could be saved by moving to open source.

Saturday May 16, 2009

First of all, for any software or hardware platform, you want to make sure the product you select implements open standards interfaces, so that you are not locked into using only one product. This gives you the flexibility to move from one product to another if you run into security, scaling, support, or cost issues.

However, if the product is open source, you can see exactly how the interfaces are implemented, so understanding their real behavior is a much simpler process and no reverse engineering is required. Being able to see the source code also aids interoperability, because it removes any ambiguity about how the interfaces are implemented.

The other big advantage to selecting open source is that you can get support from multiple vendors. For example, with Solaris you can get support from HP, IBM, DELL, Sun, INTEL, Fujitsu and AMD (the same is true for Linux). Anyone can provide support because all of the Solaris code is published under an open source license. This also gives you what I like to call "investment protection." If a company provides you with an open source product and then goes out of business tomorrow, the code is still publicly available, so you can easily get another company to pick up your support requirements.

This also saves money because there is competition in providing the support. For a proprietary product, only the company that owns the code can support it. With open source, since you are not locked in, you can compete the support from multiple vendors.

That's a HUGE deal, because in the government the cycles are sometimes so long that a selected vendor could go out of business or completely change its product direction during the life cycle of your project, and that could force a very expensive change and/or an extended timeline. Also, vendors can often only support one version of their product for about 10 years, and many government projects live longer than that. Selecting open source products gives the government many other support options; for example, a Systems Integrator could pick up support for an open source product version that has been EOLed by the vendor.

The selection of an open source product keeps you from being locked into a vendor and provides "investment protection" throughout the entire life of your project and beyond the life of the vendor and that's really, really important in this wild unruly world of mergers and acquisitions, changing economies and those kinds of crazy things ;-)

Thursday Apr 16, 2009

If you are like me, and you have been involved in cryptography and Cyber Security for a long time, it's obvious to you that commercial open source code is more secure. As a matter of fact, in the late 90s, many of the Intelligence agencies mission systems and the DoD tactical systems moved to open source ONLY to improve security. Today, the majority of the critical systems in the Intelligence agencies (the people that care most about Cyber Security) run on open source operating systems like Solaris and Linux. The same is true of places like the FAA, IRS, and a whole lot of other organizations that care about security.

We have a saying in the world of Cyber Security: Security through obscurity, isn't. However, to many, it may not be so obvious, so let me walk you through some of the reasons that commercial open source software tends to be more secure, then I will give you some data at the end to back it up.

First of all, you need to look at the supply chain issues. The reality today is that ALL software is written globally. You need to deal with the fact that software from Microsoft, Oracle and IBM is written in part in India, China, and Russia. In fact, the majority of all software, open or not, is written all over the world. By making the code open source, nothing can stay hidden in the code. If the Trojan Horse had been made of glass, would the Trojans have rolled it into their city? NO. Open governments are more secure for their citizens, and open source software is more secure for anyone running it. Public scrutiny is a beautiful thing. Just look at the free press in this country and open government. We want and need security, peace and tranquility for our citizens. The founders of this country based our government on openness. Open Source enables security. It's pretty obvious when you think about it.

I'm not the only one saying that, of course. One recent example comes in the light of large scale computer intrusions detected coming from a PRC-based hacker group. This week the New York Times and CNET ran a story by John Markoff titled "Vast Spy System Loots Computers in 103 Countries" which details these attacks. In a related technical report issued by the University of Cambridge, "The snooping dragon: social-malware surveillance of the Tibetan movement", on this widespread series of attacks, the researchers point out many ways these threats could have been mitigated, including a strong endorsement of open source SE Linux and Trusted Open Solaris.

Let me give you another analogy...

I usually like to use car analogies, but lately I've been using this suitcase analogy to make my point about open source and security. Imagine you enter the security line at the airport and there is a proprietary vendor in front of you with his locked suitcase, telling the TSA official not to worry and to trust him, stating he has checked everything in his suitcase and it is safe. How would this make you feel? Pretty vulnerable, right? Wouldn't it be better if the person in front of you were a true open source advocate who welcomes the TSA official to check anything he wants, because he has nothing to hide?

Who are you going to feel safe getting on the plane with? It's a no-brainer. So why would you trust a vendor to put stuff on your server with life critical or mission critical systems, where no one can see what is on the server except for that one company, or that one group of people? I have sometimes heard proprietary vendors say about open source code, "but everyone can see how the security works." They are making the point for me! Precisely because everyone can see it, the security in open source code has to be genuinely strong; it cannot lean on obscurity the way proprietary software products can.

Proprietary (closed source software) developers say “trust us.” Commercial open source software developers say “see our security...everything we do to build security in: our documentation, models, architecture, review processes, programming language selection, coding standards, source code, verification analysis methods, instrumentation, tools, techniques, automation, certification, ongoing deployment risk management results, remediation, ...” You get the picture. For commercial open source software the security advantages are more than just the ability to view the source code, it's the entire open technology development life cycle that begins with security fundamentals and security goals very early in the process.

The newly announced Building Security In Maturity Model is a great way to openly see how experts analyze the effectiveness of a software security group, and it should be apparent that commercial open source software developers who allow the data collected about their security initiatives to be assessed in public view will increase their resulting security, if properly vetted. Think about it: all physical security is open source. You can go to the patent office or online and see how any lock works, but that exposure only makes it more secure. I often hear from the proprietary vendors that they have "the right" people reviewing their code. That proprietary vendor in my suitcase analogy probably had "the right" people back at the office (in China) check his suitcase, so the TSA official should just allow the suitcase through security without checking it, right? Wrong. With Open Source EVERYONE is looking at and in the suitcase, even the intelligence agencies.

The Intelligence agencies are part of the open community that looks at code. Keep in mind there are millions and millions of lines of code out there. Windows is something like 30 million lines of code; Oracle I would guesstimate at 15 million lines of code; Solaris has 20 million lines of code (see page 19). Then you add Linux at around 12 million lines of code, and MySQL... it compounds quickly. There is no way that a few hundred experts can really review all of the code out there. It truly takes a village.

To make the point even more strongly: when Sun open sourced Solaris, Solaris already had the highest security rating that the government offers for enterprise operating systems, and it still does today. Plus it is certified by the federal government and reviewed by all the best experts in Sun (there are a lot of smart people at Sun), the intelligence agencies, and a lot of other smart people out there in the community. Even so, when we released the code, within one month we had 28 new vulnerabilities identified by the 160,000 people in the Solaris community, and we were able to fix them before someone used them to do something bad.

The same thing happened when we open sourced Java. Java has had almost no security issues in its entire history. There were three or four issues that came up that we were able to fix before someone could use them for wrongdoing. As soon as you move to Open Source there is a lot more that the community will pick up, and you are going to fix it before it can be used for an infiltration rather than after.

So that's why the national security agencies and others made this big initiative to move to open source: public scrutiny increases the quality of the code, just like it does with physical security. Take the RSA algorithm, which you use every time you buy something online. The algorithm was published openly, it was criticized, it was changed, it was criticized again, and it was changed again before it went into production, because we had lots of people looking at it and lots of people criticizing its security.

Then there was the Clipper chip. The Clipper chip was done by the Clinton administration, you may or may not remember it, and the whole idea of the Clipper chip was: we won't tell you how it works, but you should trust that it is secure.

The Clipper chip's key escrow was broken soon after researchers got their hands on it. Why? Because it had a secret inside the lock, and the inside was made of paper: the escrow field was protected by only a 16-bit checksum, which an attacker could brute force in a modest number of trials to get the chip to accept a field that defeated the escrow entirely. It was not open source, so the weakness survived until it shipped. Had it been open source, everyone would have seen the weak checksum, and it would have been corrected before it was deployed. The RSA algorithm, to my knowledge, has never been compromised to this day other than by brute force against undersized keys.
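To make the "16-bit checksum" point concrete, here is an added example (not code from the original post, and not the real Clipper/Skipjack LEAF format) of why a 16-bit integrity tag on a key-escrow field is no barrier at all. The model is constructed: a LEAF is a (unit id, escrow blob, tag) triple, the tag is a keyed hash truncated to 16 bits under a "family key" that lives inside every chip and is unknown to the user, and the receiving chip's accept/reject decision is the only oracle the attacker has. The attacker never needs the key: with a garbage escrow blob fixed, one of the 65,536 possible tags must be accepted, so enumerating them forges an escrow field that verifies but contains nothing a third party could recover.

```python
import hashlib
import hmac
import struct

# Assumption (constructed value): a family key baked into every chip and
# unknown to the user. The real Clipper family key was classified.
FAMILY_KEY = b"constructed-family-key-not-the-real-one"
TAG_BITS = 16                    # width of the integrity check, the weak point
TAG_MASK = (1 << TAG_BITS) - 1


def leaf_tag(unit_id: int, escrow_blob: bytes, key: bytes = FAMILY_KEY) -> int:
    """Tag the chip computes over a LEAF: keyed hash truncated to TAG_BITS.

    Toy stand-in: HMAC-SHA256 instead of the chip's (then secret) algorithm.
    The width, not the hash, is what matters for the attack below.
    """
    mac = hmac.new(key, struct.pack(">I", unit_id) + escrow_blob, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & TAG_MASK


def receiver_accepts(unit_id: int, escrow_blob: bytes, tag: int,
                     key: bytes = FAMILY_KEY) -> bool:
    """The receiving chip's check. This is the attacker's oracle: feed a
    candidate LEAF to a chip and observe whether it starts decrypting."""
    expected = leaf_tag(unit_id, escrow_blob, key).to_bytes(4, "big")
    return hmac.compare_digest(expected, (tag & TAG_MASK).to_bytes(4, "big"))


def forge_leaf(unit_id: int, garbage_blob: bytes) -> tuple[int, int]:
    """Find a tag the receiver accepts for a LEAF whose escrow blob is garbage.

    Never computes the tag and never touches the family key: it enumerates
    every TAG_BITS-bit value and asks the receiver oracle. Exactly one value
    matches, so this terminates within 2**TAG_BITS queries.
    Returns (accepted_tag, oracle_queries_used).
    """
    for candidate in range(1 << TAG_BITS):
        if receiver_accepts(unit_id, garbage_blob, candidate):
            return candidate, candidate + 1
    raise AssertionError("unreachable: some TAG_BITS-bit value must match")


if __name__ == "__main__":
    unit = 0x0BADF00D                         # constructed chip serial
    real_blob = b"wrapped-session-key-for-escrow"  # what a legitimate LEAF carries
    garbage = b"\x00" * len(real_blob)        # what the attacker substitutes

    legit = leaf_tag(unit, real_blob)         # the chip produces this honestly
    forged_tag, queries = forge_leaf(unit, garbage)

    print(f"legitimate LEAF accepted: {receiver_accepts(unit, real_blob, legit)}")
    print(f"forged LEAF accepted:     {receiver_accepts(unit, garbage, forged_tag)} "
          f"after {queries} oracle queries (max {1 << TAG_BITS})")
```

The cost of the forgery is 2**TAG_BITS oracle queries in the worst case, which is why a 16-bit check is an afternoon's work and a 32-bit one would already be about four billion chip interactions; the point of the post is that a width this small would never have survived public review, and the code makes the arithmetic visible.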

Remember: security through obscurity, isn't. How many times do we have to see that truth repeated? If you look at Common Criteria certifications, the two enterprise operating systems with the strongest protection profile and the strongest certification are both Open Source. Open Source drives more security.

Eventually, the trend toward higher assurance levels will hopefully benefit from new open source projects such as Open Proofs and related open source tools such as Why with the associated formal methods open source software components. Again, Open Source drives more security.

If you take a look at the National Vulnerability Database, you can see that almost every open source product has had fewer vulnerabilities exposed and fewer vulnerabilities exploited against it than the equivalent proprietary products. The NVD is a product of the NIST Computer Security Division, Information Technology Laboratory, and is sponsored by the Department of Homeland Security’s National Cyber Security Division.

Here is some risk data from the Airius Risk Report®, developed from Homeland Security's NVD. In it you can see that all the proprietary software products have a MUCH higher security risk score than their open source equivalents.

Placed side by side, in each case the open source product comes out statistically more secure. So the data does back up the logic. And it's not as if the open source products are not widely deployed either: there are over 6 billion Java deployments, 14 million OpenSolaris, 120 million OpenOffice, and 115 million MySQL deployments.

Clearly security is the number one reason to move to open source...Check back soon for the number 2 reason to move to open source.
[Chart not reproduced here: Airius Risk Report, 12/31/07, Copyright Airius Internet Solutions, LLC 2009]

Tuesday Mar 17, 2009

I know I said I would create six specific blogs focused on the six reasons to move to Open Source...but while I finish writing my blog on Reason No. 1 - improved security and privacy over proprietary software...I wanted to share a recent on-demand webcast I did with World Wide Technology that answers the question: Why move to Open Source? It details the benefits of Open Source and showcases Open Source products like MySQL, Apache, OpenOffice, Open Solaris and more. Let me know what you think...And Happy St. Patrick's Day.

Wednesday Feb 25, 2009

This study is worth checking out and sharing with EVERYONE in the Federal Government:

Study: Federal Gov't Can Save Billions in IT Spending (PC World), in which MeriTalk predicts the government could save nearly $4 billion by using open source software.

From where I sit, the conclusion is obvious, open source is the way to achieve Open Government and save tax payers money, at a time when controlling wasteful spending could not be more important.

Also, the folks in the UK are really getting on board with Open Source, it's wonderful to see. Take a look at this story - Today, the UK government launched a new strategy for use of open source and open standards in Great Britain.

In summary, it:
*mandates use of open standards,
*mandates use of open source where it is not cheaper to use proprietary software,
*requires revision of procurement policies to make open source the equal of other options,
*encourages re-use of developed code - for example, by open sourcing government solutions.

We could learn a bit in the Federal Government from our friends on the other side of the pond!

Wednesday Jan 21, 2009

Once the Inaugural celebrations are finished, the new Obama Administration promises to hit the ground running on a variety of critical programs. Near the top of the list is eHealth reform with more than $20 billion proposed in President Obama’s massive stimulus package.

The key to any eHealth reform program (no matter the price tag) is to facilitate information sharing across multiple agencies and to eliminate the information silos that exist today, allowing the government to reduce costs and errors and to better serve our veterans, senior citizens and the disabled.

Many have called me an open source evangelist (see Joab Jackson, Government Computer News). But once again, an open source pilot, which has been built and tested without a dollar of government expenditure spent on software, has done what proprietary solutions have not. Open source has enabled the secure and interoperable exchange of health care information across more than 20 organizations.

So, here is the background: If the Nationwide Health Information Network (NHIN) is the information highway for health data exchange, CONNECT is the universal on-ramp for federal agencies. CONNECT is a software solution that lets federal agencies securely link their existing systems to the NHIN. More than 20 organizations collaborated to build CONNECT through the Federal Health Architecture (FHA), and as a result, agencies are heading down the road toward interoperability.

Using Sun's entire Open Source middleware stack as its foundation, including our SOA and IdM technology, the FHA built the CONNECT gateway software from open-source code. Talk about an Open Source poster child! The solution was jointly developed by federal agencies yet it will be deployed individually at the agency level. The decision to build the solution in open source provided the usual benefits (I know you have heard these from me before):

· Cost reductions for each agency and taxpayer savings

· IT consistency and compatibility across multiple agencies

· Decreased deployment times

· Security

The CONNECT initiative sped from concept to reality in 2008. In March 2008, FHA awarded a contract to develop the CONNECT solution. The solution was built with federal agency participation, and in September of 2008, three agencies were already demonstrating the ability to share information with the private sector through the NHIN. The number of participating agencies grew to six for the December 2008 demonstrations, and the plan is to have those six federal agencies participate in the NHIN by the end of 2009.

Once completed, the CONNECT software will be available to any stakeholders in the health information exchange community for download. The goal is for CONNECT to be a platform on which government and industry can innovate. This will allow the industry to build and sell better interoperable solutions to the healthcare sector.

We are happy to say that CONNECT Gateway will be made available to the public in March of 2009. Three primary elements make up the CONNECT Gateway:

· The Core Services Gateway provides the ability to locate patients at other health organizations within the NHIN, request and receive documents associated with the patient, and record these transactions for subsequent auditing by patients and others.
· The Enterprise Service Components, which provide default implementations of many critical enterprise components required to support electronic health information exchange, including a Master Patient Index (MPI), XDS.b Document Registry and Repository, Authorization Policy Engine, Consumer Preferences Manager, HIPAA-compliant Audit Log and others. Organizations are able to use existing applications within the NHIN CONNECT Gateway and are free to adopt the components or substitute their own implementations.
· The Software Development Kit (SDK) enables agencies to develop adapter components that integrate their existing electronic health information systems with the NHIN Core Services Gateway.

CONNECT has identified a number of opportunities for federal agencies to utilize the Gateway to address their mission needs in 2009 and beyond. These citizen-centric initiatives will provide a roadmap for 2009 development. Expected FHA activities include helping agencies deliver solutions that lower cost and improve access to and quality of care:

· Collect patient status assessments as they move among various care settings to track effectiveness of treatment
· Populate patient personal health records with information from federal and commercial systems
· Support health services in combating fraud and waste
· Improve coordination of benefits with other payer organizations
· Enhance onsite care for patients during disasters and other public health emergencies
· Support data collection for analysis of potential adverse events associated with drugs and medical equipment
· Help establish local networks among community health clinics that provide care to underserved populations
· Provide anonymous bulk test data for pandemic and bioterrorism analysts

If you haven’t noticed, open source has consistently been a major focus of nearly every new proposed IT program. Perhaps the CHANGE we will see will be the opening of our IT infrastructure.

Friday Nov 21, 2008

For the past year-and-a-half, the Sun Federal board of directors has been a major priority for me. I want to provide our company with a vast array of resources that will allow us to better understand and serve our government customers. It has been very important to select board members who offer a wide range of experience in both the private and public sectors.

It is my pleasure to add another high-powered acquisition to our board of directors – Mr. Arthur L. Money. It would be much easier for me to tell you what Art hasn’t done, as his list of accomplishments is nearly unparalleled in the government IT community. Art brings more than 45 years of public and private IT leadership to our board. He has a distinguished 20+ year career at TRW and currently is the president of ALM Consulting. Plus, Art has held several Senate appointed positions including serving as Assistant Secretary of Defense for Command, Control, Communications and Intelligence as well as the Chief Information Officer of the DoD.

I am really looking forward to having Art as an active member of the Sun Federal board. When I worked in the CIO office in the Pentagon, he was a great leader who moved the DoD and Intelligence Community IT environments forward. We worked closely to set up the CIO council, complete the Y2K program, improve software quality, and secure the Pentagon's networks, and he was always supportive of other progressive initiatives. In addition, Anthony Robbins worked with Art at SGI, since Art was on the board there when Anthony was head of their Federal business unit. One of the reasons I believe that Anthony and I both tend to view the Federal market and customers in similar ways is that we were both influenced by great leaders like Art. We have no doubt that Art will be an active member of our board, helping to ensure that Sun’s roster of open software and hardware solutions maximizes the return on investment for our government clients.

Friday Oct 10, 2008


The DoD continues to be open about open source. The Defense Department’s Office of the Chief Information Officer is getting ready to put specifics behind the department’s move to widespread use and approval of open source software.

The days of the DoD placing open source and shareware and freeware in the same bucket, thankfully, appear to be over.

Those of you who follow Sun closely surely know about our open source pedigree. After all, the free and open source Solaris Operating System has a larger installed base than any other commercial UNIX or Linux distribution. We have always believed that the benefits of open source are vast and, most importantly, measurable. Below is a great list of facts and figures about open source Solaris:

1. The free and open source Solaris Operating System has a larger installed base than any other commercial UNIX or Linux distribution.
2. Solaris 10 has over 7,400 supported applications. There are more applications available on Solaris than any other open operating system. Even if you count just applications for x86 systems, that's 4,300 -- four times the number of apps as Red Hat 5.
3. Solaris is supported on 1,082 SPARC and x86 systems.
4. Systems vendors like Dell, IBM and Fujitsu Siemens chose to resell Solaris because of strong customer demand.
5. There have been more than 11.5 million Solaris downloads to date.
6. Solaris 10 downloads have consistently averaged in the multiple thousands per week for more than a year.
7. OpenSolaris has more than 160,000 registered community members. Behind Sun itself, Intel is now the second largest contributor to the OpenSolaris community.
8. Gartner rated Solaris a Strong Positive (the highest possible rating) in its recent Sun Vendor Rating.
9. Solaris 10 has set and re-set dozens of performance and price/performance world records on a wide range of benchmarks, covering a variety of workloads on x86 and SPARC systems of all sizes.
10. Publicly referenceable Solaris customers include BT, eBay and Qualcomm.
11. Solaris 10 has set more than 200 world records in price and price performance (149 UltraSPARC, 58 x64/x86). Check here for the details and stats: http://www.sun.com/solaris/benchmarks.

These challenging economic times, coupled with the need for multi-level security architectures, have created a perfect storm for open source implementations. The DoD’s upcoming memorandum is just one of many actions that will increase the ability of open source to benefit both government IT administrators and American taxpayers.

Tuesday Sep 23, 2008

Thus far, September has become a true coming out party for open source software in the U.S. Federal Government. The benefits we have been touting for years, including lower cost to entry, lower barriers to exit and the ability to better customize, have caught the attention of the U.S. House of Representatives.

Just recently, the House released The National Defense Authorization Act for Fiscal Year 2009 (H.R. 5658) which includes language that calls for all DoD agencies to consider open source software when procuring manned or unmanned aerial vehicles. Including such language is a milestone for the open source movement and just the beginning!

Joab Jackson of Government Computer News wrote this in his blog, “The Defense Department has traditionally been somewhat wary of OSS, at least for official duties. So some feel the language could pave the way for greater acceptance within the Defense community.”

And that's not all. This week, come by and visit the 24th meeting of the American Health Information Community where you can see other open source projects in action. Sun Fed will show how electronic patient records can be shared across four key government agencies seamlessly and securely…all because of open source.

Also, the Navy and the OSJTF have been pushing their Modular Open Systems Approach, that not only includes open source software, but also open systems hardware.

More and more we are seeing the federal government move towards open source due to its increased security, reduced procurement times, large scalability (hey if eBay, Yahoo, Google, Army, and Navy can run on it, that is true scale), reduced cost to the tax payers, and escape from vendor lock in.

Open source will just continue to grow as the world moves to open storage (low cost hardware with open source storage management software that makes it perform as well as high cost proprietary storage devices), open networking (low cost hardware with open source VoIP, routing, and switching software that makes it perform as well as high cost proprietary network devices) and open source virtualization (xVM and Xen cloud computing without the cost of proprietary virtualization and management software). All of these will bring open source into the enterprise as part of a solution, so it will be there even if people don't know they are deploying it.

So it's good to see the federal government start to recognize that open source is already thriving in their environments (including downloads of Open Solaris, MySQL, Glassfish and Open Office), and they are already seeing the benefits of it. Like the growth of the Internet in the 90's within the federal government, it's much better to embrace it and understand its value than ignore its growth.