[osol-mktg] Cool clip: SearchOpenSource: Solid OpenSolaris mention!
Laura Ramsey
Laura.Ramsey at sun.com
Wed Apr 19 10:35:55 PDT 2006
Nice story here w/ good connections between open source dynamic and
government opportunity...OpenSolaris community success mentioned toward
end (with minor grammatical errors referring to OpenSolaris as "open
solaris platform").
Cheers!
LKR
Open source security in government
SearchOpenSource.com
Andrew Bardin Williams
April 19, 2006
http://searchopensource.techtarget.com/originalContent/0,289142,sid39_gci1180306,00.html
Enterprise-level features, flexibility and cost have always been key
factors for organizations that choose open source over proprietary
technology. For IT managers in the government sector, however, these
benefits often take a back seat to another software characteristic: IT
security. Is open source secure enough for the government's IT
infrastructure?
Gartner analyst John Pescatore says that many open source solutions are
actually more secure than closed source solutions and thus may even be a
better fit in the government sector.
"There is a myth out there that because the bad guys see the code, there
are more vulnerabilities," Pescatore said. "But the truth is that the
better predictor of robust code is whether security was a top priority
during the development cycle or just an afterthought." In his opinion, the
security argument against open source is a dead issue.
Open source security was a big concern for Dennis Wells, the policy and
planning manager for the office of information services for the state of
Oregon. Wells was searching for a customer relationship management (CRM)
solution for the Department of Human Services (DHS). After relying on
spreadsheets for years, Oregon DHS decided that it needed a better system
to track the more than one million residents who use the state's services
each year. The task of researching CRM solutions fell to Wells. In addition
to meeting the department's specific needs, the solution would also have to
satisfy the state's strict security requirements.
"I wasn't really concerned with open source versus closed source. I decided
to just look at all the alternatives," he said.
Wells eventually settled on a solution from SugarCRM, an open source
application that provided him with a customizable solution that Oregon DHS
could tweak to fit its needs. The fact that the code was open was never a
security concern. Wells was satisfied that SugarCRM proved that its
software was just as robust and as stable as any other solution he
evaluated. He was more concerned with being able to customize the CRM
application to fit the department's existing business process. After
getting approval from the IT department for security and business process
requirements, Wells downloaded and installed the open source solution for
free in less than ten minutes.
According to Pescatore, Wells's appraisal of open source security was not
unique among government IT managers. With security no longer a concern,
purchasing decisions can be based on functionality and price, just like
closed source solutions.
Protecting intellectual property
Alan Kraft, vice president of the federal group for Novell, agrees. He
thinks that intellectual property concerns have supplanted security as the
battleground between open source and proprietary vendors.
"When it comes to the government sector we need to be aware of what is in
the best interest of the public," Kraft said. "The fact is that open
source, and the community that supports it, may be better suited in
government."
Kraft points to an ongoing public battle between the Commonwealth of
Massachusetts and Microsoft. The state is trying to pass legislation that
would have the state adopt an open source document policy by January 2007
in order to better protect the accessibility of its digital documents. The
state is arguing that if Microsoft or another closed source software vendor
ceased to support older versions of its platforms, thousands of the state's
archived documents could be rendered useless. In a world gone crazy over
compliance and the preservation of digital documents, losing these files
would be disastrous.
Novell plans to approach the federal government later this year with a
proposal to create a document standard that would always be supported by
the open source community. In the meantime, Novell will continue to make
its open source software as robust or more robust than closed source for
government agencies through certifications like Common Criteria. Novell's
Linux platform recently earned EAL 4+, the highest level of any Linux
flavor, and the same level as the latest version of Windows Server. Sun's
open source operating system, Solaris, has also achieved an EAL 4+
certification.
The federal government uses other security testing benchmarks through the
National Information Assurance Partnership (NIAP), an organization under
the National Security Agency (NSA). NIAP aims to maintain security
standards in IT systems used in the federal government sector. But
according to Pescatore, few smaller vendors can afford the expensive
testing cycle. Typically, these vendors either need to team up with a
larger vendor like IBM or Novell or completely forego testing, instead
targeting state and local government customers.
According to Chris Ratcliffe, director of Solaris marketing, Sun
specifically targets federal government customers for its Trusted Extension
add-on to Solaris 10. The extension product leverages the flexibility of
open source with customizable security features, providing new data
labeling and access management functionality.
"Trusted Solaris is predominantly deployed in the government sector because
it is the only operating system that meets these strict security levels and
has the customized protection levels," Ratcliffe said.
Security benefits of open source
Many developers cite transparency as the main reason open source software
can be more robust than proprietary systems. If customers and developers
can look at the code, they are more likely to find a bug and create a
patch. In a closed source model, customers must rely on the vendors to
identify, diagnose and issue a patch, which can be a lengthy process.
"Bugs are getting fixed in record time because of open source, so there is
now an architecture argument in favor of open source security," said Kraft.
More quickly deployed patches mean a shorter period in which a government
agency is vulnerable to attack.
Government agencies using open source also benefit from a broad user
community in the commercial space that is committed to maintaining
security. These user communities are always testing the software,
developing fixes and sharing patches. OpenSolaris.org, a community of
developers using the open Solaris platform, has 11,000 members, only 1,000
of which are Sun employees. When a security flaw is made known, you can bet
that thousands of users have an interest in finding a quick solution.
Government agencies using the same software platform can take advantage of
these resources rather than developing their own patches or relying on
vendors. Once a patch is developed, usually the open source vendor agrees
to support it and incorporate it into subsequent releases.