Ten Key Elements of Open Source Governance in the Enterprise
Webinar on June 17, 2009
Presented by Greg Olson, Senior Partner at Olliance Group, and Kim Weins, Senior Vice President of Marketing at OpenLogic
© Copyright OpenLogic 2009
Ten Elements of Enterprise OSS Governance
1. Open source strategy
2. Open source policy
3. Executive sponsorship
4. Buy-in from stakeholders
5. Funding
6. Take inventory
7. Provisioning
8. Requests and approvals
9. Auditing
10. Reporting
Poll Question #1
On a scale of 1-5, how open is your company towards the use of open source software (check one)?
1 - No usage of open source allowed - 0%
2 - Open source used only if no other solution exists - 29%
3 - Open source allowed when it is superior to other solutions - 12%
4 - Open source and proprietary solutions have equal footing - 41%
5 - Use of open source preferred when available - 18%
June 17, 2009 Webinar. Poll of 33 attendees, more than half of them from Fortune 500 Companies
The Open Source Revolution
[Diagram: "90% Custom Development" around a Commercial Software Package obtained through Negotiated Procurement, versus "90% Integration" of many OSS and OSS-Commercial components obtained by Download]
Compelling benefits
  - Faster path to deployed implementations
  - Lower development and maintenance costs
But… adds complexity to software projects
  - Many more sources, licenses, compatibility issues
  - Self-service updating
Open Source Strategy
Defines why the organization uses OSS and what it hopes to achieve
Expressed primarily in high-level business terms (not technical or legal)
Key values of developing one:
  - Develop management consensus on goals and objectives
    - Line of business management
    - Software development
    - Legal
  - A clear basis for developing the (more detailed) policy
  - A clear statement of rationale to guide future staff in future decisions
Open Source Policy
Specifies the rules for how the organization uses OSS
Typical elements
  - Legal Policy: What licenses are acceptable for what classes of application?
  - Acquisition Policy: What are the criteria for OSS introduction? How is it documented? Who approves, and how is it managed?
  - Usage Policy: Where may what kind of OSS be used in what classes of applications? Where may OSS be modified?
  - Support Policy: What are the support requirements for what classes of applications?
  - Management Policy: How will OSS be tracked and managed?
  - Partner Policy: How to ensure 3rd-party suppliers adhere to the policy, too?
  - Contribution and Publishing Policy: What contributions will be published? How may employees participate in communities? How will this be managed?
Executive Sponsorship
Provides the support necessary to get through major challenges
  - Controversy
    - Trade-offs between benefit and risk
    - Changes to long-established procurement policies
    - Changes to long-established development processes
    - Strongly held beliefs
  - Budgetary issues
    - Some additional systems and/or services will be needed
    - Benefits are typically harder to measure than the costs
  - Driving the effort
    - Change that crosses several management disciplines tends to bog down
    - An executive driver is key to completing this evolution
Buy-In From Stakeholders
Ensures that those involved in the use of open source will adhere to the processes
A policy not consistently followed is worse than no policy – a placebo hiding real risk to the business
Best ways to ensure buy-in
  - Executive leadership, especially in software development
  - Make sure all stakeholders understand the OSS Strategy
  - Involve the stakeholders in the policy and process development phases
  - Make sure the process yields quick approvals for mainstream activities
  - Involve the stakeholders in periodic reviews of Policy and Process
Poll Question #2
What techniques do you use to track open source usage in your company (check all that apply)?
1 - No formal inventory at all - 19%
2 - Self-reporting per project - 33%
3 - Self-reporting on a global scale - 8%
4 - Manual audits of self-reported inventories - 22%
5 - Automated code scanning tools - 17%
June 17, 2009 Webinar. Poll of 33 attendees, more than half of them from Fortune 500 Companies
Funding
Provides resources for any necessary consulting, software, or hardware solutions
The software may be free, but managing it well requires some investment
  - Consulting help to develop Strategy, Policy, Process
  - Code base assessment
  - Software scanning tools
  - OSS approval, tracking and management tools
  - Support and/or indemnification
Open Source Inventory
Why? Get an understanding of what OSS you are using on servers and desktops, or what OSS is in your applications
When?
  - Baseline: at the beginning of creating or implementing OSS policy and processes
  - Ongoing: on a regular basis (quarterly, annually)
What?
  - Don’t try to start with every machine everywhere
  - Start with a representative sample to get a sense of the scope of the issue and work through processes and procedures
  - Expand over time
Open Source Inventory
How?
  - Option 1: Self-reporting via spreadsheets or surveys
    - Hard to do, manual
    - Inaccurate because people don’t know what they are using
  - Option 2: Scanning systems or applications
    - OSS Discovery is a free open source option
    - Scan servers, desktops or applications
    - Integrate with software distribution, asset management or inventory tools
    - No source code required
    - Scans find 2-10x what self-reporting does
    - Start with a group or area, then expand
OSS Provisioning: Research
  - Try the OLEX Library (olex.openlogic.com)
  - Check out Wazi for comparisons
  - Other sources for research
    - Ohloh – community data
    - Osalt – open source alternatives
    - Ostatic – media site
    - Project home pages
OSS Provisioning: Certification
  - OpenLogic Certification
    - 42-point certification process
    - Examine: Community, Adoption, Legal, Support
    - Meet minimum bar for enterprise consideration
  - Your own certification
    - Key evaluation points – just like for proprietary software
    - Enterprise Architect recommendations
OSS Provisioning: Sourcing
  - OLEX (olex.openlogic.com)
    - Trusted source
    - Certified software
    - Vetted bits
  - General repositories
    - SourceForge.net, Google Code, java.net, freshmeat, etc.
    - Make sure you have it from an official source
    - Watch out for unvetted mirrors
    - Watch out for unvetted Maven repositories
  - Internal repository
    - Maintain an internal repository (OLEX EE, your own system, etc.)
Operationalizing Open Source Policies
What? Using technology to enforce open source policies
Capabilities
  - Allow/prevent downloads per your policy
  - Track downloads
  - Require declaration of use at time of download
  - Require approvals before download
OSS Requests and Approvals
Why? When the answer to “can I use this OSS?” is “It depends”
When?
  - Prior to download
  - Prior to use in development, in production or in release
Who is involved?
  - Requestor
  - Set of approvers (Managers, Legal, EA, OSRB), sequential or parallel
OSS Requests and Approvals
How?
  - Option 1: Manual processes
    - Email, spreadsheet
    - Quickly overwhelmed in all but the smallest companies
  - Option 2: OLEX EE
    - Process automation
    - Automated workflow for approval
    - Auto-approval and auto-denial rules
    - Comment tracking
    - Customized forms, workflows and notifications
  - Option 3: Homegrown system
    - Build and maintain yourself
OSS Auditing
Why?
  - Ensure compliance with policies
  - Ensure compliance with open source licenses
  - Protect internal IP (in cases of distribution)
When to audit?
  - At key phases in the application lifecycle
    - Development/Build
    - Test
    - Staging
    - Push to production
  - On pre-determined audit schedules
  - Random spot checks
OSS Auditing
What to audit for?
  - OSS projects used
  - OSS licenses used
  - Optional: OSS plagiarism (if distributing software)
How?
  - Compare information from
    - Policies
    - Declarations of usage
    - Requests
    - Scans
  - Identify violations
  - Remediate
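The comparison step above (policies, declarations, requests and scans, then identify violations), as an added example that is not from the deck or from any OpenLogic tool: a small Python reconciliation that flags components a scan found but nobody declared, declarations the scan no longer confirms, and licenses the Legal Policy does not allow for the application's class. The policy contents, the class names and the component names are constructed for the example.

```python
"""Audit one application's OSS use: reconcile what was declared against
what a scan found, then check every scanned component against the
license policy for that application's class."""
from dataclasses import dataclass

# Constructed policy: which licenses are acceptable for which class of
# application. Class names and license sets are hypothetical; a real
# Legal Policy would define its own.
POLICY = {
    "internal":    {"Apache-2.0", "MIT", "BSD-3-Clause", "GPL-3.0", "LGPL-2.1"},
    "distributed": {"Apache-2.0", "MIT", "BSD-3-Clause"},
}


@dataclass(frozen=True)
class Component:
    """One OSS project at one version, as declared or as found by a scan."""
    name: str
    version: str
    license: str


def audit(app_class, declared, scanned, policy=POLICY):
    """Return the list of violations for one application.

    declared: components the project self-reported (declarations/requests)
    scanned:  components an inventory scan actually found
    Findings come out in a fixed order so reports are stable run to run.
    """
    allowed = policy[app_class]
    declared_keys = {(c.name, c.version) for c in declared}
    scanned_keys = {(c.name, c.version) for c in scanned}
    findings = []
    # Scans usually find more than self-reporting: anything present but
    # never declared is a process violation, whatever its license.
    for name, version in sorted(scanned_keys - declared_keys):
        findings.append(f"undeclared: {name} {version}")
    # Declared but not found: the declaration is stale or names the wrong version.
    for name, version in sorted(declared_keys - scanned_keys):
        findings.append(f"declared-but-absent: {name} {version}")
    # The license check runs on what is really there, not on what was claimed.
    for c in sorted(scanned, key=lambda c: (c.name, c.version)):
        if c.license not in allowed:
            findings.append(
                f"license-not-allowed: {c.name} {c.version} "
                f"({c.license}) in a {app_class} application")
    return findings
```

Feeding the same scan into both application classes shows why the policy must be keyed by class: a copyleft component that is acceptable internally becomes a finding the moment the application is distributed.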
OSS Reporting
  - OSS inventories and changes over time
  - OSS downloads and declarations
  - Request and approval status
  - Policy compliance and violations
  - Application “Bill of Materials” and Bill of Licenses
OLEX Enterprise Edition: A Complete SaaS Governance Platform
[Diagram: Inventory, Policies, Approvals, and Track & Audit, built around the OpenLogic Certified Library]
Contact Information
For more information, please visit:
www.openlogic.com
www.olliancegroup.com
Or contact us by email at: