How do open source enterprises handle security?
Security may be one of the biggest challenges facing the open source enterprise.
When I say enterprise, of course, I mean enterprise -- hundreds of servers, thousands of desktops, and truly heterogenous environments.
Because of Microsoft's desktop dominance it has made important early moves. (And let's not get into how much more secure Linux is than Windows. Patches even in the Linux world are no longer questions of if but when and how.)
Virtualization, an important facility for security because it lets you test patches without buying extra machines, is being moved into Microsoft's operating system, starting with Virtual Server 2005 and then moving on to Longhorn. EMC's VMWare may be a more powerful product (and it's out now) but it, too is closed source, and the only desktop version requires Windows.
Microsoft's quick response to demands for better patch management resulted in Software Update Services (SUS), which gives enterprises back control of the patch process by putting patches on a server that can be tested and staged as an enterprise sees fit. Even if there were an equivalent open source product, it might not scale, and which license would it be under -- CDDL, BSD, GPL, or something else entirely? Most of Microsoft's enterprise customers won't care to find out, and will be quite glad they don't have to.
The big story out of Microsoft for five years now is that it has been evolving into what IBM was, an all-embracing enterprise-level solution provider, in other words Big Iron. There is no better case study for that proposition than the area of security.
IBM understands all this. That's why it bought Corio. That's why it has a virtualization engine for its servers. But if we're depending on IBM for enterprise level capabilities, have we really gained that much in moving from Windows?
While open source too can run Big Iron, it's tough for most developers to create truly scaled solutions quickly, in the absence of a business model. And when it comes to security, that can be fatal.
So here's a question for you open source shops out there, the bigger the better. How are you handling things like scanning, patching, and management of vulnerabilities? How do the open source tools in these areas match up against what Windows is delivering, and Microsoft is promising?
Inquiring enterprises want to know.