Ten Key Elements of Open Source Governance in the Enterprise Webinar on June 17, 2009 Presented by Greg Olson, Senior Partner at Olliance Group and Kim Weins, Senior Vice President of Marketing at OpenLogic

Ten Elements of Enterprise OSS Governance Open source strategy Open source policy Executive sponsorship Buy-in from stakeholders Funding Take inventory Provisioning Requests and approvals Auditing Reporting

Open source strategy

Open source policy

Executive sponsorship

Buy-in from stakeholders

Funding

Take inventory

Provisioning

Requests and approvals

Auditing

Reporting

Poll Question #1 One a scale of 1-5, how open is your company towards the use of open source software (check one)? 1 - No usage of open source allowed - 0% 2 - Open source used only if no other solution exists - 29% 3 - Open source allowed when it is superior to other solutions - 12% 4 - Open source and proprietary solutions have equal footing - 41% 5 - Use of open source preferred when available - 18% June 17, 2009 Webinar. Poll of 33 attendees, more than half of them from Fortune 500 Companies

One a scale of 1-5, how open is your

company towards the use of open source

software (check one)?

1 - No usage of open source allowed - 0%

2 - Open source used only if no other solution exists - 29%

3 - Open source allowed when it is superior to other solutions - 12%

4 - Open source and proprietary solutions have equal footing - 41%

5 - Use of open source preferred when available - 18%

Compelling benefits Faster path to deployed implementations Lower development and maintenance costs But… adds complexity to software projects Many more sources, licenses, compatibility issues Self-service updating The Open Source Revolution 90% Custom Development Commercial Software Package Commercial Software Package 90% Integration OSS OSS Com- mercial OSS OSS OSS OSS OSS OSS OSS OSS OSS OSS OSS OSS Negotiated Procurement Download OSS Com- mercial

Compelling benefits

Faster path to deployed implementations

Lower development and maintenance costs

But… adds complexity to software projects

Many more sources, licenses, compatibility issues

Self-service updating

Open Source Strategy Defines why the organization uses OSS and what it hopes to achieve Expressed primarily in high-level business terms (not technical or legal) Key values of developing one: Develop management consensus on goals and objectives Line of business management Software development Legal A clear basis for developing the (more detailed) policy A clear statement of rationale to guide future staff in future decisions

Defines why the organization uses OSS and what it hopes to achieve

Expressed primarily in high-level business terms (not technical or legal)

Key values of developing one:

Develop management consensus on goals and objectives

Line of business management

Software development

Legal

A clear basis for developing the (more detailed) policy

A clear statement of rationale to guide future staff in future decisions

Open Source Policy Specifies the rules for how the organization uses OSS Typical elements Legal Policy What licenses are acceptable for what classes of application? Acquisition Policy What are criteria for OSS introduction? How documented? Who approves and how managed? Usage Policy Where may what kind of OSS be used in what classes of applications? Where may OSS be modified? Support Policy What are support requirements for what classes of applications? Management Policy How will OSS be tracked and managed? Partner Policy How to insure 3 rd party suppliers to adhere to the policy, too? Contribution and Publishing Policy What contributions will be published? How may employees participate in communities? How will this be managed?

Specifies the rules for how the organization uses OSS

Typical elements

Legal Policy

What licenses are acceptable for what classes of application?

Acquisition Policy

What are criteria for OSS introduction? How documented?

Who approves and how managed?

Usage Policy

Where may what kind of OSS be used in what classes of applications?

Where may OSS be modified?

Support Policy

What are support requirements for what classes of applications?

Management Policy

How will OSS be tracked and managed?

Partner Policy

How to insure 3 rd party suppliers to adhere to the policy, too?

Contribution and Publishing Policy

What contributions will be published?

How may employees participate in communities?

How will this be managed?

Executive Sponsorship Provides the support necessary to get through major challenges Controversy Trade-offs between benefit and risk Changes to long-established procurement policies Changes to long-established development processes Strongly held beliefs Budgetary issues Some additional systems and/or services will be needed Benefits are typically harder to measure than the costs Driving the effort Change that crosses several management disciplines tends to bog down An executive driver is key to completing this evolution

Provides the support necessary to get through major challenges

Controversy

Trade-offs between benefit and risk

Changes to long-established procurement policies

Changes to long-established development processes

Strongly held beliefs

Budgetary issues

Some additional systems and/or services will be needed

Benefits are typically harder to measure than the costs

Driving the effort

Change that crosses several management disciplines tends to bog down

An executive driver is key to completing this evolution

Buy-In From Stakeholders Ensures that those involved in the use open source will adhere to the processes A policy not consistently followed is worse than no policy – a placebo hiding real risk to the business Best ways to ensure buy-in Executive leadership, especially in software development Make sure all stakeholders understand the OSS Strategy Involve the stakeholders in the policy and process development phases Make sure the process yields quick approvals for mainstream activities Involve the stakeholders in periodic reviews of Policy and Process

Ensures that those involved in the use open source will adhere to the processes

A policy not consistently followed is worse than no policy – a placebo hiding real risk to the business

Best ways to ensure buy-in

Executive leadership, especially in software development

Make sure all stakeholders understand the OSS Strategy

Involve the stakeholders in the policy and process development phases

Make sure the process yields quick approvals for mainstream activities

Involve the stakeholders in periodic reviews of Policy and Process

Poll Question #2 What techniques do you use to track open source usage in your company (check all that apply)? 1 - No formal inventory at all - 19% 2 - Self-reporting per project - 33% 3 - Self-reporting on a global scale - 8% 4 - Manual audits of self-reported inventories - 22% 5 - Automated code scanning tools - 17% June 17, 2009 Webinar. Poll of 33 attendees, more than half of them from Fortune 500 Companies

What techniques do you use to track open

source usage in your company (check all

that apply)?

1 - No formal inventory at all - 19%

2 - Self-reporting per project - 33%

3 - Self-reporting on a global scale - 8%

4 - Manual audits of self-reported inventories - 22%

5 - Automated code scanning tools - 17%

Funding Provides resources for any necessary consulting, software, or hardware solutions The software may be free, but managing it well requires some investment Consulting help to develop Strategy, Policy, Process Code base assessment Software scanning tools OSS approval, tracking and management tools Support and/or indemnification

Provides resources for any necessary consulting, software, or hardware solutions

The software may be free, but managing it well requires some investment

Consulting help to develop Strategy, Policy, Process

Code base assessment

Software scanning tools

OSS approval, tracking and management tools

Support and/or indemnification

Open Source Inventory Why? Get an understanding of what OSS you are using on servers and desktops or what OSS is in your applications When? Baseline: At the beginning of creating or implementing OSS policy and processes Ongoing: On a regular basis --- quarterly, annually What? Don’t try to start with every machine everywhere Start with a representative sample to get a sense of scope of the issue and work thru processes & procedures Expand over time

Why?

Get an understanding of what OSS you are using on servers and desktops or what OSS is in your applications

When?

Baseline: At the beginning of creating or implementing OSS policy and processes

Ongoing: On a regular basis --- quarterly, annually

What?

Don’t try to start with every machine everywhere

Start with a representative sample to get a sense of scope of the issue and work thru processes & procedures

Expand over time

Open Source Inventory How? Option 1: Self reporting via spreadsheets or surveys Hard to do, manual Inaccurate because people don’t know what they are using Option 2: Scanning systems or applications OSS Discovery is a free open source option Scan servers, desktops or applications Integrate to sw distribution, asset management or inventory tools No source code required Scans find 2-10x what self-reporting does Start with a group or area, then expand

How?

Option 1: Self reporting via spreadsheets or surveys

Hard to do, manual

Inaccurate because people don’t know what they are using

Option 2: Scanning systems or applications

OSS Discovery is a free open source option

Scan servers, desktops or applications

Integrate to sw distribution, asset management or inventory tools

No source code required

Scans find 2-10x what self-reporting does

Start with a group or area, then expand

Try the OLEX Library (olex.openlogic.com) Check out Wazi for comparisons Other sources for research Ohloh – Community data Osalt – Open source alternatives Ostatic – media site Project home pages OSS Provisioning: Research

Try the OLEX Library (olex.openlogic.com)

Check out Wazi for comparisons

Other sources for research

Ohloh – Community data

Osalt – Open source alternatives

Ostatic – media site

Project home pages

OpenLogic Certification 42-point certification process Examine Community Adoption Legal Support Meet minimum bar for enterprise consideration Your own certification Key evaluation points – just like for proprietary software Enterprise Architect recomendations OSS Provisioning: Certification

OpenLogic Certification

42-point certification process

Examine

Community

Adoption

Legal

Support

Meet minimum bar for enterprise consideration

Your own certification

Key evaluation points – just like for proprietary software

Enterprise Architect recomendations

OLEX (olex.openlogic.com) Trusted source Certified software Vetted bits General repositories Soureforge.net, Google Code, java.net, freshmeat, etc Make sure you have it from an official source Watch out for unvetted mirrors Watch out for unvetted Maven repositories Internal repository Maintain internal repository (OLEX EE, your own system, etc) OSS Provisioning: Sourcing

OLEX (olex.openlogic.com)

Trusted source

Certified software

Vetted bits

General repositories

Soureforge.net, Google Code, java.net, freshmeat, etc

Make sure you have it from an official source

Watch out for unvetted mirrors

Watch out for unvetted Maven repositories

Internal repository

Maintain internal repository (OLEX EE, your own system, etc)

What? Using technology to enforce open source policies Capabilities Allow/prevent downloads per your policy Track downloads Require declaration of use at time of download Require approvals before download Operationalizing Open Source Policies

What?

Using technology to enforce open source policies

Capabilities

Allow/prevent downloads per your policy

Track downloads

Require declaration of use at time of download

Require approvals before download

Why? When the answer to “can I use this OSS?” is “It depends” When? Prior to download Prior to use in development, in production or in release Who is involved? Requestor Set of approvers (Managers, Legal, EA, OSRB) Sequential or parallel OSS Requests and Approvals

Why?

When the answer to “can I use this OSS?” is “It depends”

When?

Prior to download

Prior to use in development, in production or in release

Who is involved?

Requestor

Set of approvers (Managers, Legal, EA, OSRB)

Sequential or parallel

How? Option 1: Manual processes Email, spreadsheet Quickly overwhelmed in all but smallest companies Option 2: OLEX EE Process automation Automated workflow for approval Auto approval and Auto denial rules Comment tracking Customized forms and workflows and notifications Option 3: Homegrown system Build and maintain yourself OSS Requests and Approvals

How?

Option 1: Manual processes

Email, spreadsheet

Quickly overwhelmed in all but smallest companies

Option 2: OLEX EE

Process automation

Automated workflow for approval

Auto approval and Auto denial rules

Comment tracking

Customized forms and workflows and notifications

Option 3: Homegrown system

Build and maintain yourself

Why? Ensure compliance with policies Ensure compliance with open source licenses Protect internal IP (in cases of distribution) When to audit? At key phases in application lifecycle Development/Build Test Staging Push to production On pre-determined audit schedules Random spot checks OSS Auditing

Why?

Ensure compliance with policies

Ensure compliance with open source licenses

Protect internal IP (in cases of distribution)

When to audit?

At key phases in application lifecycle

Development/Build

Test

Staging

Push to production

On pre-determined audit schedules

Random spot checks

What to audit for? OSS Projects used OSS Licenses used Optional: OSS plagiarism (if distributing software) How? Compare information from Policies Declarations of usage Requests Scans Identify violations Remediate OSS Auditing

What to audit for?

OSS Projects used

OSS Licenses used

Optional: OSS plagiarism (if distributing software)

How?

Compare information from

Policies

Declarations of usage

Requests

Scans

Identify violations

Remediate

OSS Reporting OSS Inventories and changes over time OSS Downloads and Declarations Request and Approval Status Policy Compliance and Violations Application “Bill of Materials” and Bill of Licenses

OSS Inventories and changes over time

OSS Downloads and Declarations

Request and Approval Status

Policy Compliance and Violations

Application “Bill of Materials” and Bill of Licenses

OLEX Enterprise Edition: A Complete SaaS Governance Platform Inventory Policies Approvals Track & Audit OpenLogic Certified Library

Policies

Contact Information For more information, please visit: www.openlogic.com www.olliancegroup.com Or contact us by email at: [email_address] [email_address]

For more information, please visit:

www.openlogic.com

www.olliancegroup.com

Or contact us by email at:

[email_address]

[email_address]