Open-source software is here to stay. Gartner estimates by 2008, open-source software (OSS) applications will compete directly with closed-source products in every software infrastructure market. By 2010, predicts Gartner, IT organizations in Global 2000 companies will consider open-source products in 80 percent of their infrastructure-focused software investments and 25 percent of their business software investments. Linux is an established force, and Apache continues to hold the majority in the Web server market.

Don't use OSS, you say? Don't be so sure. Raven Zachary, senior analyst and practice head of the open-source discipline at research firm The 451 Group, indicates most insurers are using open source somewhere, whether IT management knows about it or not. “It's easy for IT to download [OSS] and use it without knowledge of the CIO or legal team,” he says.

The business benefits of OSS are enticing. “You can try before you buy, you can implement small, and you're not pressured into long-term enterprise agreements early on,” explains Mark Driver, a vice president and research director at Gartner who focuses on open source. “You truly can ease your way incrementally into open source and can leverage it practically for free if you have your own staff to support it.”

“Some of the benefits we've seen around open source, certainly from a cost perspective, have been huge,” asserts Tom Gosnell, CIO of CUNA Mutual Group, who reports the insurer has been using both Linux and Apache in selected server applications for several years.

But there are business risks to OSS, as well. We'll explore the risks that potentially arise from OSS and the ways to manage those risks.

RISK: If I use open source, I'll have to make my own applications part of the OSS community as a result.

Analysts agree insurers, which are end users of technology, don't have to worry about releasing their proprietary code if they use OSS within their architecture or internal applications.

“If they don't distribute their software, they do not need to distribute source code,” says Karen Hiser, director of compliance services at risk consultancy Open Source Risk Management (OSRM).

The scenario may change if an insurer does distribute its software, depending on the licensing details of any OSS code incorporated into that software. There are two basic types of open-source licenses: restricted and unrestricted. Unrestricted licenses do not limit the distribution of “derivative works,” or applications an insurer may create using open-source code. Restricted licenses do, and the most common of these is GNU's General Public License (GPL).

Sometimes called “copyleft” (vs. copyright) licenses, restrictive licenses require that distributed software that uses open-source code be given back to the OSS community that holds the license. These sometimes also are called “viral licenses” for their ability to “infect” systems otherwise protected by an insurer's proprietary intellectual property (IP) rights.

“One of the greater concerns [to the protection of IP] is the GPL license,” notes Zachary. “So some end users are scared of letting any GPL code in.”

For instance, consider a rating application incorporating some open-source component that an insurer makes available to agents. The insurer might assume, since it isn't selling the software, its IP is protected. That is a potentially dangerous assumption, cautions Mark Radcliffe, partner and co-chair of the technology and sourcing practice group at law firm DLA Piper Rudnick Gray Cary.

“The agent could redistribute [the system] without cost, and a competitor could end up giving the software to the competitor's agents in both source code and object code form,” he says.

If an insurer extends an application to an agent but doesn't distribute the code, for example, by making a rating system available online rather than as a client-side installation, Radcliffe adds, the company has no obligation to distribute source code. Hiser agrees but warns the scenario hasn't been settled by case law.

“I could make the argument it is [distribution] because those [agents] have access to the application. It's not a whole lot different than giving those people the executables to run on their machines,” she says. “Also, the newest version of the GPL [version 3] is likely to include clauses that allow copyright holders to optionally treat hosting as distribution, which may introduce new issues in the future.”

RISK: If there's a legal problem with the OSS we use, we're the ones who will get sued.

In March 2003, the SCO Group sued IBM, claiming IBM had included SCO's proprietary code in a distribution of Linux. Shortly thereafter, it mailed warning letters to Fortune 1000 companies and then sued Linux end users AutoZone and DaimlerChrysler, arguing the companies either violated licensing agreements or were liable as users of Linux that violated copyright.

Although the DaimlerChrysler suit itself and many of the claims in the IBM suit have been dismissed, the legal actions made it all too clear the cost of a lawsuit, whether successful or not, is a risk. As always, the deeper the pocket, the more attractive the target, and insurers do have notoriously deep pockets.

“The legal risks are serious,” Driver maintains. While he admits the SCO suits are “extreme examples,” he anticipates seeing more suits against both companies and open-source projects. “These 'patent trolls' wait for a big enough bucket, then they'll sue,” he says.

Of course, there are risks to using commercial software, too: Nothing is to stop a disgruntled competing vendor from suing a deep-pocket end user. “We've seen more IP lawsuits [between software vendors] in the proprietary software than in the open-source world,” Zachary says. Since open source is, by definition, viewable by the public, he adds, it's actually easier to identify and remedy, or even prevent, IP infringement.

Still, in order for people to sue you for your use of open source, they first need to know you're using it. “There is no 'master list' of open-source customers. Oftentimes the software simply is on the server for download, and there are no statistics kept,” Zachary notes.

However, an important difference in the risk management assessment is that while commercial software companies frequently offer end users either standard or negotiated warranties against copyright infringement, many OSS licenses do not. Also, Kenneth Brown, president and director of technology research of the Alexis de Tocqueville Institution (ADTI) and author of a 2005 ADTI report on the topic of open source, argues OSS code may not be vetted for IP violations to the extent commercial code is.

“Show me the diligence in the open-source community compared with a multibillion-dollar company with 100 lawyers. There's no way they could be the same. The open-source community has not had to settle anything yet,” he says.

RISK: Although upfront costs are lower with OSS, I'll get killed with long-term support costs.

“The back-end costs for open source can, if you don't manage them, get out of control,” Gosnell claims.

That's because companies often must support OSS within their organization, learning new skill sets as they go, or hire consultants. And the fluid nature of some open-source projects is a cause of concern for long-term viability. “Open source that's immature and driven by a community of developers can go in a different direction,” Gosnell says. “You have to be sure you're not jumping in too early.”

Reducing support costs is a key goal in Pacific Life's decision to move away from open-source technologies in some areas. Eight years ago, the company began using the Apache Web server to support its human resource system from Lawson.

“When Lawson first introduced Web-based self-service applications, we had three primary choices at the time: Apache, [Microsoft] IIS, or [IBM] WebSphere,” reports Scott Johnson, assistant vice president of human resource technology. “We decided on Apache because it was free and a logical extension to our Lawson UNIX environment.”

Four years ago, Pacific Life enhanced the security of the system by adding OpenLDAP and OpenSSL, teaming up with Apache consultant Covalent, which provided an Apache bundle with the two security components.

Now, though, the company is planning on replacing the server environment with Microsoft systems, including Windows Server 2003 and Active Directory, IIS 6.0, and SQL Server. “We're looking to standardize our applications on the Microsoft platform to take advantage of some cost savings” as well as to provide common cross-application authentication based on Active Directory, Johnson says.

“We have a very solid, mature, and secure authentication scheme, but it took us eight weeks and considerable expense just to refactor the authentication scheme the last time we had to upgrade with Lawson,” he relates. “If we were running Lawson on the Windows platform, we would be using Active Directory credentials, so that piece always would be done, and we wouldn't have to worry about it.”

The move also will allow Pacific Life to leverage its internal Microsoft knowledge.

RISK: If our IT staff is part of the OSS development community, our code suddenly will show up in that community.

There is a risk proprietary code can make it into public distribution through IT staff involved in open-source projects, either intentionally or by unintentionally recreating substantially similar code.

In fact, Zachary cautions this is one of the key IP risks when companies allow employees to become involved in open-source projects either on or off company time. “There is risk for 'seepage' [of proprietary code] into the open-source code, and that's difficult to manage,” he contends.

This concern has led some carriers to institute controls over staff involvement in open-source projects. “We do lock that down pretty well,” says Gosnell.

Step one in managing any risk associated with OSS is assessing objectively just how great the potential costs and likelihood of incurring those costs actually are to a particular company.

“There is a fair amount of knee-jerk response and hysteria to open source and copyright,” says Mitch Pirtle, founder and CEO of JamboWorks, which provides services and add-on software for the open-source content management platform Joomla. “Most of the companies that sit down and study the open-source licenses basically can get an understanding of what their position is with regard to IP without a whole lot of effort,” he claims.

Step two is to develop a policy for the use of open-source software, something Driver describes as still lacking at most insurers. “Most mainstream companies do not have that in place. They've ignored it, swept it under the rug,” he says.

An open-source policy should outline the allowable use of OSS for both internal and distributed systems and applications. It also should address some of the specific risk factors mentioned earlier in this article, including setting rules for staff involvement in open-source projects and acceptable open-source licenses.

Put into practice, this policy should lead to several ongoing activities that are important to OSS risk management. First, you can't manage what you don't know you have, so you need a library system to track proprietary, commercial, and OSS code, and you need to audit that library for license compliance. “If you're a large organization with a large IT budget and staff, it may make more sense to have auditing software rather than a manual process,” Hiser suggests.

Auditing, or code-compliance, software is akin to virus-checking software (perhaps appropriate given the nature of the viral GPL), with models updated regularly based on known open-source code and applicable license types. The OSRM offers its own proprietary scanning technology to clients, and the two primary software vendors specializing in code compliance are Palamida and Black Duck. Both of these companies report there hasn't yet been much interest in their software by insurers. Most of the interest has been from companies involved in mergers and acquisitions as part of due diligence or from software vendors themselves.

For instance, Black Duck customer BladeLogic, which provides data center automation software, uses OSS on an ongoing basis in its software development for commoditized subprocesses. In order to keep its proprietary code proprietary, the company has in place a “no GPL” policy.

Each time BladeLogic creates or modifies its code, it reprocesses the code through Black Duck's matching engine, which is updated monthly. The compliance system identifies suspected open-source code along with the applicable license type, letting BladeLogic focus only on areas that violate its policy.
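
One way to put such a policy check into code, as an added example that is neither the article's nor Black Duck's tool: a small Python audit that identifies each file's license from an SPDX tag or a known license phrase, classifies it as proprietary, permissive or copyleft, and reports a violation only where copyleft code sits in a product that is distributed (the internal-versus-distributed distinction the article draws earlier), while files with no recognisable license are queued for manual review rather than silently passed. The license sets, the LicenseRef-Proprietary tag and the sample file headers are all assumed or constructed for this example.

```python
import re
from typing import Optional

# Policy sets (assumed for this example): copyleft is acceptable in internal-only
# systems but not in anything the insurer distributes; permissive is fine anywhere.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
PROPRIETARY = {"LicenseRef-Proprietary"}  # assumed tag used for in-house code

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
KEYWORDS = [  # fallback phrases for files that carry no SPDX tag
    (re.compile(r"GNU General Public License", re.I), "GPL-unspecified"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
]

def detect_license(header: str) -> Optional[str]:
    # Prefer an explicit SPDX tag; otherwise match a known license phrase.
    m = SPDX_RE.search(header)
    if m:
        return m.group(1)
    return next((lic for pat, lic in KEYWORDS if pat.search(header)), None)

def classify(license_id: Optional[str]) -> str:
    if license_id in PROPRIETARY:
        return "proprietary"
    if license_id in PERMISSIVE:
        return "permissive"
    if license_id in COPYLEFT or (license_id or "").startswith(("GPL", "AGPL", "LGPL")):
        return "copyleft"
    return "unknown"  # no tag, or a license the policy has not classified

def audit(tree: dict, distributed: bool) -> dict:
    """Map path -> (license id, verdict). Copyleft is a violation only when the
    product is distributed; an unrecognised license always needs manual review."""
    findings = {}
    for path, header in tree.items():
        lic = detect_license(header)
        kind = classify(lic)
        verdict = ("review" if kind == "unknown"
                   else "violation" if kind == "copyleft" and distributed else "ok")
        findings[path] = (lic, verdict)
    return findings

# Constructed sample tree: source path -> header comment of that file
SAMPLE_TREE = {
    "rating/engine.c": "/* SPDX-License-Identifier: LicenseRef-Proprietary */",
    "rating/json.c": "/* SPDX-License-Identifier: MIT */",
    "rating/table.c": "/* Licensed under the GNU General Public License v2 */",
    "rating/util.c": "/* no license header at all */",
}
```

Running `audit(SAMPLE_TREE, distributed=True)` flags only `rating/table.c` as a violation and `rating/util.c` for review; the same tree audited as internal-only passes the GPL file.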


“We've found the Black Duck tool has given us a way of getting answers to where we are with respect to those [licensing] goals and to do due diligence without having to hire [auditing] staff,” says George Moberly, product manager at BladeLogic.

Second, try to use vendors that provide indemnity. “More and more IT organizations are demanding from their vendors, and not unique to open-source vendors, some kind of warranty and indemnity if there is an [intellectual property] violation within the software. The problem, however, with some open-source software is, because of the communal nature of the code, it's difficult to track the [contribution] process, so many organizations are unwilling to provide indemnification,” remarks Driver.

“If I'm a CIO at a Fortune 500 company, it's an expectation [indemnification] will be there,” Hiser says. “Smaller [open-source] organizations have told me they are losing deals, having deals delayed, or having to bet the farm in order to provide indemnification.”

Finally, keep a low profile. “'Covert' is an overstatement, but let's say 'don't publicly disclose,'” says Zachary. “Use open source, but don't become the case study for its success. You can reduce risk by not advertising the fact you're using it.”

For companies particularly concerned about the business risks of complying with open-source licenses, there's an insurance policy available. In late 2005, the OSRM, in concert with Lloyd's of London underwriter Kiln, began marketing Open Source Compliance Insurance.

But as of yet, no insurer “has deemed the risk worth the investment,” says Andrew Aitken, managing partner of open-source consultant Olliance Group.

The insurers that are particular targets for the coverage are those that have made a “substantial” investment in OSS within their internal infrastructure or within applications they may have distributed, as well as companies entering into a merger that are required to warranty compliance with OSS licenses.

“If someone's looking to acquire a company, the buyer needs to be sure the technology assets truly are owned by the seller and won't come back to haunt the buyer later on,” Hiser advises.

Just because something carries risk doesn't mean it shouldn't be used; after all, insurers are experts at managing risk. So, expect the insurance industry to keep up with the trend of increasing the utilization of open source both within IT infrastructure and in application development.

“We use a fair amount [of OSS] today, and it will continue to expand and grow, but I don't know at what rate,” comments Gosnell. “The advantages from a cost-benefit standpoint are attractive.”

Johnson also indicates Pacific Life's doors are open to OSS despite the anticipated consolidation of the insurer's human resources infrastructure to Microsoft. “We have a decentralized IT structure, and it would be a divisional choice whether someone wanted to do something with Linux or another open source,” he says.

“The realistic trend is toward a managed adoption of open source – to use it for certain licenses, in certain scenarios, from certain trusted vendors,” concludes Driver. “But that formal decision framework and risk management policy have to be in place.”

© 2024 ALM Global, LLC, All Rights Reserved.