Originally published in Sandhill.com by Paul Ressler, Principal
The Cirrostratus Group
Open Source Software (OSS) and Software as a Service (SaaS) can work together in a variety of ways to help you deliver a successful solution. Whether you are trying to avoid vendor lock-in, lower your costs, use higher-quality software or take advantage of the significant innovation going on in OSS, using it can help. However, given that there are over 600,000 OSS projects, 100+ billion lines of code and over 10 million person years of developer work on OSS projects, selecting the right project and using it successfully in your SaaS solution is not necessarily a simple undertaking. Selecting OSS for a SaaS solution has some similarities to selecting OSS for inclusion in your licensed software product, but there are also some significant differences.
The opportunities to use OSS include using it as the primary basis of your solution, important components of your solution, as tools for support or as part of the infrastructure. In fact, it is not usual to use OSS in a combination of these uses. Beyond support and support subscriptions, SaaS is considered to be one of the more common ways for OSS vendors to generate revenue.
Several SaaS businesses are based on offering OSS as a service. Acquia, for example, has based its business on Drupal and providing Drupal as a service. SugarCRM is another example, providing a SaaS version of its CRM solution. Amazon provides MapReduce as a service running on hosted Hadoop as one of its many services. Other opportunities exist to select OSS projects and use them as the basis for your service. Ideally, to base your business on an OSS project it is important to have significant internal knowledge or be part of the original project since this participation in the community is an important part of how you will compete and innovate.
Ways to use OSS as part of a solution
There are many ways to use OSS as part of your solution. Databases, report writers, graphic tools and video tools are all good examples. The type of OSS software that is appropriate in your solution is very dependent on the solution itself. In some cases the use may be a significant part of the solution and in other cases it will just be ancillary functionality.
OSS tools have long been used for a variety of support tasks including Nagios for monitoring, Chef for configuration management and deployment, Subversion for version control and Bugzilla for bug tracking; these are just a few examples. In fact, there is an OSS solution for almost any management, technical or administrative function required to operate a SaaS business with the exception of some financial functions.
Using OSS as part of the infrastructure has been done from the beginning of the SaaS business model and is as basic as using Linux for the operating system, Apache as a web server and JBoss as an application server. With the increased use of platform as a service as the development environment for SaaS, OSS projects such as Openshift and Cloud Foundry will likely become popular especially since they provide for a lot of flexibility in the deployment environment. Cloud infrastructure OSS stacks such as OpenStack and CloudStack also likely will become more popular and can be used by SaaS providers either as infrastructure as a service or as a private cloud
In all of these cases, the selection of OSS software is the most important task and has strategic implications for your business. Selecting the right OSS project can help make your business be more successful, reduce costs over the long term, and help introduce new innovative services quickly. The following five requirements are important to successful OSS selection and, properly selected, can add substantial value to your business. Given the importance of proper selection, it is important to have a defined selection process that provides the right level of formality and rigor for your business.
1. OSS Functionality
As a top priority you need to understand the functionality that you require both now and in the future. In some cases OSS solutions may not cover future requirements and you’ll need to predict whether they will in the future. When thinking about functionality, you also need to think about the contributions to functionality that you plan to contribute to the project in the future. Assessing the functionality is similar to any other software selection and a typical requirements assessment is appropriate.
2. Total cost of ownership
Although OSS software does not have an initial license cost, most of the items of total cost of software ownership still apply. In some cases, there are, and you will want to use, external organizations for support. Understanding the availability of this support and the support costs is important, especially when using multiple copies of the software. There are also other internal support and operational costs that may be different among different OSS solutions such as hardware costs and availability of knowledgeable support staff.
3. License type
Although most of the difficult software intellectual property issues do not exist when you deliver the software as a service as opposed to a license, you still need to understand the license types of the OSS software you plan to use and the legal implications. There are some license types that have distribution implications for SaaS businesses. This is important enough that it makes sense to consult an attorney familiar with OSS and your business to understand the various license types and any issues or restrictions for you.
4. Future direction
The biggest question is how popular and successful the OSS project will be in the future, which can be difficult to judge. This will have a direct effect on your ability to hire developers and support staff that understand the project, will affect the availability of new features and will affect the amount of time you need to contribute to the project. In the case where you base your business on the OSS project, this will have a direct effect on the size and viability of your business. Likewise, your business, depending on the size, may have an impact on the growth of the project. The smaller your business is and the less you can contribute to the overall community, the more important it is to understand the future direction since your ability to influence the community will be more limited.
To understand the future you need to understand several things about the current project size and community. Ohloh.net, a free service provided by Black Duck Software, can provide basic information about projects in one location including how many people are using the project (those who have registered their use with Ohloh), the estimated amount of money spent developing the software, number of people in the community, number of people contributing to the project, and frequency of “releases.” Taken altogether, this type of information can give you a good idea of where the project is now and its current maturity level.
The above information is more factually based. Some of the softer items that you need to investigate include how the project is governed, the general enthusiasm and strength of the community, the software quality, the future market need and the importance of security to the community. The security assessment should be focused on whether your security needs match the needs of the community and, if not, the implications to your own contributions to the project. For example, if you are in the business of providing a service that requires PCI compliance, you probably don’t want to use an OSS component that is typically used in an environment where security is much less important.
In some cases for popular projects, the future is pretty clear; but for newer or less popular projects, it is important to try to understand the future. It can clearly affect the viability and cost of delivering your service.
The ongoing management of OSS software used in your SaaS solution is not a lot different than other software except that you will need to be more proactive on certain aspects including security. In addition to the question of the community’s commitment to security, it is important to monitor the security status of the OSS software you use. Security-based updates may come out regularly from the community, and you need to have a process to watch for these updates and make appropriate update decisions.
Implied in the above is the requirement that you know all the OSS projects and components you use in delivering your service and where they exist and how they are used. This will allow you to make timely security updates. Some method of auditing or verifying that the OSS projects you think you are using are the only ones in use. Having a selection and governance process doesn’t mean that somehow a project can’t get into your code or infrastructure that you aren’t aware of. There are commercially available scanning solutions to audit and verify the OSS software in use. Depending on the size of your organization and the risk you put on using unknown OSS solutions, a regular scanning program may make sense.
Another example of security requirements include whether you will need or want to do security scans on all of the software you develop and use. In the case of OSS software used you’ll need to know whether others in the community scan the software and whether this is sufficient for you or whether you want to scan the OSS software yourself. You will also need to decide if you want to report and wait for fixes to security problems or whether you want to fix them yourself.
As you can see, the selection of OSS software, especially where it is a significant part of the service you deliver, is a strategic business and technical decision. The likelihood of success can be increased substantially by focusing on these five areas prior to choosing the OSS projects you use. This will increase your chances of being able to capitalize on the benefits of OSS software in your SaaS solution.
Paul Ressler is a consultant specializing in service delivery for SaaS, Cloud Computing, and Managed Services. As the principal of The Cirrostratus Group, Paul helps his clients improve customer satisfaction, raise service margins, introduce profitable new services, and transition to the SaaS business model.
© The Cirrostratus Group 2012
All Rights Reserved