Linux in Government: How to Misunderstand the Enterprise Linux Desktop
If you are considering deploying open-source software in your organization,
this article aims to help you draw appropriate distinctions for your
business case. We address economic issues, issues of security
and administration and the availability of applications. We also
discuss myths and perceptions of the dominant operating systems in the
market today.
Executive Summary
GNU/Linux and open-source software have matured and attained significant
popularity within the enterprise space. GNU/Linux already has made a
showing of dominance based on empirical indicators. For example, the Netcraft
Web Server Survey shows the Apache server as having an installed share of
67% to 71%. Apache has become the default Web server for Linux. The Linux desktop
also receives consideration for enterprise deployment. Anchored by cross-platform
productivity suites, such as OpenOffice.org, StarOffice and the Mozilla Firefox
browser, Linux has gained acceptance in numerous heterogeneous environments.
One measure of enterprise acceptance achieved by Linux is its place among
the elite operating systems produced by IBM, HP, Sun, SGI, Microsoft
and Sony. In addition, two Linux enterprise distributions recently achieved the coveted
status of Common Criteria Certification. This certification offers
governments a high level of confidence in using Linux (see Table 1).
Common Criteria Certification
What is Common Criteria?
The Common Criteria provide an internationally recognized standard for evaluating
the security of mission-critical software.
Common Criteria Certification provides a seal of approval recognized by government
agencies and enterprise IT professionals. Countries that recognize the Common Criteria include
the United States, Canada, the United Kingdom, Australia, New Zealand,
Germany, France and Japan.
In January 2004, Novell SuSE Linux Enterprise Server 8 earned the
EAL 3 certification. Atsec Information Security GmbH, along with IBM,
assisted Novell SuSE with the certification process. In May 2004,
Oracle helped Red Hat achieve its Common Criteria certification. Version
3 of Red Hat Enterprise Linux was certified to meet EAL 2 of the Common
Criteria Certification.
Having attained this certification, Red Hat, Oracle and Novell SuSE can be deployed
in government operations and in the Department of Defense. It also means they can be deployed
into security-sensitive organizations, such as federally insured banks and
other government and government-regulated agencies. State and local government units
with Federal Assistance programs also can deploy Red Hat and Novell SuSE Enterprise distributions.
Table 1, below, lists all operating systems that have been evaluated, as taken
from the complete and official list of all evaluated software products. As you
can see, Linux shares space with some prestigious software.
Table 1. Operating Systems that Meet the Common Criteria Standards for IT Security
The Federal SmartBuy Initiative
On July 1, 2004, the Executive Office of the President of the United
States issued a memorandum for Senior Procurement Executives and Chief
Information Officers. The memorandum emphasizes the President's previous
memorandum titled "Maximizing Use of SmartBuy and Avoiding Duplication of
Agency Activities." In this latest memorandum, OMB 04-16, the President
issued the following ground-breaking statements:
This reminder applies to acquisitions of all software, whether it is
proprietary or Open Source Software. Open Source Software's source
code is widely available so it may be used, copied, modified, and
redistributed. It is licensed with certain common restrictions, which
generally differ from proprietary software. Frequently, the licenses
require users who distribute Open Source Software, whether in its original
form or as modified, to make the source code widely available. Subsequent
licenses usually include the terms of the original license, thereby
requiring wide availability. These differences in licensing may affect
the use, the security, and the total cost of ownership of the software
and must be considered when an agency is planning a software acquisition.
This is merely one example of the changes under way in procurement
policies and habits across federal, state and local government agencies
nationwide. Despite great odds and powerful opposition to changes in
the status quo, open-source software has established a place at the conference
table, where it will stay and survive on its merits.
What Does this Mean for Your Enterprise?
Linux disrupts enterprises because it's different from what enterprises are used
to using. Windows also disrupts enterprises for three reasons. First,
Microsoft will break Windows XP with its Service Pack 2. Second,
previous versions of Windows will not receive the fixes available for XP, so
they are not supported and become deprecated. Third, the next version
of Windows--due in two years--makes radical changes in filesystems and
application program interfaces (APIs). Microsoft also will be phasing out
the Win32 standard in its next OS release.
This week, in DallasNews.com (The Dallas Morning News), Allison Linn gives us an
overview of the deteriorating security picture facing Windows XP users in
"Windows Security Upgrade Set for Launch". According to Linn's article, next month
Microsoft will release Service Pack 2 for Windows XP. It's a response to a long sequence of attacks and
vulnerabilities that have plagued Microsoft software. SP2 (for Windows
XP only) is designed to mitigate the ill effects of the viruses, spam and
malware that have been wreaking havoc for Windows desktop users and
system administrators. Because Microsoft has finally elected security over convenience, SP2 is
likely to break a lot of applications that run on XP. John
Pescatore, vice president of Internet security at Gartner Research, said, "The
applications that will break with SP2 were essentially doing things wrong
from a security perspective." Although companies are rushing to improve
the compatibility of their applications or to negotiate changes at the last
minute with Microsoft, they are complaining that SP2 creates headaches.
A spokesperson from RealNetworks, Erika Shaffer, said, "The changes
Microsoft is proposing for SP2 will have serious negative consequences
on the consumer experience of many applications and Web sites."
Next-Gen Windows Is a Radical Change
Add to Microsoft's security woes an under-reported challenge enterprises
will face in making the transition to Microsoft's next version of
Windows. The next version of Windows produces an equally disruptive
effect on Microsoft's installed base. Microsoft's technologies place as
many if not more demands on enterprise IT departments as a full-house
transition to Linux, which wouldn't be required given the cross-platform nature
of open-source software. For the first time, this theme sees the full light of day in Tang Weng Fai's article,
"Does Linux really kill jobs?", published in The Business Times on-line edition (Singapore).
Two Disruptive Forks in the Road
So, a fork exists in the road. Enterprises ultimately will confront these issues and must
start considering their options. In making this choice, consider
something a bit esoteric in IT circles--the difference between enterprise
software and popular software. Also, consider that you can own enterprise software today for less than
you paid for popular software yesterday.
One of the aspects of achieving Common Criteria Certification for
Linux involves versioning. Both Novell SuSE and Red Hat earned their EALs
based on platforms that are two generations old. That means Linux was
good enough two versions ago to be considered safe. The Novell SuSE
version used to achieve EAL 3 is SLES 8.0 and contains an older kernel
(Linux 2.4 kernel and glibc 2.25). So, what's the difference between an
enterprise version and a popular version? Without knowing the answer to
this question, one could be left with a false impression of Linux.
Some good examples of popular Linux are Novell SuSE Linux 9.1 and Fedora
Core 2, the latter previously being Red Hat's plain vanilla version used by most
free software enthusiasts. These are the latest versions of the major
GNU/Linux distributions; the latest from Debian, Gentoo and
others similarly qualify as popular Linux. Popular Linux
is production-ready but is maintained by programmers in
the community, analogous to maintenance programmers in an enterprise--updating and
fixing code that is in production but not quite battle hardened.
In terms of the amount of ongoing development activity, popular Linux
resembles popular Windows. Windows Service Packs are the equivalent of
cumulative maintenance programming fixes. Any given version of Windows
is in maintenance mode, not in enterprise production-ready mode, after
being released to the public. Once Windows reaches the space of a Linux
or UNIX enterprise mode, Microsoft phases its version out.
We can make a primary distinction about enterprise Linux as opposed to popular Linux: the innovation
harbored in enterprise Linux is cumulative and is not discontinued. These may seem
like minor points, but they mean the world in the context of a discussion
on the quality of national and corporate IT infrastructure, of spending
tax dollars, of deploying military and private resources and of saving
lives.
Enterprise Linux goes through a rigorous development
and qualification process, yet many enterprise IT departments, seeing only
popular Linux, conclude that Linux is never production-ready. But that's not true. GNU/Linux is
not only one thing, although many people hold such an image.
Red Hat came to this conclusion and chose to eliminate its long-time
retail product and turn it into a free project, called Fedora. The free
project hosts the experimental work. Then, when stable, new innovations
stream into Red Hat's enterprise products in a steady fashion. For example,
Red Hat will implement Security Enhanced Linux (SELinux),
which was developed within the National Security Agency (NSA), our
national eavesdropping bureau. This will be implemented in the open-source project,
Fedora, where it can be broken in by the Open Source
community. It will not reach Red Hat's enterprise products until it's
soup or, more likely, until it's been certified under rigorous international
security standards, such as the Common Criteria.
This approach to popular and enterprise Linux allows Red Hat continuously to improve and develop its distribution
of GNU/Linux and to implement important changes in its enterprise product
at a responsible pace. In this way, Red Hat generates innovation from the
Open Source community, without tuning its production enterprise products
on the backs of enterprise users.
The rigors of keeping up with popular distributions haven't been lost on
Novell SuSE either. Novell continues to offer a retail product while
marketing an enterprise offering through its primary business and
government partners. Within its business partner channel
lies IBM, which probably provides Novell SuSE with its largest marketing
outlet. IBM has marketed Novell SuSE Enterprise products since Fall 2000.
Currently, Novell SuSE Enterprise Linux runs on the entire line of IBM eServers,
from the xSeries (Intel) to the zSeries (S/390 mainframes), including
the pSeries and iSeries (RS-6000 and AS/400).
It's pretty clear that a difference exists between popular Linux and
enterprise Linux. And it's important that people absorb these
distinctions. You can buy enterprise quality Linux with popular
applications and interoperability extensions from Sun Microsystems,
for example, for 20% of the cost of a Microsoft desktop package. You'll
need to look for other pricing ratios within Novell's SuSE and Red Hat's
Enterprise Desktop models.
Conclusion
If XP is broken soon, and all earlier versions of Windows (see Figure
1) do not receive the same quality of support as XP, one has to wonder
what enterprise-grade software means to Microsoft. You have to wonder
if its next-generation Windows solves the dilemma.
Figure 1. Windows Version Splits. Source: OpenOffice.org User Survey 2002-2003 (total responses: 208,373)
Tom Adelstein lives in Dallas, Texas, and Sam Hiser lives in New York
City. Both work as local and national Linux and open-source software consultants.
They're the co-authors of the upcoming book Exploring the JDS Linux Desktop,
published by O'Reilly and Associates. Both have written numerous articles on
Linux technical and marketing issues as guest editors for a variety of
publications. One of their latest projects is JDSHelp.org.
Comments
Re: Linux in Government: How to Misunderstand the Enterprise Lin
While Linux is making progress, the Red Hat common criteria evaluation is a joke. EAL2 assurance doesn't even require complete testing or access to developers, so isn't much, despite distinguished company. Worse, the Common Criteria Certification report says:
The following features of Red Hat Enterprise Linux were specifically excluded from the evaluation:
Re: Linux in Government: How to Misunderstand the Enterprise Lin
EAL Certification does not mean much, if it is based on limited conditions and is based on a security target that is not very strict. Obviously the Red Hat certification has limitations in practical terms, but for that matter, so did Windows 2000, which supposedly was not supposed to run applications, be connected to the internet or have a floppy drive for its certification. Kind of makes one wonder about the whole process does it not?
Re: Linux in Government: How to Misunderstand the Enterprise Lin
Those terms for Windows related to C2 certification and had to do with Windows NT 3.51.
The Common Criteria certs mean quite a lot. Where do you MS trolls come from? Are you trained in disinformation? Where will you apply those skills once MS bites the dust?
Re: Linux in Government: How to Misunderstand the Enterprise Lin
He didn't say that Common Criteria doesn't mean much, he said that the EAL level doesn't mean much, which is true. Much more meaningful are the protection profiles (PP) tested against and the restrictions. In that sense, the chart given in the article is quite misleading, because the EAL level given doesn't have much to do with the level of security of the system under evaluation. It has more to do with the level of assurance that the system in question really meets the certification that it gets.
Re: Linux in Government: How to Misunderstand the Enterprise Lin
This is from a Microsoft troll.
Ignore at will.
Re: Linux in Government: How to Misunderstand the Enterprise Lin
Did you say that the RH CC was a joke?
You're an expert -- and we should do what with your opinion? Make a buying decision? Grow tomatoes? What?
Let me see if I understand this. You take something out of context, write an opinion and it's supposed to mean something. IS that right?
So, X- Windows is important for a server? Support for Appletalk and IPX?
When Apache gets its own CC - then Red Hat will be OK?
Why did you bother to write anything? To amuse yourself?
Re: Linux in Government: How to Misunderstand the Enterprise Lin
Maybe, he thinks he knows something about benchmarks or certifications. I didn't get that he did. What was the point?
Re: Linux in Government: How to Misunderstand the Enterprise Lin
Some people feel like they need to vote on everything. They can't just shut up and listen. I didn't think his comment was particularly important, amusing or thoughtful. He must have thought he was on Slashdot or one of the Debian mailing lists. I guess.
Re: Linux in Government: How to Misunderstand the Enterprise Lin
Minor correction:
Red Hat came to this conclusion and chose to eliminate its long-time retail product and turn it into a free project, called Fedora.
Red Hat's offering has always been free. Though they did have a retail package that you could buy (most just downloaded it). The major change is that it went from a solely Red Hat developed offering to a community developed offering (with Red Hat owning the guidance and direction) with a more frequent release schedule.
Re: Linux in Government: How to Misunderstand the Enterprise Lin
I discussed this with Leigh May in an interview. Red Hat called it their retail product. No one said anything about it being free. Although at the time, it was free. It just didn't enter into the conversation. The conversation centered around subscriptions at $60 per year per machine.
She did say that they wanted it to be more community based, but they were discontinuing the Retail Product and service. Not that it matters much since they did discontinue it, got the brand changed and only sell Enterprise Linux.
Is anyone confused by that? Or that Matthew said Windows was better for the home user?
Tom
So much for Freedom? Fedora trademark use restrictions
http://fedora.redhat.com/about/trademarks/guidelines/page4.html
So much for "Freedom"? Fedora started out as an attempt to beat Debian at their own "game". It's now a Red Hat Software sub project, and thus, is corporate controlled. I much prefer the co-operative and open style of the Debian GNU/Linux project and Software in the Public Interest, where just about anyone can apply to become a maintainer, and thereby receive voting rights within the democratic organization:
http://www.debian.org/devel/
http://www.spi-inc.org/
Re: Linux in Government: How to Misunderstand the Enterprise Lin
That wasn't worded as clearly as I liked... obviously Red Hat, like all other Linux distributions, is dependent on community contributions and free software. However, Red Hat owned the organization, administration and installation aspects of their product in that they alone developed on those pieces until Fedora. Now there is even more community involvement and a bit less red tape (hmmm... now I know why it's called RED tape).