A Decision Framework for Selecting Open Source Security

1
A Decision Framework for Selecting Open Source
Security

• Mike Guiterman
• Director Open Source Products

2
Agenda

• Benefits of open source
• The open source ecosystem
• Enterprises have more choices than ever
• Free open source
• Commercial open source
• Commercially packaged distributions
• How much does free cost
• Open source evaluation checklist

3
Enterprise Benefits of Open Source

• Lower license and support costs
• Rapid innovation
• Open, transparent code enables users to verify
  protection
• Greater voice in the direction of the products
  you use
• Try it before you buy it
• Wide availability of trained, knowledgeable
  people
• Reduce single vendor dependence

4
The Open Source Ecosystem
50 global users groups
Global base of skilled security professionals
RD is augmented by the resources of the community
Global community dedicated to advancing the
technology
75 commercial products
5
The Open Source Security Landscape

• Use of open source in the enterprise is
  ubiquitous
• 90 of the F100 and nearly 50 of the F1000 use
  open source security tools in their environment
• Wide adoption in federal agencies
• Enterprises have a wide range of options
• Projects that have become industry standards
• Nmap, Snort, Nessus
• New technology that needs to mature
• NAC, DLP
• 3,472 security related projects hosted at
  www.sourceforge.net
• Commercially packaged, supported and distributed
  open source security technology
• The best of both worlds

6
Just a few popular open source tools
PacketFence
7
Free Open Source Software (FOSS)

• Usually distributed as source code
• Licensed under an OSI approved license such as
• GPL, LGPL, BSD, etc
• Ensures your right to study, modify and
  re-distribute software
• No licensing or support costs
• Support is provided by a community of developers
  and users

8
Commercial Open Source

• Non-OSI approved licenses
• Source code is provided
• Licensing may limit the number of installs and/or
  your rights to re-distribute your changes
• Often free of cost but subject to a license that
  restricts redistribution
• Many times its a stripped down (trial) version
  of a commercial product
• May offer commercial support as a fee-based
  service
• Other enterprise features may add cost

9
Open Source Evaluation Checklist

• Project stability maturity
• How long has the project been going?
• How many users does the project have?
• How active is the community?
• Strength of the community
• How much support is provided?
• In what way - mail lists, forums, IRC?
• Availability of add-ons
• Need binaries? How current are they?
• 3rd party projects for additional functionality?
• Evaluate your capabilities
• Is your enterprise willing and able to
• Develop needed features?
• Perform maintenance and upgrades?
• Keep up with a rapid release schedule?
• If the person who deployed it leaves, what
  happens?

10
How much does free really cost?

• Open source may be free of licensing fees, but
• Real costs are often overlooked
• Hardware
• Database administration
• Ongoing configuration and updates
• Labor and knowledge
• Enterprises need to understand the real total
  cost of ownership (TCO) when evaluating open
  source technology

11
Sample 4 Year Cost Model
12
Commercially Packaged Distributions

• Commercial solutions based on open source
  technology
• Commercial license terms and EULA
• Delivery takes many forms
• MSSP, SAAS, multi-function appliances and
  software products
• Delivered much like proprietary products
• Pre-compiled and configured
• Commercial support
• Documentation
• Typically have license or subscription fees
• The company may or may not run the open source
  project

13
Evaluation Checklist - Commercial
Distributions/Products

• Are the embedded open source applications up to
  date?
• Is the vendor involved in the open source
  project?
• How much visibility/input do they have on the
  roadmap
• How are support issues escalated?
• Does it rely on other projects for significant
  features?
• Are packaging and additional features worth the
  additional cost?

14
Key Takeaways

• There are many enterprise ready open source
  security tools
• Others are great for tactical use as technology
  matures
• Free software has real costs, you still have to
  look at TCO
• Evaluate technology and your enterprises ability
  to use it effectively
• Pick the model that works for you

15
Questions