Gotcha

When will Linux stop being portrayed as the little OS that could? At LinuxWorld, it’s become an annual ritual for some Fortune 500 company to get on the podium and tell us that Linux has “arrived.” Last year it was Unilever, this year it was Amazon, which broke its longstanding silence on technology to describe how its Linux farms are processing up to tens of millions of orders daily.

Clearly, SCO’s lawsuit hasn’t discouraged Linux adoption, although some companies may be reluctant to disclose how they are licensing it. With litigation flying, it shouldn’t be surprising that somebody has come up with a tool for tracking open source intellectual property. Introduced by startup Black Duck Software, the tool applies anti-virus-like techniques to ferret out “signatures” of known open source code and identifies the applicable open source license. Black Duck counts nearly 75 different varieties of open source license, although if you listen to open source evangelist Eric S. Raymond, there is only one distinction that matters: either the license complies with Bruce Perens’ Open Source Definition, or it doesn’t.

Although the conventional wisdom is that SCO has not yet produced a real smoking gun to back its allegations, Perens himself warns software developers not to grow complacent. Sure, he expects the SCO suit to go away, but, he warns, beware of patents. Exhibit 1 is, of course, the recent $500+ million judgment that Eolas won against Microsoft over browser plug-ins. The fear is that patent suits will halt innovation.

Software patent suits aren’t new. A decade ago, Compton’s New Media was granted a shaky patent backing its claim to having invented multimedia computing. Yet, a decade later, Compton’s patent hasn’t slowed multimedia development, not to mention the millions of users downloading MP3s (although copyright suits might be another matter). Admittedly, while large companies like IBM boast of their bulging software patent portfolios, they make their money selling products and services, not collecting patent royalties. We don’t expect the IBMs of the world to become plaintiffs.

But smaller companies, especially those that can’t make money in their actual business, probably will, as SCO has demonstrated. Legally, there are all too few hurdles to filing frivolous cases. Forget about the debate on whether vendors should indemnify their customers; major vendors won’t leave their customers exposed. Instead, the real risk is to customers buying software from startups that may not have the resources to protect their buyers. Unfortunately, that’s where the real barriers to innovation may emerge.

Who Goes There?

Single sign-on has long been one of the holy grails of IT. Based on the culture of most IT organizations, it’s going to stay that way for a while.

Let’s explain. Inside your typical IT organization, there are systems administrators whose job it is to manage and protect networks, servers, and databases from attack. And there are software developers, whose role in life is to design, build, and integrate the software that draws people to use enterprise systems. For short, let’s call them guardians and providers.

As innovations such as the web have pried open the floodgates to corporate data, the cultural divide demarcating guardians and providers has deepened. Guardians justifiably grow more paranoid over increased exposure, while providers are excited by opportunities to expand the use and breadth of their software. And with web services promising to erode the barriers between one company’s systems and another’s even further, tensions between both groups are simply mounting.

Not surprisingly, software vendors are reinforcing those divisions by selling systems management tools (which include security and access control) to guardians, while selling applications, application development tools, and middleware (such as web servers, appservers, and portals) to providers.

But what about identity management, the software that controls end user access? Theoretically, that should be the domain of guardians. However, in a growing number of cases, portals, which are bought by providers, are co-opting some of that functionality thanks to embedded user profile databases or rules engines. So what gives here?

Naturally, our ears perked up when Novell, which is noted for its directory and identity management products, announced new levels of integration with the portal and appserver middleware that it inherited from its SilverStream acquisition. With a new web services interface, Novell’s Portal can dispatch service requests to Identity Management to clear a user for access, rather than deciding from a profile store of its own. Hey, this way, maybe guardians and providers could actually call a truce.
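To make concrete why it matters whether the portal decides access itself or dispatches the decision to the identity service, here is an added example (our own illustration, not Novell’s code or API). It models both arrangements with hypothetical names and constructed data: a portal that carries its own copy of user entitlements, and a portal that asks a separate identity service on every request. The point it shows is that when a guardian revokes a user in one place, only the delegating portal notices, and that a delegating portal must fail closed when the identity service is down.

```python
"""Portal access control: embedded user profiles vs. delegation to an
identity service.

Added example, not Novell's code or API. It models the pattern the column
describes: the portal (bought by "providers") dispatches an access check to
an identity-management service (run by "guardians") instead of deciding
from its own embedded profile store. All names and data are hypothetical
and constructed for this example.
"""
from dataclasses import dataclass, field


class IdentityServiceError(Exception):
    """Identity service unreachable or returned an unusable answer."""


@dataclass
class IdentityService:
    """Stand-in for a directory / identity-management backend (assumption)."""
    members: dict = field(default_factory=dict)   # user -> set of groups
    policy: dict = field(default_factory=dict)    # (resource, action) -> groups allowed
    available: bool = True

    def authorize(self, user: str, resource: str, action: str) -> bool:
        """Deny by default: only an explicit policy entry grants access."""
        if not self.available:
            raise IdentityServiceError("identity service unreachable")
        allowed = self.policy.get((resource, action), set())
        return bool(self.members.get(user, set()) & allowed)

    def revoke(self, user: str) -> None:
        """Guardian-side action: strip all of a user's group memberships."""
        self.members.pop(user, None)


class EmbeddedPortal:
    """Portal with its own copy of entitlements (the co-opted model)."""
    def __init__(self, snapshot_from: IdentityService):
        # Copies entitlements once at deployment time; nothing keeps it fresh.
        self.entitlements = {u: set(g) for u, g in snapshot_from.members.items()}
        self.policy = dict(snapshot_from.policy)

    def serve(self, user: str, resource: str, action: str = "read") -> bool:
        allowed = self.policy.get((resource, action), set())
        return bool(self.entitlements.get(user, set()) & allowed)


class DelegatingPortal:
    """Portal that dispatches every access decision to the identity service."""
    def __init__(self, idm: IdentityService):
        self.idm = idm
        self.audit = []   # (user, resource, action, decision, reason)

    def serve(self, user: str, resource: str, action: str = "read") -> bool:
        try:
            ok = self.idm.authorize(user, resource, action)
            reason = "policy"
        except IdentityServiceError as exc:
            ok, reason = False, f"fail-closed: {exc}"   # never default to allow
        self.audit.append((user, resource, action, ok, reason))
        return ok


def build_demo():
    """Constructed sample directory and policy (hypothetical data)."""
    idm = IdentityService(
        members={"alice": {"finance"}, "bob": {"staff"}},
        policy={("/reports/q3", "read"): {"finance"},
                ("/reports/q3", "write"): {"finance-admins"}},
    )
    return idm, EmbeddedPortal(idm), DelegatingPortal(idm)


def scenario() -> dict:
    """Decisions before and after the guardian revokes alice, then an outage."""
    idm, embedded, delegating = build_demo()
    before = (embedded.serve("alice", "/reports/q3"),
              delegating.serve("alice", "/reports/q3"))
    idm.revoke("alice")                  # guardian acts in one place only
    after = (embedded.serve("alice", "/reports/q3"),
             delegating.serve("alice", "/reports/q3"))
    idm.available = False                # identity service outage
    outage = delegating.serve("bob", "/reports/q3")
    return {"before": before, "after": after, "outage": outage,
            "last_reason": delegating.audit[-1][4]}


if __name__ == "__main__":
    print(scenario())
```

Running it prints that both portals allow alice at first, that after revocation the embedded portal still allows her while the delegating one denies, and that during the outage the delegating portal denies and records a fail-closed reason in its audit trail rather than guessing.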

Although a nice half step, we would have preferred something more dramatic. Like, how about integrating metadata between the portal and the identity management servers, so that a portal can be treated as just another local instance of the directory? Sounds nifty, huh? While we’re at it, why not go the whole nine yards and fold Identity and Portal into a single product to settle matters for keeps?

Novell’s response was interesting, poignant, and quite familiar: The barriers to integrating both products are more cultural than technological. Different people buy those products, they said.

Use It Then Lose It

The old adage that nobody gets fired for buying IBM (or Microsoft) reflects the fact that most IT buyers are a pretty conservative bunch. Forgetting the zaniness of 1995 – 2000, we’ve maintained that most IT buyers base their decisions on investment and skills protection. When large dollar sums are involved, conventional wisdom is to go with proven technologies and proven vendors. Otherwise, choosing the right solution from a vendor that then goes under won’t enhance your career.

So, in these times of constrained IT budgets and the growing threat of outsourcing, why would anyone in their right mind buy anything from a startup vendor whose future is anything but certain? Credit a point person from — yes — a startup for taking the bait. Buying from established vendors won’t guarantee a safe investment either, maintains Andy Hayler, founder of Kalido, an upstart data warehousing tools firm. Exhibit One: According to published accounts, PeopleSoft is relegating the AS/400 version of JD Edwards’ ERP system to life support (a fact conveniently ignored in press accounts depicting PeopleSoft as JDE’s white knight).

Hayler proposes a two-tier approach: rely on the old reliables for core mission-critical stuff, but take chances with tactical point solution investments that pay off within a few years. He adds a caveat: make sure tactical buys are based on standards (e.g., web services), so you won’t completely lose your investment once you pull the plug.

He’s got a point. Going with the tried and true is not zero-risk. Besides the reality that vendors eventually retire old software because of age, static markets, or M&A, there is the risk of not taking a risk. Despite what some overhyped (and probably overpaid) tech skeptics are voicing, there is a cost to letting others implement cutting edge technology before you. Obvious case in point: if you’re the last to embrace web commerce, your rivals got first crack at saving money and forging stronger channels to customers and business partners.

But assuming tactical software can be disposable rests on a couple of shaky premises:
(1) Reliance on standards reduces switching costs once software reaches end of life. However, while standards are gradually making the job cheaper, don’t expect that migrating complex business logic will ever be as simple as plugging in a new printer.
(2) Aside from productivity, quantifying other benefits, such as competitive advantage, remains anything but bulletproof.

Consequently, in a conservative IT buying environment, the best offense may be a good defense. When going out on a limb for a novel solution, don’t point to soft benefits. Rather, make the case that the “safe” alternatives may also carry unexpected end-of-life transition costs, because they will.