For organizations of any size, there comes a point in building out an IT architecture where one has to decide whether to trust the closed, commercial systems provided by vendors or the open source community that relies on code amassed from people all over the world.

The latter is a concept that can create hang-ups for some—the idea of open anything may give a business owner pause, and people have raised security concerns about the option for years. But organizations of any size can embrace open source and, in most cases, improve daily operations and become more secure as a result.

Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

If you’re searching for an open source success story, look no further than AT&T. Given the size and the requirements for stability necessitated by the telecommunications giant, one would imagine the company would favor closed-source systems—and up until a few years ago, it did. As smartphones took hold and the demand for AT&T’s mobile network increased rapidly, it became clear that a closed environment would no longer suffice.

"We have had around 250,000 percent growth in our mobile data traffic since 2008. Between 2015 and 2020, we anticipate the total network traffic to grow 10-fold," Sorabh Saxena, chief information officer of Network and Shared Services at AT&T, told International Business Times. "With that kind of exponential growth, it's literally not possible to support it on the old networking architecture."

Saxena has led AT&T down the path of open source, a process now three years in the making. It has required disaggregating the vendor-provided hardware that once made up the company’s networking architecture.

"Many, many vendors give us black boxes which have their own operating system in it, own hardware in it, own software controls and networking functions inside it. It's pretty much a locked-in approach," Saxena said.

Now, instead of forcing a massive collection of vendor appliances to fit into a unified network, AT&T has simplified with open source. The second-largest mobile network provider in the United States switched to commodity hardware—widely compatible and affordable equipment without the distinct features and shine of a vendor box—as layer one of its network stack. At layer two is the cloud, and virtual network functions are layer three.

It’s a network now defined by software rather than hardware, and it’s allowed the company to expand its services with more flexibility to account for the growing demands of its subscribers. According to Saxena, AT&T already has 80 cloud locations that support its network services and plans to double that in 2017 alone.

"The reason we went to open source, we didn't want to jump from the frying pan into the fire. In the old hardware-defined world, we had vendor lock-ins," Saxena said. He pointed out that vendor lock-ins were both a cost issue—organizations pay for the expertise of developing the closed source systems—and an agility issue.

"The future was controlled by someone else," he said, "and the architecture itself was cobbled together because we had put the products of hundreds of network vendors into our system and deliver something as an end product."

Most organizations are not the size of AT&T and may not be dealing with the same mess when it comes to their IT infrastructure. But an organization of any size can reap the same benefits of open source as AT&T, opening up the future for growth and allowing IT architecture to scale more readily if required.

For those currently locked in to the whims of a vendor producing closed source hardware, the process can feel a bit helpless at times. While a vendor will often take input from customers, it has more than one organization whispering in its ear and has to create relatively broad products that may not end up meeting every request.

Saxena described the experience as one of “throwing specifications over the wall” and hoping someone would see it. Even if those requests were acknowledged and taken into account, the development cycle often had long lead times and could take months before the product was ready to be integrated into an organization’s existing architecture.

"On the flip side, in open source, the pace of innovation is much faster," Saxena said. Individuals and organizations have a greater voice. "Many of these challenges are being solved in the open-source communities," he said.

While open source is malleable and scalable in a way that closed source often cannot be, one area that has commonly been thought to be weaker when it comes to open source is security.

These concerns stem from a seemingly logical way of viewing open source. As the names suggest, closed source is closed off. When vendors lock their engineers in a room to craft that hardware, they have also locked up much of the documentation about the product, in turn making it more of a challenge for an attacker to compromise.

Open source, on the other hand, lays everything out in totality for anyone to look at. That openness allows experts from all over the world to contribute their best work to a project, but it also gives hackers a full view of the blueprint, making it easier to find and exploit vulnerabilities.

Those concerns are not without merit. Previous reports have shown that open source projects can be slower to issue patches for vulnerabilities than dedicated teams working to maintain the integrity of a closed source product.

However, in general, the benefit of open source for an attacker hoping to spot a weakness is often negated by Linus' Law—a principle put forth by Linus Torvalds, the creator of one of the most well-known open source projects ever, Linux.

Linus’ Law stipulates, "given enough eyeballs, all bugs are shallow." Essentially, because there are so many people looking at and interacting with the code of an open source project, it’s likely that a vulnerability will quickly be identified and fixed before it can be exploited.

"There's a lot of back and forth, but it's happening at a faster pace," Saxena said. When there’s a fix, it can quickly be integrated and patched. "We're moving at the speed of software as opposed to the speed of hardware."

Open source doesn’t carry the stigma or the security concerns that it once had, but there is no one-size-fits-all solution for an organization to implement it into their current architecture. Saxena suggested organizations create an evaluation matrix to determine how they are best suited to make the transition.

He noted some companies, especially small or mid-sized organizations, may want to lean more heavily on mature open source projects that are reliable and already well-established.

Others may be more open to embracing the cutting edge, where more investment of time and money may be required—as well as a willingness to contribute to the project. Saxena said smaller organizations can embrace the cutting edge of open source in order to create a market differentiator and stand out. If successful, those open source projects are built to scale to keep up with the organization’s growth.

Saxena said going the path of open source, especially after relying on closed systems, can be a challenging transition and requires more than just embracing the technology. "We take all these transformations as a people, process, technology, culture challenge. We work on all dimensions of it," he said. For many organizations, investing in those changes will pay off exponentially as they grow.