views: 495

answers: 14

When trying to link some well established tools to my company's active directory, I hit a roadblock. I was told that:

"Sorry, I cannot trust our domain admin password to [F/OSS] software...".

This question deals specifically with how to convince IT that F/OSS software isn't (automatically) less trustworthy than any other software just because it's free/oss.

I'm doing fine with adopting OSS software (I'm a linux ninja at heart) so to put it another way: How can I promote the acceptance of OSS at my company?

The technical issue of tying into AD without an admin account is for another post.


EDIT:

I got some clarification on these issues. This really has little to do with the active directory and all to do with trust of F/OSS in general. So I think my original bolded questions are still valid, just ignore the part about the "admin password".

A: 

If you have the source code for it (and roughly understand the language behind it), go through the code and try to find any security issues that could potentially put passwords/information at risk. If you can, compile your own version of the source code after you've looked over the code, just to be safe.

Dalin Seivewright
I don't think a cursory look is enough to discover security holes.
Albert
He'd be better off paying $$ for software if this is the prerequisite for using OSS.
Scottie T
+4  A: 

I would try it this way:

Why would open-source software be less trustworthy than its closed-source equivalent? If anything, the transparency of its code would require that it be even more trustworthy, in terms of private data storage such as passwords, since any attempt to subvert it would be discoverable by examining the source code.

This, of course, is only valid if the company compiles the source themselves, and does not trust a binary distribution.

jdmichal
Minus a Thompson hack...
Flame
+2  A: 

Identify exactly what he cannot trust about F/OSS software and then you can tailor your explanation to address his concerns.

  • Is it concern about backdoors being coded in?
  • Is it concern about code quality that leads to security risks?
  • Is it concern about how soon security risks will be fixed?
Albert
After discussing this issue with the IT manager in person, your list seems to cover their hesitation.
Michael Haren
+8  A: 

Any IT person worth their salt will be well aware of the benefits of open source software.

The answer that has been given sounds to me like a palm-off answer; some possibilities of why they don't want to implement it could be:

  • Possible lack of enterprise-level support for that specific open source software
  • Not wanting non-IT department employees to be modifying the active directory (you)
  • The software you have found doesn't have the industry recognition that other similar products have
  • There is no perceived benefit for the IT department for the work it would require them to do (both in the initial setup and ongoing maintenance)
Paul
I agree with your first line. And yet here I am... ;)
Michael Haren
A: 

I would put the onus on IT to prove their case. Simply ask "why not?", or possibly "what evidence do you have that this is any less secure than non-GPL software?". If they attempt to give some explanation, you can take some of the other suggestions to explain their misconceptions to them. If they just stubbornly stand their ground, they are standing in the way of you doing your job - and for no good reason. Gently explain to them how you have found incredible value (i.e. free) software that adds value to the company, and that you're sure the higher levels of management would want you to take advantage of it. Hopefully this will remind them they have no evidence. If even this fails and it's important, you could then take it to higher levels of management, but proceed with caution as it's a surefire way to make enemies.

Draemon
+3  A: 

Ask them if they have read the license, since that is what they object to. Ask them specifically what in the license is an issue for them. If what they are really resisting is Open Source Software, then that is a separate issue from resisting the GPL.

EBGreen
*very* good point.
Draemon
I think it's definitely the F/OSS part of it-- not the GPL specifically. I've clarified above, thanks
Michael Haren
I think so too, but if management is saying there is a problem with the license but they really mean there is a problem with F/OSS, then clearing that misunderstanding up is the place to start.
EBGreen
Good point, I'll make sure.
Michael Haren
And once you do know for sure that F/OSS is the issue, then make sure that the software you are trying to use really is OSS. I believe that there is a fair amount of free, NOT OSS software that is released under the GPL as well.
EBGreen
+3  A: 

Why not run as a non domain admin? I can understand why they don't want to give a domain admin password to any software. Especially if there is only one "Domain Admin" account.

How about you determine exactly the permissions needed to run the software and request a new account with only those permissions. You could convince them to put this in a different OU, with additional auditing. If the software provides value, you are creating a process for them to "audit" and decide to trust OSS.

jwmiller5
I agree--and I should have clarified earlier. I wasn't actually asking IT for any passwords. I just wanted permission to authenticate against the active directory, which doesn't require any admin credentials.
Michael Haren
+7  A: 

I work as a sysadmin. From my perspective this question isn't about trusting Open Source software specifically. Your IT person mentioned a specific case, saying he didn't trust it with the domain admin username and password. I think he may be concerned with the software storing that username and password. If that is in fact how it works, I would deny the request for open source or commercial software. No properly set up system should need to store the domain admin username and password; possibly an account with lower credentials, or, depending on the tool, if it is interactive have it set up to ask for credentials at runtime and authenticate against the domain.

Bottom line you need to work with IT to come to a better understanding of your and their needs. Things need not always be only a yes or no issue.

Leroy
I clarified the question: IT is opposed to F/OSS in general, not just with providing credentials to it.
Michael Haren
Sorry to hear that. I'm glad I don't work in your IT Department. I use open source tools all the time and run half our servers on Linux. Seems there is more and more push for a monolithic homogeneous server environment, and there are so many things wrong with that. Good luck.
Leroy
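The arrangement jwmiller5 and Leroy describe above (a dedicated account holding only the permissions the tool needs, kept in its own OU with auditing, rather than the domain admin credential) as an added PowerShell example. This is not code from the original thread; it assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation, and the OU, account and group names are placeholders constructed for the example.

```powershell
# Added example (not from the original thread): provision a least-privilege
# service account for a third-party tool instead of handing it Domain Admin.
# Assumes the ActiveDirectory module is installed; all names below are
# placeholders constructed for this example.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$ouName      = 'Service Accounts'            # constructed OU name
$ouDN        = "OU=$ouName,$domainDN"
$svcName     = 'svc-ossTool'                 # constructed account name
$readerGroup = 'OSSTool-DirectoryReaders'    # constructed group name

# 1. A separate OU, so the account can get its own policy and audit settings.
$existingOU = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN
if (-not $existingOU) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. The account itself: an ordinary domain user that is never added to Domain Admins.
#    The password is typed in at provisioning time, not embedded in this script.
$password = Read-Host -Prompt "Initial password for $svcName" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName -Path $ouDN `
    -AccountPassword $password -Enabled $true `
    -Description 'Service account for OSS tool; directory read access only' `
    -PasswordNeverExpires $false -ChangePasswordAtLogon $false

# 3. Grant only what the tool needs, through a group rather than per-account ACL edits,
#    so the delegation is visible and reviewable in one place.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$readerGroup)")) {
    New-ADGroup -Name $readerGroup -GroupScope DomainLocal -GroupCategory Security -Path $ouDN
}
Add-ADGroupMember -Identity $readerGroup -Members $svcName

# 4. Verify the account holds no privileged (direct) membership before handing it over.
#    Nested memberships are not shown by this cmdlet; check those separately.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')
$memberOf   = Get-ADPrincipalGroupMembership -Identity $svcName | Select-Object -ExpandProperty Name
$overlap    = $memberOf | Where-Object { $privileged -contains $_ }
if ($overlap) {
    throw "Unexpected privileged membership for ${svcName}: $($overlap -join ', ')"
}

# 5. Make the account's use auditable. Run on the domain controllers (or set the same
#    subcategories in the Default Domain Controllers Policy) so each credential check
#    and logon by the service account lands in the Security log.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

The point of step 4 is that the check is mechanical: IT can run it (or an equivalent report) on any account a tool is given, which turns "trust the software" into "verify what the account can do", the audit process jwmiller5 suggests.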
+1  A: 

"how to convince IT that F/OSS software isn't (automatically) less trustworthy than any other software just because it's free/oss."

"How can I promote the acceptance of OSS at my company?"

You can't.

All you can do is the following.

  1. Find the F/OSS they currently use. This can be hard. In some cases, it's trivial because many folks use Apache and Java without thinking about it.

  2. Ask how what you're going to use is different from what they're already using.

That will make the case for exactly one new piece of F/OSS. Or, they'll go crazy and banish stuff they've been using.

You can't make a general understanding happen. You can only make the case one specific detailed case at a time until someone else starts to piece the big picture together on their own.

S.Lott
This is good advice. I would take it further though and say that you have to find F/OSS that violates their constraint. We use Java here, but I can't think of any instance where we use it in application where it has the AD admin password.
EBGreen
@EBGreen: true. However, there's no reason any software should ever have an AD Admin password. There should be separate credentials set aside for applications to use.
S.Lott
I agree with that as well.
EBGreen
Try: any version of windows prior to Vista. You'll find the Berkeley TCP stack hiding away in there.
ConcernedOfTunbridgeWells
Great idea, thanks!
Michael Haren
A: 

What tools do you want to use? Make the business case about how much time/$$ will be saved by using these tools. Give examples of other, highly-successful companies (Google comes to mind) that use these tools.

Scottie T
A: 

You're talking about Windows admins. Just point out how MSFT has handled recent security issues (like the recent IE holes that have mainstream media telling people to use alternate browsers) and ask how OSS can be any worse.

Sean McSomething
A: 

First and most importantly, make sure these decisions by IT are being recorded somewhere. Email or whatever. If you can't do your job effectively because of them, make sure you have enough documentation to redirect the blame where it belongs.

Ant P.
+1  A: 

Sometimes they are not, sometimes they are. You need evidence to back up your thoughts.

CVE numbers don't lie. Go to http://cve.mitre.org/ , http://www.securityfocus.com/bid/, http://www.secunia.com and compare commercial and OSS versions of the same line of products that you'd choose.

See which one is better. Sometimes the OSS product is really rubbish, such as PHPNuke, but sometimes it's darn good when it comes to security, such as qmail.

Also don't forget you need to choose an OSS solution that has a good community, otherwise you might see the project is dead after a year. This is possible in the commercial world too, but let's face it, less likely.

dr. evil
A: 

Look beyond IT. Your sysadmin may be following rules set down somewhere else in the company, typically a legal department. If that's the case, you may have a company lawyer who doesn't know about software or FOSS reacting with a corporate lawyer's typical reaction to the unknown - forbid it. After you've demonstrated cost and security benefits, you may need to ask the company to reach out to a legal expert in the area of FOSS.

Will M