Federal agencies continue to be caught between the need to innovate and reduce costs, all while maintaining performance and strong security. This conundrum has driven the adoption of open source software in government, which not only saves money for the government, but also offers more reliability and agility – and better security.
Four metrics – reliability, agility, performance and security – are all critical components of database management, and the open source relational database management system PostgreSQL is arguably the gold standard in these areas. Government IT administrators have begun making the jump to open source, particularly PostgreSQL, to take advantage of the stronger security and lower price point it offers, and many more are poised to join in the switch.
The recently passed National Defense Authorization Act attempts to put legislative authority behind the movement to open source services like PostgreSQL.
Open source and security
Large communities of developers create open source software, all with an eye on writing the best, most secure code. As in many areas of scientific development, it is an ongoing peer review by experts that augments structured testing and methodologies. This means there are many expert eyes reviewing any code change to make sure it is of the highest quality, that it does not introduce inadvertent mistakes and, crucially, that it does not contain any malicious code. This is what makes open source products even more secure than the development process of proprietary vendors, who ask users to rely on their employees and secret methods for confidence.
The PostgreSQL development community has thousands of members, rivaling the scale of any major commercial software company. Four to six times a year, patches and improvements that can number in the hundreds are submitted for peer evaluation and approval. The community at large has to reach consensus about their adoption. It is a democratic process, and the benefit is apparent: community members are willing to invest their time and expertise to create code while accepting that it must be good enough to pass review.
Identifying new features to include is also an open, community-driven process. Many of the advanced features and innovative enhancements in PostgreSQL come directly from feedback derived from the world’s largest users, including the federal government. This includes developing advanced security functionality – a government and, increasingly, commercial necessity. Stronger security measures enhance the attractiveness of open source, and in particular PostgreSQL, as a database solution.
Open source, DevOps and the cloud
The federal government’s movement toward using the cloud in all its various flavors – commercial, private, and hybrid – is pulling in open source technologies. When an agency is moving to an environment where there’s both on-premises infrastructure and cloud, open source is quite valuable because there aren’t the same technical or license restrictions that typically affect those environments. There also is a level of continuity; PostgreSQL, for instance, looks and works the same whether it’s being used in a private, on-premises environment or with a public cloud.
Another trend in the government is DevOps: focused projects that bring together teams of developers and operations professionals to collaborate on typically small, specific software changes and improvements, such as adding a single feature, often using rapid iterations of releases to get the changes into users’ hands. Open source software lends itself very well to this kind of collaborative model.
Open source in the regulatory environment
The open source community at large exists because great software engineers want to write great software. Still, even after considerable peer review and testing, open source software must stand up to the rigor of international standards scrutiny to be trusted in the most sensitive application areas.
Open source PostgreSQL has stood up and met the test. Expert enterprise support organizations have sponsored the testing and documentation to prove that it is secure and reliable. For example, commercial organizations have collaborated with federal agencies to match PostgreSQL against their security requirements and document how PostgreSQL meets those requirements. Crunchy Data teamed up with the Defense Information Systems Agency to develop PostgreSQL Security Technical Implementation Guides (STIGs) that define how PostgreSQL can be configured and deployed for government systems while meeting Department of Defense security requirements. Open source PostgreSQL has also been awarded Common Criteria certification at the EAL2+ level.
Open source and costs
PostgreSQL deployments can result in cost avoidance of up to 90 percent when compared to the life cycle cost of typical proprietary database solutions, and the return on investment can go far beyond the budget impact. For instance, when a security vulnerability in the software is discovered, an enterprise-grade open source support provider will directly interact with the global community to create and distribute a patch as quickly as possible. Many legacy software providers have been known to delay issuing patches until they are ready for broader, more substantive upgrades.
Open source software also helps agencies attract engineering talent. Embracing open source software, encouraging participation in collaborative communities, and fostering a work environment where DevOps is becoming the norm together make for a desirable recruiting tool. Most software engineers will be more enthusiastic about working where they believe they can contribute and participate in writing peer-recognized, enduring code.
Adopting open source software makes sense for government agencies. And adopting a specific product such as PostgreSQL with appropriate enterprise-grade support yields many benefits – cost, compatibility, flexibility and scalability, to name a few. In doing so, IT managers actually improve their agency’s security posture.
Stephen Frost is Chief Technology Officer of Crunchy Data, a leading provider of trusted open source PostgreSQL and enterprise PostgreSQL technology, support and training.