Friday, August 24, 2007

Where Microsoft is still winning over Linux in the Enterprise

There have been occasions when I have been forced to migrate GNU/Linux-based systems to MS products, and after migrating unwillingly, I have come to understand why MS is still competitive and does indeed provide value.
It DOES provide value that Linux is just now starting to provide. Don't send me the flame mail till you are done reading the full article.
We have identified the gaps, and our firm is working on GPLed products to resolve some of the issues. We have planned about 4-5 major products and a couple of minor ones, which will in turn be used in the major projects. All of them will be GPLed. Please join and contribute if you can. All help will be much appreciated.

I have been consulting on GNU/Linux-based solutions for almost 7 years now and using GNU/Linux for 8-9 years now. I do not have to go into a lot of detail about the stability, security and flexibility of GNU/Linux. All of them are very well documented, and I am simply awed by the prodigious amount of excellent-quality code the communities have produced.

Having said that, there are some really painful issues that need to be addressed:
  1. Simplicity for the end user. Think Google. I think this is the single most important thing for the success of Google. Simplicity of use will make users WANT to use our applications.
  2. Spectacular lack of competent/qualified sysadmins for GNU/Linux.
  3. Dental-surgery-like pain in configuring and maintaining enterprise-class servers, especially OpenLDAP, mail servers and firewalls. OpenLDAP has been by far the biggest problem to configure and maintain. It defies imagination how we can have such a fantastic desktop like KDE but fail so miserably at providing a simple way to manage OpenLDAP. (Don't jump on me that Linux is simple or that I am a moron. I may well be a moron; don't bother pointing it out repeatedly.)
  4. Lack of application integration. This is a fallout of the excellent choice available. We simply cannot integrate all the Free apps. This is not a 'crib'. I shall discuss what R-Knowsys Technologies will be undertaking to solve some of these issues. We need to encourage choice but also ensure that the end users (admins) are not stretched too thin. And this is where there is an excellent opportunity for entrepreneurs.
Of the ones listed above, I think Directory Services will take first place. The number ONE reason we face problems with large-scale Linux deployments in enterprises is Microsoft Active Directory: its integration with the rest of the services and, most importantly, the ability to manage hundreds of desktops with the help of Group Policies.
And this is where Microsoft provides real value.

Before we jump off the deep end and start plugging a particular technology, let us try and explore the domain.
What are the really essential pieces in a corporate IT environment? The answer to this can be as simple or as complex as you want. The components can vary widely based on the following aspects of the enterprise:
  1. Size - in terms of turnover/people.
  2. Type - non-profit/for-profit.
  3. Industry/sector - requirements for manufacturing will be very different from the requirements of a pharma company.
  4. Budget - is IT essential, and how important/relevant is it to the enterprise?
  5. Collaboration/communication needs of the employees. What kinds of communication?
  6. Mobility of employees.
  7. Security.
  8. Statutory requirements/audits.
  9. Employee profile - whether they are IT savvy, etc.
  10. Specific applications which run only on Windows and do not have equivalents for Linux.
More factors may affect the decision, but we may assume just the above for simplicity.

Now obviously we cannot come up with a fixed list of requirements which can be used for any organisation.
Let us look at some basic requirements for a reasonably modern enterprise with 15 desktops.
  1. Desktops, Office suite, Password security.
  2. Internal network (LAN, WAN).
  3. Basic networked applications - E-Mail, Intranet apps(Browser based).

Let us figure out the administration tasks associated with just the basic requirements:
  1. Ensuring that desktops are up-to-date with patches.
  2. Configured with the correct time.
  3. Making sure that the hard disks are scanned from time to time.
  4. Protection against virus/worm/malicious threats.
  5. Data backup.
  6. Access controls.
  7. Scheduled maintenance for OS/Apps. Cleaning corrupted apps/files.
  8. Ensuring that the user cannot fiddle with settings that he is not expected to fiddle with: IP addresses, proxies, add/remove applications etc.

Let us assume for illustration that the firm is a biotech firm.
Assuming that I am a sysadmin for these people, I might look at any popular desktop Linux distro like Ubuntu/Suse and be reasonably free from headaches.

Now let us change the scenario to more like what we face regularly. The number of employees is > 500 and more often than not 1000 or more.
There needs to be a
  1. 'corporate standardised desktop with the mission statement displayed prominently'
  2. Since the firm deals with research work/sensitive IP/secrets/Govt/defence-related work, email policies are such that
    1. only some employees can receive emails from external sources.
    2. Others can send and receive email internally only.
    3. Of these, only some can send attachments, and that too only internally.
    4. People in marketing can send attachments outside, but not larger than 500KB and only PDF documents.
  3. Only top mgmt. can receive attachments. Top mgmt. can send attachments above 2MB.
  4. Some employees are travelling all the time and need to access their email securely over the net.
  5. There are about 20 offices worldwide, and mgmt. travels all over the place and needs to log into the corporate network from any office and work seamlessly, i.e. they should not have to configure proxies/mail servers, IP addresses or ANYTHING.
  6. Now Internet access is restricted based on login, and it is restricted by need, seniority and even the actual sites allowed to each person. Internet access needs to be throttled based on user and application. No free email sites should be allowed to a large section of the employees.
  7. Users should not be able to transfer files outside the corporation.
  8. There are about 30 Intranet applications which need to be integrated into a centrally authenticated and centrally administered Intranet.
  9. New users should automatically be given access to all applications (as per their privileges) the day they join the organisation.
Do you really think Linux is up to this? Always keep in mind that the sysadmins are not kernel hackers. They cannot be expected to know C or even advanced shell scripting. They just have basic scripting knowledge.
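The attachment rules in points 2 and 3 above are the kind of policy that is hard to express when it lives scattered across a mail server's config and a webmail php.ini. As an added example (not code from the post or from R-Knowsys), here the same rules are written as a per-group table and checked per message, so an admin with basic scripting knowledge can read, test and change the policy in one place. The group names, the internal domain `example.com`, and the 2MB cap applied to non-management groups are assumptions made for illustration; the post itself only fixes the 500KB marketing limit, the PDF-only rule and the top-management exemption.

```python
"""Added example, not part of the original post: the post's email policy
requirements as a per-group rule table, evaluated per message.
Group names, the internal domain and the 2 MB default cap are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "example.com"      # constructed value, not from the post
TWO_MB = 2 * 1024 * 1024
KB_500 = 500 * 1024


@dataclass(frozen=True)
class Rule:
    receive_external: bool             # may receive mail from outside addresses
    send_external: bool                # may send mail to outside addresses
    receive_attachments: bool          # may receive mail carrying attachments
    send_attachments: bool             # may send attachments at all
    external_attachments: bool         # may send attachments to outside addresses
    max_attachment: Optional[int]      # byte cap per outbound attachment; None = no cap
    external_types: Optional[Tuple[str, ...]]  # extension allow-list for external
                                               # recipients; None = any type


# Policy table (assumed group names). The 2 MB cap on non-management groups is
# an interpretation of "top mgmt can send attachments above 2MB".
POLICY = {
    "internal_only":   Rule(False, False, False, False, False, 0, ()),
    "internal_attach": Rule(False, False, False, True, False, TWO_MB, ()),
    "marketing":       Rule(True, True, False, True, True, KB_500, ("pdf",)),
    "top_mgmt":        Rule(True, True, True, True, True, None, None),
}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[Tuple[str, int]]   # (file name, size in bytes)


def is_internal(addr: str) -> bool:
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_outbound(group: str, msg: Message) -> List[str]:
    """Violations for a message a member of `group` wants to send; [] means allowed."""
    rule = POLICY[group]
    violations: List[str] = []
    external = [r for r in msg.recipients if not is_internal(r)]
    if external and not rule.send_external:
        violations.append("external recipients not permitted: " + ", ".join(external))
    if not msg.attachments:
        return violations
    if not rule.send_attachments:
        violations.append("attachments not permitted for this group")
        return violations
    if external and not rule.external_attachments:
        violations.append("attachments may not leave the company")
        return violations
    for name, size in msg.attachments:
        if rule.max_attachment is not None and size > rule.max_attachment:
            violations.append(f"{name}: {size} bytes exceeds cap of {rule.max_attachment}")
        if external and rule.external_types is not None \
                and extension(name) not in rule.external_types:
            violations.append(f"{name}: type '{extension(name) or '?'}' not allowed externally")
    return violations


def check_inbound(group: str, msg: Message) -> List[str]:
    """Violations for delivering `msg` to a member of `group`; [] means deliverable."""
    rule = POLICY[group]
    violations: List[str] = []
    if not is_internal(msg.sender) and not rule.receive_external:
        violations.append(f"external sender not permitted: {msg.sender}")
    if msg.attachments and not rule.receive_attachments:
        violations.append("this group may not receive attachments")
    return violations


if __name__ == "__main__":
    # Constructed sample traffic.
    m = Message("sales@example.com", ["buyer@partner.example"], [("brochure.pdf", 400 * 1024)])
    print(check_outbound("marketing", m))       # [] : allowed
    m = Message("sales@example.com", ["buyer@partner.example"], [("brochure.docx", 100 * 1024)])
    print(check_outbound("marketing", m))       # type violation
    m = Message("news@outside.example", ["clerk@example.com"], [])
    print(check_inbound("internal_only", m))    # external sender violation
```

The check returns every violation rather than stopping at the first, so a rejection notice can tell the sender exactly which rule was hit; the rule table is the only thing that needs editing when a department's limits change.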

The best part is that I am not making this up. We did face this task from one of our customers. The customer was really pushing for MS products and though we resisted in the beginning, we saw the light and deployed MS-Server-2003 and standardised on Windows XP SP2 on all desktops.

We tried to retain their long-serving Qmail server, which had run for 2 years without a reboot (I checked the uptime).
Their current IT Head wanted Exchange; we tried to save them money by continuing with Qmail on Linux. We went nuts trying to implement their email access requirements in Qmail. Even if we had implemented the requirements in Qmail, they couldn't get a decent sysadmin to maintain Qmail. We were not in the sysadmin space either. In the end we gave up and implemented Exchange.
  1. Before the project:
    1. Number of servers: two P-4 servers with 512 MB RAM each, and one P-3 server with 512 MB RAM (yes, in 2006).
    2. Server-1 --> Qmail with about 1000+ email accounts + spam control + default gateway for 100 users (Squid + iptables firewall with NATing).
    3. Server-2 --> Default gateway for 900+ users (Squid + firewall including NATing).
    4. Server-3 --> LDAP (address book) + FTP server + internal gateway and routing. (P3, 512 MB)
  2. After the migration, their ADS server alone was a dual-Opteron, RAID-5, 8GB RAM box, and they had ADS replication servers in all locations across the country.
  3. Their hardware acquisition alone ran into tens of thousands of dollars, and you can guess the licensing costs for Windows for 1000+ users:
    1. Desktop
    2. Office suite
    3. Exchange
    4. Spam control software licenses
    5. Antivirus (both server and desktop)
    6. Client access licenses for email - this was unbelievable; I couldn't believe that AFTER they had purchased licenses for both Exchange AND Outlook, they still had to fork out for CALs.
    7. SharePoint + Groove.
    8. The list went on...
Now the organisation runs pretty much completely on MS products from desktop to servers, and R-Knowsys was instrumental in migrating all of their infrastructure.
  1. From:
    1. Desktops: Win98/ME(Desktop)
    2. Servers: WindowsNT (Authentication), Linux servers(Mail/squid/LDAP-addressbook)
  2. To:
    1. Desktop: Standardised WinXP (desktop).
    2. Servers: Windows 2003 server + Active Directory.
    3. Firewall - Hardware based. ISA failed miserably here even with 8GB RAM and 2 dual core Opteron chips.
Was it a loss for Linux? Definitely.
What could Linux have provided for a win? What is R-Knowsys Technologies doing to improve the situation? Where is the entrepreneurial opportunity?
How can we ensure that Linux provides unquestionable value to enterprises? More on this in my next blogs.

2 comments:

INVINCIBLE said...

@ks - I am not sure what the constraints were while you shifted the organization to MS; one of them must definitely have been time. All the requirements you have listed are achievable as of now. They may not have been when you did the migration. Still, I'll try to answer your points one by one.

1. Mailing requirements: a> As I see it, there were two requirements regarding attachment size, 2MB and 500KB - there was a simple solution if you had segregated the attachment size requirement department-wise and then set up two mail servers behind the firewall, one which allows 2MB attachments and one with 500KB attachments. No hacking the kernel, no scripting, no extra licenses, just +1 number of machines, and you get two points of failure: if one mail server goes down the other is available, so a few users always have 100% availability. MS does that with a lot of replica servers and exorbitant costs.

b> "Some employees are travelling all the time and need to access their email securely over the net" - if you are providing mail over the web for travelling users, give them an https URL; if they are using Outlook, POP access with certificate authentication is the answer.

c> "There are about 20 offices worldwide and mgmt. travels all over the place and need to log into the corporate network from any office and work seamlessly i.e. they should not have to configure proxies/mail servers, IP address or ANYTHING." - RADIUS is the answer; the user just needs to have phone line access.

d> "Internet access needs to be throttled based on user and application. No free email sites should be allowed to a large section of the employees. Users should not be able to transfer files outside the corporation." - A hardware firewall would have easily managed that.

e> "There are about 30 Intranet applications which need to be integrated into a centrally authenticated and centrally administered Intranet." - This is probably where 'hell breaks loose' again; depending on how the apps have been written, you may definitely integrate them.

f> "New users should be automatically given access to all applications (as per privileges) the day they join the organisation." - cfengine is your answer.

Again, whatever I have written above is based on the content of this post; there may be constraints which I'll probably never be able to know. But again, the point I am trying to stress is that the amount of money you spent on migrating to MS may have been drastically brought down.

On second thought: "whatever software you use is good till the time it has the flexibility to serve you; once it has reached its limits, it's of no use."

kc said...

I will need to look at cfengine. The mailing solution you suggested does seem a practical solution, but those were not the only issues - Qmail wasn't as flexible as I would have liked. I had to put some restrictions in the SquirrelMail (php.ini) file. Not clean.
We did consider RADIUS but it did not fit our purpose.
My point is that we need to rethink enterprise IT architecture in Linux and have distros aimed at enterprise use. I am trying to have an ALL Linux office in my workplace. I am trying to hack together a complete enterprise Linux solution. I will keep you posted in some things I propose and hope to have your feedback there.