“Don’t use open source. Code it yourself.”
That’s the advice Stratus Digital Systems CEO Greta Geankoplis received when she founded the company in 2016, but she had a persistent feeling that she was hearing antiquated advice.
“We need to break that concept of ‘don’t do open source because you’re trying to achieve a superior level of security,’” Greta said. “The world has changed and it’s an open source world, and that is inherent in the environment you’re going to be operating in.”
Stratus Digital is striving to change how organizations deploy their applications in the cloud, especially as it relates to security. Their patented technology uniquely addresses today's cybersecurity problems and helps companies migrate, manage, and secure the cloud through next-generation virtualization.
Stratus, Greta says, changes cloud computing the same way Kayak or Expedia transformed how we buy airline tickets. With Stratus, large corporations can switch their cloud hosting provider in an instant, and healthcare companies can create a new server with a new IP address each time they want to receive data from their Internet of Healthcare Things (IoHT) field devices, instead of sending it via a static server. This not only enhances IoHT security but also has the benefit of increasing the security of patients’ healthcare information.
Today, mid- and large-sized enterprises sign multi-year contracts for exclusive cloud computing services, drawn by the incentives and wanting to avoid the large barriers of transitioning their network to a different cloud provider. This mirrors the early years of corporate airline travel, when American Airlines built their exclusive Sabre reservation system with IBM, and other airlines followed suit with their own exclusive reservation systems.
For decades, changing a reservation between airlines was nearly impossible. But thanks to deregulation and the power of the internet, flight aggregators such as Orbitz and Kayak emerged. Now the air travel market has shifted increasingly towards a commodity market, which means the greatest options are available to the buyer up to the moment of travel. Stratus Digital acts as the data travel aggregator on and across cloud providers with the potential to expand the cloud provider market, similar to Kayak and Expedia’s role in the airline industry.
Stratus Digital enables companies to easily wipe away the trail of breadcrumbs that static cloud server setups leave, because there are no persistent connections.
“Don’t create the cloud instance until you need it,” Greta said, “and then erase everything except necessary data, so you don’t have to worry about vulnerable information persisting in unknown and uncontrolled locations around the internet forever.”
Because Stratus Digital’s services orbit around cybersecurity and reducing risk, making sure their own code is in compliance and secure is fundamental to the organization. When Greta was told by her team that they were not using any open source components, suspicion hummed in her brain.
“Are you sure we’re not using any open source?” she’d asked her development team.
“Yeah, we’re using a few APIs, but we’re not using open source,” they said.
This is a tale familiar to many organizations, big and small. Asked if they are using any open source components, some organizations might deny it. But Tidelift’s research has shown that 92% of applications contain open source components, and that up to 20% of those components are unmaintained.
Greta faced a situation that many before her have encountered: she was confident they were using open source components, but she knew that imposing a risk mitigation process on her development team without their buy-in would fail. She could not review all the open source component licenses herself, or ask the development team to do all the research about potential security issues or whether components were being actively maintained.
In addition to avoiding security vulnerabilities, Greta was also concerned about license compliance.
“I knew there was some bad juju around certain licenses,” Greta said. “You can do anything if you’re a student, but as soon as you sell something, with certain licenses, you are in violation. I knew ‘there be monsters there,’ but I wasn’t getting pragmatic advice from either legal counsel, technical advisors, or experienced developers.”
Enter the Tidelift Subscription. Tidelift helped Greta gain visibility into the over 400 different open source components Stratus Digital was using. Some of those components carried licenses that were not aligned with their use cases. They also identified one security vulnerability that was quickly patched.
Getting a clear readout of the open source bill of materials was important for Stratus Digital, because security is paramount for their customers, many of whom are in government, healthcare, or other regulated industries. Even one licensing problem could have been a showstopper during due diligence with investors. Or a single security vulnerability could be a deal breaker if a customer in the federal government were to discover it themselves. Lack of compliance or a security vulnerability would be a huge blow to Stratus Digital’s credibility.
“Either we were vulnerable, or we weren't,” Greta said. “It didn’t serve our interests to run a sample size of our code to learn about Tidelift. Tidelift listened to us and proposed doing a 100% check of our software out of the gate.”
That 100% check, Greta said, was phenomenally useful to Stratus Digital. The Tidelift Subscription surfaced these issues and offered solutions, mitigating the licensing issues and identifying the security vulnerabilities. All issues were addressed.
What’s more, thanks to Tidelift catalogs, Stratus Digital now has a workflow for analyzing components before they choose to use them. Jason Anderson, Integration Architect at Stratus Digital, relies on tasks generated by Tidelift to check code alignment regularly.
“I can see where issues are,” Jason said. “Say Jakarta’s license was incompatible with our use case. I can go back in and approve or deny it based on the license policy, and in our small company, work with the developers to immediately investigate an alternative component that is both secure and compatible with our license policy.”
Tidelift offered the solutions Stratus Digital was looking for:
- Greta gained clarity on which licenses Stratus Digital Systems should be using, which allowed the team to set parameters for components they might use in the future. These policies are set by Stratus Digital with guidance from Tidelift and its partnered open source maintainers.
- Additionally, Tidelift automates and enforces the process of checking the open source licenses associated with dependencies (and transitive dependencies) to make sure they align with the standards set by the company's IP and business requirements.
- Catalogs guided Stratus Digital to the most up-to-date packages, fixing any security vulnerabilities. Jason now has a list of known-good, proactively maintained components to use, and can regularly check that they’re on the right path. “We want to make sure that we’re in good shape and this is a great way for us to take the time to do it,” Jason said.
- The Tidelift Subscription allows Greta and the team to generate a bill of materials that shows they are compliant. “We now have a snapshot that we can provide that on this date we are 100% in compliance,” Greta said.
Now Greta has easy answers when investors ask what code they’re using, and Jason has easy answers when researching new components to use.
“Most importantly, through our collaborative, holistic, whole-team engagement between ‘Team Stratus Digital’ and ‘Team Tidelift’, I have full buy-in among my development team, operations team, and even my Board of Directors regarding the importance of effective and efficient managed open source, and optimizing for our business strategy,” Greta said.
Tidelift has been essential in helping Stratus Digital implement a solid managed open source strategy. Now Stratus Digital can focus on reinventing how customers innovate with cloud computing.