Brian Stevens, formerly Red Hat's vice president of operating system, storage and clustering development, has been named the Linux company's CTO and is leading its newly formed Emerging Technologies Group. He spoke recently with Network World Senior Editor Jennifer Mears about where Red Hat is heading. What follows is an edited transcript of their discussion.
The CTO spot had been vacant for several years. Why fill it now?
We were very much driven around product line. Now, with the CTO post, we've built an emerging-technologies team, and that team's charter is to set a vision that's not just a year ahead, which is typical of the product-line group, but three to five years ahead.
So looking three to five years ahead, where is the focus?
Operational scalability and performance. Instead of coming in and looking at what products Red Hat can deliver to an IT shop, what we're looking at now is what should the overall open source architecture be. It's a much broader view than just which products we can make money on. In terms of building an operational architecture, things like Netscape Directory are part of it, but now it's broadened into things like virtualization, Stateless Linux and capabilities that we just didn't have before.
What's Red Hat's server virtualization strategy here?
We expect to deliver virtualization capability coincident with our next major release of Linux, which is planned for the later half of next year. We're looking at how a virtualized environment changes the rest of the IT architecture in terms of what new management capabilities you need, how security changes, how you build a highly available infrastructure, how all the other aspects such as provisioning and licensing change. We figure out whom we need to partner with, where M&A is needed, what we need to build.
So where do you see Red Hat building, and where do you see it partnering?
We look at potential acquisition every time we're going to build something. We partner in areas that we feel are farther up in the application space. How you plug the legacy management infrastructure into a virtualized environment, that's an area where we've partnered. We feel, for example, that we have to invest in a new management platform for a virtualized environment, but that will become a platform that the Tivolis and others will sit on.
Speaking of moving up the stack, where is Red Hat going in application servers?
We're trying to figure out what the application server environment of the future will be. One of the things that's becoming interesting is what's happening around PHP [Hypertext Preprocessor], for example. PHP is emerging as an all-new application environment that's becoming very robust very quickly.
SuSE Linux now has ID management, network management, collaboration and other pieces integrated into its platform, thanks to its acquisition by Novell. Are you moving in that direction with your version of Linux?
We collaborate any time we feel that it's a product that needs to be on the platform. So while we were comfortable partnering with Netscape and AOL in the past, we acquired Netscape and its directory and security products when we realized that we needed to integrate [that technology] much deeper into the operating system.
Where else are you going to need deeper integration?
Virtualization is the biggest, the most obvious. We're absolutely integrating virtualization into the operating system. With the legacy virtualization products, the operating system has no awareness that they're sitting on top of them. By integrating virtualization inside the operating system, where the operating system knows it's being virtualized, you can build a much more robust solution. That's similar to what we're doing with security and SE Linux. We're doing that around directory and certificate management. And we're doing that around a new project called Stateless Linux.
What's Stateless Linux?
It's an architectural concept whereby servers and desktops have no state on the system. So it forces an environment of operational scalability where you're managing clients and servers by managing the data for those systems that are living on the network. The benefit is not just management scale, but as systems come and go, servers can fail, and it becomes a non-event. A new server can take over the persona of a failed server in seconds because the server's state is on the network. It's the same with clients. It dovetails well with virtualization.
How does all this have an impact on what you're doing with Red Hat Directory Server?
It's huge. The reason for the acquisition of Netscape was to enable this capability. The directory server all of a sudden becomes where you store state.
What needs to be enhanced in the Red Hat products that are out there now?
We're looking at the entire operating system to make it work in a stateless world, where some systems may not even have any disks on them. It really goes pretty deep inside the operating system: How the operating system bootstraps itself, where it stores all of its configuration data, things like that.
Your latest release included SE Linux. How is that being enhanced?
The next phase is around ease of manageability. It can determine what a policy needs to be for an application and harden that policy based on knowledge. That knowledge and management allows us to get to the next level - what's known as LSPP [Labeled Security Protection Profile], a new protection profile for the government that allows us to replace the old, legacy, multilevel security environment.
One customer told me that it's difficult to meet the SAS-70 auditing requirements, because Red Hat releases security updates and general patches together. Is your company addressing this?
It's true that when quarterly updates come out, security is done only for that update. So customers have to move to that update with us if they want to stay secure. What we're looking at now - and this wasn't necessitated until recently, now that we have over 1 million subscriptions out and 36,000 new customers in each of the last two quarters - is offering longer support for back releases. So some customers could stay on an old update release an still get the security patches.
How does the Red Hat Certified Security Specialist certification launched earlier this month fit into the company's strategy?
The intent is to get to the next level of certification. We're working with IBM to get the LSPP. The other intent was to create a new curriculum for a security architect to teach them how to deploy open source at the architectural level for security. Not just dealing with SE Linux capabilities, but also with directory certificate management. Dealing with all of the capabilities that we have for securing applications from exploits.
That's part of the security road map Red Hat announced last year, right? Is it on track?
It's actually coming more quickly than we expected. We really didn't expect the maturity of SE Linux to be sought after by the masses as it has been.
What about the Fedora Project, your open source operating system effort? Where does that stand now?
We've taken the Fedora leadership team and made them part of the emerging-technologies team. A lot of our activities around driving technology happen in Fedora directly. That's the first time you have visibility into the technology, but quite a bit of it is actually happening before it's even consumable by Fedora.
The CentOS Linux distribution has been getting some attention lately, and backers say it is 100 percent compatible with Red Hat's software. Is that putting any pressure on you?
No, we look at that as a good thing. That's why we chose the license and the distribution model that we have. I'm not speaking of CentOS specifically, but any distribution out there that's based on Linux first and a Red Hat derivative second. What we look at with our clients is around providing value to them compared to what they get from Microsoft or Sun, for example.
Speaking of Microsoft, one customer I spoke with complained about pricing, saying that Red Hat's license fees are not that much lower than Microsoft's and that it's a hard sell sometimes when a company has a big investment in Microsoft.
Is the product free?
Absolutely not. Our value is directly measured against the proprietary vendors. That's what we're looking at with virtualization, Stateless Linux. It's not at all about the price of the product, but rather how you provide more compelling value in terms of operational scalability in ways the others haven't. There is frustration with the proprietary products and their ability to deliver technology.