CASE STUDY
A healthcare system remediates its Elastic SSPL exposure.
An anonymised composite. After Elasticsearch and Kibana moved to the Server Side Public License, a regional healthcare system found the change reached search and logging across clinical and operational systems. This is how it mapped the Elastic SSPL exposure, sized the cost, and remediated on its own terms.
Situation
The organization is a regional healthcare system running clinical, scheduling, and operational platforms across many facilities. Search and centralized logging had been built on Elasticsearch and Kibana, adopted years earlier under the Apache 2.0 license. The platform team treated it as ordinary open source infrastructure, and it had spread through internal tools and several vendor delivered systems that embedded the same components.
The exposure or trigger
Elasticsearch and Kibana moved from Apache 2.0 to the Server Side Public License and the Elastic License in 2021. A source available license is not open source, and the Server Side Public License has not been approved by the Open Source Initiative. The healthcare system had continued to upgrade through the change without registering it as a licensing event. The exposure surfaced during a procurement review, when a question about a managed search offering revealed that no one could state, with confidence, which versions ran where and under which terms.
The concern was specific. In a regulated environment, an undocumented license posture across clinical systems is both a compliance question and an operational one. Leadership needed to know whether any deployment crossed a restricted trigger, what a commercial license might cost if it did, and whether a migration could be done without risking clinical availability.
Approach
Work began with an open source license risk assessment that built the full dependency tree and recorded the license state of every Elasticsearch and Kibana instance, direct and transitive. A relicensing exposure review then mapped the blast radius and separated true exposure from harmless references.
- Each deployment was classified by how it was used, since the license trigger depends on use, not mere presence.
- Instances embedded in vendor delivered systems were flagged for contract review, because the obligation could rest with the vendor.
- Every material finding received a cost of exposure and a cost to cure.
- Containment options were weighed on clinical risk, engineering cost, and timeline.
The analysis showed that no current deployment crossed the service condition that drives the sharpest Server Side Public License exposure, because the system ran Elasticsearch internally and never offered it as a service. The dominant risk was future drift: continued upgrades under restricted terms, with no control to catch the next change. The recommended path was migration to OpenSearch, the community fork led by AWS, for the workloads under active development, paired with a governance layer to hold the line.
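The inventory and classification steps above, and the governance gate that catches the next drift, can be expressed as a small script. The following is an added example, not tooling from the case study or from the healthcare system described; it assumes that each cluster's GET / response has been captured (Elasticsearch reports version.number and version.build_flavor, OpenSearch reports version.distribution), that the usage class of each deployment is recorded by the platform team, and that the SSPL cutover version is a placeholder the reader confirms against Elastic's own release notes. The sample inventory is constructed to exercise every exposure class, including the service case the review found absent here.

```python
"""Classify Elasticsearch/OpenSearch deployments by license state and usage.

Added example, not the case study's own tooling. Assumptions:
  - each cluster's GET / response has been captured as a dict;
  - Elasticsearch responses carry version.number and version.build_flavor
    ("oss" for the Apache 2.0 build, "default" otherwise);
  - OpenSearch responses carry version.distribution == "opensearch";
  - the SSPL cutover version below is a placeholder to be confirmed.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER (assumption): first Elasticsearch release under SSPL / Elastic
# License. Confirm against Elastic's release notes before relying on it.
SSPL_CUTOVER = (7, 11, 0)

# How a deployment is used decides the trigger, not mere presence.
USAGE_CLASSES = {"internal", "service", "vendor"}


@dataclass(frozen=True)
class Finding:
    name: str
    distribution: str   # "opensearch", "elasticsearch-oss" or "elasticsearch"
    version: tuple
    usage: str
    restricted: bool    # running under SSPL / Elastic License terms
    exposure: str       # "none", "drift", "contract" or "service"


def parse_version(text):
    """'7.10.2' -> (7, 10, 2); suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(name, root_response, usage):
    """Map one captured GET / response plus its usage class to a Finding."""
    if usage not in USAGE_CLASSES:
        raise ValueError(f"unknown usage class {usage!r} for {name}")
    v = root_response["version"]
    version = parse_version(v["number"])
    if v.get("distribution") == "opensearch":
        distribution, restricted = "opensearch", False
    elif v.get("build_flavor") == "oss":
        # Apache 2.0 build; only shipped for releases before the cutover.
        distribution, restricted = "elasticsearch-oss", False
    else:
        distribution = "elasticsearch"
        restricted = version >= SSPL_CUTOVER
    if not restricted:
        exposure = "none"          # no live trigger, document and leave
    elif usage == "service":
        exposure = "service"       # sharpest SSPL trigger: offered as a service
    elif usage == "vendor":
        exposure = "contract"      # obligation may rest with the supplier
    else:
        exposure = "drift"         # internal use under restricted terms
    return Finding(name, distribution, version, usage, restricted, exposure)


def upgrade_allowed(finding, target):
    """Governance gate: refuse an upgrade that would move an Elasticsearch
    deployment from pre-cutover terms onto restricted terms unreviewed."""
    t = parse_version(target)
    if finding.distribution == "opensearch" or t < SSPL_CUTOVER:
        return True
    return finding.restricted      # already restricted: no new trigger


# Constructed sample inventory: (name, captured GET / response, usage class).
INVENTORY = [
    ("clinical-search", {"version": {"number": "7.10.2", "build_flavor": "oss"}}, "internal"),
    ("ops-logging", {"version": {"number": "7.17.9", "build_flavor": "default"}}, "internal"),
    ("portal-search", {"version": {"number": "8.4.1", "build_flavor": "default"}}, "service"),
    ("vendor-ehr", {"version": {"number": "7.12.0", "build_flavor": "default"}}, "vendor"),
    ("new-logging", {"version": {"number": "2.11.0", "distribution": "opensearch"}}, "internal"),
]


def run_inventory(inventory=INVENTORY):
    return [classify(n, r, u) for n, r, u in inventory]


def exposure_summary(inventory=INVENTORY):
    """name -> exposure class, the table leadership asked for."""
    return {f.name: f.exposure for f in run_inventory(inventory)}


if __name__ == "__main__":
    for f in run_inventory():
        ver = ".".join(map(str, f.version))
        print(f"{f.name:16} {f.distribution:18} {ver:8} {f.usage:8} exposure={f.exposure}")
```

Run it as a scheduled job against the real inventory and wire upgrade_allowed into the change process, so a version bump that crosses the cutover fails review instead of passing silently.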
Outcome
The organization migrated its actively developed search and logging workloads to OpenSearch on a sequenced plan that preserved clinical availability, moving non critical systems first and validating each step. Vendor delivered systems were addressed through contract clauses that placed the licensing obligation with the supplier. The remaining stable internal deployments were documented and left in place, since they carried no live trigger, with a defined plan if that changed.
The quantified result was a search and logging estate with a known and defensible license posture, a removed dependency on future Elastic commercial terms for the migrated workloads, and an avoided commercial license negotiation that earlier panic had assumed was unavoidable. The cost to cure came in well below the cost of exposure leadership had feared, because the review showed how much of the estate carried no genuine risk.
Lessons for buyers
- A relicense is easy to miss because upgrades continue working. Detection has to be deliberate, not incidental.
- Exposure depends on how you deploy. Running a relicensed component internally is very different from offering it as a service.
- Vendor delivered systems can carry the obligation. Read the contracts before assuming the risk is yours.
- Sizing the cost to cure against the cost of exposure prevents an expensive overreaction.
- A governance layer turns a one time remediation into lasting protection against the next change.
For the wider pattern behind this case, read the Redis and Elastic database licensing pillar and the open source license risk guide. To see a related migration, read how a logistics company migrated Elasticsearch to OpenSearch, or browse all case studies.
COMMON QUESTIONS
Questions buyers ask.
What triggered the Elastic SSPL exposure in this case study?
Elasticsearch and Kibana moved from Apache 2.0 to the Server Side Public License and the Elastic License in 2021. The healthcare system had adopted Elasticsearch under the open license years earlier, and the change reached search and logging across several clinical and operational systems.
How was the exposure remediated?
After a relicensing exposure review mapped the blast radius and sized the cost, the organization migrated the affected workloads to OpenSearch, the community fork, on a sequenced plan that protected clinical availability.
Is this a real named client?
No. This is an anonymised composite drawn from common patterns in regulated healthcare environments. It does not describe a specific named organization.
Is this case study legal advice?
No. It describes commercial and licensing risk advisory work, not legal advice. For interpretation of license terms, organizations should engage their own counsel.
CONTAINMENT
Find your Elastic exposure before procurement does.
A confidential open source license risk assessment. Independent, buyer side, paid only by you.
Not ready to talk? Read the free open source license risk guides first.