Open source cloud offers another route to better security

Opinion Davey Winder Mar 11, 2013

IBM's move to OpenStack is another indication that open cloud offers many advantages when it comes to security

The news that IBM is going to shift all its cloud services and software to an open cloud architecture comes as no great surprise. After all, it had already signalled an intent to open up the cloud when it joined the OpenStack Foundation last year as a 'platinum' sponsor and then went on to contribute to the codebase.

The announcement will, of course, be a real boost for the whole open cloud movement when those 5,000 or so IBM private cloud customers are migrated to an OpenStack-based architecture. It may not be surprising (after all, IBM has needed to do something strategically if it is ever going to be able to compete with AWS), but is the move to open standards secure?

Certainly open standards can work with proprietary technologies to drive business growth, which is at the heart of the IBM move, but can they (and in particular OpenStack) improve security?

I asked Daniel Beazer, who is Director of Strategy with FireHost, that very question. Beazer, while tipping his hat in the direction of the 'conventional wisdom' argument that any open source IT is inherently insecure, courtesy of source code being publicly available, argues that the debate is actually something of a red herring and insists quite correctly that "any environment is inherently insecure until you secure it".

That's true enough, but it kind of skirts around the specific open clouds question so I tried Richard Moulds, a vice president at Thales e-Security, who takes the view that open clouds, based upon open source software, can "benefit from the community approach to R&D. And in such a rapidly changing market as cloud computing the ability to take advantage of large pools of shared resource can be a very good thing". And another 'good thing' is the transparency offered by open clouds, providing a clear view on how the service actually works for those consuming cloud services. "It also facilitates peer-review and higher levels of independent scrutiny" Moulds argues "both of which are good for building secure systems".

Of course, the counter-argument is that 'closed and inflexible' proprietary systems bring an ability to be quickly tuned (to meet specific threats) and an inherent stability (to enable certification against PCI DSS and other compliance benchmarks) that is all too often missing on the open source side of the fence.

Clouds based upon open source software can benefit from the community approach to R&D

I knew as soon as I started to explore the whole open cloud issue that there was a good chance of a fair bit of sitting astride the security fence. So it was refreshing to bump into someone whose cloud storage business is based around an open architecture and who is prepared to insist that an open cloud, courtesy of its openness, is definitely more secure than a proprietary one.

That someone was Evan Powell, chief strategy officer at Nexenta, who went on to say that "based on publicly available source code, a global collaboration of developers and cloud computing technologists are constantly updating and developing the software. This means it is always relevant, reliable and most importantly secure because any vulnerabilities are identified extremely quickly, broadly known which enables workarounds, and quickly addressed. By comparison, clouds based on proprietary, closed technologies have all sorts of vulnerabilities, however these potential exploits are known only to a few – including hackers and online criminals. Because users are not told about these vulnerabilities they are unable to adjust and, also, any fixes are dependent on the timelines of proprietary vendors".

I'm still not sure that an open cloud or, going back to where all this started, an IBM OpenStack-based cloud is necessarily more secure than a totally proprietary one. However, neither am I convinced it is any less secure for that matter. As Kevin Brown, CEO at Coraid puts it "whenever a dominant commercial platform emerges, the remaining players in the market tend to rally around an open-source alternative, and they are properly motivated to improve the robustness and security over time" and you only have to look to the likes of Windows and Linux, Apple iOS and Android, and yes even VMware and OpenStack to see the evidence of this. "For cloud developers, who typically find themselves writing a lot of integration code from scratch" Brown concludes "OpenStack delivers a welcome combination of standardisation, community support, resumé value, and vendor support. Compared with home-brewed code, OpenStack may represent an opportunity to significantly improve the robustness, security, and implementation speed for cloud-based services that require full stack orchestration".

Ultimately though, in trying to answer the 'how safe is an open cloud' question, I'm inclined to agree with Moulds when he presses forward the point that "irrespective of how the underlying architecture was developed, all cloud services should follow a clearly articulated data protection philosophy that consumers can incorporate into their own data protection strategy. In the end, if data is lost, consumers won't care what cloud architecture was in place, they'll just blame the people they trusted to protect it".

Davey Winder


Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.