I’ve been asked to provide a brief security analysis of the OpenStack open source cloud computing platform and whether our enterprise should pursue it as the basis for our cloud infrastructure build-out. My initial assessment is that, like with Apache and Linux, the open nature of the platform allows security flaws to be found and fixed quickly, which helps decrease the likelihood of exploits. Do you agree? What other OpenStack security points (pro and con) are worth considering?
OpenStack is an Infrastructure as a Service cloud computing initiative with the goal of being an easy-to-implement, feature-rich, yet very scalable, cloud computing platform. Launched in July 2010 by hosting provider Rackspace Inc. and NASA, it consists of a series of interrelated projects building various components for a cloud infrastructure solution. All of the code is freely available under the Apache 2.0 license, and there are over 100 companies, including Cisco Systems Inc., Citrix Systems Inc., Dell Inc., Intel Corp. and Microsoft, contributing to its development.
Opting for open source cloud software means avoiding the potential dilemma that is proprietary vendor technology lock-in, and OpenStack’s modular design means it can integrate with legacy or third-party technologies. OpenStack also aims to establish cloud computing standards, which are certainly lacking at the moment. Standards will make it easier to have compatible tools and services that work across cloud providers, thereby easing the process of moving data and applications between clouds, particularly when migrating from private to public. Open source Linux solved the problems caused by the emergence of proprietary flavors of Unix, and open cloud standards could provide the same benefits for large-scale cloud computing.
There are two interrelated OpenStack projects: OpenStack Compute and OpenStack Object Storage. OpenStack Compute is software to provision and manage large groups of virtual private servers. It is written in Python using the Eventlet and Twisted frameworks, and relies on the standard AMQP messaging protocol and on SQLAlchemy for data store access. It integrates code from NASA's Nebula cloud platform as well as Rackspace's Cloud Files platform. Object Storage is software for creating redundant, scalable object storage using clusters of servers to store vast amounts of data. If you opt for OpenStack, you'll be running the same software used by NASA and by the cloud services offered by Hewlett-Packard Co. and Rackspace; other providers that offer OpenStack, such as Piston Cloud Computing, are also starting to appear.
Although OpenStack wants to make it possible for any organization to deploy large-scale private or public clouds running on standard hardware, you will need a competent technical operations team that has the capabilities to turn physical hardware into large-scale cloud deployments. It is probably not something the average business would consider deploying itself.
Open source projects generally have a good track record when it comes to security, but they are not immune to flaws and vulnerabilities, and OpenStack is still new. An alternative would be the Eucalyptus framework, which implements the API stack of Amazon's EC2 compute cloud, allowing a cluster of servers to emulate what Amazon does internally, but on a private cloud. Eucalyptus has been around longer than OpenStack but is not fully open source. This is possibly one of the reasons the Ubuntu community has decided that future releases of Ubuntu Server will support OpenStack.
It’s unclear whether OpenStack or Eucalyptus will achieve commercial success and -- importantly for you -- longevity, but at the moment the momentum certainly seems to be with OpenStack.