Open-Source Systems Leverage the ‘Power of Many’ for Security

Written by Habib Madani

At first blush, it seems absurd that an open-source system for cloud computing could be secure. After all, the bad guys can read the source code. That seemingly makes it easy for them to find vulnerabilities and write malware or other malicious code to attack anyone running the open-source system.

Indeed, in an October 2012 survey, some 82.9 percent of respondents said they weren’t using a public cloud system. Of those respondents, security was the most-cited reason at 28.9 percent.

But look a bit deeper, and it turns out that open source has a lot to offer cloud systems in the security department. In fact, it’s arguably safer.

For one thing, thousands of developers read, critique and contribute to open-source cloud platforms such as OpenStack. Most of those developers are on the right side, helping to ensure the software is strong, with relatively few vulnerabilities.

That makes it unlikely that a vulnerability, or a malicious contribution, can stick around for long, since the open-source community will quickly spot and fix problems that arise.

Many Minds Are Better than One

Compare that with proprietary vendors, whose security issues can’t be identified from the outside and who might or might not act promptly to correct issues.

When security issues arise, users of open-source cloud systems have a broad community of developers and fellow users to call on, rather than relying solely on experts from a proprietary vendor to solve the problems. Indeed, Google recently began offering monetary rewards to anyone who fixes certain types of security problems in open-source software.

Another indirect security consideration is the proverbial problem of “lock-in” with proprietary software companies. As has been noted elsewhere, a cloud vendor can make changes to its technology, including its security controls, that give it the upper hand in future negotiations.

Open-source cloud operating systems such as OpenStack also tend to forge partnerships with both the private and public sectors in order to bolster their code. In the early 2000s, for instance, the National Security Agency was among the organizations that helped develop what is now known as Security-Enhanced Linux, or SELinux for short: a set of mandatory access control extensions to the Linux kernel that confine what each process is allowed to do, even when it runs as root.

The takeaway: Open source, when done well, can be as secure as, or even more secure than, what proprietary cloud vendors offer. The open-source community offers a robust set of eyes to probe code and fix problems while helping users avoid lock-in to one vendor.

Even So, OpenStack is Not the Complete Solution Companies Need

All that said, companies looking for quick, affordable options still lack a complete cloud management platform. The consensus is that, for most enterprises, OpenStack falls short.

Gartner analysts wrote last year that, “while OpenStack proponents assert that it will eventually displace” the current generation of expensive, legacy virtualization vendors, “at present it is only implementing basic CMP capabilities.”

“Hype around open-source cloud management platforms … is causing some customers to make unfounded assumptions that may lead to poor sourcing decisions,” analyst Lydia Leong wrote.

She recommended that enterprises assess OpenStack as they would any other vendor solution, “keeping in mind that in its current state, it is most suited to early adopters with substantial engineering resources, high risk tolerance and a need for high-scale, low-cost cloud infrastructure.”

Indeed, many companies are in the market for highly scalable, low-cost cloud options. It’s just that, with current options, they’d need a corps of engineers and months to fire up a private cloud stack.

Again, as Gartner has said, “No vendor provides a complete … solution.”

That’s where we come in. We’re excited to share more on Connectloud’s offerings in the cloud software platform space. Stay tuned to our blog, and please share your feedback. We want to hear from you.