Why Security May Be the Key Issue in the OpenStack Race

by Ostatic Staff - Jan. 26, 2015

Recently, OStatic interviewed Boris Renski, co-founder of the OpenStack-focused company Mirantis. In the interview, Renski noted that much of the expected consolidation in the OpenStack race may have already happened. "The consolidation has already happened," he said. "I predicted it in December 2013. Cloudscaling, Metacloud, and eNovance were acquired. Rackspace and StackOps pivoted to focus their business on managed hosting. MorphLabs seem to have gone away altogether. Piston and Nebula are still around, but seem to be in a niche that doesn't directly compete with Mirantis' OpenStack distribution. It is us, Red Hat, VMware and HP...and that's it."

Still, the competition between the remaining players is fierce, and it is becoming increasingly clear that security may be a giant differentiator in the OpenStack race. In fact, Red Hat's Vice President of Customer Engagement and Experience, Marco Bill-Peter, recently made that issue plain in a blog post.

Bill-Peter's post focuses on the security-related peace of mind that comes from subscription-based software support—especially after recent major security problems ranging from Heartbleed to Shellshock.

He writes:

"Red Hat's Product Security team supports more than 100 different products and versions, ranging from our flagship product Red Hat Enterprise Linux and Red Hat JBoss Middleware to our emerging products including Red Hat Enterprise Linux OpenStack Platform, OpenShift, and Red Hat Enterprise Linux Atomic Host...2014 will be remembered for a number of high profile vulnerabilities including Heartbleed, ShellShock, and Poodle. While we provided fast updates to correct these vulnerabilities that affected Red Hat products, getting solutions to customers was only part of the service we provided. When serious issues were found in the UNIX-like shell, Bash, called ShellShock in September 2014, Red Hat customers received timely advice, industry-leading security expertise, access to technical information and support, proactive notifications, Customer Portal alerts and articles, and a Red Hat Access Labs self-detection tool."

Not only are these points that OpenStack administrators will want to listen to, but the simple fact is that almost none of the rapidly proliferating OpenStack training options include any curriculum on security at all. In short, budding OpenStack administrators are being taught to master everything but security.

As the Var Guy notes in a related post:

"The lesson for the channel is that, as security threats (along with data privacy compliance) become more serious than ever, open source software vendors have a growing opportunity for pitching the value of software support services. It's no longer only about having someone to call when Apache crashes and won't restart."