Thursday, 26 April 2012
OpenStack - What the future holds
My more structured response is:
- It is important that everyone in the project understands and appreciates the 'Open' in the Open cloud projects, one of which is OpenStack.
- If it is dubbed the 'Kernel of the Cloud', take a look back at how the Linux kernel is maintained.
- Because of the obvious benefits of the project, there is considerable industry interest. This hasn't been seen before in similar open projects. This is particularly different and may determine the project's future. It is a wait and watch game.
- Open projects tend to have their 'baking phase'. I'm not sure if the industry is allowing this crucial phase. It is critical especially for OpenStack, as PaaS and SaaS will potentially be built on it.
- Security must not be overlooked, and it may be the byproduct of this 'baking phase'. An undisclosed zero-day in OpenStack may be detrimental to the trust in the project.
The OpenStack project is a coding/development project driven by the community. The risks to this project are comparable to any other coding project and more, as it is an IaaS-layer software.
Stability, security, release cycles and developer and industry acceptance will collectively decide the success of this project during this and the coming years IMO.
Tuesday, 3 April 2012
CloudStack ASFisation
Well, with all the news and views being published in the past 24 hours on the Citrix CloudStack announcement, I think the note below from Simon Wardley (@swardley) sums it up very nicely for me.

As rightly pointed out in a number of the articles, it is an interesting development that will influence and impact the key open source cloud projects (Eucalyptus, OpenStack and CloudStack), depending on the adoption by developers and requirement satisfaction of the service providers and users.
It is a waiting game where, for now, there is no single winner in this open source race.
Monday, 2 April 2012
Breach Anatomy
I came across this graphic from First Data on this blog post by Brian Krebs and couldn't help reposting it. Hope you find it useful.
Another day, another victim - Global Payments
PCI-DSS is an interesting standard. With multiple stakeholders supporting the transaction process, as explained very well in Martin McKeay's post, it is a tough balancing act that the card brands have to play with the service providers like Global Payments, the merchants and, most importantly, the consumers. After all, the consumers are the ones that keep the systems and services of payment card transactions alive by putting their trust in the whole system. This has led to removing Global Payments from the list of compliant service providers.
There are PCI-DSS lovers and haters, so a breach like Global Payments is a good opportunity to raise questions and discuss views, especially in the security community. From a merchant and service provider's perspective, Alan Shimel raises a good point on the trust in the PCI system and what it holds for the merchants and service providers.
Other interesting coverage on this is at WSJ and SCMagazine.
The card brand moved much faster removing Global Payments from the list than it did when another processor, Heartland Payment Systems, announced a breach of some 100 million card numbers in January 2009. In that case, Visa expelled Heartland from the list about two months later, but Heartland re-validated compliance within roughly six weeks.
In the case of Heartland, Visa told merchants that, despite the processor being temporarily removed from the list, they faced no fines for continuing to do business with it.
The above extract from the SC Magazine link is thought-provoking. Will Global Payments follow this route and be back on the list in a few months?
With the number of data breaches happening every day, is today's consumer even bothered? The emphasis on service always comes before security, both in business and for the consumer. It is only when such incidents occur that the lessons are learnt. For businesses, compliance with a standard is definitely not the panacea, but if done with intent, I believe it will help remove the low hanging fruit. Security is about defence, in depth.
Friday, 9 March 2012
OpenStack Foundation Challenges
OpenStack is an open source platform, developed under the Apache license, that enables businesses and service providers alike to create their own infrastructure clouds (IaaS). More details can be found here.
It is a project with great interest and support from the developer community and industry alike. The instant growth in popularity is, for me, the greatest challenge. Currently 156 companies are listed as supporting the project.
Concerns were raised today by the CEO and Founder of Piston Cloud, Joshua McKenty, on the foundation mailing list here, with some further views expressed here, here and here.
The success of an open source project depends upon constant collaboration and valuable input. In this case, it also depends on how long the OpenStack Foundation takes to reach an agreement on governance and to ensure that the project aligns with the expectations of all stakeholders, supporters and contributors and, most importantly, the requirements of the adopters.
Competition from the providers offering similar services is stiff and constantly improving. Agility is required for the project to succeed - it seems the OpenStack Foundation needs some of the Cloud characteristics to compete in the ever-changing market!