Last week was an exciting week for the Virtualization and Cloud customers and potential adopters. During VMWorld 2009, a handful of announcements by the cloud computing "picks" and "shovel" providers marked the beginning of the "Cloud API War" - The war was kicked off by Citrix with an pre-emptive strike with their opensource "Xen Cloud Platform" initiative. However, it was over quickly shadowed by VMware releasing their specification for their brand new "vCloud API" and submitting the same to DMTF standards body. RedHat also made an orthogonal play by introducing Delta cloud with the stated goal - "To enable an ecosystem of developers, tools, scripts, and applications which can interoperate across the public and private clouds".
Folks, what's at stake here is vendor-lock in (for provider) and interoperability and portability for customers. Cloud API standards when adopted by providers can also enable zero barrier to exit and allow customers to freely move their workloads across public (e.g. Amazon EC2) and private clouds (customer virtualized internal platform). Until now the APIs were primarily driven by public cloud service provider - a few published APIs including Sun's Cloud API hosted in Project Kenai, Rackspace Mosso, Dasein cloud and of course the most popular Amazon's AWS API .
While the high pitched sound bytes from major enterprise cloud vendors were trying to over power each other to gain dominance and customer mind share, I was anxious to find out what nifty security features were packaged into the shiny new Cloud API and quell the top concern and barrier to enterprise cloud adoption. i.e. Cloud Security.
Security features including user access management, virtual network management, image security management, immutable service containers, policy management, encryption & key management are essential requirements for enterprise to adopt cloud services. VMware's press release did mention the word 'security' in their vCloud API announcement - "With the availability of this API, customers can choose cloud services that will enable the on-demand flexibility that they require, and the ability to move their applications in and out of internal or external clouds with the high availability, manageability and security that customers have grown to rely on from VMware." Ok that's a good start but where exactly is security embedded in vCloud API?
After parsing the specification couple of times, I have to say that I am disappointed with the current state of vCloud specification from a security standpoint. My frustration can be summarized by the fact that vCloud API specification does not even have a single mention of the term 'security' in their specification. To their credit, I did came across a role management API feature that allow administrators to create and manage users, group and roles with some privileges that are not yet defined. The spec in that regard says "The vCloud API supports a number of administrative operations that enable the automation of common tasks associated with the administration of clouds and the entities they contain, and with the administration of users, groups, and roles".
Also I was surprised to learn that there were no references to basic API Calls such as managing the REST authentication with a secret key (similar to Amazon EC2 Access key), network security groups (IP based) and key generation/deletion features that Amazon AWS and other public cloud services offer today. Let's hope that those are being baked and will make it to the v1.0 of the specification.
Given the large customer base, Amazon AWS API is sort of defacto Public Cloud API (which is not standards based and rumors of them pursuing IETF path are still rumors) and is further validated by the fact the opensource cloud platform Eucalyptus supports Amazon API. Now with the VMware shooting the vCloud API arrow across the cloud, a serious contender with an enterprise focus has arrived. However, given the first version of the API lacks the traits of enterprise security features, we'll have to wait and watch if vCloud API has the firepower to displace EC2 API from the defacto IaaS cloud API standard pedestal.
I am still dreaming of that API that is designed with security from get-go and that will expedite the enterprise adoption of cloud services by addressing the topmost concern from an enterprise customer. i.e cloud security. And I sincerely believe that cloud service providers can leverage 'security' to their advantage and offer a clear differentiator from the run-of-the-mill competition.
May the cloud provider with the best security arsenal win!