Well they didn’t exactly focus much into security, but taking in the discussions throughout this week’s Open Compute and OpenStack events, it is rather clear that data center architecture is moving towards rapid scale, massive scale and towards getting more and more value out of the data center.  We’re seeing this gravitation to ubiquitous platform models, with flexible APIs that reach into every aspect of these environments – all of these tremendous opportunities enabled by the open community.  These constructs are most closely associated with architecture, but there are some parallels that can be drawn out into the world of security.

Likening technology to the very core of the American soul, Crawford, formerly the Founder of the Open Source Foundation, stated that “everybody wants to be free, and no one wants to be locked in.”

In his opinion, the fundamentals of Open Source apply both in hardware and software:

• the ability to look at the code
• the ability to change the code
• the ability to redistribute the code

Granted, it’s not an exact fit because the nature of these movements are towards openness, something not inherent to the construct of security by any stretch of the imagination.  Still, there are elements there about the energy of this open source vs proprietary systems debate that is very telling of the kind of change that is possible in the security community.  Tomorrow’s data center will be radically different than the data center of today, the rate of change is accelerating and that is mainly based on this open movement.  When you consider these infrastructure changes, one of the biggest motivating notions is one of cost.  The economics favor these Open Source movements in respect to those of proprietary economics.  Quite often these happen to be attached to business demands on technology that would quickly escalate in costs within that proprietary system.  The Open Source proposition may require a different initial commitment, but it is scalable and flexible to those technical demands.  That’s where the movement has taken it.  What was once considered a risk is now an asset.  Extending that out to the world of security again is not an exact parallel.  There are real dynamic issues in security that just aren’t about scale or capacity, but security does have to be incorporated into that scale and capacity at the same time.

“I think it’s one of the things that has started to emerge over probably the last six months to a year,” Pepple noted. “We’ve hit a maturity in OpenStack where it’s actually ready. People on the leading edge…have started to be able to go out there and start to use this and bend it to their needs.” 

Open source also very importantly introduces innovation and wherever possible that goes for security as well.  There are a variety of open source tools out there that have helped the security ecosystem and that can be projected to continue.  Just take a look at encryption for example, or the various open source security stacks and protocols like Snort that have led to fantastic products.  Enterprise-class security standards have been applied to open source tools in the enterprise, such as the integrated encryption and auditing capabilities in leading big data databases.  Enterprise can embrace open source, it can and should be approaching this in a way that meets their needs.

This is the year of the cloud, there’s this new era of data center alpha geeks that are tinkerers and building their own solutions, innovating beyond traditional thinking. The application market is driving this change. As Furrier sees it, software-defined innovation is the future.

I couldn’t think of anything better than a group of alpha geeks looking at the state of security and building something new for the good of the community.  Those mentions of existing open source security constructs are great and despite innovations, are nothing all that new.  The thing to look out for is that community security movement, that love of everything geek, like we’ve seen at these conferences.  The community has always been a divided landscape of sorts with part of the community in commercial circles and then there’s the guys nobody talks about and that don’t talk much about what they do because they are in the government.  There’s some grassroots movement on this as a result of the saga of NSA revelations and perhaps something will come to bear and the security community will benefit.  This could be the year of an industry-changing open security movement with all the energy and innovation seen at these events, however the catalyst for this change would not be cost savings, but rather risk.  We’ve seen discussion of businesses considering not engaging with US companies because of surveillance issues.  That’s an economic risk that may not be acceptable for some and could be a reality that opens the door for a concept like this.