Stephen O'Grady is first out of the gate with 2010 predictions, and this is a solid one.
And of course, most of the APIs in question have relatively weak approaches to security; all are incomplete.
Cloud API Proliferation Will Become a Serious Problem
When I meet with cloud providers these days, the default answer to questions about the openness or lack thereof with respect to their software is “we have an open API.” But this is, unquestionably, the wrong answer for customers. It’s not that open APIs are bad, individually: far from it. You’d rather have one than not. But how are customers to manage them as they multiply? Cloud providers should be considering Kant’s Categorical Imperative:
“Act only according to that maxim whereby you can at the same time will that it should become a universal law.”
Unsurprisingly, however, they are not. Which means that cloud API proliferation will reach new, frightening heights in the year ahead. Or maybe you want to individually review and compare the APIs as they iterate. Watch the Deltacloud project for traction as a result; platforms with an API compatibility story like Eucalyptus should benefit as well.
On a semi-related note, I expect IaaS to remain more popular than PaaS for 2010.
This makes Hoff's announcement of the new A6 Working Group all the more relevant. The goals of A6 are as follows:
The goal of A6 is simple: to provide a common interface that allows providers to automate the Audit, Assertion, Assessment, and Assurance of their environments and allow authorized consumers of their services to do likewise via an open, extensible and secure API across SaaS, PaaS, and IaaS offerings.
This list seems to me to be the most important structural and process concerns to cover initially. I would also vote for rolling it up into a decentralized policy language.
While I agree with Stephen O'Grady that the Cloud APIs will sprawl, it does not necessarily mean that security APIs have to as well. All the Cloud APIs can benefit from a consistent interface to security services.
I wouldn't count on any of the cloud providers to rush headlong into supporting A6. Their "open" APIs, which we know aren't open but rather are published, provide a point of lock-in that service providers like to maintain.
Thus they will support A6 (or any other truly open APIs) only when forced to by big customers that make it mandatory.
I think that's what O'Grady is saying, though sometimes that fancy analyst language is a bit confusing to a simpleton like me...
Mike.
http://blog.securityincite.com
Posted by: Mike Rothman | November 19, 2009 at 01:48 PM
Hey Mike, I am sure they'll want to figure out some way to try and lock customers in, but I am not sure they need to use security mechanisms to do that; they can try and find other ways and leave security to more open standards.
Posted by: Gunnar | November 20, 2009 at 06:21 AM