OpenStack shops look askance at AWS security, cloud costs

AWS security doubts linger among IT pros interested in deploying OpenStack in a private cloud, and concerns about AWS costs and downtime persist.

IT pros who use OpenStack see a number of inadequacies in Amazon Web Services' cloud, including uptime and security, that keep them from using the public cloud service.

In attempts to appeal to security- and compliance-conscious enterprises, AWS has made its Elastic Compute Cloud instances spin up inside virtual private clouds by default, allowed for direct private network connections into its cloud, and removed the ability to retrieve existing secret access keys for root-level access to accounts, among other measures.

AWS also offers GovCloud, a walled-off section of its cloud for highly secure government customers.

But attendees at last week's OpenStack Summit in Atlanta said they're still not convinced AWS is the best choice for them.

"We have an AWS account, and it's the Wild West out there," said Aaron Knister, a contractor working for a major government agency. Security staff is beginning to pick up on and try to curtail AWS use at the agency where Knister works, as the use of public cloud goes against the agency's security policies. Even though AWS has experienced fewer outages in recent years than in earlier stages of its existence, downtime remains a concern, too.

"I still have some butterflies in my stomach" when considering public cloud, said Douglas Soltesz, CIO of Budd Van Lines, a moving and storage company based in Somerset, New Jersey.

"I'm not saying my security and uptime is really high compared to Amazon, but we know that [in 2012] they had a problem around Christmas, where Netflix and other services went down," Soltesz said.

Budd Van Lines had an outage of its own in 2012 when Superstorm Sandy struck the East Coast, but those circumstances were different, according to Soltesz.

"When we went down with the hurricane, it was acceptable to our customers to say, 'Hey, we had a day of downtime … and we were one of the first companies back online,'" Soltesz said. "But if in the middle of a nice sunny day we're down because we're using [the AWS] cloud and they're down … [customers] don't forgive that."

AWS as competition for internal IT

OpenStack Summit attendees also cited budgetary concerns for going with open source software rather than "paying by the drink" in the AWS cloud.

"At last count, we have thousands of servers," Knister said. "The equivalent AWS instances would blow our budget out of the water -- and then there's the cost of rewriting apps and the cost of migration."

In fact, some big companies building OpenStack clouds see AWS as their primary competition for internal customers' attention.

"We are a networking company, we are an infrastructure company, so outsourcing that to AWS, I don't think it's the right decision for us," said Matt Haines, vice president of cloud engineering and operations at Time Warner Cable. "Now, in the back of my mind, am I preparing to compete with them on price level internally? Absolutely."

AWS is a worthy opponent in this competition, Haines said. Previously it could take up to six weeks to spin up virtual machines, which led frustrated developers at Time Warner to go to AWS in a textbook case of shadow IT.

"They have been poking around at AWS and wondering when we could get something [similar], so they're lined up, and we're almost open for business for them," Haines said.

Making the case against OpenStack

Despite doubts, there was still a wistful look in the eyes of some OpenStack proponents as they discussed Amazon's more advanced features.

This is the subject of some debate in the OpenStack community, but Knister said he'd like to see OpenStack offer a platform as a service (PaaS) layer.

"Something like Elastic Beanstalk -- OpenStack should start to address that," he said. "It would be great to see a PaaS solution that can handle a database with a terabyte of data on the back end; [the API] Trove is a fit for that model."

And not everyone was sold on OpenStack being more secure than AWS, particularly for government.

"We use GovCloud to run [International Traffic in Arms Regulations] workloads," said Brian Schott, CTO for Nimbis Services Inc., a systems integrator that serves Department of Defense (DoD) component suppliers. International Traffic in Arms Regulations is a stringent standard that requires, among other things, that only U.S. citizens operate the IT infrastructure.

"Amazon is getting to the point where it's starting to run non-classified DoD workloads," Schott said.

But this still isn't the right fit for every customer, prompting Nimbis to explore OpenStack for customers who still aren't convinced about AWS security.

"Potential customers with data in house want a cloud in a box, and you can't get that with Amazon unless you're the CIA," Schott said.

Beth Pariseau is senior news writer for SearchAWS. Write to her at or follow @PariseauTT on Twitter.
