The Dark Side of the Cloud
Cloud computing has been promoted as a way for organizations to save money with little or no downside, but embarrassing and costly incidents have revealed the fallibility of cloud implementations.
Pondering the benefits of migrating to the cloud, an executive might be forgiven for being transported to cloud nine. Who wouldn’t like to get rid of most or all of the IT department, stop investing large sums of money in servers, and have the organization’s data cared for by a team of dedicated experts? These benefits can come with a price, however, as cloud providers are not immune to the same types of glitches that can occur in organizational IT departments. (For background reading on cloud computing, check out Cloud Computing: Why the Buzz?)
Uptime of Greater Than 99.9% Is a Good Thing, Right?
Amazon’s Elastic Compute Cloud (EC2) is a cloud platform that provides hosting services for a number of websites and has advertised an uptime in excess of 99.9%. In April of 2011, an outage occurred at an Amazon EC2 facility that caused a number of websites to go down, including Reddit, Foursquare and Quora. Although service was restored to some customers later in the day, service was not completely restored to all customers until three days later. The issue reportedly was caused by a routine network configuration task that went awry and resulted in cascading network storage problems.
Organizations that migrate to the cloud expecting continuous uptime should be aware that cloud implementations are subject to the same hardware and software failures and human errors that cause downtime for in-house implementations. As one commentator observed of the EC2 outage, it will be at least 15 years before Amazon can claim the same percentage of uptime – and that's assuming no similar outages occur in the meantime.
Do You Know Who's Looking at Your Data?
In 2010, Google fired a site reliability engineer for allegedly accessing user accounts and using the information to violate the privacy of minors. This was at least the second incident in which a Google employee was fired for the misuse of user data.
Granted, an internal security breach of this nature can occur in the in-house IT department of almost any organization, and engineers and programmers will probably always require some access to user accounts in order to help resolve problems and fix bugs. In fact in many organizations, both in-house and offshore contractors have access to sensitive user data.
However, managers tend to become more uncomfortable the further they believe company data is from their immediate control. If an organization’s data is stored on the cloud, there is always the chance that a malicious employee from the cloud provider might be able to view it. For many companies, that threat is a lot scarier that the possibility of internal misuse of data because it's (at least partially) out of the organization's hands.
Obviously, cloud providers are aware of this issue and are working to mitigate it. Techniques for reducing internal security breaches include limiting the number of employees with access to sensitive data, limiting employees' administrative rights, and logging employee access to user accounts. The bottom line is that while data in the cloud may not be less secure overall, it is open to a new set of threats.
Hacker Attackers Also Threaten the Cloud
Perhaps even more troubling than internal cloud provider breaches are external attacks from dedicated hackers. Organizations that migrate entirely to the cloud have greater exposure to the internet than organizations that sequester some or all of their data within an intranet. Also, a cloud implementation represents a target-rich environment for hackers; a breach of cloud security could enable a hacker to access data from multiple organizations.
In April of 2011, the Sony PlayStation Network was the target of an external attack that involved the possible theft of personal information from millions of user accounts. Sony was subsequently criticized for not notifying users of the breach until several days after it occurred.
Ironically, the hackers may have used a rented account on Amazon EC2 (itself a cloud platform) to perpetrate the attack on Sony, demonstrating that the anonymity and computing power of cloud accounts can be a boon to hackers as well as legitimate organizations. Cloud providers have experienced difficulty in identifying hackers and preventing them from using cloud services for malicious purposes. Although providers often require a user to furnish contact data when opening an account, hackers circumvent this requirement simply by giving false information. (Hackers get a bad name, but they've actually done some good. Read about it in 5 Reasons You Should Be Thankful for Hackers.)
Wait…What? You Lost My Data Completely?!
Partial or complete loss of data can be catastrophic for an organization, and cloud providers are not immune to data loss. In 2009, Carbonite Inc., which provided backup services for companies and other organizations, admitted that it had lost the data of more than 7,500 customers. In turn, Carbonite placed the blame on the company that supplied the software to monitor its hard drives and the system integrator that implemented the software.
In another 2009 incident, several hundred thousand users of the Danger Sidekick smartphone temporarily lost emails, contact information and photos. Microsoft had acquired the Danger company in 2008, and the Danger user data was being hosted at a Microsoft data center at the time. Eventually, Microsoft was able to restore the data from a backup tape, but the restoration was not completed for more than two months.
Again, data loss is not unique to cloud implementations – it can and does happen in in-house implementations. Whether this is a real cloud computing risk may depend on the organization. Organizations with large budgets and sophisticated IT departments have the equipment and expertise to deal with the backup and recovery of data. However, organizations with less-sophisticated IT departments might not have the resources available to a cloud provider, making the cloud a strong, although still flawed, option.
The cloud is a relatively youthful concept in the discipline of information technology. As such, it can be expected to have its growing pains and become more reliable as it matures. And, although cloud computing has major benefits, organizations that migrate to the cloud are not exempt from the same types of downtime, data loss and security issues that are associated with in-house IT departments. As such, an organization must keep its head out of the clouds and weigh the potential cost savings of cloud migration against its very real pitfalls.