Hooray! Another “public cloud is ridiculously dangerous and will eat your babies” news item. Or not. Maybe both. Don’t worry but lock up your babies, is more or less what I’m saying. Lets break it out.
In conjunction with the LulzSec raids on the Web farms of the body politic, the FBI seized servers in Virginia. This, of course, knocked out a number of perfectly innocent websites and services that were on the same servers as whatever the FBI was after.
This has happened before. In 2009, minor hoster Core IP was raided by the FBI and dozens of the company’s customers were suddenly high and dry. The FBI took servers willy-nilly, not caring who or what was hosted on them.
The end of the story is this: Core IP was, among others, implicated in widespread telecom fraud and probably dirty. All the innocent customers who hosted in good faith? SOL, according to the FBI. Whether they knew about it or not, if they partook of a service that was used in conjunction with criminal activities, they were on the hook.
That’s a bit bizarre to anyone even slightly familiar with technology who understands how multitenancy works and does not believe in guilt by association, but it has real world parallels — a distribution center being used for smuggling gets shut down even if legitimate goods are going through and everyone suffers.
But it does seem particularly awful in the virtual world, since incriminating data can so easily be identified and passed to authorities without burning the entire operation to the ground. It’s just so stupidly, pointlessly destructive that it makes the nerd in us grind our teeth in frustration.
Anyway, it’s either spite, pre-trial collective punishment or willful ignorance by the FBI, but two’s enough for a trend. The implications for cloud computing are clear, since they are almost by definition multitenant environments; host in public and you are at terrible risk from naughty neighbors. The whole thing can blow up in your face overnight, and then the FBI has all your junk. Therefore, private cloud is way to go, right?
Wrong. “Do not host with small-time operators” is the lesson here. Until the day the FBI marches out of Equinix trundling a rack or two or Amazon’s gear, I will not believe that this risk will ever touch service providers over a certain scale. The limit on that scale is an in-house legal department (or a law firm on retainer), if I’m not very much mistaken.
Much for the same reason they don’t sent SWAT teams to rich people’s houses, the FBI does not flash into Google or Microsoft or Amazon data centers and start kicking things over. They engage in protracted, legally sanctioned and highly specific co-operation with those providers, because the FBI does not want to dragged into court and possibly curtailed in its ability to abuse those without the legal resources.
When the feds need data or user information or evidence from MS/Google/etc, you can be sure that it is an employee of one of those providers handing it over to them. Hey, it’s plainly stated in most web services and cloud providers SLAs — “We fully co-operate with legal investigations” or something.
So don’t worry about this happening to you if you use Amazon Web Services or Rackspace Cloud. Worry about encrypting your data. And this certainly doesn’t do a thing to change the current calculus on on enterprise data security and the cloud (which is “MONGO SAY CLOUD BAAAAD!!!”).
Or instead, worry about what your lemur-brained development crew is doing on Amazon’s cloud. There we find a rich source of security delights, from crappy apps running in public to this little gem: The pool of publicly available, user created Amazon Machine Images (AMIs) is riddled with highly insecure, vulnerable virtual machine images, according to new research from Darmstadt Research Center for Advanced Security (CASED) in Germany.
Out of 1100 user created AMIs they tested, 30% were vulnerable to compromise right from launch. Don’t you feel better now?