The topic of risk in the public cloud elicits a strong emotional reaction from IT executives. In response to one of my recent stories about the WikiLeaks episode, I heard from readers on both ends of the spectrum.
“WikiLeaks was not a public cloud scandal,” said a director at a financial services firm. Furthermore, so-called “experts” are turning acceptable use into a faux security risk that requires the assistance of — what else — consulting services, he said.
An IT manager said I hadn’t dug deep enough into the forensics of a public cloud gone bad.
“I think you’re ignoring a basic point,” he wrote. “Amazon and a few others pulled the plug on WikiLeaks under severe governmental pressure. The talk of ‘contravening the terms of service’ was pure hogwash. Amazon and the others knew pretty well what Wiki was doing; it gave them a lot of business and everyone was happy … till the government stepped in. If the government machinery decides to nab you (or me), no matter how law-abiding you are, it will find some excuse and some archaic law, invoke that and … zap.”
Is it 1984, 27 years later?
The financial services director is aghast that this “unprecedented concept — to prevent the Feds from coming in and shutting down the cloud!!!” illogically “builds fear into the service provider background check process which exists for very different reasons.”
Who’s right? You tell me.
The IT manager who suspects the government’s influence on private enterprise said his question about risk in the public cloud is this: “What is the security that I can get for the continuous use of the platform without the platform owner using some specious excuse to drop me? ‘Continued and Guaranteed Service’ is now a risk item that has to be examined seriously,” he said.
Would nefarious use of the same public cloud on which your data resides come back to bite you, or is segregation and encryption enough to protect your data? It is unlikely that the government would shut down all of Amazon Web Services for the misdeeds of a few — especially, as Drue Reeves, a Gartner analyst has pointed out, AWS may be too big to fail. Like the financial institutions that recovered with the help of bailouts, large public clouds are becoming cornerstones of the economy, he said.
But it is possible to have data residing on a cloud that suffers a distributed denial-of-service (DDoS) attack in retribution for another customer being dumped. That’s exactly what happened on December 8, when “hacktivists” launched a DDoS attacks against Amazon.com and several financial institutions including Visa, PayPal and MasterCard for their decisions to stop processing payments to WikiLeaks.
What other risks are there? How about hackers using high-performance cloud services on Amazon to break passwords on wireless networks? We’ll hear more about that when security expert Thomas Roth delivers a talk at the Black Hat conference in Washington, D.C., next week.
Regarding the financial services director’s concerns, I plan to follow up with a story on SearchCIO.com next week about best practices for mitigating risk in the public cloud.
What’s your experience? Email me at Laura Smith, Features Writer.