In 2008 we published an article on cloud computing, which basically said, don't turn off your local datacenter. To be very sincere, Shortinfosec was a little hypocritical in that article - since Shortinfosec was and is hosted in the cloud. After three years, and a lot of additional examples of cloud development, it is time for a serious reconsideration:
Our original argument was that the confidentiality, availability and integrity triad was unsustainable in the cloud world at the time (2008). Today, things are looking different:
- Backup storage is humming in the cloud in some form or another - and is being used by enterprises
- At least 3 different vendors of banking software are collaborating with cloud services providers to enable the cloud operation of their software (Tieto, Misys, Temenos)
- E-mail and office applications are happily running in the cloud (Google, Microsoft)
- Web applications are more available than ever
From its inception, web hosting was in a sense hosted in the cloud - but a very simple cloud. Very few people or even companies own and operate web servers, and others host their web sites on provider servers throughout the world.
But hosting is not exactly the cloud. The cloud offers so much more for web hosting.
Now, this is not the time to start thinking: "I'm thinking of upgrading my web host and I've been checking some web hosting reviews. It's pretty hard to decide which host, especially when reading the editorial and user reviews, since all of them have good reviews. Let's go on and choose the most expensive one."
When reviewing a move of your web site to the cloud, understand the strengths and weaknesses of the cloud:
- Availability - any cloud service is distributed over multiple servers, datacenters and sites, and the cloud systems can transfer the hosted applications/sites near-instantly across this infrastructure. So even if a server fails, your availability will be nearly unharmed.
- Coping with large load variations - again, since there are multiple servers and datacenters, if your application/site suddenly becomes very popular, the cloud infrastructure won't fall to its knees under the load of additional requests.
- Timely and consistent updates - the underlying servers of the cloud infrastructure need to be fully consistent with each other. Also, since they are running many customers' applications/sites, a failure due to a patch is not something the cloud service will accept. So you can rely on the fact that all servers will be very quickly and consistently updated.
- Extremely fast scaling out - If your application/site has a sustained high visit rate, it needs more servers to run on. This is very easy to implement in a multi-server, multi-site environment of a cloud service.
- Custom platform - each cloud service provider designs the cloud service environment with its own specifics, like the underlying operating system, databases, application server and development platform. These are fixed across the entire cloud platform, and if you wish your application/site to run on the cloud service, you must make it work with the cloud service.
- Lock in - once you have adjusted the entire application/site to run on the cloud service environment, it may be difficult to move it to another cloud service provider - since then you'll need to re-adjust everything to run on the new cloud service. This is even more difficult if the application/site was developed from scratch with a specific cloud service in mind.
- Isolation breach - your application/service is not the only one running on the cloud service systems. A breach of the isolation controls between different applications/customers can cause access to proprietary data, use of another party's resources and in general a very large amount of grief for everyone involved. At the least, you could be billed for resources that another application used in your context due to such a breach.
- Data protection - placing your application/site in the cloud also puts its data in the cloud. And this data is very important to you, and sometimes very confidential in nature. Since all this data is managed by the service provider, incidents of data loss, data leaks and security breaches can all happen.
- Cost - the cloud service providers have a lot of innovative pricing mechanisms, like pricing per I/O, or per CPU used, or bandwidth, or any combination of those. So while efficiency and availability will definitely increase, so may the costs of your hosting.
The cloud is very ripe for web services. But before you choose one, take care to seriously consider your pros and cons. If you can match your application/site to a cloud service, you can bring it to a new level of efficient operation.
Talkback and comments are most welcome