Tuesday, 9 June 2009
A dark dark cloud
More on the talking tech side: this event really is a stark warning of the potential destruction that a self-service administrative interface for "cloud" services can wreak on end users. This particular provider was easily exploited because of security weaknesses in the HyperVM product, which gave the attackers full root access and let them delete practically anything public facing.
Ok, so this HyperVM app was insecure, but how many other shops enable root simply because they are lazy? Who remembers when we used to have root enabled by default in ESX 2.x? I wonder how many other apps being developed in what is effectively still the early adopter era for Cloud are being built with very little security governance and no certified hardening process (I'm not a developer, so excuse the possible lack of knowledge here).
This news piece is also a warning that public Cloud services, and the current ecosystem of management interfaces in its bleeding edge form, are still very raw and rough around the edges. It certainly highlights that cloud services are susceptible to destruction on this scale through security flaws in any of the interfaces that manage "cloud" datacentres.
I guess the question is: would this type of exploit have occurred in a datacentre that was physically secured and more conventional by today's standards, i.e. a Private Cloud? I think not. The security model is more aligned to current conventional security policies, you are not putting security in the hands of your service provider to the same extent, and you are most likely using a proprietary management interface and virtualisation platform like VMware, which is tried and tested rather than part of the new generation of cloud-developed software.
Another thing with this news story is the sheer lack of backup and recovery capability that seemed to be on offer and used to restore customer workloads. This, along with less stringently imposed SLAs, is what initially makes Cloud look so appealing on the figures and the balance sheet, something that many C-levels are certainly likely to be attracted to in Cloud computing. Before investigating the feasibility of the cloud, it may be wise to ensure that typical belt-and-braces activity such as backup and recovery, which is currently de facto in any datacentre, is part of your service, or is even performed to another cloud provider such as Amazon S3. If backup isn't an available option, think very hard about committing to and running your business on what is effectively a ticking time bomb.
Hopefully this provided a brief outlook on Cloud and the possible insecurities that may exist for current early adopters, and my condolences go out to anyone related to the poor guy who took his life.