Cloud Vendor Lock-Ins Lock Out Secure Practices

The ramping up of the Open Cloud Initiative (OCI) brings to light an important security issue that makes the development of a federated cloud framework essential. The corporations and governments that will use these services will not only want to be able to move services from one cloud supplier to another but, more importantly, they will want to use several suppliers.

As has been seen from recent hacks, putting all your data within a single third-party’s cloud infrastructure leaves everything open if the chosen supplier is breached. It would be foolhardy not to spread the risk by storing data and applications with several suppliers.

Customer Need v Corporate Greed

The problem is that the suppliers are aware of the pure concept of federation but resist interoperability because they are busy locking users in – just as the minicomputer and mainframe companies did in their day.

It’s a question of trying to reach critical mass which, in this case, simply means grabbing the lion’s share of the market before the users stop to think about what the lock-in means. The ambitions of the suppliers and their shareholders’ desire for profits conflict with the actual needs of the customers.

When I have used the “lock-in” phrase in the presence of cloud vendors, they deny there is anything stopping users from moving elsewhere. Though there is truth in this, it is the manner in which that move has to be made. It could mean being given a carrier bag full of optical discs with CSV files to take to your next supplier – hoping to sort things out before the business starts to miss the information source. It’s unlikely to be as crude as this but the reality of the problem existing is apparent.

To have data in one place and applications in another allows some kind of freedom but we’ve yet to see a true mechanism for making it work without introducing serious latency problems.

Federated Data In The Cloud

From a security angle, it would be better to split a single body of data across several providers. If a hacker should then find a vulnerability in one system, the damage would be limited to a subset of the database and not the whole information store. Equally, if a site experiences a major distributed denial of service attack, at least some of the data will be available which could minimise the damage.

Complacency is not an option. As has been shown many times, nobody is safe these days and, while companies are becoming aware of the new set of best practices they need to follow to combat stealthy and persistent attacks, there is no guarantee that a third party is showing the same degree of vigilance.

Hacking is a professional market with gangs pooling their resources to wage a kind of guerilla war, nation states funding disruptive or espionage attacks. With such great, dark powers ranged against them and the import of increasingly mission critical data, the cloud providers are set to become major targets and the likelihood of a successful breach is only a matter of time.

Can A Hack Be Forgiven?

It would be interesting to see tolerance levels tested. Is the inconvenience of a data breach in the cloud enough to make a corporation move to a new supplier or will the event be shrugged off in the face of the further disruption that would be caused and the financial gain accrued from any penalty clauses?

While the current cloud silos exist, I would argue the customer is running a risk that is beyond acceptable. Vulnerabilities will be found and exploited as new techniques are discovered or as cloud employees are handsomely bribed or blackmailed into the service of the miscreants.

Standards development and interoperability are welcomed – though the number of “standards” are increasing rather than consolidating – but these new bodies have yet to prove their worth by gaining the membership of all the big players. Perhaps it is time for citizen power or corporate push to force the issue and combine their clout into a mighty blow that will knock some greater sense of responsibility into the cloud providers.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative

View Comments

  • Weirton Area Port Authority - Yes Cloud computing has several significant advantages, leveraging the cloud lowers individual entities cost in software and IT Support, allows for quicker implementations, real time software upgrades, better tools, etc. However, it also has significant drawbacks: Time consuming and difficult to change software providers, or move to new cloud hosting providers as it increases risk of disruptions - similar to contract manufacturing as it is possible to move, but there would need to be significant problems before it would justify an change in suppliers, meaning more problems become acceptable. Hacking or collapse of your cloud supplier could significantly harm your business, hacking into your data, requires contract language as to the consequences of the cloud provider who are very reluctant to any peripheral or consequential damages above the cost of the cloud services, which could be infinitesimally small when compared to the problems caused by the compromise - government cloud break for example. So additional flexibility and solid exit/change strategies need incorporated into the contract language.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago