Security is still a mystery and other hard truths about cloud computing

Security is still a mystery and other hard truths about cloud computing

This isn't to say there's no truth to what the cloud companies proclaim, but there are plenty of tricky details that aren't immediately obvious.

For the past few months, I've been [poking around the various commercial clouds, buying new machines, trying software, and running benchmarks. Well, not exactly buying machines -- just renting them for a few hours and plunking down a few pennies on the barrelhead. Along the way, I noticed it wasn't working out the way I expected. The machines aren't as interchangeable or as cheap as they seem. Moving to the cloud isn't as simple or as carefree as it's made to be. In other words, the machines weren't living up to their hype. Anyone who's been chugging the Kool-Aid and dreaming that the word "cloud" is a synonym for "perfection" or "pain-free" is going to be sorely disappointed.

This isn't to say there's no truth to what the cloud companies proclaim, but there are plenty of tricky details that aren't immediately obvious. At their core, the machines aren't miracle workers, just the next generation of what we've been using for years. The improvements are incremental, not revolutionary. If we dial back our hopes and approach the machines with moderated expectations, they're quite nice.

To keep our expectations in check, here is a list of what to really expect from the cloud.

Cloud computing hard truth No. 1: Machine performance isn't uniform

The cloud is meant to abstract away many of the choices that normally go into shopping for a server. You're supposed to push a button, choose your operating system, and get the root password. Everything else is supposed to be handled by the cloud, a nebulous Great Oz that takes care of all those computational chores behind the curtain.

The one thing the benchmarks have taught me is that machines behave quite differently. Even if you buy an instance with the same amount of RAM running the same version of the operating system, you'll find startlingly different performance. There are different chips and different hypervisors running underneath everything. Then the companies can load up their boxes with different numbers of virtual machines.

Cloud computing hard truth No. 2: Too many choices

Sure, many machines pretend to be commodities, but what does it really mean for something to be a high-CPU machine? Then there's the CUDA architecture.

Here, the great promise of the cloud rings true: You can rent something souped-up by the hour and see what it can do. Your boss may not want to give you the money to actually purchase a rack of Nvidia cards to test out the parallel-processing power of the CUDA architecture. A rack of video cards on the purchase order looks like it might support too many time-wasting games of Call of Duty. But a few hours on an Nvidia cloud box is an easy decision for a purchase manager to make.

Expect more complicated hardware as the infatuation with big data grows bigger. Renting out the machines by the hour is an ideal way to get people interested in trying the devices. But with increased choice comes increased complexity and increased uncertainty about what is truly needed.

Cloud computing hard truth No. 3: Hours turn into eternity

Was it several weeks ago that I built up a machine just to try something? The machine only cost a few cents per hour, so I said, "Why not start with a clean slate? It's just a few pennies."

But by the time I got done installing the software and configuring everything, I didn't want to shut it down. This was something neat that I built. Pushing Delete hurt my insides. Now it sits on the back burner waiting for me to get around to find the time to do more -- and the meter keeps clicking.

One of the biggest dangers for the bean counters will be making sense of these long lists of cloud instances that are all running up the bill at a few cents an hour. Simply auditing the lists of machines will take longer than the cost of leaving them up for another month. I think the cloud companies will make plenty of money on servers that sit there waiting, like those mythical primitive islanders, for the plane filled with gods to descend again with instructions.

Cloud computing hard truth No. 4: Software services are hard to price

Software as a service is another temptation from the cloud. You don't need to purchase, license, or install anything. You just ship your bits to an API and it does everything for you.

The prices seem simple. If you're going to store N things, you'll pay the basic price N times. If you have K customers and they each generate M things, you'll need to pay to store K times M bags of bits. Who cares how big K and M happen to be? The prices are always quoted in millipennies.

Ah, but will you really have K customers? Will they really store M things, even on average? The danger is that your neat new project will be wildly successful and 3,000 or even 10,000 people will show up. That means your data budget just went up by a factor of 3 or 10.

The problem is that the bean counters aren't budgeting a flexible amount. They gave you $X and told you to make them last. They're going to be happy that you're getting 3 or 10 times as many people, but they won't be happy when you tell them your data storage budget will be 3 or 10 times bigger.

In these events, buying a fixed infrastructure is a simple way to limit your spending. If you're wildly successful, the server will probably be able to handle it by just slowing down. This sluggish behavior may not make your customers happy, but it is better than the bank shutting you down for overdrawing your account.

Cloud computing hard truth No. 5: Totally integrated solutions are scary

When Google first announced App Engine, it looked like a great appliance that would make cloud computing simple. Upload some Python, and Google would do the rest.

Alas, hand-holding is also handcuffing. The neatest features are proprietary, and that means you'll be locked into the proprietary solution until you can rewrite your software. Who has time to do that?

The smartest clouds are pushing flexibility and openness. The OpenStack standard is gaining traction because everyone is leery about locking themselves into one provider, no matter how good the provider happens to be.

Cloud computing hard truth No. 6: Security is still a mystery

At first glance, it looks like you completely control your machine. You and you alone set the root password. If the OS is secure and the patches are installed, you should be set, right? But all of the clouds are far from clear about what is really going on underneath where the hypervisor lives.

One cloud tech told me that the versions of Linux his company sold came with bastardized monitoring utilities to block the customers from seeing some of the extra backdoors they had installed themselves. It was all for the good of the customer, he said, and he was probably right most of the time.

The cloud companies are working on securing their machines by partitioning the networks and locking down access. However, they have a long way to go before they can offer anything as secure as a locked cage in the server room of your home office.

Cloud computing hard truth No. 7: Calculating cost is no easy algorithm

It looks simple: The providers sell you something by the hour for pennies. Heck, you can afford a few pennies, right? But should you buy one faster machine for 7 cents an hour or three slower machines for 2.5 cents an hour? Each shop charges slightly differently for bandwidth, storage, and other features.

Expect to spend hours benchmarking your application on various sizes of servers. Then put all of this data into a spreadsheet to determine the cheapest configuration.

Cloud computing hard truth No. 8: Moving data is not easy

You've been smitten by the idea of buying the machines by the hour, but buying the machine is often the smallest part of the job. Getting your data into the distant racks in the cloud can be a substantial chore. If you're loaded down with log files or big, big data sets, you could be spending a long time just moving the data where you need it to be.

The best configurations are making it easier to store data locally, then buy computation time when you need it. Amazon even has its intriguing storage Glacier that's much cheaper than its regular cloud, but only promises that the data will be available in hours (hours!).

Cloud computing hard truth No. 9: Little is guaranteed

The marketing message may try to imply that the magical cloud will lift all of these responsibilities from your shoulders, but those are just the warm, fuzzy feelings from the department of warm, fuzzy feelings. The legal department buries scary things in that sea of words you clicked past when you were experimenting.

If you think that the cloud will save you from the responsibility of backing up your data, you're mistaken. Underneath it all, the machines are as fragile as the machines on your desk. They're built from many of the same components. The cloud companies don't have access to magical disk drives and chips.

The best clouds are starting to be upfront about their guarantees. Some have terms of service that explain a bit better what they do and don't cover. They are also starting to surface geographic differences, and that's making it easier to understand what you have to do when you're designing your server farm. If you want your data backed up across the country, you must design it into your system and pay for the bandwidth to carry that data.

Cloud computing hard truth No. 10: No one knows which laws apply

It's easy to imagine that the cloud of data services is living off in some Shangri-La away from those pesky laws and rules that weigh down the lives of humans living on earth. The clouds are floating in cyber space, and we'd all like to believe that's a beautiful place filled with so much harmony and mutual respect that lawyers aren't needed.

This is sort of true because no one really knows what laws apply. It's possible that all the laws apply because the Web stretches everywhere. If you ask a cloud to give you the first instance available, you might end up being governed by Texas, Virginia, California, or wherever your bits happen to end up. What if your code runs in a Virginia server owned by Amazon, a company governed by the state of Washington and the city of Seattle? Are you under only the thumb of Virginia, or do the Seattle cops have a say? It could be all of the above!

Corporate lawyers are trying their best to create Acceptable Use policies that seem to focus on the really bad things people do, but the language appears overly broad. Amazon's Web Service Acceptable Use Policy, for instance, bans content that is "invasive of privacy." Has Amazon seen its own tracking cookies? It also bans "defamatory" and "objectionable" behavior. Who decides what qualifies? It might be too late when you find out.

No one has a clue how this will all shake out, and the cloud lawyers are crossing their fingers as they type.

Cloud computing hard truth No. 11: The extras will get you

Businesses have it tough when the customers start buying on price. The only choice is to cut expenses to the bone, then pray.

The cloud business seems to be following the paths of the hotel and airline businesses. They'll do anything to get the core cost as low as possible because they know that people buy on price. But then they'll try to make up for this cheap price with add-ons. Didn't one airline investigate charging to use the bathroom? Shh. Don't tell the cloud companies; they'll wonder if they can charge you to use the rm command with your server.

The trouble for most server customers is that it's hard to guess how many extra services you'll use. It's easy to count the number of instances and keep a lid on them, but can you estimate how much data will flow between your machines? Some cloud companies charge for that. If one programmer uses a fat data structure like XML, it could quadruple your bandwidth charges.

The companies aren't the only ones to blame. The customers who buy on price alone push the clouds to adopt this model, and there's no easy way out of this dynamic.

Cloud computing hard truth No. 12: Responsibility for backup still rests on you

It's tempting to buy into the marketing hype and think of the cloud as one giant, perfect collection of computing resources. When you need to crunch numbers, you cast your spell across the ocean and the answers rise from the mists.

In practice, the machines are just machines. When you get root on some instance, that machine is as delicate as a server downstairs. Do you build a backup plan for your server today? Then you should build one for your software in the cloud, too. It can fail as well.

The best cloud companies are making it obvious how to accomplish this. They're telling you where the computers are located and allowing you to spin up machines in different locations with disk drives protected by various levels of RAID. More transparency about these features is cluing you in on the necessity. You should take the hint.

Some cloud providers are also building services that offer rather abstract promises that stop just short of perfection. No one can come up with perfection, so you shouldn't be surprised when the cloud can't do it either. Instead, find a way to create your own backup of the data periodically and store that in a vault. Back it up outside the cloud to a nice box on your desk or down the hall. Then check this data periodically.

Follow CIO on

Twitter @cio_nz



Download CIO for your tablet here.

Click here to subscribe to CIO.

Sign up to receive free CIO newsletters.

Send news tips to

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments