Confidence in cloud services took a severe one-two punch last week with the lengthy downtime of Amazon Web Services' Elastic Compute Cloud and the breach of Sony's PlayStation Network, in which 77 million accounts were stolen. Last year I noted that more than half of IT pros surveyed felt cloud services weren't secure enough to trust. Well, the events of the past week won't help.
A brief recap: Amazon Web Services went down on April 21 and took dozens of sites with it, including social network Foursquare, news aggregator Reddit, and question-and-answer site Quora. The error was eventually traced to a network failure that caused problems with Elastic Block Storage, an Amazon storage service that's similar to a disk array for a standard datacenter. Some sites were offline for days as Amazon struggled with the outage, and some data was permanently lost.
In the PlayStation Network case, Sony discovered two weeks ago that PSN and Qriocity, a streaming service similar to Netflix, had been hacked. For the sake of security, it shut both services down completely until it could revise the network to make it more secure. It's still down as of this writing.
In both cases, it wasn't the disruption or breach but the handling of the problems that hurt the companies.
Amazon was painfully slow to alert its users of the outage and repeatedly failed to make timely updates on the status of the service. Cloud management provider RightScale summed up Amazon's failings in its own blog post, and there were a lot -- starting with no blog updates from Amazon Web Services for four days. What we had there was a failure to communicate.
Sony messed up even worse. It took down PSN and Qriocity on April 20 but didn't admit that personal information, including credit card information, was possibly accessed until April 25. Finally, on April 26, the company said on its blog that credit card info was encrypted, but personal data (name, address) was not.
So a lot of people are canceling credit cards now as a precaution, and the Xbox stands to gain a whole ton of sales.
The lawsuits are going to pile up over these outages, and Sony could be in real trouble if a 77-million-person class action suit is brought against it. But this is the time for cooler heads to prevail. If there is one thing I detest in what passes for political discourse it's the habit of both sides to define their opponents by the worst among them and make them the rule, not the exception. So let's not do it here.
Don't abandon Elastic Compute Cloud. Are we forgetting that Amazon started out selling books, and has done a better job with a cloud service than most of the companies with the expertise in this area? Amazon has done a better job than any other cloud service provider, which is reflected in just how many major, important services were taken down. Amazon was subjected to DDoS attacks for kicking Wikileaks off the EC2 service, and it withstood those hackers.
Do diversify. Your 401k doesn't consist of one stock or mutual fund, does it? EC2 sites that stayed up, like SmugMug and Twilio, didn't use Elastic Block Storage, and Netflix only used some of EBS for storage. It split the storage service with other providers. Don't put all your eggs with one provider if you can help it. Amazon is not the only infrastructure-as-a-service provider. There's Microsoft, CSC, and more.
Check that SLA. Amazon's SLA does promise 99.95 percent uptime, and given that AWS has been around since 2006, it's had a pretty good track record. Again, this is one screw-up in five years. That said, make sure any cloud provider has some teeth behind its SLA. CSC likes to note that its SLAs have penalties if they ever screw up as badly as Amazon did.
Pick up the phone, send some emails, make some noise. People sat around waiting to hear from Amazon. If the provider messes up, take initiative and contact them.
As for Sony, I don't know what to say about that company anymore. Its string of failures just grows daily, and it's hard to believe Sony was the model on which Steve Jobs based Apple. Waiting five days to inform people that their credit cards might have been compromised is just inexcusable.
We learn from our mistakes. The fact is, Amazon hasn't had that many to learn from. But let's hope it learned well from this outage, and let's learn a few lessons ourselves. The first should be to not depend entirely on one provider. You wouldn't get all of your IT equipment from one vendor, would you? The same should apply to IaaS services.
"You wouldn't get all of your IT equipment from one vendor, would you?"
Actually we do. And we do it because said vendor goes above and beyond for us and promises the moon and stars - we haven't been able to get the same level of attention anywhere else. If our IT Director calls them at 3am and says he needs something by 5am - it happens.
So, I can kind of see why people would fall under Amazon's spell and put all their eggs in one basket.
To be fair, I'm unaware of any evidence that Sony did not let its customers know about the personal data breach as soon as it had learned of it and was able to.
This kind of crisis does take some time to handle; it has to go both through the legal department (to determine what information legally must be told to customers, what information should be told to customers to help reduce liability, and in what ways it can/cannot be said) and through CRM and/or PR.
Could Sony have handled it better once they found out about the personal data breach from a PR standpoint? Sure. But crisis communications are always difficult. I'm not ready to say that Sony's behavior was egregious.
Amazon's, on the other hand, has been abominable -- between the lack of communication, and the poor quality of what little communication there has been (not even greeting clients with a "Dear valued customer," but instead a fairly empty "Hello").
The sad thing is that Sony's business may take the biggest hit (personal data breaches are always bad news), whereas cloud-happy tech-hipsters and the C-levels they evangelize to may be happy to forgive Amazon because, "Hey, everybody has outages/data losses from time to time! The cloud is still OMG AWESOME! Let's get rid of our local storage entirely and give Amazon more money!"
This here is the essential appeal as well as the most likely failure of the Cloud - it makes things so easy that its failure seems both impossible and disastrous. I've been wary of the Cloud since I heard about it, yet there I am, downloading all my games from Steam. It's just so easy! And if it ever fails, well, there will be no strictly legal way for me to recover those games.
@Fowler- regulation is still iffy on issues regarding data breach in the cloud. But I believe the onus falls on the company storing the data, not the cloud provider, to keep that data safe and to notify the users. Presumably, a good SLA will cover breach notification from the provider to the client, but I suppose there can be loopholes.
Looking back over this, the identity theft issue starts to bother me more.
Protection of consumer data has been pretty dismal. As I recall, the rule is that if a company knows that their customers' data has been stolen, they need to inform them.
If the data breach happens in the cloud, are hosting providers required to inform their customers? This is B to B, not B to C and they may not know that consumer data was lost. If not, companies may find moving their data to the cloud reduces their liability to consumers re: data theft.