Cloud Computing; Good, Bad, Or Ugly?


49 replies to this topic

#1 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • 32,226 posts

Posted 08 July 2014 - 0743 AM

We have quite a few IT workers here on Tanknet, and now that we're in Stage II of the cloud computing hypestorm, I thought it would be interesting to critique the realities of cloud. Some of the facets I would like your opinions on are:

 

- security

- performance

- regulatory/standards compliance

- manageability (particularly high-level stuff like vendor lock-in)


  • 0

#2 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • 32,226 posts

Posted 08 July 2014 - 0802 AM

I'll start off by writing a couple of my concerns.

 

On security, I have no idea how well cloud providers are handling security inside their firewalls. I am increasingly skeptical about the security of IPsec tunnels, simply because the US government has proven to be a bad actor in the realm of communications security. If Diffie-Hellman has been compromised, the whole IPsec infrastructure is compromised. And then there's the issue of firmware backdoors being soldered into routers, supposedly for overseas sales. If a backdoored Cisco router is sold to some firm in the PRC, ends up in the used gear market, and finds its way to another country such as the US, there's no feasible way to prevent Local Savings and Loan, Inc. from buying it and using it in their DMZ.

 

Note that I'm not so much concerned about the NSA databasing all traffic through an IPsec VPN to a cloud provider; I'm concerned with a fundamental flaw that turns out to be exploitable by anyone, such as the fatal flaws in WEP. A backdoor that the NSA can exploit at will IMHO is a backdoor that will eventually be exploited by all sorts of governments and criminal syndicates.

 

On performance, I've read differing opinions. In big cities with lots of big pipe access and a short geographic distance from a compute center, I can believe that application performance is no worse than a local datacenter. I'm wondering though how this works out for small and medium sized firms in towns and cities somewhat off the beaten path. If you've got just one telecom provider in town, and/or the last-mile providers only have one real route to the big pipes, it's not hard to imagine having higher latencies, bandwidth throttling, and lower availability.


  • 0

#3 Colin

Colin

    Member

  • Members
  • 16,977 posts

Posted 08 July 2014 - 1012 AM

If you live in a smaller town, consider investing in your own server, perhaps have a cloud backup or have the data backed up in 2 separate buildings.


  • 0

#4 T19

T19

    Love Life, hate Taxes

  • Admin
  • 35,579 posts

Posted 08 July 2014 - 1118 AM

I use cloud to back up only my pictures off my iPhone

Otherwise I avoid it like the plague

I don't trust it

#5 Panzermann

Panzermann

    REFORGER '79

  • Members
  • 16,604 posts

Posted 08 July 2014 - 1125 AM

Make your own "cloud". You just cannot trust some random firm in the cloud. You never know what might happen with it. Being bought by another firm. Going out of business suddenly. And all those other bad things that can happen. And can you really trust another firm especially when it is a big one not to peek into your data?


  • 0

#6 Fritz

Fritz

    Master of Panzer

  • Members
  • 7,598 posts

Posted 08 July 2014 - 1126 AM

I keep on OneDrive (the MS cloud) some photos and some unimportant docs that I have to access often, otherwise no. But some expensive software is now offered "as a service" where you only pay a little every month as opposed to a one-time huge lump of cash, so I am doing that (we're talking about programs that normally cost thousands of $). This is directly linked to the cloud. We'll see where this is all going.

Regarding "your own cloud", actually I do that with my webspace, but OneDrive is just more convenient for photos.

Edited by Fritz, 08 July 2014 - 1127 AM.

  • 0

#7 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • 32,226 posts

Posted 08 July 2014 - 1239 PM

Make your own "cloud". You just cannot trust some random firm in the cloud. You never know what might happen with it. Being bought by another firm. Going out of business suddenly. And all those other bad things that can happen. And can you really trust another firm especially when it is a big one not to peek into your data?

 

At the "brochure engineering" level, to me the private cloud concept seems pretty appealing. Most of the advantages of cloud computing without questionable 3rd parties rummaging around in your data. If something goes badly wrong at least you can box up the hard drives and bring them home. Plus you've got end-to-end custody of discoverable evidence, in case of suits and filings.

 

Even the biggest names in cloud raise some uncomfortable questions. Google, well they have a miserable track record for corporate ethics. I pretty much expect their execs and staff to perform a certain amount of subtle hacktivism against customers inconsistent with Silicon Valley mores. An oil company or Christian church would be hosed, I think. Amazon I would tend to trust, simply because their bookselling arm seems to treat all authors equally fairly; Bezos doesn't creep me out, and I haven't heard of Amazon doing anything unethical. Microsoft I would tend to trust on ethics (no, really!) but they seem so unpredictable in terms of customer support. I am thinking here of the overt program for eliminating SBS and forcing those customers to the cloud. Kind of a regime uncertainty sort of thing.

 

It would be fun to create a corporation called Trustable Cloud, Inc. and see if we could get anyone to sign up. A nice professional website, some stock photos of a big datacenter, Facebook and LinkedIn presence, it just might work.


  • 0

#8 Guest_Jason L_*

Guest_Jason L_*
  • Guests

Posted 08 July 2014 - 1934 PM

I'm a pretty huge fan of Dropbox, it has really changed the way I work. The threat of fatal computer issues causing irreparable data loss is from my perspective a much bigger and more likely risk than data theft and the like.

 

Dropbox has already saved my ass numerous times when files got corrupted, it got me up and running right before a huge deadline when my HDD crapped out a bit ago, saved my ass when I urgently needed something and I was able to pull it up remotely, and of course the ability to use it collaboratively. The only other real option to have all your data on the go is carrying a USB key that is constantly synched and encrypted in case you lose the damn thing.

 

Same problem with smart phones and laptops, more data vulnerability comes from having those things lost or stolen than from a company creeping on your data or someone intercepting traffic between you and the cloud.


  • 0

#9 TTK Ciar

TTK Ciar

    Member

  • Members
  • 2,026 posts

Posted 08 July 2014 - 2054 PM

Security:  The data security at most tech companies is poor, and I know for a fact that employees often do go spelunking in customers' data.

AFAICT, Diffie-Hellman is not itself compromised, but the most common random number generators used to create DH keypairs on Windows and Linux systems are not very secure.  An adversary who can predict the output of your RNG can surmise the content of your DH private key, and it's game over.

AES ciphers might be compromised.  The security community is split on this.  Schneier makes a good point that if the NSA could defeat AES, they wouldn't be using riskier methods to circumvent SSL, and they have been observed to do so.

A Chacha20 cipher is available for some SSL implementations, but it's not used much yet.  The security community is split on the viability of Chacha20 as well, but mostly because it is relatively new and hasn't yet had thousands of eggheads and blackhats spend significant brain-hours searching for vulnerabilities.

An AES-Chacha20-Counter or AES-Threefish-Counter cipher would be the best of both worlds.  I'm working on an implementation of the latter (for OpenSSL; nfi if it has a chance of being accepted upstream).

Performance:  It's a crapshoot.  Some services perform well, others perform poorly, and some (like AWS) perform well sometimes and poorly other times.  Ditto with reliability.  A sysadmin friend described his experience working with AWS EC2 as "like having a datacenter that you can't get in which also happens to have a bunch of rabid macaques running around turning the power on and off".  I've held the shoulder of another who was at wit's end because network performance between two EC2 instances could be superb one week and abysmal the next.

If you can try before you buy, you totally should.  Give it a nice several-months-long burn-in and find the gotchas so you can decide whether you can live with the gotchas.

Regulatory / Standards Compliance:  Also a crapshoot.  They all claim to be compliant, about half are lying, and you have no way of knowing which.  I worked for a little 40-employee company which provided EXCELLENT regulatory compliance (including a separate datacenter in the UK for EU Directive 95/46/EC compliance), and I've worked for a huge Fortune-500 company which played fast and loose with observation of regulatory laws.  From what my friends in the industry tell me, it's about half-and-half.

You'd think Google, of all companies, would be decent at standards compliance, but at DM we got some of the worst-formed LF and XML datasets from Google's legal department.  Neither company size nor public reputation are any indicator of what to expect.

Manageability / Vendor Lock-In:  Also a crapshoot.  Some services are very good about this, and offer an easy way to download all your data so you can archive it locally and/or migrate it elsewhere.  Others close on your hand like a toothy steel trap.  Again, if you try before you buy, you can root around and see if infrastructure management and mass data export are available (and work as described).  Linode's simple web-based infrastructure management interface is decent for small deployments, for instance, but you'll be wearing out your mouse-clicker-finger if you try to use them to manage hundreds of instances.

Private cloud:  If you already have the talent and infrastructure in-house to implement this, you should do so.  If your application can be made to work with EC2, for example, you can implement a cheap private Eucalyptus cluster to handle the expected load, and have jobs "spill over" to AWS EC2 instances if load bursts higher than your local capacity can handle.  "Cloud Computing" mostly makes sense for companies which do not have sufficient in-house technical talent, but are willing to spend $$$ for immediate capacity, even if that capacity is expensive and low-quality.  It's faster and easier than finding and hiring engineers/sysadmins and building out space in an Xo or HE datacenter.  It's a way to become profitable immediately, and not six months from now when the market might have already moved out from under you.

Alternatively, if your load is predictable or slow-growing and you can get away with an entirely in-house solution, you can make do with a much simpler infrastructure than the current "cloud" offerings.  A single sysadmin can run and maintain a big dumb Linux cluster several hundreds of nodes in size.  OpenStack is pretty easy to pick up, and gives you most of the Enterprise VM management goodies (if you even need those).

I know that's all very general and vague, but you haven't said much about the specific problem you're trying to solve :-)


Edited by TTK Ciar, 08 July 2014 - 2108 PM.

  • 0
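Added example, not part of the post above or of any project it mentions: a sketch of the point that a predictable RNG gives away a Diffie-Hellman private key, and that an operating-system CSPRNG closes that gap. The group (the Mersenne prime 2**521 - 1 with generator 3), the timestamp seed and every function name here are assumptions chosen for illustration.

```python
import random
import secrets

# Toy group for illustration only: P is the Mersenne prime 2**521 - 1, not a
# standardized DH group. Real deployments use vetted groups or elliptic curves.
P = 2**521 - 1
G = 3
KEY_BITS = 256


def keypair_from_bits(bits):
    """Turn raw random bits into a (private, public) DH pair."""
    private = bits + 2  # avoid the degenerate exponents 0 and 1
    return private, pow(G, private, P)


def weak_keypair(seed):
    """Key generation backed by a seedable, non-cryptographic PRNG (Mersenne Twister)."""
    return keypair_from_bits(random.Random(seed).getrandbits(KEY_BITS))


def strong_keypair():
    """Key generation backed by the operating system CSPRNG."""
    return keypair_from_bits(secrets.randbits(KEY_BITS))


def recover_private(public, candidate_seeds):
    """Replay the weak generator over each plausible seed; return the private key on a match."""
    for seed in candidate_seeds:
        private, candidate_public = weak_keypair(seed)
        if candidate_public == public:
            return private
    return None


def shared_secret(private, peer_public):
    """Standard DH agreement: peer_public ** private mod P."""
    return pow(peer_public, private, P)


# Constructed scenario: the weak host seeded its PRNG with a Unix timestamp,
# and an observer knows that time only to within an hour either way.
SEED_TIME = 1404852840          # constructed value
OBSERVER_ESTIMATE = 1404850000  # constructed value
SEARCH_WINDOW = range(OBSERVER_ESTIMATE - 3600, OBSERVER_ESTIMATE + 3600)


def demo():
    """Return (weak key's session secret exposed?, search result against a CSPRNG key)."""
    _, weak_pub = weak_keypair(SEED_TIME)
    peer_priv, peer_pub = strong_keypair()

    # 7,200 guesses are enough to rebuild the 256-bit private key from the public one.
    recovered = recover_private(weak_pub, SEARCH_WINDOW)
    exposed = (recovered is not None and
               shared_secret(recovered, peer_pub) == shared_secret(peer_priv, weak_pub))

    # The same search against a CSPRNG-generated key finds nothing.
    _, strong_pub = strong_keypair()
    return exposed, recover_private(strong_pub, SEARCH_WINDOW)


if __name__ == "__main__":
    print(demo())
```

The strength of the key is bounded by the entropy of the seed, not by the 256-bit key length: the weak key here has under 13 bits of real uncertainty.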

#10 Corinthian

Corinthian

    Stone Age Bitter Delusional Retard

  • Members
  • 21,354 posts

Posted 08 July 2014 - 2055 PM

Cloud hates slow interwebz.

 

And Philippines being the slooooooooooowest in the region, cloud is basically off-limits IME.


  • 0

#11 m1a1mg

m1a1mg

    Crew

  • Members
  • 1,033 posts

Posted 08 July 2014 - 2255 PM

What about Amazon? Small for individual and larger for business?

 

I use Google Drive, but only for generic stuff. 


  • 0

#12 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • 32,226 posts

Posted 08 July 2014 - 2329 PM

I know that's all very general and vague, but you haven't said much about the specific problem you're trying to solve :-)

 

Only hypotheticals. If I were CIO/CTO of some medium sized business, or a non-tech enterprise, and the CEO/prez called me in and started waving a "cloud uber alles" article from HBR or whatever, the challenge would then be to explain to PHB that you can't just cut a monthly check to your cloud provider and watch increased margins come rolling in.

 

Excellent response, BTW, exactly what I was looking for. A bit depressing! But that's how a lot of IT stuff seems to be.

 

I'm only vaguely aware of OpenStack, having watched an intro video or two. It does look interesting.


  • 0

#13 rmgill

rmgill

    Strap-hanger

  • Members
  • 24,192 posts

Posted 09 July 2014 - 0112 AM

Whatever app you build for Amazon, make sure it's redundant. Their TOS assumes no fault tolerance on their physical iron.
  • 0

#14 Ssnake

Ssnake

    Virtual Shiva Beast

  • Members
  • 6,821 posts

Posted 09 July 2014 - 0311 AM

In Germany cloud services are being used by many companies, but the legality is actually dubious if personally identifiable information (PII) is processed (and which corporate documents don't fall into that category?)

 

The point is that PII receives special protection under German law, among which is that while you may task a third party to handle the data processing, you must keep track of its physical whereabouts and it must not be transferred to countries that do not comply with European privacy standards related to PII. With cloud services you know neither where the data are stored nor do you have firm control over them, and that should be the end of the debate already. Of course, some companies don't care (and one day it'll blow up in their faces).

 

Another rather obvious point is that anything transmitted over public IT infrastructure can (and probably will be) intercepted. IT security depends on nobody in the entire chain fucking up, and how likely is that? Add to the mix certain interest groups that have every incentive and interest to not play by the rules, who have the financial and technical means, and whose understanding of their job description is to snoop around without any restrictions whatsoever; parties who are known to have subverted the academic world (as far as cryptography is concerned) as well as parts of the IT world.

 

Anything that is publicly transmitted I treat as letters in an open envelope. If encrypted, it's like a "Do not read this" stamp, but the envelope is still open. If it's really well encrypted with forward secrecy and real good infrastructure and a cloud service provider that does his job the envelope may actually be sealed, but then you invariably attract the interests of the NSA what is so particularly secret in your data that you want to hide it from them, and they will actively seek to undermine whatever level of security you may have achieved.

 

Technical aspects are only one thing. But security is a mindset of everybody involved. You need motivated and alert people who will recognize attempts from outsiders to breach security as such, they need to report it, and management needs to act on such reports. If simple, automatized signal intercepts don't work, they will try social engineering to figure out passwords to hack into your databases. So not only is it a question of how secure the transport between end user and cloud server is, or how secure the cloud storage is but also whether Joe Schmoe is willing to help that "new intern" calling who needs the "misplaced" password of Mr. Bigwig for whom he is supposed to "create that Powerpoint presentation until tomorrow morning", or else he's fucked. Mr. Peacounter from purchase department must realize that this special offer for routers that is too good to be true IS too good to be true, and that the big savings he might make will actually cost the company a fortune if he buys those discount hardware backdoors. Very soon people will complain about an atmosphere of paranoia in the company, and they are right: You HAVE to be paranoid when it comes to (IT) security if you take your job seriously, and that's an aspect that the nerds usually overlook. You can't get security without a paranoid mindset, and while the paranoia might make things more secure it's usually detrimental to the quality of work and/or to the quality of work atmosphere/corporate culture.


  • 0

#15 Murph

Murph

    Hierophant Lord

  • Members
  • 19,089 posts

Posted 09 July 2014 - 0641 AM

I don't trust it at all, too many security breaches.  I only back up to the cloud those things that I absolutely, positively cannot avoid backing up.  Now Lupe and the girls, iCloud was the only way to go for them, since I cannot remember everyone's passwords, etc.  I make them remember those passwords, and I make them multi character, numeric, and special character nightmares. 

I use cloud to back up only my pictures off my iPhone

Otherwise I avoid it like the plague

I don't trust it


  • 0

#16 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • 32,226 posts

Posted 09 July 2014 - 0935 AM

In Germany cloud services are being used by many companies, but the legality is actually dubious if personally identifiable information (PII) is processed (and which corporate documents don't fall into that category?)
 
The point is that PII receives special protection under German law, among which is that while you may task a third party to handle the data processing, you must keep track of its physical whereabouts and it must not be transferred to countries that do not comply with European privacy standards related to PII. With cloud services you know neither where the data are stored nor do you have firm control over them, and that should be the end of the debate already. Of course, some companies don't care (and one day it'll blow up in their faces).


There is the bittersweet aspect of nations not-US. You don't enjoy the wealth that develops due to hosting Big Web (Google, Amazon, etc.) but you also don't have legislatures that have been thoroughly compromised by said Bigs. I would luvvv for the US to pass some Euro-inspired privacy and DLP laws, but it will never happen. The guys who became billionaires collecting and selling PII can simply buy enough legislators to prevent any restriction on their racket.


I think some time back I read a short article or blurb where prevailing national legislation was used to create a market niche. IOW, host your datacenter here in X and your data must be protected to Y standard. I really like that, let's have nations compete in the global marketplace in terms of beneficial regulations as well as adverse.

Another rather obvious point is that anything transmitted over public IT infrastructure can (and probably will be) intercepted. IT security depends on nobody in the entire chain fucking up, and how likely is that? Add to the mix certain interest groups that have every incentive and interest to not play by the rules, who have the financial and technical means, and whose understanding of their job description is to snoop around without any restrictions whatsoever; parties who are known to have subverted the academic world (as far as cryptography is concerned) as well as parts of the IT world.


Yeah, if we treat a packet like we treat a piece of physical evidence from a crime scene, then the chain of custody thing looks absurdly complicated. It's bad enough in-house, with the number of people who could sniff and store packets. Throw in your Tier III ISP, their Tier I ISP, and the whole staff of a cloud provider, and all bets are off.
 

Technical aspects are only one thing. But security is a mindset of everybody involved. You need motivated and alert people who will recognize attempts from outsiders to breach security as such, they need to report it, and management needs to act on such reports. If simple, automatized signal intercepts don't work, they will try social engineering to figure out passwords to hack into your databases. So not only is it a question of how secure the transport between end user and cloud server is, or how secure the cloud storage is but also whether Joe Schmoe is willing to help that "new intern" calling who needs the "misplaced" password of Mr. Bigwig for whom he is supposed to "create that Powerpoint presentation until tomorrow morning", or else he's fucked. Mr. Peacounter from purchase department must realize that this special offer for routers that is too good to be true IS too good to be true, and that the big savings he might make will actually cost the company a fortune if he buys those discount hardware backdoors. Very soon people will complain about an atmosphere of paranoia in the company, and they are right: You HAVE to be paranoid when it comes to (IT) security if you take your job seriously, and that's an aspect that the nerds usually overlook. You can't get security without a paranoid mindset, and while the paranoia might make things more secure it's usually detrimental to the quality of work and/or to the quality of work atmosphere/corporate culture.


Yeah, the humans are always the weak spot in the defenses. Riffing on TTK's sermon above, my gut feel is that everyone is lurching madly towards the Next Big Thing with a lot of rationalizations and proof-by-assertion w.r.t. security, rather than careful analysis.
  • 0

#17 Ssnake

Ssnake

    Virtual Shiva Beast

  • Members
  • 6,821 posts

Posted 09 July 2014 - 1401 PM

Corporate managers have always behaved like lemmings. Everybody is doing it, we must not fall behind! We cannot tolerate a cloud gap!

 

...and the all-time classic:

The cost savings! The cost savings!

 

 

Robustness and resilience are no categories in most businesses because there rarely are rewards for that - - - aside from the corporation's survival, but why would you care about it if you're just an employed manager who can easily find some management position elsewhere, if everything begins to fall apart?


  • 0

#18 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • 32,226 posts

Posted 09 July 2014 - 1506 PM

Corporate managers have always behaved like lemmings. Everybody is doing it, we must not fall behind! We cannot tolerate a cloud gap!

 

The Future™ lies in the Cloud After Next™!

 

I guess I'm going to wait for the HyperCloud. That is, unless the MetaCloud becomes beta-release vaporware.


  • 0

#19 Corinthian

Corinthian

    Stone Age Bitter Delusional Retard

  • Members
  • 21,354 posts

Posted 09 July 2014 - 2108 PM

Wait till the hackers have a StormCloud™ and a veritable Hurricane™ with special Tornado™ features that'll suck up all your data and dish it out in unrecoverable pieces - except JPEGs of babies and kittens which will be deposited gently in what remained of your cloud storage space.


  • 0

#20 Ivanhoe

Ivanhoe

    purposeful grimace

  • Members
  • 32,226 posts

Posted 11 July 2014 - 1550 PM

TTK and/or Ssnake; how about licensing? I guess a major benefit of public clouds is that the cloud provider does all the license management, and just bakes that cost into the metering rate. Does it really relieve the customer from all that hassle, though?

 

I'm trying to think of what things would look like for an SMB using public cloud. Network admin, Windows Server admin, Exchange admin, SQL Server admin, desktop admin, help desk. IT manager/director no longer does capacity monitoring or planning, or license management. Like electricity, use what you need, pay for it monthly.  


  • 0