Amazon outage a valuable lesson in cloud security

Amazon's recent cloud service outage points out the vulnerability of these types of services, and the importance of having backup plans for data and applications.

Amazon's recent cloud service outage points out the vulnerability of these types of services, and the importance of having backup plans for data and applications.

"What this episode demonstrates is that cloud computing does not absolve those responsible for designing and deploying applications from understanding how the dependencies of the underlying platforms impact the availability, resiliency and survivability of their architecture -- regardless of how opaque it may be," says Chris Hoff, director, Cloud & Virtualization Solutions, at Cisco's Security Technology Business Unit.

"As distasteful as the phrase 'plan for failure' is to some people, the lesson here is not an unfamiliar one: hope is not a strategy and putting all your eggs in one basket means you may end up with a well-contained omelet. This failure could happen to anyone, using any service deployment or delivery model, internal or external, cloud or otherwise."

More on cloud computing and security

While Amazon is clearly responsible for the failure of service, Hoff says, "so too are those customers who are responsible for delivering service based on AWS, and not appropriately planning for a failure when options are available to do so. Ultimately, it's the customers who own their availability, not a single provider, regardless of how reliable they may be."

The outage "underscores the importance of taking a broad risk management approach to adopting cloud computing, and the shared responsibility that exists between customer and provider in infrastructure as a service," says Jim Reavis, executive director of the Cloud Security Alliance (CSA).

"Customers with high availability requirements for their cloud application need to consider a basic virtual machine instance as a single point of failure, the same way one would view a single hard drive," Reavis adds. "It is then important to explore the additional redundancy services you can get from your chosen provider or develop a systems architecture that can tolerate failure of a single cloud component. You can even build applications to fail over to a second or third cloud provider."

Reavis says CSA uses several cloud providers, including Amazon. "We did not experience downtime in our AWS usage because of the redundancy we built into the application architecture," he says.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.