Sony, Amazon Uptime, Security Problems Aren't Unique to the Cloud

Cloud services aren't inherently riskier or more insecure than maintaining applications and data in the corporate data center. In fact, some experts still believe that the cloud provides greater security to enterprises.

The recent Amazon EC2 outage and the Sony PlayStation Network data breach have served to renew concerns in enterprises that cloud computing is inherently less secure than private, self-contained data centers.

Amazon's Elastic Compute Cloud and Elastic Block Storage platforms were both affected during an April 21 outage that had major Websites unavailable for three days. The cause of the outage remains unknown. Meanwhile, entertainment giant Sony shut down two of its cloud services, the PlayStation Network for games and Qriocity for music and video, on April 19 after "an external intrusion" that resulted in the theft of personal information belonging to 77 million customers.

The problems, while significant, are not unique to cloud services. Amazon's outage focused a lot of attention on availability issues and reliability, but those concerns exist in traditional data center environments as well.

"It happened all the time," Chris Drake, founder and CEO of Firehost, told eWEEK. People generally didn't hear about outages in the data center because they affected only one organization and were smaller scale, but they often added up to far more lost time, money and business, Drake said.

The Amazon EC2 outage "pointed to the elephant in the living room that availability is a real issue," Paul Roberts, a security evangelist at Kaspersky Lab, told eWEEK. Redundancy is critical, whether it's having additional backups, having redundant servers in another location or creating a failover system with another cloud provider, Roberts said.

"In this age of customer uptime, we've forgotten that it used to happen all the time," Roberts said.

For organizations that have moved security applications to the cloud, this kind of an outage may seem a little nerve-wracking. However, the severity of downtime affecting cloud-based security services depends entirely on how "paranoid" the organization is and on its tolerance for downtime, Roberts said.

The most common cloud-based security applications are Web and spam filtering, hosted email, malware scanning and hosted application firewalls. If any of these services were unavailable for a stretch of time, it would be inconvenient and leave the organization vulnerable, but it wouldn't bring business to a standstill, according to Roberts.

"An outage of 36 hours wouldn't stop attorneys at a law firm from being productive," Roberts said.