T-Mobile USA’s Sidekick mobile phone service, operated by Microsoft’s Danger subsidiary, encountered a service disruption that resulted in some Sidekick phone customers losing their personal information, including contact names, phone numbers and digital photos (the New York Times had a summary, and The Register has some juicy speculation on the origin of the outage). Many commentators used this episode and other recent “cloud” system outages to cast doubt on the reliability of cloud computing. I suggest taking a breath and a think.
What happened to Microsoft with Danger was an IT snafu that could have happened to any data center. While data was apparently lost, it was not compromised. The Register article points to possible design issues in the infrastructure. This unfortunate event was not something unique to “the cloud”, but what was different is that an apparent IT process mess-up affected lots of consumers. When you compare the Danger episode to what happens when your internal email server dies, the difference lies in who is aware of the problem: with your internal email server, only your company knows it is down (not the entire world).
From a security perspective, the Microsoft Danger episode, Amazon EC2’s recent DDoS, and Google’s hosted email availability challenges all point to birthing pains for some Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) offerings. Something significant to note is that while we have seen service outages, we have not yet seen security breaches that compromised sensitive data. Such a breach might slow cloud computing’s adoption, but most enterprises are being careful in what data they move to the public cloud and how they protect it.
A data breach in the public cloud will eventually happen, but my prognostication is that the cost savings and flexibility provided by Software-as-a-Service/Platform-as-a-Service/Infrastructure-as-a-Service (and hosting) will drive adoption, with security teams highlighting and attempting to mitigate risks. A key challenge for security professionals is to avoid saying “no, no, no” and instead say “Yes, cloud computing is good, but you need to do X, Y and Z to secure your application and sensitive data”.