Pundits around the industry are using the repeated -- and successful -- attacks on Sony's PlayStation Network as proof clouds aren't secure. But what's "cloudy" about PSN? It is the antithesis of the cloud: a closed architecture, which happens to use the internet to connect locked-down clients (PS3s) to a closed, proprietary server (PSN).
While we may never learn the full details about this wave of attacks, if they prove anything, they prove that determined attackers can breach many online services, cloudy or not. PSN was very visible, and spawned interest from attackers. Given the publicity and impact these attacks had -- goodness, they shut down the system for weeks! -- I wouldn't be surprised to see this cycle continue for a long time. Perhaps a wholesale rearchitecture will be needed. Sony may lose significant revenue, and perhaps market share, as a result. But because it is a proprietary system, where Sony controls (and can arbitrarily update) the clients and the servers at will, Sony has the opportunity to revamp the system whenever its engineers can come up with the goods.
What Sony's service isn't, is a cloud. It isn't a service open to the public. It is single tenant; no arbitrary apps hosted here. It works not with standard interfaces, but with proprietary applications embedded into the clients Sony provides. One has to wonder if having an open architecture would have made security better. Security through obscurity never seems to work.
That's not to say public, multi-tenant clouds are inherently secure. They aren't, any more than any IT service is. People who run large public clouds have told me privately about the range of security problems they encounter. These range from the embarrassing (running porn sites on their systems ... but wait, I thought porn was the big internet money maker!) to hosting dangerous bots run out of North Korea, Libya, and Iran.
The bottom line is that any service available to the public is open to attack. And probably will be attacked. Just as with traditional data centers, no claims of invincibility have any credibility ... and those who make outrageous claims will invite the attention of the most skilled attackers. What's important is that this is not a cloud phenomenon. It's just part of life in IT.
Scott Crenshaw leads Red Hat's Cloud Business Unit, responsible for Red Hat's Cloud Computing and virtualization businesses. In addition, Scott leads the company's drive to integrate marketing across all business units. Prior to this position, Scott was the Vice President leading the company's Platform Business Unit, during which the company's flagship RHEL business grew nearly 300%. Before joining Red Hat, Scott was Chief Executive Officer of NTRU, a leading innovator in embedded security technology whose investors included Greylock, Lehman Brothers, Sony, and Texas Instruments. Scott held a number of executive positions at enterprise software vendor Datawatch, including Vice President of Business Development and Vice President of Product Development. Earlier, he held engineering roles at IBM and start-ups. Scott was a Sloan Fellow at the MIT Sloan School of Management. He received an MBA from MIT, and a Bachelor of Science in Computer Science from North Carolina State University's School of Engineering.
The opinions expressed in this blog are solely Scott's, and not necessarily shared by his employer.