So what does the Wikileaks saga have to teach us about Cloud, if anything? Actually I think that there are a number of lessons to be learnt.
1) The first lesson actually has nothing to do with the Cloud and certainly nothing to do with the debate about private versus public Cloud. Without people leaking data to Wikileaks, there would be no Wikileaks; Wikileaks is not really about hacking, it's more often about people who already have access to the data taking it away with them and leaking it.
Make sure that only the people who need access to the data have access to it, and make sure the distribution of that data is controlled. Flash drives etc. are very convenient, but they also make it relatively easy for someone to walk away with large quantities of data. The move towards 'Bring Your Own Device' style corporate IT could open new conduits for 'data theft'. Be aware that you may be allowing people to bypass your perimeter security, and that brings risks.
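As an added illustration of this lesson (example code, not part of the original post), the script below applies the two controls just described to a few constructed audit log lines: it flags reads from shares a user is not entitled to, and it flags any user who copies more than a threshold volume of data to removable media within a sliding time window. The log format, the entitlement table and the threshold are all assumptions made for the example.

```python
"""Added example (not from the post): flag access outside a user's entitlements
and bulk copies to removable media, over constructed audit log lines.
The log format, entitlement table and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp user share filename bytes destination
SAMPLE_LOG = """\
2010-12-06T09:01:00 alice finance q3_forecast.xlsx 120000 removable
2010-12-06T09:02:10 alice finance budget.xlsx 80000 removable
2010-12-06T09:03:00 bob   hr     policy.pdf 20000 network
2010-12-06T09:05:00 bob   hr     payroll.csv 50000000 removable
2010-12-06T09:06:00 bob   hr     org_chart.pdf 30000 removable
2010-12-06T09:30:00 carol legal  contract.docx 40000 removable
2010-12-06T09:31:00 carol finance q3_forecast.xlsx 120000 removable
"""

# Assumed entitlements: the shares each user legitimately needs for their job.
ENTITLEMENTS = {
    "alice": {"finance"},
    "bob": {"hr"},
    "carol": {"legal"},
}

BYTES_THRESHOLD = 10_000_000   # more than 10 MB to removable media in one window
WINDOW = timedelta(hours=1)    # sliding window for the volume check


def parse_log(text):
    """Turn the whitespace-separated audit lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, share, name, size, dest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "share": share, "file": name, "bytes": int(size),
                       "dest": dest})
    return events


def find_findings(events, entitlements, threshold=BYTES_THRESHOLD, window=WINDOW):
    """Return a list of (kind, user, ...) tuples for the two checks."""
    findings = []

    # Check 1: least privilege. Any read from a share the user is not entitled
    # to is a finding, regardless of where the data went afterwards.
    for e in events:
        if e["share"] not in entitlements.get(e["user"], set()):
            findings.append(("unentitled_access", e["user"], e["share"], e["file"]))

    # Check 2: controlled distribution. Sum bytes written to removable media
    # per user over a sliding window and flag the first time it exceeds the threshold.
    removable = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["dest"] == "removable":
            removable[e["user"]].append(e)
    for user, evs in removable.items():
        start, total, flagged = 0, 0, False
        for i, e in enumerate(evs):
            total += e["bytes"]
            # Drop events that have fallen out of the window.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold and not flagged:
                findings.append(("bulk_removable_copy", user, total,
                                 evs[i]["ts"].isoformat()))
                flagged = True
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_log(SAMPLE_LOG), ENTITLEMENTS):
        print(finding)
```

On the sample data this reports carol reading a finance file she has no entitlement to, and bob's 50 MB payroll export to removable media; alice's small copies of files she is entitled to pass both checks, which is the point: volume and entitlement together separate routine use from the pattern the post is warning about.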
2) The actions of your Cloud provider may put your own environment at risk. If you decide to run your systems in the Public Cloud and your Cloud provider does something which leaves it vulnerable to attack, your services might be impacted. Obviously, this is true not just of Cloud but of any hosted environment, or arguably any service provider. For example, your network provider may manage to piss off a number of people and find itself under a DDOS, and this might impact your operations.
However, most sensible organisations ensure that they have their network services provisioned from multiple network providers. You should apply the same principle to your Cloud environments; running in the Cloud does not remove the requirement for proper disaster recovery (DR) and business continuity (BC) planning. If the EC2 Cloud goes down and you have no way of carrying on your business, you are pretty much guilty of negligence.
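To make the multiple-provider principle concrete, here is an added example (not code from the post) that audits a constructed service inventory: it lists services whose every replica sits with one provider, and it simulates a provider-wide outage, following service dependencies, to show what the business would actually lose. The provider names, regions, services and dependency graph are placeholders invented for the example.

```python
"""Added example (not from the post): audit a service inventory for
single-provider dependence and simulate a provider outage.
Inventory, provider names and dependencies are constructed placeholders."""

# Constructed inventory: service -> list of (provider, region) deployments.
INVENTORY = {
    "web-frontend": [("aws", "eu-west-1"), ("aws", "us-east-1")],
    "order-api":    [("aws", "eu-west-1"), ("rackspace", "lon")],
    "billing-db":   [("aws", "eu-west-1")],
    "dns":          [("dyn", "anycast"), ("ultradns", "anycast")],
}

# Constructed dependencies: a service is only usable if everything it
# depends on is also up, so an outage propagates along these edges.
DEPENDENCIES = {
    "web-frontend": ["order-api", "dns"],
    "order-api": ["billing-db"],
    "billing-db": [],
    "dns": [],
}


def single_provider_services(inventory):
    """Services whose replicas all live with one provider.
    Multi-region is no help if the provider itself is the thing that fails."""
    return sorted(s for s, deps in inventory.items()
                  if len({provider for provider, _ in deps}) == 1)


def single_region_services(inventory):
    """Services with exactly one deployment location at all."""
    return sorted(s for s, deps in inventory.items() if len(set(deps)) == 1)


def services_down_if(inventory, dependencies, failed_providers):
    """Simulate losing the given providers entirely and return every service
    that ends up unavailable, directly or through a dependency."""
    failed = set(failed_providers)
    down = {s for s, deps in inventory.items()
            if all(provider in failed for provider, _ in deps)}
    # Propagate: a service whose dependency is down is down too. Loop until
    # nothing changes, which handles chains of any length.
    changed = True
    while changed:
        changed = False
        for s, deps in dependencies.items():
            if s not in down and any(d in down for d in deps):
                down.add(s)
                changed = True
    return sorted(down)


if __name__ == "__main__":
    print("single provider:", single_provider_services(INVENTORY))
    print("single region:", single_region_services(INVENTORY))
    print("down if aws fails:", services_down_if(INVENTORY, DEPENDENCIES, {"aws"}))
```

Note what the simulation shows: order-api is deployed with two providers, yet it still goes down when aws fails because its only database replica does. A DR plan has to be checked against the dependency graph, not just against each service's own replica list.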
3) Amazon's Cloud is remarkably robust and it has certainly survived a number of DDOS attacks over the past few days; whether the outage last night in Europe was due to a hardware failure or a DDOS has yet to be fully revealed. If I was an AWS customer, I would be more concerned about a hardware failure/issue having such wide ranging implications; if it was a concerted attack against Amazon, well the fact that they managed to get themselves up and working again so quickly, that's pretty impressive. If your organisation underwent a concerted attack, would you recover as quickly?
Hopefully Amazon will disclose everything that went on and allow us all to learn from the events.
4) Understand the 'Terms of Service' of your providers; if your actions endanger service to all, you might find that your service is withdrawn as a precautionary measure. You may feel that this is censorship but at the end of the day, if your service provider takes a business decision to sacrifice your service to protect the rest of their customers and their business; that is something that you are probably going to have to live with.
5) The Internet still often operates like a wild frontier…beware of signs saying 'Here Be Dragons', they may be telling the truth.
Not sure how (4) relates to what happened wrt. wikileaks, as Amazon didn’t make a business decision, and no website is likely to “endanger service to all”.
Really? If you decide to host a website which attracts a DDOS all in itself; that risks every other customer which is hosted. Amazon could well decide that hosting a particular website is too risky as it has a potential to disrupt everything hosted. Wikileaks is a site with that potential; whether you like it or not, decisions are often made for purely commercial reasons.
Let's say Wikileaks disclosed a whole host of Chinese or Russian classified documents; do you think either government would think twice about launching a DDOS?
You refer to a website “attracting” a DDOS attack; so if a site is arbitrarily attacked, is that the same?
The whole point is that the decision is NOT purely commercial. Otherwise they could just charge more to mitigate against some perceived risk. Fear of DDOS is technical, accepting pressure to remove a client who is paying is political / legal.
How much would you charge to mitigate the risk? How much would you charge to cover any potential lawsuits brought by other websites?
I think it would be wise of anyone using a hosting service to look at the policies of the hosting/cloud provider; firstly to check what they can and can’t do but also to be aware whether the provider will buckle under political/legal/commercial pressure. Political and legal pressure can rapidly turn into commercial considerations.
However, you might also view some restrictions as a positive thing; if your hosting provider will happily host controversial websites, perhaps that site is not the home for your core business…
The Wikileaks affair has brought all these considerations home, or will at least start to bring these things home.
BTW Amazon’s decision was in my view disappointing but completely understandable; I wish they’d stood up and continued to host Wikileaks…