The biggest threat to the promise of cloud computing to appear this summer wasn’t the failed trademark attempt by Dell, but rather brilliant research by a leading white hat security researcher. Dan Kaminsky discovered how a well-known and widespread vulnerability in DNS servers could be exploited in seconds and turn any one of millions of servers directing Internet traffic into a cybercrime gold mine in mere seconds.
Note: For those unfamiliar with cloud computing, or the delivery of software and other IT-related functionality as a service, you can read more at Archimedius. Some leading technology players involved or associated with cloud computing include: Google, Microsoft, Dell, VMware and Amazon.
As a result July and August saw unprecedented DNS media attention. Yet the discovery of a DNS exploit was only part of the story. Events soon unfolded that took the exploit from specialized security blogs (like Rational Survivability and Matasano, where the exploit leaked).
When the exploit inadvertently leaked (ahead of the disclosure timeline established to allow service providers ample time to patch their systems) the news quickly spread throughout more generalist blogs and even into mainstream media, including front page coverage in the NY Times referenced at Archimedius on July 31.
The Linux Journal published one of the best high level technical explanations of the exploit and why it matters. Despite the release of a patch and the heroic actions on the part of internet service providers, issues remain.
While the business press dwells on Dell, Microsoft, Google and a handful of key players making investments and strategic moves based on the eventuality of cloud computing, some of us in security and networking are all too aware of the storm clouds. You can read about the security issues at the newly established Infoblox DNS Security Center, with news, developments and resources hand-picked by leading experts.
Dan Kaminsky has openly labeled the patch just applied to protect the DNS vulnerability a temporary fix:
I listened to the Black Hat webcast today to grab as much info as I could on this subject. The biggest thing that I heard from the whole talk is that the patch fixes things to a reasonable point, but that long-term, there will have to be more work done to prevent the issue.
- Nathan McFeters, ZDNet
Unfortunately, it is likely that the DNS summer exploit story will fall back beneath the headlines in coming months; yet the vulnerability will still exist and it will likely require more patches on an ongoing basis. That will place an unprecedented level of demands on the management of the DNS infrastructure, the backbone of the Internet. That infrastructure is made up of millions of servers updated and managed manually. That is a serious problem.
An IDC report sponsored by Microsoft concluded that hardware costs were only a small fraction of the cost of operating a server (see page 5 for the IDC breakdown). Staffing expenses (management) and downtime constituted 75% of a server’s total cost of ownership, according to the April 2007 paper by Randy Perry and Al Gillen. More manual updates will impact both management and availability, the leading cost components before the DNS exploit discovery.
Internet integrity is a critical requirement for cloud computing. It requires a very high level of trust to use an online application for commercial and even personal uses. More management and availability challenges will further increase the cost of internet integrity while introducing new risks. The DNS exploit and the recognition that the recent patch is only a short term measure suggests that internet integrity may be more at risk than ever.
A few days ago I discovered this YouTube piece by Cisco promoting green data centers and couldn’t help but to take notice of the points made about other server costs, including power. Cloud computing could suck up huge amounts of energy if cloudplexes are not virtualized properly and managed efficiently. For all of the opportunities posed by cloud computing it is obvious that substantial technical burdens remain before servers will follow the moon In pursuit of cheap electricity.
While low cost electricity and VMotion are important requirements for cloud computing, Internet integrity is the table stake: few will trust IT services from an unknown source. That is why the rise of cloud computing will depend upon the continued success and evolution of utility-grade core network services. Without network integrity the economics of software as a service will always be limited to low value consumers using low value services.
You can read my disclaimer at: About ARCHIMEDIUS.