Cloud
Commentary
8/28/2009
08:28 PM
Charles Babcock
Charles Babcock
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Amazon's Private Cloud: Virtually Private Or Maybe Private?

Amazon, purveyor of the EC2 public cloud, suddenly announced Aug. 26 it's a private cloud supplier. Isn't there something wrong with a multi-tenant, shared resource provider transforming itself into a private cloud service? I'm not sure Amazon can offer a private cloud --yet. Then again, I see no reason why it couldn't sometime in the future.

Amazon, purveyor of the EC2 public cloud, suddenly announced Aug. 26 it's a private cloud supplier. Isn't there something wrong with a multi-tenant, shared resource provider transforming itself into a private cloud service? I'm not sure Amazon can offer a private cloud --yet. Then again, I see no reason why it couldn't sometime in the future.Amazon announced Wednesday that it's offering an enterprise service oriented toward private cloud use, the Virtual Private Cloud. That means it will make facilities and services available that can be accessed solely by the subscriber over a VPN. No snooping eyes or devices on the network are going to see your private data.

Werner Vogels, in his blog on the subject, says: Amazon Virtual Private Cloud customers will be able to "seamlessly extend their IT infrastructure into the cloud while maintaining the levels of isolation required for their enterprise management tools to do their work."

Companies making use of Amazon to establish their external "private cloud" will access resources over their own routers, which will be configured to go only to IP addresses in a particular company-owned address block. Amazon will set up a Virtual Private Cloud that serves that address block, Vogels explained.

"These resources are fully isolated and can only communicate with other resources in the same Virtual Private Cloud…" he continued.

That may be true, in one sense. But I'm wondering if "isolation" as Vogels uses it means the physical server resources being used are dedicated to the customer's Virtual Private Cloud, or just the network access is isolated by the VPN. Amazon might answer that the isolation provided by the VPN is enough. There may be additional Amazon measures that try to insure that it is enough. But he's going a long ways down the "private" descriptive path if these resources are multi-tenant, perhaps even existing EC2 servers that have been co-assigned the task of supplying the Virtual Private Cloud.

Werners notes in the blog, it's already spent "$2 billion in developing technologies that could deliver security, reliability and performance at tremendous scale and at low cost."

Fair enough. But does that mean if an intruder succeeded somehow in getting into my Virtual Private Cloud, my data would still be protected, highly sensitive virtual machine operations would be shielded from less sensitive virtual machine operations, and suspicious activity, such as an irregular fund transfer, would stand out as an exception and be reported swiftly by the Virtual Private Cloud's monitoring service?

If the answer is, "If you configure your end right, then no intruder can get in," that's a red flag. To keep my data secure, Virtual Private Cloud security is going to have to amount to more than network isolation. There will need to be intruder protection and virtual firewalls built into each virtual machine that isolates it from traffic with other virtual machines; in some cases, isolated it from other VMs even though they are inside the same Virtual Private Cloud. More detail needs to emerge on this offering. But I think what we have in Amazon's latest service is not a private cloud as I understand it but a "virtual" private cloud, a private cloud, maybe, a private cloud that mostly secures the data but can't do everything the typical chief security officer does inside the data center.

My questions: Will I remain in full compliance if I mingle use of my most secure, private data between the data center and the Virtual Private Cloud? Where has the security boundary moved to? It used to be at the perimeter of the data center. Is it still there or did it move into the cloud, with the data? Who's now responsible for that boundary, Amazon or me?

Comment  | 
Print  | 
More Insights
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.