Cloud customers risk collateral DDoS


Salesforce.com experience

Salesforce.com also boasted international data centres and exception-handling mechanisms that customers could use to isolate or abort suspicious behaviour.

The company's platform research director Peter Coffee said that although customers shared physical infrastructure and a foundation code base, data and customisations were rigorously partitioned at a metadata level.

“Not only are Salesforce.com customers isolated from each other, but even within a customer’s operations there’s unsurpassed precision of managing privileges and auditing actions,” he said.

“It would take a Hollywood screenplay writer to come up with a movie plot that takes down Salesforce.com, and even then, our customers would knowingly tell each other, ‘that would never happen’.”

But there was no getting away from the fact that cloud customers shared infrastructure including compute blades, routers, switches and storage.

According to Jason Needham, a senior product management director of security vendor F5, the effect one cloud customer might have on another depended on where the services met.

Cloud customers shared data centres, network connections and even computing systems, so operating in the cloud could put users “kind of at the mercy of what everyone else is doing”, Needham said.

Know your neighbours

Despite a growing cloud market, he expected organisations – especially those in the finance industry and the public sector – to prefer a ‘hybrid’ cloud model that kept critical data in-house while using cheaper, more flexible public cloud services for limited applications.

Arbor’s Labovitz said potential cloud customers needed to ask hard questions of their providers, and consider service level agreements and DDoS protection when selecting a provider.

“As a customer, you generally don't know how your services map to physical resources and what you may or may not be sharing with other customers,” he said.

“And you may be sharing resources in a ‘bad neighbourhood’ with customers likely to incur DDoS attacks like gambling, adult content, etc.”

Neither Microsoft’s Strathdee nor Salesforce.com’s Coffee would disclose terms of their respective service-level agreements, citing client confidentiality.

Strathdee said customers had “no need to know” which other organisations shared their resource pool, since Microsoft assumed responsibility for maintaining the agreed availability.

Last year, Coffee said that risk management was an opportunity for insurance providers, criticising service-level agreements for being “written by lawyers to be consumed by accountants”.

“We have enormous incentive to stay up,” he said at the time, referring to the publicity that any downtime would attract. “Our life is on the line.”

Copyright © iTnews.com.au. All rights reserved.