Wizard Lays Waste to Acme Data Analytics with Chef Spell…

As reported today on the front page of Cloud Wizard’s Journal:

Easy come, easy go. The same Cloud Wizard that created Acme Data Analytics cloud based data services, the differentiator that has enabled their dominance, their literal Midas Touch in every market they have entered… Undid it all when she cast a angry curse, scripted in her native Chef, in response to this years bonus and compensation letter. Regrettably, the bonus letter contained a typo and was missing four zeros. As Acme’s “Core Knowledge” 40 Petabyte market intelligence database appears to be unrecoverable as well as the 4 billion lines of analytics and machine intelligence code, the company will likely be deemed worthless and delisted from the stock exchange…

Ok, so I am trying to have a little fun here, but there is a reality here that many organizations are overlooking in their infraucture and platform cloud deployments. The clouds great capacity for rapid creation, is also a capacity for almost instantaneous destruction.

Importantly, destruction doesn’t have to be deliberate!

How often has non-production code been accidently run in production environments? Or test systems run against production databases? Anyone who has worked in IT for any length of time has encountered these problems. The cloud of course is a whole new type of creature that is subject to this same type of error, and with devastating effect, as the cloud itslef is software defined. In the past the “worst case” scenario for this kind of error was rolling back the production environment to a known good point and then painfully working forward from there. “Painfully” could be lost customer orders, dropped transaction information, scheduling problems — but usually doesn’t threatened the end of the enterprise itself.

The cloud is different

A simple script, say designed to wipe away a test environment if run in production can wipe away production in a whole new way. In a moment, not only can the machine instances be removed, but data, storage and backups. In a few short moments an entire infrastructure can disappear. In the physical world such destruction is almost unthinkable — what kind of disaster can make all your computers, network configurations, data and backups disappear all at once? In the physical world that would require the total destruction of multiple sites, but not so in the cloud as your CSP’s master account may allow management (aka destruction) of resources across the globe all from a single console and account.

Privilege Management

The good news is, this is a problem with available solutions.

The management and control of privileged accounts, those accounts with significant administrative capabilities, has always been an important aspect of effective risk management. In cloud environments, due to their agile, software defined and scriptable nature, the danger associated with these privileges is amplified, which is bad news. The good news is that many of same techniques, technologies and products that are effective at the control of privilege accounts in on-premises deployments work for privileged accounts no matter where they reside, or how they are used.

My colleague Nick Nikols has just published a research report that touches on these and many other issues associated with managing identities and access in the Amazon web services public cloud environment:

Identity and Access Management Within Amazon Web Services’ Public Cloud
March 2014
Analyst(s): Nick Nikols
(Gartner for Technical Professional’s subscribers can click here)

Last August Nick published research from a broader perspective, again exploring the problem as well as viable solutions:

Managing Privileged Access in Private Clouds and IaaS
August 2013
Analyst(s): Nick Nikols
(Gartner for Technical Professional’s subscribers can click here)

Nick’s research can help you avoid both kinds of disasters, accidental and purposeful, in addition to aiding in the adoption and management of cloud services — which can have pleasant benefits!

Thanks,
Erik