By Jonathan Lewis, vice president of product, NS1
The widespread adoption of public cloud services by businesses of all types has raised awareness of how dependent we all are on these services. Ten years ago, an outage on a cloud storage service would not have made front-page news, whereas the recent Amazon S3 outage made headlines due to its significant, widespread impact.
The effect on online retail was particularly noteworthy. Analysts determined the AWS downtime affected more than half of the top 100 internet retailers with a decrease of 20 percent or greater in performance. Many online retailers went down entirely.
Events such as this raise the question: Are public cloud services appropriate for hosting mission critical business services?
In some respects, public cloud services have risk exposures that are greater than services hosted on private infrastructure. A primary exposure of using a shared service is the increased risk of attacks such as distributed denial of service (DDoS). Such attacks can target the cloud service provider itself or specific customers. In such instances, as a subscriber, you can wind up in the unfortunate position of “collateral damage.” Each subscriber is a shared party to the cumulative, collective risk of all subscribers.
An additional risk with shared services comes from the increased scale and complexity of multitenant, highly dynamic data center operations. These operate at much larger scale, are more dynamic, and are functionally more complex than dedicated, private data centers. Subscribers are dependent on their providers “getting it right” 100 percent of the time. Logic and experience tell us this is not possible.
These risks call into question the transformation strategies driving enterprise adoption of IaaS, PaaS, and SaaS services. In a retail business, should these be confined to non-critical functions only?
Maintaining IT services on private-only infrastructure simply substitutes one set of risks for another while forgoing the cost and agility benefits vital to maintaining competitive advantage. Most infrastructure services require specialized skills to operate effectively and reliably. The cloud providers who deliver these services have that as their primary mission. They have the staff, expertise, and focus to do it better than the vast majority of enterprises can do on their own. So, in spite of the aforementioned risks and issues, bringing services in-house is not the answer.
What is the answer, then? It is recognizing and accepting the fact that, regardless of the provider and the 100 percent service-level agreement they offer, outages will happen. The right response is to make sure you have designed your deployment of public cloud services for redundancy. You may need to think a couple of levels deep. The S3 outage revealed unexpected dependencies, in that businesses that weren’t even S3 subscribers were still impacted. So, to whatever extent is practical, avoid “downstream” single points of failure in your redundancy strategy.
Your DNS services should be included in that strategy. A secondary provider — and one that is not using the same facilities as your primary — is essential. Run not just storage but database services as well from more than one facility. Discuss in detail what your redundancy options are with your provider. If your provider does not give you the answers you need, talk with someone else. It’s critical your online retail business has redundancy in place to reduce downtime risk — because when your site is down, you are losing money.
About the Author
Jonathan Lewis brings to NS1 more than 25 years of experience in the IT industry in a career comprising product management, product marketing, customer service, and systems engineering roles. Prior to NS1, Lewis led teams at Nortel that brought numerous network and security products to market, including IPsec gateways, SSL VPNs, and endpoint security. He played key product marketing roles, contributing to the success of mid-size and start-up companies, including Arbor Networks and SSH Communications Security. He holds B.S. and M.S. degrees from McGill University, an M.B.A. from Bentley College and a CISSP certification.