

We say end IaaS walled gardens - cloudsigma
http://www.cloudsigma.com/en/blog/2011/01/02/17-iaas-cloud-customer-security-control

======
p_nathan
As a counterpoint, I'd like to say that it makes a lot of sense to retain some
level of control of servers you are renting. You want to avoid your cloud
becoming a botnet cloud (what would that be, a virus cloud? O.o).

If you have your own admins keeping things up to date and polished, it removes
(1) some grief from the customer and (2) allows you to rest more comfortably
knowing your admin (theoretically) knows what he's doing.

The author points out that for conventional electric devices, there is no
input from the electric company. True. But, if one puts in an industrial
facility, the electric company starts caring, because the loads cannot be
simply ignored (cf. inductive/reactive loads). That has analogies to the
cloud.

There are decided advantages for the customer to have full control, there are
decided advantages for the vendor to have full control.

~~~
cloudsigma
Yes you are right, it is certainly easier to snoop on customers as an IaaS
vendor if you keep full root access and file system visibility. I'd say that
constitutes 'lazy policing' and is not needed, and that is certainly our
experience :-)

Botnets etc. rely on free hijacked capacity, not computing resources bought on
an industrial scale on commercial terms. The cloud is no more prone to use as
a botnet or other problematic activity than dedicated hardware. Although often
touted, I've yet to hear a compelling case for IaaS clouds being any more
susceptible to such use than VPS, shared hosting etc. etc.

Likewise, such activity becomes very obvious very quickly and it isn't access
inside a customer's cloud server that allows you to spot such activity.

As I say, there are no real reasons not to give customers full control of
their cloud servers any more than they have full control of their dedicated
servers. In fact, the flexibility of the cloud makes policing it easier
than dedicated hardware without snooping inside customer servers or
restricting their ability to control their computing.

In terms of administration, customers can choose to use their own in-house
admins or that of a third party and many of our customers do. The point is
they do have a choice; with other clouds they have one choice, the cloud
vendor as the admin. That's overly restrictive and it isn't surprising why you
get such concerns raised over security and control in the cloud.

Thanks for the great feedback by the way.

Best wishes,

Patrick CEO CloudSigma

------
jarito
There are people moving towards an open source implementation of high
scalability cloud services. For example, the OpenStack project at
<http://www.openstack.org>.

The main pieces were contributed by Rackspace and NASA, but dozens of other
contributors are involved in the project now.

Full disclosure: I work at Rackspace.

------
ccomputinggeek
I didn't realise fixed instance sizes were a false construct of cloud vendors.
Nice little blog post.

~~~
luca-giovanni
+1

Definitely. I am a really high CPU user but don't need hardly any storage (I'm
doing chess calculations). With bundled resources I always notice I am always
over-specced on RAM and storage (in particular). Would be nice to have
'liquid' computing resources. As you say, nice post and nice to see someone
doing that.

------
fleitz
The post (marketing article) says nothing and doesn't identify what vendor
they are trashing. As far as I know my 'IaaS' vendor doesn't retain root
access. The article makes almost no sense; it starts by trashing iaas, then
suggests paas, without attempting to explain any difference between a
'platform' and 'infrastructure'.

The only thing missing from the article is an affiliate code on the enstratus
link. Then it would be fully clear who wrote it and why. Has anyone not
selling something ever uttered the phrase 'deploy best of breed solutions'? I
think not.

If my current iaas vendor retains root access then I certainly don't want a
more 'managed' solution.

~~~
tobias-ch
Having just read the post I disagree. The post clearly says that most current
vendors place significant restrictions on the software and networking layers
in their cloud. As someone who has used GoGrid, Rackspace and AWS I can concur
with this position. You have a lot less control over your cloud servers than
you do over say a dedicated server.

CloudSigma are an IaaS provider who presumably take a different approach.

Overall I think it is a valid point for them to make, especially as it seems
that a lot of these restrictions are vendor created.

~~~
fleitz
I think that most of the problem with IaaS vendors, EC2 in particular, is that
the IO throughput is absolute shit. I've never had a problem with the software
I'm allowed to run on EC2, I've always had a problem with its horrible IO
throughput.

There is also a lot of comfort in knowing everyone else is running the same
kernel and there will be some difficulty in executing various exploits for the
hypervisor.

