Reposted from LinkedIn -- feel free to add your thoughts below, or on LinkedIn. And feel free to send me an invitation to connect, if you'd like to network.
Here are several risks that come with developing applications on the #cloud:
π° Overspending due to over-provisioned or idle services [1, 2, 4].
π Potential for vendor lock-in -- If you're not writing to a standardized API then you're tied in directly to the service provider so buyer beware [3]. Wootton in [9] seems to think this lock-in is not necessarily a problem with #AWS and I disagree with this since we're not just talking about code, we need to consider process and skills as well. Plus if one is writing directly to a specific vendor's web service API, they're locked in. Finally, some of the stickiest services are the ones you don't see.
π Potential for a conflict of interest [12*].
π What if you've done your part but the vendor has a security vulnerability? [5, 6, 7, 8, 10, 11*]
π° Cloud providers are potential #cyberwarfare targets, for ex. "[t]he Lloyd's/Air Worldwide study concludes that the complete failure of a top cloud services provider that extends for at least three days would cost the U.S. economy $15 billion." [10]
π° Increases development complexity and #hiring cost by requiring cloud service platform provider expertise.
- Recommended reading.
π― Note that I am currently available for consulting engagements.
1.) "Report: AWS Customers Overpay by $6.4 Billion Each Year"
2.) "Where Is the $10B in Waste in Public Cloud Costs?"
3.) "Game of Clouds: Lock-In Is Coming"
4.) "$14.1 Billion in Cloud Spending to be Wasted in 2019"
5.) "AWS Vulnerabilities and the Attackerβs Perspective"
6.) "Researchers demo cloud security issue with Amazon AWS attack"
7.) "Researchers Find New Approach to Attacking Cloud Infrastructure"
8.) "Hunting the Public Cloud for Exposed Hosts and Misconfigurations
9.) "Why Cloud Lock-In is a Myth: The Openness of AWS"
10.) "Bombing the Cloud: Why an Attack on Amazon, Microsoft, or Google Cloud Could Lead to 'Cybergeddon'"
11.) "Major US Companies Breached, Robbed, and Spied on by Chinese Hackers"
12.) "Is Google Facing a Backlash From Medical Record Vendors?"
Top comments (1)
"idle services", often referred to as "orphaned" or "zombie" infrastructure, is also runs the serious risk of misconfiguration. If you aren't aware of a cloud resource you have running, you're not patching it and you're not scanning it for misconfiguration. Quite a few cloud-based breaches begin when a bad actor exploits a vulnerability in an orphaned cloud resource, which gives them access to the environment (and often discoverability with regards to what else is in the environment).