Everything in the cloud: finding the right security and performance solutions for your company’s IT needs Featured

11:22am EDT October 5, 2011
Everything in the cloud: finding the right security and performance solutions for your company’s IT needs

Smart Business spoke to Bill Mathews of Hurricane Labs about not letting an irrational fear of the new keep you from using cloud solutions for your IT dilemmas.

We have an expression at my company, “Everything in the cloud!” Basically it means, if you’re asking for infrastructure then have you considered the cloud? If not, why not? We tend to get very wrapped up in the security of things so we shy away from putting anything out of our control, but lately we’ve come out of our shell a bit and moved some things to the cloud that made some sense. This is the story of those decisions and their reasoning.

Download site

We host a download site for our customers, which is basically a large (approaching 105 GB at this writing) software repository that houses the software we need to do our jobs for our customers. While cost was definitely a factor — the site costs a few dollars a month to host — the biggest issue was speed. When we hosted the download site ourselves it was slow, especially overseas. Basically there was nothing we could do about that other than — you guessed it — everything the cloud! Now customers are able to download things fast with really little regard to their geographic location, and it’s been great.

Obviously our download site isn’t what you would call “confidential” or “private” information so it was a pretty easy decision to move it to the cloud and be happier campers. Of course, we took all the necessary security precautions. For instance publicly available links can be made to expire after a certain amount of time, which is great. An increase in customer happiness plus less infrastructure to purchase made the business owner in me very happy. Cloud: 1, Irrational Fear of the New: 0.

Log storage

We need to be able to keep A LOT of log files around for various reasons. These can get very large very quickly; buying the infrastructure up front is expensive and it can be cumbersome to maintain. What should we do? That’s right, everything the cloud! This one was a little trickier because logs can contain very sensitive data, so we dug into our brains and came up with a pretty simple solution: encryption. Encryption is cheap and, if you do it right, it’s easy. I ended up writing a tool called “logsup” (Log Secure Upload) and basically it does exactly what it says. First we generate a private key (which stays on our site), compress the data, encrypt the data and then upload the encrypted data to our cloud storage. The cloud storage then implements the rest of our security. We never make the files “public” and we provide no other interface into it. Secondarily, logsup writes out a receipt for the log file so we can better keep track of what file is where. No system information or other identifying information is ever stored with the encrypted file. Really it’s a simple and novel solution to what, on the surface, appears to be a big problem.

This one hasn’t gone into production yet but it will soon. It should cut our storage costs significantly and actually increase the security of our long-term stored log files. This is another instance of a practical application of old principles to supposedly new technologies. Encrypt early, encrypt often, I always say. Cloud: 2, Irrational Fear of the New: 0.

The moral of these two stories is that new technologies do not have to be scary. We didn’t have a large learning curve to implement this stuff (all done on Amazon Web Service, by the way) and while it did require a small coding effort, it was just that, a small effort. New things can be scary but you should always be willing to give it a shot with the appropriate amount of caution, of course. Security matters, performance matter, just make sure you’re worried about the right ones in the right order.

Will you be increasing the cloud’s score?

Bill Mathews is Lead Geek of Hurricane Labs, an IT security services firm founded in 2004. He has nearly 20 years of experience in IT, 13 of that in information security, and has been interested in security ever since C3P0 told R2D2 to never trust a strange computer. He is also not a cloud fanboy, but likes to apply new technology where it makes sense. He can be reached at @billford or @hurricanelabs on Twitter, and other musings can be read at http://blog.hurricanelabs.com.