When the Cloud Actually Catches Fire

On Wednesday, March 10 of this year, a fire broke out in a room at SBG2, one of four buildings at OVHcloud’s data center in Strasbourg, France. The fire took 3.6 million domains offline, including those belonging to government agencies, banks, businesses with a .fr domain, and even a selection of APT-level cybercrime units including Charming Kitten. The cause was determined to be an uninterruptible power supply (UPS) unit that had been physically updated by a technician earlier that day; it overheated and caused the fire.

The fire was significant because it was tangible. This wasn’t a sophisticated hack that locked someone’s system down. It was an actual fire, and few people ever really think about all their data being consumed by actual flames. The fire brought together the virtual world and the physical world in a way that many people never got to see before. Most cyber issues are solved the same way they start – with a bunch of mysterious people sitting in front of laptops.

Huge thanks to our sponsor, Trend Micro

In our recent article we looked at 30 myths of cloud security, many of which contradicted each other, and we had experts debunk them. Perhaps the most salient lesson to come from that article is that hands-on security is still the obligation of the customer. No matter who you choose to work with in the cloud services world, these providers are not fully and exclusively responsible for the safety of your data. It is likely that quite a few of OVH’s clients were as surprised to learn they were sharing space with sophisticated cybercriminals as they were to learn their data was permanently gone.

Lacking the “ability to act”

This becomes the challenge: how much should organizations and their leaders know? Aaron Ansari (@TheAnswar), vice president, cloud security at Trend Micro, had a look at the article, and agrees. “There’s a long way for most organizations to go,” he said, “and it’s not because of a lack of desire. It’s because of a lack of resources and a lack of action. And when I say action, I’ll say ‘ability to act,’ so whether it’s compliance, business constraints, or cost, there’s something that is holding the organization from being able to migrate.”

Let’s look at that term: “being able to migrate.” The customers who lost their data at OVH did so because they were using bare metal servers at the OVH data center, and not cloud. Was this a deliberate policy decision? Or ignorance as to which technologies were being used – an ignorance supplemented by the pressures of cost management, speed, and scalability?

Ansari points out the glaring differences here: companies that were born in the cloud, sometimes referred to as sky crafters, are inevitably going to default to cloud and to virtual activities as their standard mode of operation. But the companies that came before this, or that are somehow stuck in between these two worlds, are going to have a harder time of it. And it might not be a simple case of ignorance.

“Think, if somebody built a data center and planned on this data center being around for ten years and capital expense and all this sort of stuff was tied to it. Now if you come in and say, ‘well, you know that thing you built five years ago? We really don’t need it anymore. We’re going to migrate away from it,’” said Ansari.

That type of conundrum, placed on the desk of the executive who must decide, is going to crash directly into all these oft-contradictory cloud myths, making clear thought much more difficult.

Decision makers and leaders naturally like clarity in their decision-making process, and a collection of myths such as those posted in our article – as accurate and as relevant as each may be – makes strategy exceedingly difficult. Ansari describes it as “an avalanche of techspeak.”

“Do you think this article is the kind of thing that a leader from a non-born-in-the-cloud company would stop and read,” asked Ansari, “or does it need to be translated into C-Suite speak before it becomes credible?”

Trying to keep up with the speed of business

He points out the now infamous scene when Mark Zuckerberg was called to testify before Congress, and congressmen were asking him straight-up, “How does Facebook make money?” That lack of understanding, he says, whether it’s up on the Hill or in any private sector enterprise – that’s a detriment to customers. They will lose faith in what’s happening when they perceive their leaders to be out of touch and not comprehending what day-to-day life is.

It comes down to the clichéd term of “moving at the speed in which your business wants to move.” It is imperative to find the balance between that speed, and a company’s ability to match it. Shadow IT is a great example of that. As Ansari notes, “Somebody went off and did something or got some hosted version of software. Why is that done? The answer is, ‘Well, security or IT wasn’t responsive enough or fast enough or didn’t give them the permissions to do it. So, the business unit just went off and did it on their own.’” That’s the speed of business.

This comes down to an ultimate determination of who is responsible for establishing, funding, and maintaining a cloud strategy and how much of this gets thwarted by silos. “Senior decision makers must adopt and follow security best practices as part of their shared responsibility model,” said Ahsan Mir (@ahsanmir), CEO and co-founder, Rapticore, referring to our article.

Not every corporate decision-maker is completely unaware of the cloud’s varied and contradictory attributes, of course, but the growing list of companies that have lost data and money to ransomware, internal theft, and now, fire, shows that grasping the tangible realities of cloud remains a serious challenge. The OVH fire was a melding of two worlds, the virtual and the physical, much like the concepts of cloud versus on-prem, which, as we have seen, remains a recurring theme in corporate cloud strategy everywhere. The cloud ultimately is a big, complicated, and connected physical machine, and once in a while, as OVH showed, it goes boom.