Why do companies go for Amazon AWS / EC2?

[Kukulkan]

Hi,

I just had a longer discussion with a colleague. He said, millions of companies start to outsource their servers to AWS (EC2). But all experiences I had in the past still keep me away from this. How do they solve the issues?

This are my concerns about Amazon Web Services (AWS) with EC2. How do those companies solve it?

* There is no console access #1 *1): If the machine drops out (eg networking), there is absolutely no chance to access the console, do some checks and restart services etc. I can't imagine how long it takes to fix such a machine on AWS. How do companies work around that risk?

* There is no console access #2: In order to setup systems, today I needed to install and setup locally (eg VMWare or VirtualBox) to be able to setup networking, firewall and SSH. After this, I needed to convert the machine and then uploaded it to EBS to be run on EC2. If it did not work, I needed to repeat.

* Data privacy being in the EU: Everything in AWS is fully accessible by the US government. How do they argument the risk of spying intellectual property? Or loosing a deal because some US company did get some internal information? *2)

* No phone numbers: Each time I've had a question, I needed to fill in a form and wait for the answers. There is no phone number to get quick support or easily discuss and issue with billing. Is this acceptable today? Really? Only solution was to get payed support (business support options).

I just wonder how technicians explain the usage of AWS to their management?

Any good arguments out there I simply missed (except the price)?

Kukulkan



*1) http://docs.aws.amazon.com/AWSEC2/lates ... nsole.html
*2) http://sputniknews.com/europe/20150801/1025306272.html
https://en.wikipedia.org/wiki/Industria ... ge#Germany

[Shield]

* There is no console access #1 *1): If the machine drops out (eg networking), there is absolutely no chance to access the console, do some checks and restart services etc. I can't imagine how long it takes to fix such a machine on AWS. How do companies work around that risk?

That's why you get a service level agreement with Amazon that says your server cannot be offline more than X amount of time per year.
The more you pay, the better the uptime. Generally, the risk is probably much lower than if you do self-hosting.

* There is no console access #2: In order to setup systems, today I needed to install and setup locally (eg VMWare or VirtualBox) to be able to setup networking, firewall and SSH. After this, I needed to convert the machine and then uploaded it to EBS to be run on EC2. If it did not work, I needed to repeat.

Not sure if they offer such migrations, but why not just set it up on their machine directly? It's probably a lot faster anyways.

* Data privacy being in the EU: Everything in AWS is fully accessible by the US government. How do they argument the risk of spying intellectual property? Or loosing a deal because some US company did get some internal information? *2)

Do proper encryption for sensitive information. If that's a risk you're concerned about, do self-hosting.

* No phone numbers: Each time I've had a question, I needed to fill in a form and wait for the answers. There is no phone number to get quick support or easily discuss and issue with billing. Is this acceptable today? Really? Only solution was to get payed support (business support options).

Pretty sure they have better support but it probably comes at a cost. Again, these things should be covered by service level agreements.


The main reason people migrate to AWS is for scalability and cost reasons. Doing hosting in-house is very expensive and risky.
Also, the guys at Amazon generally know what they are doing so it make sense to outsource these tasks.

[Kukulkan]

* There is no console access #1 *1): If the machine drops out (eg networking), there is absolutely no chance to access the console, do some checks and restart services etc. I can't imagine how long it takes to fix such a machine on AWS. How do companies work around that risk?

That's why you get a service level agreement with Amazon that says your server cannot be offline more than X amount of time per year.
The more you pay, the better the uptime. Generally, the risk is probably much lower than if you do self-hosting.

You did not get the point. It is not about their SLA's. What if my(!) system is having problems and I need to use the console to fix it?

* There is no console access #2: In order to setup systems, today I needed to install and setup locally (eg VMWare or VirtualBox) to be able to setup networking, firewall and SSH. After this, I needed to convert the machine and then uploaded it to EBS to be run on EC2. If it did not work, I needed to repeat.

Not sure if they offer such migrations, but why not just set it up on their machine directly? It's probably a lot faster anyways.

Please, tell me how you setup a new system from ISO image on a machine where you do not have access to a keyboard and the output? Remember, initially, there is no SSL access available... The only solution is to install systems that do DHCP initially and open up everything by default. This way you can login and start to lock down access later. But if you lock out yourself by accident, there is no console to fix it. You have to start from scratch...

* Data privacy being in the EU: Everything in AWS is fully accessible by the US government. How do they argument the risk of spying intellectual property? Or loosing a deal because some US company did get some internal information? *2)

Do proper encryption for sensitive information. If that's a risk you're concerned about, do self-hosting.

Even if everything is encrypted, in order to work the key must be on the same system. Thus, it is more secure against hackers, but not against the people on Amazon (which have full access incl. the keys and source to access the data). The next issue is, for example, if you host your CRM (customer relationship management) on AWS, they have full access to your sales database (which is important knowledge in every company). To my knowledge, there is no software able to operate on a server and hide everything against a person with full access... Yes, I'm concerned about. But the aim of this post is to find out why companies do AWS anyway. My wish is to understand the arguments against my concerns.

The main reason people migrate to AWS is for scalability and cost reasons. Doing hosting in-house is very expensive and risky.
Also, the guys at Amazon generally know what they are doing so it make sense to outsource these tasks.

I fully agree on the pricing thing, but I believe that people sell their souls because of the price...

[freak]

Regarding the privacy argument:
There are providers for cloud services within the EU that advertise the fact that the data does not have to leave the EU. They are just not as big and well known as Amazon.

Regarding the cost/scalability:
A key point here is that it is painless to scale in both directions. This means if resource demand is high, you can just order more resources and just as easily remove them (and the cost) again if the project changes. This makes the initial increase in resources much easier to sell to management because it is not a longer term investment like buying real servers.

[Kukulkan]

Thanks freak,

for privacy, you say, to go to some EU hosting company. But I see many companies with sensitive information still using AWS. The reason for my post is to find the arguments they have for this. How to store sensible and company critical data on AWS services and also being able to stand managements questions.

I agree that AWS is having some nice features for scaling and redundancy etc. But how do companies come around the issues I mention?

[tj1010]

Gov-proof encryption on a high-demand server? Lol good luck with that. Even a good stream cipher in hardware(PCIe TPM) will bottleneck big time.

I'd just use out of bounds security like a remote hashing and heuristics daemon. Never expose the salt to attackers who root public servers to avoid hash table creation, and also have it SFTP in to the server and do heuristic checks on all files at intervals to detect anything not white-listed and sql tables for malicious stored procedures etc..

[IdeasVacuum]

the guys at Amazon generally know what they are doing

...yet their servers have crashed and been hacked in the recent past. If you need your data to be secure, do not use a cloud solution, keep it in-house.

http://www.techtimes.com/articles/86667 ... ternet.htm
http://www.darkreading.com/cloud/amazon ... id/1322469

If the cloud does fit your requirements, ensure that you know exactly where the supplier's servers are and what country's legislation they are bound to comply with. Note that some of the small suppliers are actually using Amazon to supply their service to you! If you keep a backup with a seperate supplier, make sure the two suppliers are not actually sharing the same resources.

[Kukulkan]

Sorry guys, but this was not the question I asked. I know that and I would never set up anything important at Amazon. I also do not look to alternatives - or techniques to make it more secure.

But I know that many companies are hosting their sensitive information on AWS. And I need to know how they do the argumentation to their management board as the drawbacks are so many (see my 1st post here). Not only privacy, also the missing console.

Is there a workaround to the missing console issues I mentioned?
Is there a good argumentation against the security concerns?

I need to understand how they do argumentation beyond the pricing. I can not understand how companies host important stuff on AWS. IMHO, it is a bad decision. But there must be answers. Otherwise all of them are stupid. What I don't believe...

[tj1010]

There is no console work-around, no support line, and companies just drop a lot of data on AWS because it's more economical and they know nothing about security.

A project I developed and handed over to the investors was put on it that way and the investors mentality was higher profit margin.

There is no such thing as US or NATO proof countries in term of web hosting. Even Russia and FSB help the US. South East Asian companies sometimes take longer to process US legal filings but they still obey especially when their export is threatened.

You need TOR hidden services or a double-flux DNS to protect your infrastructure.

[IdeasVacuum]

Otherwise all of them are stupid

That is the case I'm afraid - it's fashionable to call this 'naiveity'.

[Kukulkan]

Hi,

my worst fear was, that there is no rational explanation to host sensitive or mission critical infrastructure on AWS (except of the price). But it turns out that exactly this is the case. All security concerns and all maintenance abilities are thrown away because of the cheap price. I'm pretty sure, the first time they have to fix the networking stack or some data appears to be lost, the cost savings are much less than the efforts needed to fix the problems...

Anyway, thank you for your ideas and thoughts about this. I still try to understand the motivation. I'm not yet ready to believe that all of them are stupid or naive. Maybe I still missed something...

[Techie42]

Hi Kukulkan,

Depending on how you configure your services (and which ones you use - there are a lot, and just as many ways to achieve the same result), you have two choices: you can remote login via command line, and / or you can use the AWS console (their website).

You can relaunch instances (servers), restart, terminate, etc... you can view logs, manage security, etc...

You can host for free with AWS if you choose the correct services and keep requirements under certain thresholds. You also get access to the free tier for the first year after registration (but be careful, you can still incur costs).

You need to learn a bit about AWS services so you can make informed choices - follow their getting started tutorials and most of them work on the free tier.

Your concerns about logging in remotely if a server freezes are valid, but this should not happen if you know what you are doing. For example, you create a "standard" server instance. Then remotely login and configure it. You can then create what is called an AMI - use this to apply updates and to test new functionality. If you fry it, then simply reload it. Once you've got the AMI working how you want, you can then roll this out and create new server instances from it.

AWS can solve a lot of issues for you, but it introduces a whole lot more. It can seem scary at first, but register for a free account and follow the getting started tutorials - you will quickly discover the answers to your questions and learn a lot in the process. The only thing is information overload - the AWS documentation is huge, and there are a lot of ancilliary skills you will need to acquire along the way, but it can be a lot of fun Good luck!

[Mijikai]

They are buying protection by not 'knowingly' hand over data.

[tj1010]

You'll never be able to use AWS securely if you have local processes that use the data(encryption keys).

Amazon just got a lot of US defense contracts, and I see at least one headline a month where some Fortune 500 configured AWS wrong and leaked gigabytes... You would think billion dollar revenue companies could get someone who could do basic admin stuff; this seems industry standard, though...

Personally I'd just code a crypto proxy on a hardened platform like Gentoo in front of some reputable fail-over CDN and use HTML5 stuff for transparent UI/UX... Mega kind of does this...