Who do you trust with your cloud credituals?

Krishnan Subramanian has written a review of and as part of his analysis he highlights a few concerns. At the end of the review he lists this as a con:

Even though ACL is used to give read/write permissions, I am still not 100% convinced about the security offer a video encoding service. You basically upload files to your S3 bucket, where by they will periodically scan it looking for uploaded video files. They will then download it, encode it, and upload it back again, already to be streamed via the FLV format.


This is a good example of transcoding services that we'll probably see a lot more of now that the cloud operators such as Amazon have made it so simple to manage bandwidth, resources and storage.

Krishnan is absolutely right to highlight security as as a concern, but have been very shrewd in how they integrate with your Amazon account. They do not required your Amazon keys, merely READ/WRITE access to your bucket for a specific defined user.

Many add-on or value-add services require that you hand over your valuable Amazon keys; basically freedom to do with them as they please. For example Cohesive FT and RightScale both require access to the Amazon kingdom before they can give you their value added service.

We always preach to everyone as soon as they stand upright that we should never tell anyone our password, pin number or anything that would allow someone to transact in bad faith on our behalf.

At first blush it would appear that this advice is now thrown to the wind as we happily type in the two pieces of information to the likes of Cohesive FT/RightScale so they can go off and potentially cost you a fortune, running up and consuming cloud services. The damage the likes of could do in comparison is nothing - the worse they can do, is to run up a huge storage/transfer bill.

It is vitally important that you do your research before you hand over crucial information such as your cloud credituals to a 3rd party company. Cloud providers could also recognize this need for 3rd parties to integrate and help you manage this but ensuring they are only given boundaries to which they can operate. For example, a temporary expiring creditual, or one that is restricted in what they can do. This would open up the market place for new partners and ease the trust barrier.

Creditability in this space is what will hurt many a new cloud-orientated start-up and it is here a lot of work and trust has to be earned.

In the meantime, use common-sense, and do not willingly give your cloud keys over to anyone asking - you could be signing a blank cheque.


Recent Cloud posts

Recent JAVA posts

Latest CFML posts

Site Links