Sysadmin blog The implosion of source-code hosting biz Code Spaces should have rung plenty of alarm bells.

A company with a loyal following and a bright-looking future suddenly disappeared, never to be seen again. What's worse, for the past several years a significant chunk of the IT community has been warning about exactly the sorts of issues that ultimately resulted in Code Spaces' failure.

I feel sorry for the real human beings affected by this incident; jobs lost, years of work evaporated.

Unfortunately, that's not all I feel. I also feel something almost, but not quite, entirely unlike schadenfreude. When I heard the news, the dark uncharitable part of my soul wanted to climb atop the tallest tower and bellow: "I told you so!" A release of years of pent up tension and frustration at watching company after company swallow cloud vendor marketing tripe hook, line and sinker.

A lot of people told the world so. Nobody listened.

Herd immunity

Just because your workload is in the public cloud doesn't mean you can stop worrying about it. In fact, you need to worry more. When you ran your workload on your own premises, you were part of a great big blob of stuff behind a load of IP addresses.

Will this IP hide a multimillion-dollar corporation, or will it hide a home business that sells knit sweaters and makes a few grand a year? What will the security look like? What services could be running there? Is it a researcher's honeypot, or the real deal?

There was some security to be had in that obscurity. If enough zebras run together then they all look the same. Predators must rely on attacking the weak and the infirm because they just can't get a lock on those who are able to keep up with the herd.

To contrast, cloud providers are great big fat targets. They run a lot of workloads that are very alike. They use common security applications and procedures and – most critically – they can all be accessed through a limited number of management interfaces.

Do you remember how Microsoft Windows became the target for every nefarious ass on the planet simply because it was used by everyone else on the planet? This is replaying right now, but with the big three public cloud providers playing the role of planetary target practice.

The cloud is not a free pass to disable your brain

Public cloud computing is marketed as a free pass to disable your brain, but that's a blatant lie. I don't care what your company does in the cloud, you still need a proper systems administrator – an IT operations specialist – to keep it all in line.

Most importantly you need to actually listen to that operations nerd and understand that just because the nice cloudy marketing advert says you don't need things like "backups" or "monitoring" or "security" doesn't mean it's true.

There are some basics that apply, regardless of whether you are using the public cloud, on premises equipment or have a hybrid approach. Here's what you need to know:

1. If your data doesn't exist in two places, it doesn't exist

Always make backups of your data, and keep one of those backups somewhere that is not where your primary data is kept.

If you keep your primary data on premises, get a disaster recovery (DR) site, or encrypt your backups and send them to a cloud provider. If you already use a cloud provider, back up your data to a different cloud provider. Under no circumstances back your data up to the same cloud provider as is running your primary workloads!

2. Never use the same username and password for multiple accounts

Make damn sure the bad guys can't get all copies of your data by compromising a single provider, be that a cloud provider, or your local network. What good would using one cloud provider for primary workloads and one for backups be if you used the same username and password for both? What good is a DR site if getting hold of the domain administrator's username and password unlocks all the treasure boxes on both sites?

3. Use multi-factor authentication

Yes, those stupid key fobs or Google authenticator are annoying. I hate them too. Use them anyways, we don't have anything better.

4. Fear lock-in

If, under duress, you can't arrange to leave behind your existing infrastructure provider in a week, you're in a bad place. Whether that infrastructure is local, or it's cloud-based, you need to know enough about backing it up and restoring it that you can take the whole kit and caboodle and move it on short notice. You just may have to.

5. Don't just plan backups, plan restores

So you used cloud storage as a cheap disaster recovery storage location. Then disaster struck. Can you get your data back and be operational again in time to save the business, or are you going to be trying to suck 40TB through an ADSL modem? Never underestimate the bandwidth of a truck full of disks. Consider a colo facility or a truly local cloud provider before you consider the majors. They may be able to put your data in a car and drive it over to you if you ever need it.

6. Monitor everything

Don't just check to see if your site is up or down. Make sure you use cloud providers or in-house security systems that can tell you how many times an administrator has logged in, and from where. Actually check these things.

7. Always assume everything is compromised.

The days of "eggshell" computing – where you defend only the perimeter and leave everything behind the edge firewall wide open – are behind us. Always assume every single system you operate – on your own premises or in the cloud – is compromised. If I compromise the administrative account on that server, how many others can I attack? What information can I steal? How will you ever know if a breach has occurred? Learn to compartmentalize.

8. Make sure you have enough staff; pay and train them well

Clouds – public or private – aren't an excuse to fire a bunch of people, or attempt to make existing staff do more. The public cloud means that your administrators face a whole new set of challenges. You want them to provide a stable, reliable, secure service that can withstand both malice and incompetence. Don't ask them to work for a pittance, pay for their own training and do it on their own time.

9. Pay for appropriate hardware, software and services

If you run all your stuff locally, or in the public cloud, you still need to buy the right gear. A public cloud play will require – at a minimum – backups, monitoring and security auditing from a company other than the one you use for your primary cloud service. Running your workloads on premises could require pretty much anything. Don't cheap out. It could cost you your business.

The cake is a lie

You might notice a theme here. The theme is that the biggest advertised benefit of the cloud – the cake, if you will – is a lie. That dream that you will save vast quantities of money because you don't have to actually think about the pesky details of how your infrastructure is run, is just that: a dream.

If you want push-button simple infrastructure, you can buy that. Nutanix and SimpliVity will cheerfully sell you a server cluster with associated storage, hypervisors and so forth. VCE will sell you anything from a rack to a data center, and most of the majors will cheerfully sell you entire sea cans pre-assembled and ready to go.

If you feel the burning need for the orchestration goodness of that cloudy special sauce, you don't need to go far to find it. Pivotal will gladly get you going with Cloud Foundry, making either your VMware or Openstack setup shine. Redhat's OpenShift can do the same, while Microsoft offers Azure on premises.

Don't feel like setting it up yourself? Pistoncloud is as close to clicking "next, next, next" and getting a fully ready to rock OpenStack private cloud as currently exists. Metacloud will not only install OpenStack for you, they'll manage it. Both of these can move workloads to other OpenStack clouds and back again. Or can be used as the disaster recovery, or any combination you can imagine.

If it's ease of use you crave, you can have it, and you don't need to give up control over your data to get it. If what you're looking for is time to market, the public cloud still may not deliver because you still need to put in the basic amount of care and feeding of your data.

You can spin up a VM in seconds on a public cloud, but that doesn't mean you should just take that VM and build a business on it. You still need to care about managing risk, even in the cloud. ®

Related story

• Code Spaces goes titsup FOREVER after attacker NUKES its Amazon-hosted data (18 June 2014)

  https://www.theregister.com/2014/06/18/code_spaces_destroyed/