As you may have noticed, cloud computing is pretty fashionable at the moment. Its benefits are obvious: on-demand power that is managed by specialist suppliers, most of whom have chosen to base their infrastructure on open source – another plus. But, inevitably, there are downsides to moving to the cloud, which are all the more insidious for being subtle.
Here's an interesting example:
Last week, a Linux kernel vulnerability that allows for local privilege escalation through a NULL pointer dereference was announced. Many of the major Linux distributions are still working to provide updated kernels, and a few already have. Once updated kernels are released, applying the patches should be straightforward. But for systems running in the cloud, additional complexities and delays may arise.
Most providers of on-demand cloud servers require the use of custom kernels, which are tuned for the provider's specific virtualization implementation. These custom kernels significantly change the upgrade path, and may even affect the short-term workarounds provided by the upstream distribution.
The problem here is that when a company is running its code in the cloud, it may not be using the infrastructural software it thinks – for example, as here, the kernel may well be a custom variant. This means that corporate users find themselves in the dangerous position of having a misleading mental image of their computing setup – never a good situation.
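One practical way to find out whether the kernel you are running is the one your distribution patches is to compare the running kernel release with the kernel packages the package manager knows about. The following is an added example, not code from this post or from the post it quotes; it assumes Debian-style naming, where the package `linux-image-<release>` corresponds to what `uname -r` reports, and the list of provider-kernel markers is a constructed assumption rather than anything the page states.

```python
"""Classify the running kernel as distribution-packaged, provider-custom or unknown.

Assumptions (not from the original post):
  * Debian-style package naming: 'linux-image-2.6.26-2-amd64' installs the kernel
    whose `uname -r` is '2.6.26-2-amd64'.
  * Package data comes from `dpkg-query -W -f '${Package}\t${Version}\n' 'linux-image-*'`.
  * PROVIDER_MARKERS is a constructed list of substrings that often appear in
    virtualisation-specific kernel names; treat it as a heuristic only.
"""
import subprocess

PROVIDER_MARKERS = ("xen", "ec2", "virt", "cloud")  # constructed heuristic

# Constructed sample of dpkg-query output: two distribution kernels installed.
SAMPLE_DPKG = (
    "linux-image-2.6.26-2-amd64\t2.6.26-19\n"
    "linux-image-2.6.26-2-xen-amd64\t2.6.26-19\n"
)


def parse_packaged_kernels(dpkg_text):
    """Return the set of kernel release strings the package manager has installed."""
    releases = set()
    for line in dpkg_text.splitlines():
        if not line.strip():
            continue
        package = line.split("\t", 1)[0]
        if package.startswith("linux-image-"):
            releases.add(package[len("linux-image-"):])
    return releases


def classify_kernel(running, packaged):
    """'distribution' if the running kernel is a packaged one (so the distro's
    security update replaces it), 'custom-provider' if it looks like a
    virtualisation-specific build, else 'unknown'."""
    if running in packaged:
        return "distribution"
    if any(marker in running.lower() for marker in PROVIDER_MARKERS):
        return "custom-provider"
    return "unknown"


def report(running, dpkg_text):
    """Combine both steps and explain what the result means for patching."""
    packaged = parse_packaged_kernels(dpkg_text)
    kind = classify_kernel(running, packaged)
    advice = {
        "distribution": "distribution kernel update applies; reboot after upgrading",
        "custom-provider": "provider-supplied kernel; check the provider's fix and image upgrade path",
        "unknown": "kernel not from the package manager; establish its origin before relying on upstream fixes",
    }[kind]
    return {"running": running, "packaged": sorted(packaged), "kind": kind, "advice": advice}


def live_report():
    """Run the check on the current host (requires uname and dpkg-query)."""
    running = subprocess.check_output(["uname", "-r"], text=True).strip()
    dpkg = subprocess.check_output(
        ["dpkg-query", "-W", "-f", "${Package}\t${Version}\n", "linux-image-*"], text=True
    )
    return report(running, dpkg)


if __name__ == "__main__":
    # Constructed cases: a packaged kernel, a provider-style kernel, and an unlabelled one.
    for release in ("2.6.26-2-amd64", "2.6.18-xenU-provider", "2.6.30-local"):
        result = report(release, SAMPLE_DPKG)
        print(f"{result['running']}: {result['kind']} -> {result['advice']}")
```

On a real host, `live_report()` does the same comparison against the actual `uname -r` and package list; a result other than `distribution` is the signal that the upstream distribution's kernel advisory and workarounds may not apply as written.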
As the post quoted above notes:
This vulnerability sheds light on an area that hasn't been completely hashed out yet by on-demand providers; they need to be more proactive in both distributing information about kernel security issues, as well as documenting image and instance upgrade procedures once a fix is available.
This is a timely reminder that cloud computing is still in its infancy, and that companies would be wise to treat it as an ongoing experiment rather than a mature facility on which you can safely bet your business.