Commercial Cloud Outages Are a Wake-Up Call

vchal/iStock

As cloud computing’s versatility gives it the potential to become the easily identifiable “central nodes” of America’s economy, these policies are needed to ensure resilience.

On Nov. 26, Amazon Web Services, the world’s largest cloud service provider, experienced a major outage in its US-EAST-1 data center due to a “relatively small addition of capacity” to the Amazon Kinesis real-time data processing service. Just over two weeks later, Google’s Cloud Platform suffered a major failure in its quota management system, severely reducing the capacity of its authentication system. The AWS outage caused services from major organizations such as Adobe, Autodesk, Fidelity, New York City’s Metropolitan Transport Authority and the Washington Post, to go down without warning. The GCP failure prevented users from logging in to their Gmail and Google Cloud applications, leading to interruptions for organizations using Google for their core office utilities.

These failures should serve as warnings for organizations to be vigilant over cloud computing’s pitfalls, but more urgently, act as a wake-up call for the U.S. government to reevaluate how it works to manage the risk from cloud services and consider cloud interoperability to bolster national and economic security. Organizations are increasingly integrating cloud computing for its convenience and the revolutionary technologies it unlocks. Critical infrastructure operators, from energy to health care, are making the cloud a key next step in their future development. And because cloud computing is an industry with extremely high barriers to entry, operators are likely to default to AWS, Microsoft Azure, Google Cloud, IBM or Oracle in the future, making any disruption in their services a potential threat to national and economic security.

The recent AWS and GCP outages follow a string of major cloud computing failures from the three largest providers. In April 2011, AWS’ Elastic Block Store, a widely used storage service, went down due to a similar routine capacity upgrade, leading to cascading disruptions in the US-EAST-1 region. In February 2013, Microsoft’s Azure cloud service experienced a global outage after certificates securing customer data expired. In August 2015, Google Cloud’s data center in Belgium suffered minor data losses after lightning strikes on power grids knocked out its primary power supply. And in February 2017, AWS’ Simple Storage Service (S3), a host of entire websites and applications, experienced a four-hour disruption in the US-EAST-1 region when debugging slower-than-usual performance.

These three internet giants’ positions as industry leaders do not exempt them from failure; if anything, they are pioneers in the current era of complex distributed computing systems, making failures due to internal mistakes or act of God events to some measure unavoidable. In spite of cloud vendors’ promises of cost savings and commercial pressures to adopt the cloud, these recent failures should remind organizations to assess whether they can tolerate these “growing pains,” especially with respect to their critical functions.

Each cloud failure has impacted the economy more harshly than the one preceding it. The earlier disruptions, such as the 2013 Azure outage, only caused relatively minor disruptions with the most apparent problems occurring in the Xbox Music and Video platforms. A more serious impact occurred in 2016 when a power disruption at a Verizon data center containing JetBlue Airways databases caused JetBlue flights to be grounded for hours. The 2017 S3 outage saw consequences across different industries, affecting popular services like GitHub, Quora, Expedia and many mobile apps. And in this latest outage, services from critical sectors such as finance (Fidelity, Coinbase) and transportation (NYC MTA) were meaningfully impacted.

These realities raise important issues for regulators. Steps such as requiring organizations to disperse their computing infrastructure across several cloud providers and requiring providers to increase interoperability aren’t just prudent, they’re necessary. Interoperability could be reflected in common architectures or a software middleware layer to help organizations relocate their workloads between cloud vendors easily and greatly reducing the probability that all of an organization’s systems could fail at once. Instituting some of these changes would keep problems “localized” and prevent industry-wide failures due to overreliance on any one provider.

Cloud vendors should also be evaluated against more frequently assessed and risk-sensitive regulatory models. Compliance with an annual audit does not measure the current state of cloud providers or their true ability to respond in a crisis. As cloud computing’s versatility gives it the potential to become the easily identifiable “central nodes” of America’s economy, these policies are needed to ensure resilience. In all likelihood, the oligopoly in place in the United States and some other major markets, reliance on Google, Amazon and Microsoft before "everyone else" is here for the foreseeable future. The economics of cloud computing rely upon achieving economies of scale to construct massive data centers and globe-spanning infrastructure so the government has a valuable and urgent role to play.

Cloud computing has become more than a specialized tool—it is quickly permeating all corners of society, and will soon be core to its functioning. We must accept that cloud computing is possible only because companies like Amazon, Microsoft and Google have the resources to invest in the amount of infrastructure required. But like all else, they are not impervious to failure. The key to mitigating this risk is addressing better inter-cloud interoperability early and implementing more frequent assessments of cloud providers' ability to adapt to failure and secure their infrastructure. This will undoubtedly entail numerous disagreements and raise complex engineering issues to the public policy sphere but there could hardly be a better time—before the next crisis is too urgent or catastrophic to easily overcome.

Tianjiu Zuo is a research assistant at the Atlantic Council’s Cyber Statecraft Initiative. He is an undergraduate at Duke University and researches various technology issues at Duke’s Sanford School of Public Policy.

Editor's note: This piece was written prior to the Microsoft Azure outage on March 15, 2021.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.