On a recent visit to New York I saw Cortlandt Alley. It’s pretty much what you would expect of a New York alleyway — narrow, dark, lots of fire escapes, small loading docks and back entrances, some of them mysterious. What you wouldn’t expect is that it’s the only such alley in all of Manhattan.
That’s right, all the seedy and threatening New York alleyways you see in movies and television, the Manhattan ones anyway, are based on this one atmospheric two-block stretch on the edge of Chinatown. I suppose I was lucky to see it on a day they weren’t filming something here.
We talk about “wandering down the wrong alley”, leaving the relatively safe and well-lit thoroughfare by mistake, or maybe because we were enticed by someone who really is a threat.
The same thing can happen to your data on its way to and from the cloud.
It’s tempting to talk about “the route” between two hosts on the Internet, as if an X.25 circuit were established and all packets between the two hosts moved over that. But IP routing doesn’t work that way. A routing decision is made for each packet at each hop along the way. The traceroute program only suggests the route one packet would take. Once the packet arrives, you can (probably) tell how many hops it took by examining the time-to-live field, but you don’t know what those hops were.
The U.S. Government has rules restricting some of its data to reside within the U.S.A., in facilities owned and operated by specially vetted American citizens. Amazon’s GovCloud service addresses this large market segment with facilities in Virginia and Oregon.
As Amazon tells us repeatedly, and as I most recently pointed out just a month ago, you should design your cloud architecture to take advantage of Amazon’s geographic diversity. Amazon’s Virginia site seems to have more problems than the others, so don’t rely entirely on it.
I would hope that packets can reliably make their way across the river (plus a few more miles) between Washington, D.C., and Ashburn, Virginia. But what about getting to Oregon and back? That’s just across the U.S. heartland, right?
Maybe not. Routers have no common sense, and can easily be misled by bogus reports of attractively short or fast or cheap routes.
A U.S. Congress committee reported in April 2010 that nearly 15% of the world’s Internet traffic, including traffic to, from, and between U.S. government and military sites, was briefly routed through China after routers there advertised misleading routing information. This got the attention of the media as well as technical experts, who explain some of the reasons this happened.
The thing is, this is just the event that was widely noticed and discussed. These episodes happen frequently because of innocent errors.
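As an added illustration (not part of the original post), this toy Python model shows why a bogus announcement wins: a router picks the longest matching prefix and then the shortest AS path, so a short path claiming someone else’s address block pulls the traffic. The second function is the kind of origin check an operator can run against a list of expected origins; the prefix, AS numbers and expected-origin table are constructed documentation values, not real routes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One BGP announcement as a router sees it: a prefix and the AS path it arrived with."""
    prefix: str        # e.g. "203.0.113.0/24"
    as_path: tuple     # ASNs from the announcing neighbour to the origin (last element)

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def best_route(dest: str, routes):
    """Pick the route a router would use for dest: longest matching prefix, then
    shortest AS path. Nothing here asks whether the origin is entitled to the
    prefix, which is exactly why a misleading short route wins."""
    ip = ipaddress.ip_address(dest)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -len(r.as_path)))


# Constructed table of who may originate which block (the role an RPKI ROA plays).
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500}


def check_origin(route: Route, expected=EXPECTED_ORIGIN):
    """Return a warning string if the chosen route's origin AS is not the registered one, else None."""
    net = ipaddress.ip_network(route.prefix)
    for covering, asn in expected.items():
        if net.subnet_of(ipaddress.ip_network(covering)):
            if route.origin_as != asn:
                return f"{route.prefix}: origin AS{route.origin_as} but AS{asn} is registered"
            return None
    return f"{route.prefix}: no registered origin covers this prefix"


# Constructed announcements using documentation ASNs (RFC 5398) and TEST-NET-3 addresses.
LEGIT = Route("203.0.113.0/24", (64496, 64497, 64500))   # genuine path, three ASes
BOGUS = Route("203.0.113.0/24", (64510, 64511))          # shorter path, wrong origin


def demo(dest: str = "203.0.113.7"):
    """Show the selection flipping once the bogus route appears, and the check catching it."""
    before = best_route(dest, [LEGIT])
    after = best_route(dest, [LEGIT, BOGUS])
    return before, after, check_origin(after)


if __name__ == "__main__":
    chosen_before, chosen_after, finding = demo()
    print("before:", chosen_before.as_path, "after:", chosen_after.as_path)
    print("check:", finding)
```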
Then there are the problems caused when the Chinese government’s censorship program corrupts worldwide DNS information and misdirects connections.
If you can’t keep your data on the safe thoroughfare, how can you protect it on its way to and from the cloud? Encrypt it! Learning Tree’s Cloud Security Essentials course shows you various ways to protect confidentiality when you can’t protect routing.
There is more to this; come back next week for more on international routing disruptions and their impact on your security.