darren whittingham - Fotolia

Why would public cloud providers turn off customer cloud accounts?

Public cloud providers reserve the right to shut off vulnerable cloud accounts, but how does it work? Expert Dan Sullivan explains.

I've read about how major public cloud providers can turn off customer cloud accounts if the providers suspect the customers' virtual machines have been compromised or if the customers haven't applied proper vulnerability patches. How does this work, and is it something my organization should be concerned about?

It is true that some cloud providers have publically stated they shut down vulnerable accounts under rare circumstances. You can see a report on Microsoft's practices here.

It may sound drastic to shut down a paying customer's cloud account -- and even counterproductive to the cloud provider in the long term. To understand why this might happen and why it is in our long-term interest to have such practices, let's consider the problem from the cloud provider's perspective.

IaaS clouds such as AWS, Microsoft Azure and Google Compute Cloud function on a shared responsibility security model. Part of the provider's job is to monitor patterns of behavior in server activity and network traffic. When suspicious activities occur, the provider investigates and possibly informs a customer about actions the customer should or must take.

For example, if a cloud provider detected one of your servers was vulnerable to the severe SSL Heartbleed vulnerability, it would probably inform you. If you did not patch the vulnerability, your encrypted data might be compromised. While for the most part you and your customers would suffer the brunt of the attack, there might be some adverse consequences for other cloud customers if your compromised server was under constant attack and large volumes of data were stolen from your server.

Consider a vulnerability like Shellshock, a widespread vulnerability that allowed attackers to take control of vulnerable machines and launch distributed denial-of-service attacks. Cloud providers should inform customers when they become aware of vulnerable instances, and customers, in turn, should patch such vulnerabilities. If patches are not applied, all users of the cloud become potential victims. Applying patches is somewhat analogous to receiving a vaccination to prevent the spread of an infectious disease; those not vaccinated are at risk and enhance the risk of infection in others.

Yes, customers should be concerned about providers shutting down their cloud accounts. If the cloud provider is threatening to block the account of a paying customer then chances are that customer is a potential threat to others and possibly itself. There is the potential for many unknown threats to information systems that information security is a perpetual task. When someone identifies one of those threats for us, we should pay attention.

Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)

Next Steps

Explore why collaboration between providers and customers is critical to cloud security

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices