I now officially declare cloud computing a mainstream trend. I say that not just because corporate America is embracing cloud computing; Agatha Poon’s and Gary Chen’s June 2008 report, “Is Cloud Computing a New Force to Disrupt the Telcos’ Business?”, says it is. But the data point that put me over the top was this Washington Post article noting that email SPAM-generating companies are now avid users of Cloud Computing.
Websense Security Labs issued an alert about the spam attacks on Monday, but it didn’t name Amazon as the source. The advisory rightly noted that it had discovered “a substantial number of spam messages utilizing a reliable social engineering trick.” The junk mail claims to have been sent from Microsoft, and urges the recipient to install an attached security update.
….
But the most interesting aspect of this attack (at least to me) was left out of the Websense advisory: All of the spam came from Amazon’s Elastic Compute Cloud (EC2) servers, which are marketed to companies — mainly small to mid-sized businesses — that want to purchase access to any number of computer applications hosted on the Internet, from data crunching and storage to on-demand computer processing power. These so-called “cloud computing” services potentially put the strength of massive computer arrays in the hands of the average user, and the service is “pay-as-you-go,” so customers only pay for the resources and services they consume.
I see this somewhat nefarious use of cloud computing as important because it:
- Proves clouds have real-world utility. Because yields on SPAM are low, spam merchants migrate toward technologies that are cheap and have broad reach. If spammers are using Amazon EC2, it demonstrates that there’s real utility gold in those clouds.
- Will prod cloud providers to think beyond technological security measures. Amazon’s EC2 registration and provisioning is completely automated. That automation means that anyone with a credit card can use their facility, regardless of whether their activities are legal and above board. Amazon will have to insert some human vetting of customers and applications into its system, if only to stave off legal liability should someone decide to push the envelope by running truly illegal services such as a distributed denial of service controller.
- Will sharpen the cloud service targeting. The temptation to date has been for infrastructure-as-a-service providers to sell generic and undifferentiated CPU cycles to anyone with a credit rating. But legitimate businesses won’t want to be tainted by sharing IP addresses and domains with bulk mailers. That means that cloud providers will have to decide and target who they will sell to and who they won’t — and how to tell the difference.
If PayPal could figure out how to deal with credit card fraud and liability online, surely Amazon can figure out how to deal with shady customers wanting to exploit Anywhere cloud services. And if Amazon doesn’t figure it out, one of their cloud competitors will. But in the end, Paul Vixie, founder and chairman of the Internet Software Consortium, said it best in the Washington Post article: “Security is the natural prey of scale. You can’t make something safe if everyone is supposed to be able to use it.”
