
Determining Cloud Service Provider property values using real estate economic models and the exposed attack surface area of neighboring guest instances

"Is my provider a slum lord and am I surrounded by dangerous tenants"

Date: Sunday, November 24th, 2013
Author: Andrew Hay

The economic models used to derive real estate property values can be adjusted and applied to Cloud Service Provider (CSP) pricing to help determine a more accurate valuation of guest instances and the region in which they operate.

At what point is $0.06 per compute hour really worth $0.06 per compute hour? CSPs are actively engaged in a global competitive pricing war. In an attempt to lure customers away from traditional on-premises and self-managed datacenters, CSPs are actively positioning Infrastructure-as-a-Service (IaaS) cloud architectures as the heir apparent.

Citing a shared-responsibility model, the CSP accepts security responsibility for the physical compute infrastructure up to and including the virtualization hypervisor. The security of the individual cloud server guest instances, however, is ultimately pushed down to the end user.

The CSP region (e.g. neighborhood) valuation can be affected by the presence of technical controls (e.g. a large gate protecting the community), security and operational monitoring (e.g. community patrol force or security guards), and even attested-to third-party validation of policies, procedures and guidelines such as ISO 27001, PCI DSS, or others.

A CSP’s neglect of responsible security practices for its infrastructure adversely impacts the valuation of the provider’s neighborhood and lowers the individual user’s cloud instance property value.

Technical security controls such as host-based firewalls, software-defined network access controls (e.g. AWS security groups), or data encryption positively affect the neighborhood valuation, whether provided directly by the CSP or not. In some cases, these controls are included by the CSP as part of its base compute pricing. More often, the CSP requires end users to make an additional investment in responsibly employing these security controls. In the latter case, the hourly base rate of the guest instance increases.

If a CSP suffers frequent, lengthy, and customer-disrupting outages, the property values of the entire compute neighborhood are adversely affected, thus over-valuing the price-per-hour rate for its services.

A user’s neglect of responsible security practices for their guest instances adversely impacts the valuation of the entire CSP region in which they operate.

Likewise, guest instances (e.g. individual properties) and properly employed security controls (e.g. fences, locks, and alarm systems) can affect the valuation of the CSP neighborhood. As with housing models (barring other economic influencers), owner neglect negatively affects the valuation of not only the owner’s property but all of the other properties in the neighborhood. In contrast, when homeowners maintain or improve their property, the valuation of the entire neighborhood is positively affected.

The true valuation of CSP pricing can be determined by taking into account external data using the real estate property value model.

In order to determine the true valuation of a CSP’s hourly per-instance pricing, additional inputs must be gathered and a new cloud valuation model created to derive the positive and negative effects of operating in a particular CSP’s architecture and/or geographic region.

A number of external data points exist as possible inputs for the valuation model. Data including provider mitigating technical controls; vulnerabilities of neighboring guest instances; outage frequency, impact, and duration; and compute per-hour pricing trends, among others, establish a more realistic valuation of CSP properties.

Using the model, an end user can determine if a $0.06 per-compute-hour cost is an undervaluation or overvaluation of a guest property for a particular CSP neighborhood and geographic region.

Andrew Hay can be reached via Twitter at @andrewsmhay