Security Blog


It's 2 a.m. on a Monday, the workweek starts in 6 hours, and your cloud service provider just notified you that their services are down. What do you do?

This is the same question European consumers were asking themselves when Amazon's EC2 cloud services and Microsoft's BPOS cloud services were taken out by a lightning strike in Dublin early this week.

Despite the proper disaster recovery and business continuity plans developed by these cloud providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have powered up in perfect synchronization to cover the power loss; however, the lightning strike was so substantial that it knocked out the phase control system which synchronizes the power loads. The backup generators therefore had to be powered up and load-managed manually, resulting in a noticeable outage for customers.

This is something for cloud services consumers to keep in mind. You have been reminded time and time again during security training that proper cloud integration involves strict audits of your cloud service provider. These audits are sure to include disaster recovery and business continuity planning procedures. Having all this on paper is only one half of the equation for effective system resilience and reliability; the execution of those procedures under pressure is the true test of recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning: having a backup. This can include file backups, virtual image backups, and even fully operational system backups (what many of us recognize as "hot sites"). Most cloud service providers will offer you extensive features covering many of these protection services. Although bundling them all with the same provider may be more convenient, it can also lead to further disaster in times of peril.

As we have seen from the abundance of cloud outages so far this year, bad things do happen to cloud services. The cloud will go down. This increases the importance of third-party services that keep you running while your main cloud service provider gets back on its feet. Just as it isn't smart to "put all of your eggs in one basket," it probably isn't a good idea to place all of your computing power and resources in the hands of one provider.
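The "one basket" point above is easy to state and easy to drift away from as backup jobs get added and retired. The following check, written for this page as an added example (it is not code from the blog or from any cloud provider, and the inventory, provider names, dataset names and dates are all constructed), reads a backup inventory and answers the 2 a.m. question directly: which datasets would have no fresh copy left if one provider went dark, and which ones have quietly become dependent on a single provider or on stale copies.

```python
"""Assess whether backups survive the loss of one cloud provider.

Added example for this post; the inventory, provider names and
timestamps below are constructed and do not describe any real account.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory: (dataset, provider, backup kind, completed_at UTC)
BACKUP_INVENTORY = [
    ("customer-db", "provider-a", "virtual-image", "2011-08-08T01:00:00Z"),
    ("customer-db", "provider-a", "file",          "2011-08-08T01:30:00Z"),
    ("customer-db", "provider-b", "file",          "2011-08-07T23:00:00Z"),
    ("web-tier",    "provider-a", "virtual-image", "2011-08-08T00:45:00Z"),
    ("web-tier",    "provider-a", "file",          "2011-08-08T00:50:00Z"),
    ("erp",         "provider-a", "file",          "2011-08-01T02:00:00Z"),
    ("erp",         "provider-b", "hot-site",      "2011-08-08T01:55:00Z"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed "current time" for the checks below (the 2 a.m. phone call).
NOW = parse_ts("2011-08-08T02:00:00Z")


def _group_by_dataset(inventory):
    """Map dataset name -> list of (provider, kind, completed_at)."""
    grouped = defaultdict(list)
    for dataset, provider, kind, ts in inventory:
        grouped[dataset].append((provider, kind, parse_ts(ts)))
    return grouped


def _fresh_providers(copies, now, max_age):
    """Providers holding at least one copy no older than max_age."""
    return {provider for provider, _, done in copies if now - done <= max_age}


def assess_backups(inventory, now, max_age=timedelta(hours=24), min_providers=2):
    """Return {dataset: [finding, ...]}; an empty list means the dataset is fine.

    A copy only counts toward recovery if it is fresh, so a second provider
    holding a week-old copy does not satisfy the provider-diversity goal.
    """
    report = {}
    for dataset, copies in _group_by_dataset(inventory).items():
        findings = []
        providers = {provider for provider, _, _ in copies}
        fresh = _fresh_providers(copies, now, max_age)
        if len(providers) < min_providers:
            findings.append(
                "single-provider dependency: all copies on "
                + ", ".join(sorted(providers)))
        if not fresh:
            findings.append(f"no copy fresher than {max_age}")
        elif len(fresh) < len(providers) and len(fresh) < min_providers:
            findings.append(
                "stale copies leave only " + ", ".join(sorted(fresh))
                + " with a fresh copy")
        report[dataset] = findings
    return report


def datasets_lost_if_down(inventory, failed_provider, now,
                          max_age=timedelta(hours=24)):
    """Datasets with no fresh copy outside failed_provider, sorted by name."""
    lost = []
    for dataset, copies in _group_by_dataset(inventory).items():
        surviving = _fresh_providers(copies, now, max_age) - {failed_provider}
        if not surviving:
            lost.append(dataset)
    return sorted(lost)


if __name__ == "__main__":
    for dataset, findings in assess_backups(BACKUP_INVENTORY, NOW).items():
        print(dataset, "->", findings or "ok")
    for provider in ("provider-a", "provider-b"):
        print(f"if {provider} is down, unrecoverable:",
              datasets_lost_if_down(BACKUP_INVENTORY, provider, NOW))
```

Run against the constructed inventory, the check shows that `web-tier` lives entirely on one provider, and that `erp` nominally has two providers but only one fresh copy, so losing the second provider would strand it just the same; `customer-db` is the only dataset that survives either provider going down. Wiring a check like this into the job that produces the inventory turns the "don't put all your eggs in one basket" advice into something that fails loudly before the outage rather than after it.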


The chaos resulting from the economic disaster in our financial system and the ensuing rush to spend money to stimulate economic growth has left information assurance and IT security side-lined. 

Most organizations are trying to understand the new business conditions before they allocate budgets for IT. At the same time, an increased focus on risk management is tying up critical management resources. Much of the current work will prove to be tedious bureaucratic process with little true economic impact. There is simply too much focus on "grand unifying methodologies".

In the midst of these conflicting initiatives, there are several clear key critical points on which new strategies must be built. 

First, the economic collapse was rooted in information assurance. The failure to have transparency in derivative contracts was an information integrity failure. Alan Greenspan and both political parties, along with our major regulators, all put phenomenal faith in counter-party surveillance. The idea was that the financial system could not load up with lousy or fraudulent transactions because there is always a counter-party to every sale. Somebody is putting money at risk, and they are the most obvious party to regulate the risks they accept. The buyer and seller had strong vested interests in making sure that their contracts were secured. What lender would want to expose their money to investments that were likely to fail?

However, they did make these investments and they did lose billions of dollars. The failures were systemic. That is, the overall processes and governance failed us. Systemic failures always require systemic solutions, and it is inevitable that a new array of government regulations and oversight will be applied to the financial industry. To this, we can add the auto industry with billions of unfunded pension liabilities and the accountants who missed all of this. So, our first guiding principle is that every organization should be preparing itself for a vast new array of regulations that will have profound impact on the enterprise. This means substantially more information processing for everything from car loans and mortgages to operational accounting and reporting. 

Mark-to-market as an accounting principle suggests that financial assets be adjusted to reflect their current market value. This can only be done through a massive amount of readily available economic information. What we should think about is Sarbanes-Oxley on steroids. We should also realize that with all this new regulation there will be more vital and strategic information to be protected, so we might think of it as Sarbanes-Oxley² plus a healthy dose of PCI and HIPAA, more data with more data loss protection. 

The winners will be companies that design, develop and deploy appropriate information processing systems with adequate security and risk analysis so that they can be both more secure and more compliant. That's a big upside opportunity for information security.

It's funny that over the last year, in our surveys of executives from our flagship seminar series, Strategy to Reality, regulatory compliance was consistently listed as one of the serious risks confronting an enterprise. While compliance is meant to provide assurance that we are mitigating risks, it has become a threat in itself. Healthy organizations must begin now to harmonize their compliance processes with actual threat mitigation. This is the second principle, which we'll talk about in another posting.

Third, an economic stimulus for the enterprise will likely include investment incentives. The Obama administration has already outlined that improved information technology in healthcare will be one of the targeted infrastructures. We're seeing a more generalized theme emerging where the stimulus package for infrastructure is not our old conservation corps building parks and planting trees but, more likely, a modern cyber structure providing greater information technology resources to schools, hospitals and governments. While there certainly is far more we'll be discussing in these areas, the key point is that the last thing a troubled economy needs is more risk and uncertainty. Winners and losers are always pronounced during periods of economic volatility, and we can be certain that this period will be no exception. 

We believe information assurance and IT security will be vital industries in the new economic order!
