Security Blog

Your source for information security news and views.
Tags >> risk management

The recent 5.9 magnitude earthquake in Mineral, VA was a complete surprise to those within its reach. Although damages were minimal this still reminds us of the importance of disaster recovery and business continuity planning. So far reports only show minimal injuries, a safety shutdown of local nuclear plants, and some cell network disruption. These effects are minor as compared to other major disasters that would results damages and minimal disruption has been reported among data centers within range of the quake, however, the most important thing we must take from this event is that these things can happen anywhere and everyone must be prepared.

Your office may not be near a fault line, in tornado alley, or along hurricane path, but these natural events do deviate from their means from time to time. In a way there is no 100% safe place to be. It is always a good practice to plan for every disaster possible and not just those that are common for your area.

This also raises some questions regarding the placement of our disaster recovery providers. Chances are your disaster recovery provider has chosen a backup location that on a normal day is exposed to minimal risk of disaster. They probably claim this location has been chosen due to its low risk factor and generally safe environment. But as I just stated there is no end all be all safe haven for data and IT centers to set up shop. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

In another side of the story, the Tuesday quake may not have thrown any industries into disaster recovery mode but it did shed light on the aging infrastructure throughout cities along the East coast. Disaster recovery plans can help to rebuild and enable business continuity after a damaging event however, they do not generally take into account the fragility of the infrastructure currently in place. Many disaster recovery plans would be much less likely to be activated if the infrastructures they are set up for are solid and secure from the start.

With hurricane Irene bearing down on the East coast within the next week we can only hope the minor damage already done by the quake is not magnified by the hurricane. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.


It's 2a.m on a Monday, the workweek starts in 6 hours, and your cloud service provider just notified you that their services are down. What do you do?

This is the same question European consumers were asking themselves when Amazon's EC2 cloud services and Microsofts BPOS cloud services were taken out by a lightening strike in Dublin early this week.

Despite a proper disaster recovery and business continuity plan developed by these cloud providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have powered up in perfect synchronization to cover the power loss however, the lightening strike was so substantial it knocked out the phase control system which synchronizes the power loads. Thus the backup generators had to be powered up and load managed manually resulting in a noticeable outage for customers.

This is something for cloud services consumers to keep in mind. You have been reminded time and time again during security training that proper cloud integration involves strict audits of your cloud service provider. These audits are sure to include disaster recovery and business continuity planning procedures. Having all this on paper is only one half of the equation for effective system resilience and reliability, the implementation of those procedures under pressure is the true test of recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning, having a backup. This can include file backups, virtual image backups, and even fully operational system backups (what many of us recognize as "hot sites").  Most cloud service providers will offer you extensive features to include many of these protection services. Although bundling them all into the same provider may be more convenient it can also lead to further disaster in times of peril.

As we have seen by the abundance of cloud outages so far this year, bad things do happen to cloud services. The cloud will go down. This brings an increased importance to third party services to keep you running while your main cloud service provider gets back on their feet again. Just as it isn't smart to "put all of your eggs in one basket," it probably isn't a good idea to place all of your computing power and resources in the hands of one provider.


 

Although early cloud computing adopters boast of its cost savings, there seems to be a catch that many organizations are not prepared for. The cost savings in IT is no myth, your organization will save on its IT budget however this money saved may not be going directly into your pocket right from the start. This money must be reinvested and distributed among other company resources to ensure a safe transition to the cloud. These other resources include security and auditing. Without receiving corporate permission to increase these budgets and implement a new approach to measure cloud security, the transition can fail and the result will be reports showing a lack of funding and lack of security.

The unexpected “reinvestment clause” regarding a cloud transition has taken many federal organizations by surprise. Since the recent cloud-first mandate by United States Chief Information Officer, Vivek Kundra, federal organizations have been urged to transition three services over to the cloud within the next year. Many have been transitioning their low hanging fruit and resources of minimal importance which has taken some weight off of the organizations but still does not offer the benefits that the mandate aims to succeed. Other organizations that have gone for broke have done exactly that, gone broke. Data has shown that 79% of federal organizations are complaining of a lack of funds. If only these organizations would have planned on reinvesting in auditing and risk management they would have been able to report financial gains instead of money woes.

“The policy and risk assessment work just hasn’t been done.” said Paul Sand, Vice President of IP3 Inc. A transition to the cloud takes planning, auditing, research, and careful budgeting. If you are smart about it, and take note of hidden factors, your organization has the potential to gain great success by joining the cloud movement. This methodology reminds me of an old proverb, “Those who fail to plan should plan to fail.”

While we are on the topic of cloud transition it is also important to note the consequences of a failure to budget properly.  On top of those with funding concerns,  71% of organizations reported having fears regarding cloud security. The mindset that the cloud should just be secure is only a fallacy. A secure cloud takes initiative and constant monitoring and measuring by all responsible parties. This includes doing your homework and researching proper security controls, configuring SLAs to ensure proper controls  are implemented by cloud service providers, and also auditing those controls. But without a budget these tasks may go unmarked on the security checklist.

The lack of funds has also caused some organizations to sacrifice their privacy and security for multi-tenant, shared, private cloud implementations. This leaves these organizations at risk of spillover and cross contamination with neighboring information. Granted the multi-tenant implementation saves money, it still does not change the fact that it sacrifices security. Since the information being stored and used is usually highly classified federal information, the last thing we would want to do is make a choice based on an inadequate budget that scarifies security.

A transition to the cloud is not something that will happen overnight. It will take planning, budgeting, risk assessment and plenty of audits along the way. Be sure you know what your organization is getting into before you decide to take off into the clouds.

 


Topics