Who is to blame for killing my business?

June 22nd, 2011 — 1:25pm

distribute IT

I continue to be amazed at how it takes a catastrophe of epic proportions before many organisations realise just how important good information security is. I say this in reference to an article published in the Sydney Morning Herald on 21st June titled “4800 Aussie sites evaporate after hack”. The article refers to a web hosting organisation by the name of Distribute IT as being responsible for the plight of 4,800 small Australian businesses which had come to rely on an online presence and now face ruin, contemplating the loss of their data with no hope of recovery.

Whilst I do empathise with those who have faced losses, I have no empathy at all for the owners and operators of Distribute IT. At earthwave, when discussing the security coverage model – the infamous protect, detect and respond concept that we have discussed in other blog posts – we often delve into the need to have administrative, technical and physical controls. One of the key administrative controls for responding to security incidents is business continuity planning (BCP) and disaster recovery planning (DRP), and the golden rule of BCP and DRP is simple: make sure you have backups, stored in a remote location, that can actually be used for recovery should the need arise.

Whilst I may come across as cruel and heartless for having no empathy for Distribute IT, I have to say that the blame should not rest entirely with them. Any organisation that chooses a hosting company or cloud service provider ought to do a little more due diligence before making a leap of faith. If you are considering hosting or using services in a public or private cloud, or already do, have you addressed the following seven areas of cloud risk as defined by the well-known industry analyst Gartner?

  1. Privileged user: service providers should have a combination of adequate training plans, character assessments and stringent hiring processes with employee background checks before granting staff access to privileged systems and data.
  2. Regulatory compliance: if you are hosting/using cloud services to gain regulatory compliance, and are under the impression you can handball the hard work and all the risk over to your service provider, remember that it is your data and you are ultimately responsible for it. Check to ensure that your service provider has a good understanding of the compliance you are trying to achieve.
  3. Data location: do you know where your service provider is storing the data, and its backup data? Do you require that data resides within Australia? Don’t assume that just because your service provider has a presence in Australia, that the data will also live in Australia.
  4. Data segregation: as service providers capitalise on virtualised and shared infrastructure to deliver services, make sure that your data is not being shared with other customers. Don’t assume that data segregation is included – ask for an explanation from your service provider as to how each customer’s data is segregated.
  5. Recovery: can your service provider recover from the loss of a file, a disk drive, a computer system, a network outage, a power outage, or the loss of an entire data centre? If your business must survive, you need to ask your service provider about its ability to recover and the service levels applied to that recovery.
  6. Investigative support: if and when things do go wrong, does your service provider have the visibility to detect problems with availability, performance or security? More importantly, does it have the ability to respond and remediate? Make sure that you have visibility of your service provider’s incident detection and response procedures.
  7. Long term viability: I am sure the 4,800 customers impacted by Distribute IT’s failure didn’t contemplate this. Nothing lasts forever, so make sure that your service provider is financially stable, is not going to be swallowed up by or merged into a bigger organisation, and is not about to be split off into a poorly funded subsidiary. These are questions that need to be asked.
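
The golden rule of BCP and DRP above, and the recovery question in point 5, both come down to one thing you can check before an incident rather than after: does a copy of the latest backup exist somewhere other than the primary site, is it recent enough to meet your recovery point objective (RPO), and does it verify against the checksum recorded when it was taken? The script below is an added example written for this post, not code from Distribute IT, earthwave or Gartner. The manifest layout, location names, dates and backup payload are all constructed for illustration; in practice the payload would be read back from each storage location.

```python
"""Offsite backup readiness check (added example, not from the original post).

A backup only counts towards recovery if a copy exists at a remote
location, is recent enough to meet the RPO, and its integrity verifies
against the digest recorded at backup time. Everything below is a
constructed sample: the manifest format, locations, dates and payload.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed sample payload standing in for the bytes read back from each
# location where the backup set is stored.
SAMPLE_PAYLOAD = b"customer-sites-2011-06-20.tar.gz contents (constructed)"

# Constructed manifest: the digest recorded when the backup was taken, plus
# one entry per copy. The remote copy is deliberately a week old so the
# check has something to find.
SAMPLE_MANIFEST = {
    "backup_set": "customer-sites",
    "expected_sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
    "copies": [
        {"location": "primary-dc", "offsite": False,
         "taken_at": "2011-06-20T02:00:00+00:00", "payload": SAMPLE_PAYLOAD},
        {"location": "remote-vault", "offsite": True,
         "taken_at": "2011-06-13T02:00:00+00:00", "payload": SAMPLE_PAYLOAD},
    ],
}


def check_backup_set(manifest, now, rpo, require_offsite=True):
    """Return a list of findings; an empty list means ready for recovery.

    A copy is usable only if its digest matches the manifest and its age is
    within the RPO. At least one usable copy must be offsite, otherwise a
    site-wide incident (fire, flood, or a compromise of the primary site)
    destroys every recoverable copy at once.
    """
    findings = []
    offsite_ok = False
    for copy in manifest["copies"]:
        taken = datetime.fromisoformat(copy["taken_at"])
        age = now - taken
        digest = hashlib.sha256(copy["payload"]).hexdigest()
        if digest != manifest["expected_sha256"]:
            findings.append(
                f"{copy['location']}: checksum mismatch (corrupt or tampered copy)")
            continue
        if age > rpo:
            findings.append(
                f"{copy['location']}: copy is {age.days} days old, "
                f"exceeds RPO of {rpo.days} days")
            continue
        if copy["offsite"]:
            offsite_ok = True
    if require_offsite and not offsite_ok:
        findings.append(
            "no verified offsite copy within RPO: a site-wide incident "
            "would destroy all recoverable data")
    return findings


def readiness_report(manifest, now_iso, rpo_days, require_offsite=True):
    """Convenience wrapper taking an ISO-8601 timestamp and an RPO in days."""
    now = datetime.fromisoformat(now_iso)
    return check_backup_set(manifest, now, timedelta(days=rpo_days), require_offsite)


if __name__ == "__main__":
    # With a 2-day RPO the stale remote copy is rejected, leaving no offsite copy.
    for line in readiness_report(SAMPLE_MANIFEST, "2011-06-21T12:00:00+00:00", 2):
        print("FINDING:", line)
```

The check is deliberately strict about ordering: an integrity failure is reported before age is even considered, because a fresh but corrupt copy is worth nothing. Checksums are necessary but not sufficient; the proof a customer should demand from a provider is a periodic restore drill from the offsite copy onto clean infrastructure, with the time it took recorded against the agreed recovery time objective.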

If you have not done your due diligence when choosing your service provider, get started now – doing so late is better than never. If you don’t like the answers you receive, then it may be time to look for a new service provider who has already addressed all seven areas of risk.

Category: Security

  • Michael Wolff

    This is another example (of unfortunately a staggering many) of so-called “hosting services” that don’t even pay lip service to proper backup and disaster recovery procedures. No “hack” can wipe out tapes that are in a vault somewhere; this tragic result is completely due to inexcusable procedures and management. I know that for so many this is slamming the gate after the cows have strayed, but if you are going to host your business-critical systems with someone, DEMAND PROOF that they can deal with catastrophe!

  • http://www.facebook.com/andrew.bycroft Andrew Bycroft

    Michael, I could not agree more. Good security is dependent on people, processes and technology. Most hosting providers seem to do a poor job when it comes to people and processes but at least have some technology in place. Unfortunately in this case it was three strikes – people, processes and technology were all absent.
