Today we're starting a new series that should be interesting to companies that care about eneterprise security management solutions and services. This series- Tales from the Cloud - is from the desk of Warren Axelrod. Warren's written several time for this blog on PCI DSS Compliance solutions, security issues with virtualization, cloud computing and other topics related to protecting information assets. He's worked in several financial services companies protecting information assets. His experience has been strategic and tactical; he's been in operations and on the compliance and risk side of the business. I think you'll find this series on cloud computing to be thought provoking. Let us know what you think!
Tales from the Cloud – Part 1: A Kick in the Side
Oops! SideKick users were subjected to the “Men In Black” memory eraser or “Neuralizer” … and they weren’t protected by their Ray-Bans.
The T-Mobile’s SideKick outage, which occurred as a result of a server failure in early October 2009, essentially wiped out users’ stored contact lists. At first, it was feared that the data was lost forever; subsequent reports indicated that the data was recoverable. Whether the data was recoverable or not, there was clearly a period during which customers did not have access to their data, causing great inconvenience and anxiety.
This incident and others involving Gmail and other service outages should raise a red flag as we continue to increase our dependency on cloud services. Which presents a greater issue to users: cloud security or cloud services?
I have felt for some time that availability is the greater issue. We have ways of securing our sessions on the Web, even though they offer limited effectiveness in the face of ever-evolving threats. But, when there is no service available at all, the impact can be immediate and devastating. It is true that outages can result from bad guys launching denial-of-service attacks, but the impact is generally focused and usually affects a limited number of websites. The big headline grabbing service interruptions, at least to date, have originated from networks and servers out of service due to a break in undersea cables or failures of servers or other equipment and software due to some error or other. Seldom are these outages due to intentional attacks, except perhaps for the recent politically motivated attacks on Estonia and Georgia.
So where does this leave us? Just as you have defensive driving rules, you should operate under defensive computing rules. I recall in the early days of timesharing, one would store their work every five or ten minutes because you expected to lose the connection and any work done since last time you saved it would be lost! So it is with cloud computing:
- Back up your data onto media under your direct control
- Have an established means of continuing to conduct business even when your cloud services are not available.
It might just be a matter of maintaining a list of your contacts’ telephone numbers so that you can call them up or text them if you can’t reach them via email or instant messaging. It is true that it is easier to send a single email out to 20 recipients than calling up all 20 colleagues separately, but the latter is better than nothing. If you operate with the expectation of system and network failures, chances are that you will fare better than most when those inevitable outages and data losses occur.
Powered by Compendium Blogware
Comments for NEW Series: Tales from the Cloud