Business continuity and disaster recovery is important for any SMB customer, and it needs to be addressed especially carefully when it comes to clouds, whether private or public. A cloud outage can mean extensive downtime, which can cripple a small business. Your customers need you to have a contingency plan in place.
In this excerpt from Chapter 3 of †Securing the Cloud: Cloud Computer Security Techniques and Tactics by J.R. “Vic” Winkler, the author examines the importance of disaster recovery in the case of natual disaster or security breaches. The discussion turns to litigation issues, as well. As an IT service provider, it’s up to you to be able to guide your customers through a disaster or security breach and be able to provide data in the case of litigation.
By J.R. “Vic” Winkler
The importance of the issue of business continuity and disaster recovery needs to be stressed. In terms of disaster recovery, you need to consider some possible scenarios: a provider may go out of business or their data center may become inoperable. The main issues with the first scenario is getting your data back and relocating your cloud applications to another supplier. These should be thought out before deploying to the cloud and further protecting your interests by ensuring regular backups of your data. Some form of plan should be set out when you move to the cloud and that plan should be revisited on a regular basis as the market and circumstances may change quite rapidly.
There have been a number of instances where a data center has suffered a catastrophic outage, and consequently loss or disruption to many websites and businesses, such as:
- Fire in a data center in Green Bay, Wisconsin in 2009 with up to 10 days of outages for some hosted websites.
- Fisher Plaza (Seattle) outage in July 2009. Bing Travel being one of the affected sites.
- An explosion in The Plant data center in Houston in 2008 took nearly 9,000 customers offline, some for a few days.
- Rackspace had an outage in their Dallas center in 2009, which lasted just under an hour.
- In 2007, the 365 Main data center had outages, which affected Craigslist and Yelp among others.
- Google suffered a data center rolling blackout during February of 2009, causing the loss of mail service for many customers. This was due to software upgrade error.
Depending on your level of preparedness, any of these could be an inconvenience or a threat to your business. While smaller companies are more likely to be hit harder as they will have less expertise to call upon, an outage could seriously disrupt any business. As can be seen from the list above, it is not just physical issues due to power or cooling failures but also software errors that can take a data center down. Hackers have used denial of service attacks against Web sites which if located in the same data center, may also affect your site by virtue of bandwidth issues.
Breaches of Security
The security of your application may be breached, or your data compromised, while it is in the cloud. Initially, however, you have to be notified of the breach through the cloud provider’s systems or other means (hopefully not by a customer complaining their identity has been stolen). You need to be clear about the disclosure policy of the cloud provider and understand how quickly they will disclose the breach to you. The majority of U.S. states have security breach disclosure laws in place that require the data owner to notify individuals if their personal data has been compromised in any way. These laws will therefore require you to ensure that you are informed promptly of any breach, preferably defined in the initial contract.
Alternatively, if you find that your data has been breached, you may need to inform the cloud provider of the breach in case this has implications for its other clients. You are likely to be sharing an environment with one or more enterprises, and depending on the breach, this may affect some of them. Having defined mea- sures in place in the contract or an agreed incident response plan will ensure that both parties have defined actions that will help mitigate the consequences of the breach.
Litigation may affect either the cloud service provider or client, where your data needs to be accessed or given to a government agency or a lawyer. You will need to be satisfied that if you are asked to deliver specific data, your cloud provider can access and deliver the necessary data to the depth required. As the data owner, you will be held responsible if you cannot deliver it. If you, as the cloud service client, are in litigation with a third party, you must know how your cloud provider will react to requests for data, and in what timeframe. There are a number of compliance regulations related to e-discovery that will need to be met and will apply to both the provider and client.
There may be occasions when a cloud provider is contacted directly to provide data to a third party, via a court order or subpoena. The cloud provider needs to be made aware of, preferably in the contract, what actions to take in this event. You may well want to contest the request due to the confidentiality of the data or due to the unreasonable request. You will therefore need to be assured that the cloud service provider informs you in a timely manner and before it complies with the request.
©2011 Elsevier, Inc. All rights reserved. Printed with permission from Syngress, a division of Elsevier. Copyright 2011. “Securing the Cloud: Cloud Computer Security Techniques and Tactics” by J.R. “Vic” Winkler. For more information on this title and other similar books, please visit elsevierdirect.com.