Is a Cloud Server the best solution to decrease the time to recovery for small and medium businesses? How reliable a solution is the cloud?
With so many people working from home due to the coronavirus pandemic, many companies will be moving their data onto a cloud server. From a security, operational and legal perspective – what issues does the cloud raise?
Feeback from BCP Builder Community on LinkedIn:
Data in Triplicate
- If your data is not in 3 places then it doesn’t exist. This is true for local and cloud computing.
- IT service continuity management is an essential element in your solution considerations. A Cloud server in essence is just your data on a longer wire and as with local computing good configuration can improve the hardware fault tolerance, providing a highly available processing environment.
- The accidental or malicious theft, deletion or corruption of your data is still as possible, if not more possible, depending on the service you purchase from your cloud provider. One example is remote physical and technical administration. Also service levels alone are not an indicator of capability. You must test the service for its fault tolerance and recoverability should your data become permanently unavailable. Finally the migration to a cloud server, as with every IT change should be challenged. Roll back options should be considered at multiple points during and after deployment. Using a Cloud server is not a universal panacea. Therefore, it should be scrutinized to understand the risks up front before deploying it as a solution.
Governance and SLAs
- It is important to remember that governance and due diligence is still yours (the company). A direct Business Continuity and Crisis Management Plan should be in place for issues from the providers end and from the company which must include Service Level Agreements for response.
- Never assume that “it’s in the cloud” means that your data is backed up, your retention policies are automatically reflected in the service and that you have the redundancy you think you have. Make sure you understand your contract and in the words of Ronald Reagan “trust but verify”.
- Service providers cannot restore all servers/datasets at the same time. Where does your company fall on the priority list?
- If a company subscribes to another countries cloud service provider, you should be aware of the regulatory requirements. It might be different depending in which country the cloud server resides.
- Ask your provider for their certifications.
- ISO 27001 (for information security – basically to make sure they are doing their utmost to keep your data and information safe).
- ISO22301 (for Business Continuity – basically to make sure they are doing their utmost to make sure the service is there when you need it) then you are on the right track.
- If you find a good provider then they should be experts on all of this as it is their business. And you can keep the focus on your business, knowing this has been taken care of.
Somebody else’s computer
- Remember that a cloud server is just someone else’s computer. The cloud can go down (and has), accessibility from the area of impact may be diminished, and data sovereignty may be an issue. You also need to purchase the disaster recovery replication option in whatever form that appears — and you need to test that. Data latency and deterministic computing may also be an issue in ICS applications such as process or transport control systems.
- If the risk assessments and checks have all been done, the cloud is a great way to provide resiliency for file systems and applications. Resiliency is always better than recovery if it is fit for the business purpose and budget. Even large organizations can benefit from cloud based solutions for many parts of their application portfolio. Just remember to keep your access credentials available, and not on a bookmark on your work PC!
Reputable service providers
- The cloud is definitely a viable option for Small and Medium businesses. However, caution must still be taken. The recent news about 20 VPS providers that ended operations with 48 hours notice is a perfect example.
- Choosing reputable providers is important. On the security front, we will likely see many more destructive attacks against cloud infrastructure. In the past attackers attacked individuals, then companies, now we see them focusing on MSPs and SaaS providers. It’s only a matter of time before cloud providers are the target. Even so, organizations must still consider resiliency within the cloud.
- Always work with reputable service providers. 20+ (at least) VPS providers are bolting with customer’s money (and data?) https://www.zdnet.com/article/20-vps-providers-to-shut-down-on-monday-giving-customers-two-days-to-save-their-data/
Security and Vulnerability Concerns
- In some ways the cloud makes organizations more vulnerable. This is because cloud providers may be super secure and nearly invincible. But when you think about it, most of these applications are accessed with a username and password. Now, the attackers don’t need to get access to your network infrastructure. They just need your username and password. And we know that’s not hard to get. We regularly get passwords and bypass 2 factor authentication on penetration tests. The attackers do too. All things that must be considered when considering cloud.
- The “Cloud” still exists in physical form someplace. As such that location is subject to all natural and man-made threats.
A hybrid approach
- You should consider a hybrid approach which finds the middle ground between storing all of your data with a cloud provider and an on premise approach. There is no cloud without internet and no data if your on premise infrastructure fails for any reason.
- The Cloud should be more reliable than on premise because cloud providers dedicate their profession to IT. Whereas a car dealership or other small/ medium business could not afford the infrastructure and operation, such as a Tier IV Data Center.
- Cloud may not be the perfect solution. While still flawed, it’s much better than on-premise in the long run. The main reason is that for 99% of small and medium businesses building their own data center with this level of security, availability, replication options etc. is impossible.
- I never met anyone who had too many backups when disaster struck.
- Cloud is a good way of transforming costs and ensuring better up-time, but on its own it’s not the a great control. This is because the risk of data loss is still present if there is no backup solution. Moving to the cloud just means someone else is responsible for the hardware/utilities. You are still accountable for the data. Which is why if you have cloud hosting and no backup solution, you are still at risk.
Any move to cloud is a transformation project, the drivers might be continuity and resilience but it’s still a project:
- 1. Scope and responsibilities: I/PaaS Cloud is just “someone else infrastructure”. Who has what responsibilities? Does the client party have the skills and expertise to fulfill their side of the bargain in the new Meta. Is retraining needed? Is the SLA good? How about knowledge cascade and documentation? There are plenty of horror stories around unsecured AWS buckets resulting in terrifying data leaks.
- 2. Design and desired outcomes: SaaS Cloud isn’t always continuity centric. Office 365 is definitely resilient but it doesn’t have point in time restore capabilities for example.
- 3. Legacy systems: Can you port everything?
- 4. Risk Shift: You’ll need to evaluate any “to be” with a new RIM project.
- 5. Cost: What kind of data and user growth do you expect? What risk of provider lock in do you run? How agile is the pricing model? Is there scope change if you need to restructure the business somehow or are we signing a potential financial anchor?
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.