Today I would like to share a few thoughts about the hidden risks there are when we make decisions or choose new types of technology. Technology by itself is not risky (cloud, replication, snapshots, backup,...) but each kind offers some functionalities but also has some limitations.
Risks usually come when technology is chosen without taking into consideration its limitations and, even more importantly, without understanding that the ultimate responsability lies with organitzation that adopts the new technology and it is also this company which is the most affected when something goes wrong. So, these companies must undestand and try to mitigate these risks everytime they choose a new technology because most of the time SLAs and penalities are meaningless and useless when it comes to a major issue in a critical environment.
To exemplify this point, I'll share the CODESPACES case.
Last month (June 2014), a company called CODESPACES.COM (http://www.codespaces.com/) had to close its business. They used to provide cloud services (code hosting) to 3rd party organitzations, however:
- They were targeted by a cyber attack they couldn't detect and stop
- They didn't have a right-for-me Disaster Recovery Plan with backups totally independent of production environments
As you can read on their own website: "Code Spaces will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in a irreversible position both financially and in terms of on going credibility."
Examining in more detail as to what happened:
- They had their production environments in Amazon cloud platform and the whole DRP was based on Amazon snapshots and backups (instead of having independent backup images outside the Amazon platform).
- They suffered a DDoS attack on the 17th of June and the hackers gained access to their Amazon admin console. Then, they erased all production enviroments and also all their snapshots and backup images.
- When CODESPACES.COM recovered access to their Amazon admin console they didn't have any system or application to recover the service from but even more importantly anywhere to recovery their data from, so they folded.
With new kind of technology coming up more and more frequently (like snapshots, cloud, and others), some customers are adopting some risky strategies like:
- "I stopped using traditional backup softwares because I think snapshoting tools are good enough"
- "I don't care about DRP and BCP for these environments as I moved them to the cloud"
Taking this case as an example, customers should be aware of the following:
- You should be prepared against cyber attacks
- Sending your production environments to the cloud doesn’t mean you shouldn’t protect them
- Snapshots are a good complement to backups but NEVER a replacement
Symantec, as the woldwide leader in information management and security, can help its customers to be better prepared to avoid these kind of situations by:
- Helping the customers to detect and stop highly sophisticated and targetted cyber attacks faster
- Offering external and independent backup and disaster recovery tools in order to be able to recover your data and systems even in the case that your whole data center (on-premises or cloud) has gone.
The following links contain additional information and interesting debates that came up after CODESPACES was attacked:
Joan García Sánchez
Information Management SE