Your Cloud Held Hostage – Could It Happen?

  • Comments posted to this topic are about the item Your Cloud Held Hostage – Could It Happen?

  • Thanks Andy for the nice read, certainly a point worth highlighting!

    Guess you missed the most dangerous type of threat which are the Administration Lawyers, they have already claimed few victims.

    😎

  • And when someone does successfully attack one of these places I wonder how many companies will get screwed when they finally read the T&Cs with a lawyer?

    I don't doubt for one minute that on paper these installations are secure. The "all eggs in one basket" is okay when you can afford the geo-replication etc but not if you are a SME who will get pushed to the back of the queue when something goes drastically wrong.

  • Steve JP (4/6/2015)


    And when someone does successfully attack one of these places I wonder how many companies will get screwed when they finally read the T&Cs with a lawyer?

    I don't doubt for one minute that on paper these installations are secure. The "all eggs in one basket" is okay when you can afford the geo-replication etc but not if you are a SME who will get pushed to the back of the queue when something goes drastically wrong.

    There is quite a lot of talk going on in this space and Cloud clients are waking up slowly, it will still take a while until they realise the full potential threat.

    😎

  • While I served in the US Air Force we trained for a variety of contingencies such as a mass casualty, Hostage events and terrorist attacks on an Air Force base. The practice exercises ran base personnel ragged but the practice worked to train people how to react to complex situations. This was all done prior to the internet as we know it today. FWIW, I retired from the Air Force 28 years ago. The problems we face today are significantly more complex than those we faced 30 years ago. Businesses need to practice handling situations such as Andy described until handling the problem becomes second nature. This practice needs to go beyond basic DR exercises because there are many more situations that could impact the enterprise than inaccessible data.

    I would go a step further and recommend businesses considering going to a cloud configuration practice what they would do if the worst possible event occurred before they moved to the cloud. The results of such an exercise might cause management to rethink what they are planning.

  • Andy, you raise some excellent points. While I don't know, my guess would also be that the facilities are not ready for a military-style attack. As we've seen throughout the world, you don't need a government military to carry out a military-style attack. Another valid point is that because of the scale of these facilities, they are much more of a high-value target than most companies. Attacks on infrastructure aren't unheard of in the world today, and this falls into that category. This type of target also has the potential to impact a large number of companies all at once. I don't claim to understand the many different goals of terrorism in the world, but these large and valuable facilities would seem to fit the bill.

    Of course, an event like this would likely be categorized as an "act of war", which brings me to another type of terrorism - the lawyers. The terms and conditions documents and contracts are unbelievable. The essentially exist to indemnify the host corporation and absolve them of any and all responsibility for anything. I understand the overly-litigious nature of business today makes things ridiculous for anyone to do business, but denying responsibility for absolutely everything makes it a hard pill to swallow when you're asked to spend so much for a service. Most companies act well, but by the time the bad ones are discovered, how many people have lost their data and have no hope of recovery because they thought it was being taken are of?

    Great article, Andy.

  • I'll bring it up at our next IT meeting.

  • I loved Clancy's first nine books, but Red Storm Rising was my favorite. After the first nine they all seemed to be about the same thing with slightly different details.

    Be still, and know that I am God - Psalm 46:10

  • •A physical assault on the facility by an armed team to breach and then hold or destroy the facility

    •Car/truck bomb

    •Plane crash

    •Bio/chemical attack

    You left out lions, tigers, and bears.

    Oh, my ...

  • Amen. While I believe hosting can serve a purpose, I tend to be viewed as a naysayer due to my bringing up concerns about letting someone else own your data.

    While your examples may be extreme, they are by no means the only risks.

    Dave

  • Lots of subtle changes to the cloud. If we own the hardware and something goes wrong, we can prioritize what systems go back online first and we can always send drives out to a recovery service. If the "cloud" crashes we're just going to sit and watch until it comes back up, or not, if we're solely dependent on the cloud provider for recovery. Our answer to just about every question would be "don't know".

  • djackson 22568 (4/6/2015)


    Amen. While I believe hosting can serve a purpose, I tend to be viewed as a naysayer due to my bringing up concerns about letting someone else own your data.

    It's a good idea, of course to read any contract before potentially signing away one's rights. However, this article indicates three major cloud providers don't own your data - you do.

    At present, the relevant parts of the terms and conditions of leading hosted service providers are as follows:

    • Amazon Web Services

    'Your Applications, Data and Content. Other than the rights and interests expressly set forth in this Agreement, and excluding Amazon Properties and works derived from Amazon Properties you reserve all right, title and interest (including all intellectual property and proprietary rights) in and to Your Content.'

    • Google

    'It is important that you can access your Google data when you want it, where you want it - whether is it to import it into another service or just create your own copy for your archives.'

    • Microsoft Office 365

    'You own your data and retain all rights, title, and interest in the data you store with Office 365. You can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.'

  • GoofyGuy (4/6/2015)


    djackson 22568 (4/6/2015)


    Amen. While I believe hosting can serve a purpose, I tend to be viewed as a naysayer due to my bringing up concerns about letting someone else own your data.

    It's a good idea, of course to read any contract before potentially signing away one's rights. However, this article indicates three major cloud providers don't own your data - you do.

    Not to argue with you, but I was not speaking about legal ownership. The "possession is nine tenths" saying has merit here.

    If you host my data, and your building burns down, including all backups, I don't have any data. Therefore I don't own anything, you do, even if you only own the responsibility.

    Legally I won it, practically you do.

    Dave

  • If you host my data, and your building burns down, including all backups, I don't have any data. Therefore I don't own anything, you do, even if you only own the responsibility.

    I would imagine the host would make regular backups and store them offsite.

    I'd also think the host would have hot sites ready to go in case the building burnt down. (Hey ... if it burnt down, would that make it a hot site?)

  • GoofyGuy (4/6/2015)


    If you host my data, and your building burns down, including all backups, I don't have any data. Therefore I don't own anything, you do, even if you only own the responsibility.

    I would imagine the host would make regular backups and store them offsite.

    I'd also think the host would have hot sites ready to go in case the building burnt down. (Hey ... if it burnt down, would that make it a hot site?)

    And that is part of the problem. If you're hosting my data and your building burns down, the data is gone. If you don't have it backed up and recoverable, it's gone forever. I lose.

    If you do have it backed up and it's recoverable, I have to wait for you to recover it and make it available to me again. When will that get done? Who knows? Again, I lose.

    Cool play on words with the "hot site". 😉

Viewing 15 posts - 1 through 15 (of 66 total)

You must be logged in to reply to this topic. Login to reply