Information: not always secure and not always available? Some simple solutions
- Published: Thursday, 09 March 2017 09:15
Availability and security are crucial and interconnected when it comes to business continuity management. Charles Boffin looks at the questions that organizations should ask their suppliers about both these areas and provides some useful tips.
The subjects of data availability and security have never been far from the headlines in recent months, with many reports of high profile cyber-security issues and downtime incidents. In the past few days, Amazon’s claim of nigh on 100% availability for its Amazon S3 cloud service lay in tatters after its largest US cloud region suffered an outage for over four hours.
The two subjects of availability and security are inextricably linked. For effective recovery, we need access to information and we need to know that it is accurate, up-to-date and secure. These are fundamentals. Now, the good news is that there is undoubtedly a growing focus (quite rightly) on these issues, but why does the pace of change seem at times to be so slow and why the inconsistency across different markets?
Whilst some businesses tend to cling to their own data, batten down the hatches and erect virtual barbed-wire fences, this is not always a practical approach when dealing with issues where data needs to be accessible from a range of external locations, particularly when internal systems suffer outages. Thus, information security and availability is very much a supply chain issue for most large organizations with both integrated third-party systems and/or trusted external suppliers providing crucial components in the end-to-end process. But remember, it’s your data and your responsibility. As in all ‘best practice’ arrangements, success depends upon mutual collaboration, understanding and taking a ‘reasonable’ commercial view leading to robust solutions. And, fundamentally, the answer is working with suppliers who can demonstrate that they are as scrupulous as you (if not more so) in their handling of your data; suppliers who have the right controls, processes and understanding of requirements.
At ClearView, we find that many RFP responses and contracts are now driven by the information security management (ISM) team. It is a long, complicated process that is often very time consuming. That’s good news. I would expect the same and am disappointed if it doesn’t happen, as is occasionally the case. Of course, this forensic investigation needs to be tinged with commercial realism.
So, where to focus on these two related issues?
Data – where maintained
The growth of ‘cloud’. It’s a much-abused term. Public cloud, private cloud. To cloud or not to cloud? It remains a hot topic but one where we are seeing changes in the global landscape as there is growing acknowledgement that cloud does not automatically lead to a lowering of security standards. The real question is appropriateness. If challenged by the board, can the resilience team demonstrate that they took appropriate measures to safeguard information. Now, what is ‘appropriate’? For a small business maintaining a website that is principally brochure-ware, resilience may not be a primary concern. Lose the site for a few hours and no major damage to brand or business occurs. But for a critical process in a major global organization, appropriateness means different and better solutions. Redundant solutions and near always-on is the key. For business continuity, this doesn’t rule out cloud-based solutions, indeed we have seen a growing recognition that such arrangements can provide the level of resilience and security that are appropriate for the purpose and offers the benefit that your business continuity solution is not dependent on internal infrastructure. Private clouds, discrete databases for each client, and full disaster recovery arrangements can provide solutions that equal (and in some cases, exceed) the levels of availability of internal systems whilst maintaining segregation and security. This is a changing market and we see more aggressive adoption of ‘cloud’ in the US in particular with, on the counter-side, a corporate aversion to all things cloud in other parts of the world, most notably the Middle East.
The other factor driving appropriateness is the ability to handle the data privacy requirements in different countries and how this impacts on data management. Some global organizations take a commercial view that, in operating in a large number of regions, the commercial imperative to manage information in a central repository is justified. But, for many others, due recognition of local data privacy rules is the driver. For suppliers, such as my own, who work with large multi-nationals, this means multiple hosting environments globally to ensure that each client meets its local requirements. And issues such as Brexit will only add further complexity in this area. The world will undoubtedly change but, for the time being, we are where we are and it is important for businesses to ensure that due process is followed at all times.
Tip: be scrupulous but realistic in your expectations of availability. Are there single points of failure? What levels of redundancy and resilience feature in your supplier’s processes/environments? Worst cases do happen, thankfully rarely, but does your supplier take as much care and responsibility as you would expect if you were in their shoes, providing the service. If you’re not sure then ask before you sign on the dotted line, not after.
Tip: ask your provider not just where their data centres / centers are located, but does your data cross borders in any processes e.g. to DR centres or other sub-contract supplier locations, possibly in other countries?
Data – security
Availability is key, but how secure is the environment? There will, inevitably, be the yin and yang relationship between internal risk/information security departments and their ‘business’ counterparts. Again, the keys are appropriateness and a degree of compromise. ISM departments will start from a base point of everything internal and business continuity teams will start from the polar opposite – the need for availability and accessibility for effective business continuity processes dictates that a SaaS/external solution is the preferred start point. Inevitably this compromise is driven by some key principles when looking at external providers or hosted solutions. These include:
- Does your supplier have the credentials to effectively manage your data?
- Are they ISO 27001 accredited (or the North American equivalent SOC2 Type II) and, if yes, is this across their entire organization, not just selected parts, remembering that information security is as much about people and process as it is about technology.
- Answers such as ‘Well, our data centres are accredited’ or ‘We follow ISO 27001 principles’ are just not good enough. When/if you have to explain a data security incident to the board, how credible will your story be if your key supplier is not formally accredited? Accreditation is a demonstration of independently audited quality.
- Where is the specific hosting environment? What security controls do they have in place and do these extend to subcontractors? Intruder detection systems? Log monitoring? No single points of failure? What are their BC and DR structures? What are their guaranteed RTOs? Has the environment been penetration tested by third parties and is this undertaken on an ongoing basis? Will they allow you to pen test? Do you have specific SLAs for both availability and issues management/reporting?
Tip: make sure that your suppliers are ISO 27001 accredited across their entire organization and all of their key suppliers if they are involved. Merely stating that a data centre is ISO 27001 accredited is NOT good enough, if they have access to your data from other locations.
So, where now?
Most organizations understand and accept that choosing the right system to help manage business continuity activity should not be taken lightly and that due diligence should form part of the selection process. But due diligence is not just functional or system, but also supplier. Ask your existing or proposed supplier the key questions above and be ready to push further. If your supplier does not actively welcome the opportunity to demonstrate their security and availability credentials, experience, capabilities and accreditations, ask yourself why? Come the time that a major incident occurs (and it will!), the board’s focus will inevitably and understandably be on the business continuity and resilience teams to demonstrate that they took reasonable and appropriate security and availability measures at all times, including all trusted partners and suppliers.