Security and Business Continuity – Where are your weak links?

Content Copyright © 2015 Bloor. All Rights Reserved.
Photo: Dean Souglass

It’s been a trying couple of weeks for data centre operations managers. Google had the indignity of seeing some customer data completely wiped by multiple lightning strikes at its Belgian Data Centre. China’s National Supercomputing Centre was shut down temporarily in response to the huge chemical explosion in Tianjin. An electricity generator explosion in Los Angeles took out the power to 12 city blocks, severely disrupting Level 3 Communications in the area, which had knock-on effects for Internap and Equinix. The aftermath of the hacking of the Ashley Madison site rumbles on awkwardly, and the Co-op Bank in the UK, after all its recent woes, had to admit that it “does not have a proven end-to-end capability to recover from a significant and prolonged data centre outage.”

It is perhaps tempting to see some of the problems mentioned above as business continuity issues rather than security issues. The reality, however, is that all those incidents posed a threat to the security of systems and data, and ultimately to the security, or perhaps more accurately the secure future, of the companies involved. Don’t get me wrong, I know that all the companies involved take security very seriously, but in the complex supply chain of technical relationships and arrangements that is the norm in IT in the 21st Century there are any number of potential weak links.

More often than not we have found that those weak links manifest themselves at the interface between different companies, or even between different departments. There is often an assumption that the other party has it covered. A few years ago, as virtualisation was taking hold, there was a yawning gap between hosting companies and their customers over data security. The hosters secured the external perimeter, both physical and network, but left the securing of virtual instances to their customers. The customers meanwhile didn’t realise that this was their responsibility. With a range of different threats to face you have to ask yourself if that particular hand-off point between provider and customer is being better handled today.

Nowadays with hosters and MSPs using the facilities of a retail co-location provider, who might be housed in the building of a wholesale co-location provider who isn’t actually the building’s owner, an end customer has to ask some pretty searching questions about security to gain assurance that the weak links have been identified and mitigated.

The network issues are no less complicated. Internet Exchanges and Peering have changed the ways network traffic gets moved about and radically reduced networking costs for most enterprises. But these exchanges have become pinch-points, and problems there can take out fairly significant geographic areas from a networking perspective. When was the last time you looked at your disaster recovery and backup strategies? Does that backup site 20 miles from the primary site no longer look like quite such a good idea?

Which brings me finally to the Co-op. For them to admit to the threat from a data centre outage, you can only hope that they have a clear understanding of their risk appetite AND a robust risk analysis assessment. Ultimately there are so many threats to security and business continuity, and so many potential weak links, that it may not be practical to cover them all. However, you do need to take a holistic view, have a robust risk assessment strategy in place and understand what your risk appetite truly is.

This post first appeared on the old Cassini Reviews website.