These days we're probably all aware of the cloud. Recent announcements from Microsoft and Amazon, which show an ever-growing customer base for both their cloud platforms (Azure and AWS respectively), prove cloud services are growing ever more popular.
You will find the advantages of cloud services are touted by many. Shouted about less often are some of the potential downsides involved in offloading your business IT to the cloud. The following are two such downsides.
Last week one of our customers asked us to investigate a problem. They were having trouble accessing quickfile.co.uk. We quickly confirmed the issue lay with the site hosts and found tweets from the company explaining they were experiencing a DDoS attack. This particular site is a cloud-based accounting platform and quite likely business critical for their customers.
Later in the week another cloud service supplier, the DNS platform Dyn DNS, also had a service outage in some locations. The outage appears to have caused large-scale problems accessing some of the busiest sites in the world. Again, a DDoS attack was attributed as the cause.
These are just two recent examples of cloud service outages that our customers have encountered.
The news over the past several years has been full of reports of security breaches affecting well-known companies.
One such breach, that of leading cloud storage provider Dropbox back in 2012, has only recently come to light. The breach led to the email addresses and passwords of some 68 million users making their way online.
The Glo team can rely on hearing one thing from one of our colleagues whenever news of such cloud service issues reaches us: "It never rains in the cloud." It's become a bit of a catchphrase of our technical lead Karl.
Unfortunately, cloud services aren't as impeccably reliable as Karl's sarcasm. Here's the thing: you should expect and plan for them not to be!
Glo enthusiastically promotes using cloud services; we even provide some ourselves. However, we always make it clear to our customers that the cloud is not the absolute answer to all their IT needs.
Cloud providers are not infallible.
Wherever possible we ensure cloud solutions our customers implement have a backup in some shape or form. We encourage our customers to encrypt all data stored in the cloud and also encourage the use of two-factor authentication for access. We also suggest the most sensitive data may be best kept out of the cloud entirely.*
The way we typically put these two points across to customers is something like this:
"Whatever portion of your business is in the cloud, you need to assume that portion will be unavailable for a period. This period is entirely beyond your control."
"You should assume all data stored in the cloud may someday be accessible to people other than those authorised."
While this may seem a little drastic, we've found it's the best way to get customers to think about this in the right way. We then go on to explain:
"For most services, there are acceptable levels of downtime. You should have a plan for moving the service to a backup solution if you know about downtime in advance. In the event of unexpected downtime above the acceptable level, you should be able to move the service to your backup solution quickly."
"You should be aware of the location of any data you hold that is of a sensitive nature. You must consider the worst-case consequences should any data be leaked before moving any data to cloud storage."
Be very wary of putting all your metaphorical eggs in the cloud basket. You should plan for all cloud services to be unavailable, sometimes suddenly and for extended periods. You should also be aware that the security of these services is not guaranteed. Unfortunately, it does sometimes rain in the cloud!
If you would like advice on cloud services and how to mitigate the security risks and possible downtime for your business, the Glo team would love to help. You can find our contact info here.
*Storing your data onsite has its own risks and ways to mitigate them. We work with customers to ensure data they hold themselves meets their security requirements.