Most IT people have a worry about having critical systems and operational data offsite and under the control of a third party, especially now that the hosted Cloud is a realty for many. If they are running on a hosted platform, they were sure to have an Online Backup clause in the service level agreement with the hosting organisation, but that nagging fear is still there. The prudent take a belt and braces approach and backup their Cloud Storage independently. Even when running an inhouse private Cloud Storage environment, Online Backup is still a priority.
Ways to Lose Data
In 2015 MWeb Business in South Africa had a major systems failure in its Business Hosting service. Their systems were down for three days and resulted in a total data loss for all their business clients. Basically, if the client didn’t have an independent backup, all their data was lost.
Malicious Cyber Attack
A second and obvious way to lose data is a malicious cyber-attack to steal or destroy data held on hosted or private systems. Again, this has happened. One of the best-known was only disclosed publicly in 2014 despite being known about for at least two years – the Heatbleed vulnerability. User access to websites is secured by the Secure Sockets Layer (“SSL”) technology. Version 1 of the Open SSL implementation was rendered vulnerable to attack by a bug allowing theft of user-ids and passwords.
Despite it affecting only one implementation of SSL, and only one version of the Open SSL software, it caused world-wide panic, even to the extent of a British Cabinet Minister advising users to change their passwords on all the websites they use.
User error – Mistake or Deliberate
Another way is users, both end-users or support staff accidentally or maliciously stealing or destroying data.
Weather can also play its part. In 2012, a major storm took out an Amazon Web Services site. All AWS services, including Netflix and Instagram were down for about six hours.
What to Do
The current recommended approach is to prepare a Data Loss Prevention (“DLP”) systems plan. Not all installations have one, but they should. As Data Centre Knowledge point out, up to 2015 data breaches and their costs in money and the loss of privacy in the US Healthcare industry have been staggering:
- Total Breaches: 495
- Total Records: 21.12 million
- Total Cost: $4.1 billion
- Average Size: 42,659 records
- Average Cost: $8.27 million
- Average Time to Identify: 84.78 days
- Average Time to Notify: 68.31 days
And those are only the ones we know about.
We need to make some assumptions about what DLP is there to do. These generally revolve around management of data:
Ensure Cloud Data Backup Systems are Enforced
MOST IMPORTANT. Make sure that your Cloud Data Backup systems are enforced, checked regularly and the backed-up data is restorable. It wouldn’t be the first time that supposedly secure backups don’t actually work.
Implement Security Policy
Make sure sensitive or critical data does not leave the corporate network. It can exit in emails, be uploaded to customer cloud services like OneDrive and DropBox, and on portable media like flash drives, smartphones and removable hard drives.
To manage this, prepare business rules to classify and protect confidential, sensitive and critical data. Many malware protection software applications, including Symantec and McAfee have a DLP component that uses rules to prevent sensitive information leaving the corporate environment. For example, an email classified as confidential can’t be forwarded outside the corporate domain, a sensitive file can’t be uploaded to external Cloud Services like Dropbox or OneDrive.
Ensure Environment is Safe
Digital Transformation, especially Bring Your Own Device (“BYOD”) and mobile computing can drive a coach and horses through the rules you have carefully developed in step 2. You need to ensure that the Cloud DLP environment you are implementing can monitor and control all user activity, irrespective of their location, systems environment they are using and whether they are using the corporate network or not, perhaps logging in from a WiFi service at their local shopping mall. Stopping users from working anytime and from anywhere will not be popular.
As more and more organisations move towards the Cloud, a DLP is no longer an option. Prepare one now.