Another unpleasant aspect of our new “information economy”.
A promising young start-up (Code Spaces) was held up for ransom by an intruder who broke into their AWS account and took control. The digital kidnapper wanted a payoff, or else …
A sad posting says that — basically — all their customer’s data is gone, and they’re done for. That’s it. There’s no coming back for them. Not to mention the pain inflicted on their trusting customers.
In a not entirely-unrelated story, in the US, the IRS (the tax agency) is in serious hot water because they can’t produce emails in the context of a congressional investigation. The excuse? The emails were on a personal hard drive (??), which failed, and has long been disposed of.
While the IRS is not out of business (after all, they’re a government agency), they’re certainly seriously impacted by the incident, making doing business more difficult. No, I’m not going to try and claim the same with my personal tax records …
And with every tragedy, there are lessons to learn.
Do You Have A REAL Backup?
IT professionals know that a REAL backup is one that’s completely separate and isolated from the original data source as many ways as possible: separated logically, separated physically, stored on different media technology, different access credentials, etc.
The more kinds of separation, the better the protection.
I have taken ridicule for this position before (e.g. people who consider a simple snap a backup), but I’ll stand my ground. All those snapshots aren't doing Code Spaces much good now, are they?
If losing data permanently and irretrievably would be an unmitigated disaster, then extra precautions are needed.
What’s Changing
What’s become popular recently is a new breed of “digital kidnapper” — someone who extorts ransom to avoid the loss of your data.
We all know (or should know) about the recent spate of malware that encrypts your personal hard drive. If you derive your livelihood from your personal computer (as many of us do), this can be a life-altering experience.
If you didn’t have religion about real backups before, you’ll certainly have it now.
The Cloud Angle
Code Spaces appears to have run entirely on Amazon’s AWS — primary data, backups, etc. In my book, that’s dangerous — if AWS has a bad day, you have an even worse day. And everyone has a bad day, sooner or later.
All access was through their control panel. The bad guy got access, and he was in business. Not being deeply familiar with AWS, I’m now very curious about how access control is set up for AWS’ control panel.
An awful lot of valuable data is stored there — think of it as a huge bank — and one now has to ask questions to see if it could happen again, and what steps would be necessary to prevent that.
A related question: was there anyone at AWS they could have contacted to help out? Amazon’s model is highly automated; when a customer has a crisis of this magnitude, I would guess they’re not set up to respond quickly, if at all. The service did what it was designed to do.
In hindsight, if Code Spaces had been making simple lazy copies to anything else — a home computer, a server elsewhere, etc. — the effects of the attack could be somewhat mitigated. They’d be in business, after a stretch.
That’s the value of a real backup: when something bad happens, you’re injured, but you’re not dead.
Shifting Tides
Not all that long ago, most business processes ran on a combination of paper and digital. If the computer lost data, you could always go back to paper records, and attempt to recreate things.
Not anymore. There’s no paper trail. Lose the data, it’s gone. Although, in the case of the IRS, I bet those emails are somewhere :)
Information is the new wealth, the new repository of value. That’s going to attract bad guys — if not for IP theft, then for ransom attempts.
Just like you can get your bank account cleaned out, you can get your cloud account cleaned out — with similar disastrous impacts.
This is not a criticism of clouds, or AWS, or anything else — just that the world has changed, and we must think and act differently to protect our information.
No comments:
Post a Comment