Let’s set the stage for a potential downpour – Operation Trident Tribunal, an ongoing operation conducted by the Federal Bureau of Investigation (FBI) from the United States in conjunction with law enforcement officials from Canada, Cyprus, France, Germany, Great Britain, Lithuania, the Netherlands, Romania, and Sweden (citation). The purpose for this operation is to identify and shut down Scareware rings. Scareware by definition is any application that simulates a virus and causes anxiety or panic. So, considering the fact that the Federal Governments are actively monitoring and looking for Scareware and potential threats, how could this affect your organization’s processing move to the cloud? Are you going to be caught out in the rain?
To illustrate what the downpour can look like, on June 23rd, 2011 the FBI along with Ukrainian and Latvian officials shut down two illegal Scareware organizations. Together scamming over $74 million USD, these scams pose a significant problem to the internet community as a whole. To shut down the operations, law enforcement officials seized entire server racks from the hosting organization which in turn knocked several legitimate businesses offline through their search and seizure efforts – sounds like a storm brewing to me.
Wait…Entire server racks? Legitimate businesses offline? The FBI seized information that wasn’t entirely tied to the Scareware rings? Is this a scenario that could impact your organization because of your cloud vendor?
Let’s take a look at how this occurred here in the U.S. and why. By the letter of the law, the FBI was within their rights to seize all electronic material (data and devices) that is potentially suspected of being involved in illegal activity. The fact that legitimate businesses were hosted on those servers is normally of no concern to their investigation. Therefore, those legitimate businesses hypothetically just “went down” or lost access to their websites or CRM. Regardless of the items hosted, even with a backup plan, disruption and a potential hail storm could be on the horizon because of this unexpected and unplanned for action.
So, how do you as an organization protect yourself from this? As IAITAM stresses in all their courseware, “is it in your contract and have you done your due diligence on your chosen vendor?”
One key item in any business relationship of course is the contract. Doing your due diligence and verifying that the vendor is living up to their agreed upon terms and conditions is a start, but in cases such as this Scareware ring bust, that is not something that an organization would possibly consider remotely imaginable, but there are ways to safeguard the organization in case such an instance occurs.
With a standard contract in place, under this scenario, the hosting service did not deny service or cut access. The point-of-failure was not because of failure on one part or another, but instead because of an external interrupt of sorts – a federally orchestrated seizure.
So what is the proverbial “point-of-failure”? Generally speaking, a point of failure within a contract is where an obligation is not upheld by one of the parties and therefore the contract goes into default. As an observer to this happening, one cannot determine whether or not this occurred, but another thought does come to mind which may have short circuited any long term downtime for those legitimate organizations caught up in the confiscation.
As mentioned above, as the customer, it is imperative that you conduct your due diligence when entering into hosting, SaaS or Cloud-type agreements. Inadequate contractual language can lead to this lesser known point-of-failure such as incomplete clauses, shared server environments, a lack of understanding as to how your data is stored or backed up and what recourse you have at your avail if a failure such as this occurs in the first place. These are just a few items that should be on your checklist before you enter into a binding agreement.
With cloud computing becoming a viable option in today’s businesses model, understanding and planning for server space and security of your data is a must. IAITAM has advocated that whenever any sort of data storage, including cloud computing and SaaS is used, that a dedicated server be strongly considered. This often comes with an additional or more expensive monthly payment but you have to consider the alternative – this being only one possibility. The fact is that from a compliance and risk mitigation standpoint, the added expense is justifiable when considering avoiding a catastrophic event such as the seizing of a server with your data on it by the FBI.
Disaster recovery, risk mitigation such as this and eventual data recovery and backup options should be thoroughly researched and discussed both within your internal ITAM program as well as with those vendors that you consider mission critical to your operations. New challenges present themselves for organizations every day along with new risks when technology enhancements cause the organization to change the way they incorporate IT into their environments such as exists with cloud computing models. Because of these new methods of operating, it is apparent that the organization must be even more meticulous when reviewing contract language and migrating their internal processing to external resources. You don’t want to move to the cloud with high hopes of reducing costs and support and instead find yourself in a whirlwind of activity trying to recover your data and unable stop the looming tempest about to hit.