The Internet Service Provider (ISP) where our website is hosted was hacked today, along with many other corporate websites the ISP hosts. Our index files representing our main website pages were defaced and replaced with the web page above, and access to our content was significantly restricted.
Apart from the public embarrassment and the inconvenience of having to fix it, the event made me think about the implications of offloading and trusting more pertinent data to the cloud:
- Most ISPs have no disaster recovery plan in place to deal with security breaches. They lack instant resources to help every customer regain access to their data quickly. Our ISP blocked administration access to the websites to deter further vulnerabilities, which kept our website in an unstable state for more than six hours.
- Most ISPs have backup mechanisms but lack the knowledge (and resources) to reload and restore a consistent state specific to each client. As a result, clients should always rely on their local data store to rebuild quickly and with the most recent and consistent state. We made a conscious decision years back not to host our blogs in the cloud but to use desktop software (that we can back up ourselves), for precisely those reasons. We could not imagine waiting in line with hundreds of other distraught customers to retrieve a unique, consistent state of information from the last generic backup.
- Security vulnerabilities remain rampant, and the technologies provided to fix them are highly fragmented and far from watertight. Physical, perimeter, virus, logical and application security technologies desperately keep trailing the latest tricks deployed by hackers, with concentrated cloud attacks providing a more considerable destructive impact than the simple defacement of a few web pages. The fragmented technology security industry is poorly aligned with the encompassing security needs of the emerging cloud.
- Few companies have a well-defined security strategy, and there is little transparency in the breadth of their security capabilities. Even fewer ISPs have addressed logical application vulnerabilities, which is like securing the front door of your house while leaving the windows open. And the number of applications, protocols, and services that will exhibit vulnerabilities will increase dramatically.
There are significant advantages to entrusting your data to the cloud (for one, a single point of truth), but with many underfunded (or “capital efficient”) companies struggling to escape commoditization and making wonderful promises, the chance of someone else gaining access or destroying years of valuable work is extremely high.
So, before you entrust your data and applications to the cloud, ensure you have the backups to switch at a moment's notice and stay in control of your mission-critical processes and information. We did, and in less than 5 minutes after an irritating six-hour wait for the ISP, we were back online.