The Internet Service Provider (ISP) where our website is hosted was hacked today, along with many other corporate websites the ISP hosts. Our index files representing our main website pages were defaced and replaced with the web page above, and access to our content was significantly restricted.
Apart from the public embarrassment of the inconvenience of having to fix it, the event made me think about the implications of offloading and trusting more pertinent data to the cloud:
- Most ISPs have no disaster recovery plan to deal with security breaches. They lack instant resources to help customers regain data access quickly. Our ISP blocked administration access to the websites to deter further vulnerabilities, which kept our website unstable for more than six hours.
- Most ISPs have backup mechanisms but lack the knowledge (and resources) to reload and restore a consistent state specific to each client. As a result, clients should always rely on their local data store to rebuild quickly and with the most recent and consistent state. For precisely those reasons, we consciously decided not to host our blogs in the cloud but to use desktop software (that we can back up ourselves). We could not imagine waiting in line with hundreds of other distraught customers to retrieve a unique, consistent state of information from the last generic backup.
- Security vulnerabilities remain rampant, and the technology provided to fix these are highly fragmented and far from waterproof. Physical, perimeter, viruses, logical, and application security technology desperately keep trailing the latest tricks deployed by hackers, with concentrated cloud attacks providing a more considerable destructive impact than the simple defacement of a few web pages. The fragmented technology security industry is poorly aligned with the encompassing security needs of the emerging cloud.
- Few companies have a well-defined security strategy and little transparency in the breadth of their security capabilities. Even fewer ISPs have addressed logical application vulnerabilities, which is equal to securing the front door of your house while leaving the windows open. And the number of applications, protocols, and services exhibiting vulnerabilities will increase dramatically.
There are significant advantages to entrusting your data to the cloud (for one, a single point of truth). Still, with many underfunded (or “capital efficient”) companies struggling to escape commoditization and making wonderful promises, the chance of someone else gaining access or destroying years of valuable work is exceptionally high.
So, before you entrust your data and applications to the cloud, ensure you have the backups to switch immediately and stay in control of your mission-critical processes and information. We did, and in less than 5 minutes after a six-hour irritating wait for the ISP, we were back online.
