Monday, November 19, 2012

Hurricane Sandy and Disaster Recovery: Cloud to the rescue?

When looking at the aftermath of hurricane Sandy, the most important aspect of the event is the toll it has had on the people. The Atlantic puts the total impact in terms of dollars at $60 billion, with death toll at 123 people. However, those that survived face the challenges brought about by the flooding and living without power for weeks. For example, 4 million remained without power for extended period of time. This of course challenged individuals to keep their frozen food cold and live without technology for that period of time. As for companies, their disaster recovery plans were put to the test. Perhaps the most poignant example was the New York University Langone Medical Center who had to evacuate patients because their backup generators because they were located in the basements, which got flooded. Hospital officials defended their preparedness  but critics pointed out that the backup power generators "are not state-of-the-art".

Samara Lynn of PC Magazine published an article on how Sandy taught organizations valuable lessons from a Disaster Recovery (DR) perspective (she previously painstakingly put together a 4 part series for small and medium sized businesses on DR planning; see here, here, here, and here). Before I read the article, I was expecting a bulleted list of dos and don'ts when it comes DR planning. But what I was surprised to find is that companies are relying on cloud computing service providers to make up for the unavailability of local processing. Examples include:
  • A New York Architectural firm Diller Scofidio + Renfro used Amazon Web Services (AWS) to relocate the company's core applications, enabling users with the proper license configuration to access these applications right from their laptops. Also, the IT Manager, Chris Donnell, used AWS as a remote desktop during the disaster. (I encourage you to read the whole article as it details how Chris was in the middle of an email migration from Outlook to Gmail when Sandy hit; poor guy!). The company also used Panzura to store the data temporarily in the cloud.
  • Ring Central, a cloud-based pbx hosting service, (they sponsor TWIET and other podcasts on the TWIT network) was able to relocate their operations away from the storm. More importantly, they offer near instant recovery of phone support by plugging in a piece of hardware they can "bring in a live extension under 10 minutes". Naturally, there is an increased interest in Ring Central by those that were satisfied with the lengthy recovery times of their providers. 
The article also discusses how a service provider made DR as part of IT outsourcing service and how the key to DR is backup power. 

Although not related directly to cloud, one of the most amazing story that I've heard is how SquareSpace (SQS) kept it's platform up and running. Like the hospital, SQS had its back up generator in the basement and that got flooded. It published this blog post to inform customers of what was happening. However, the real interesting story is the lengths that team went to ensure the site stayed up and running. The team physically took fuel from the basement to the generator of the roof going up 17 flights of stair

Even more amazing was that the founder and CEO, Anthony Casalena, personally helped in this effort. Talk about Tone at the Top

Saturday, November 3, 2012

Can we live in the cloud? Prof Jeff Jarvis intends to find out

On This Week in Google (TWIG) episode 169, Jeff Jarvis, professor of journalism at CUNY, announced that he will be attempting to live only in the cloud and abandoning the comforts of offline desktops.  He recently moved to the Android eco-system (i.e. for his mobile device and tablet), which he accredits to Google's wide range of services from maps to Google Docs. Taking it to "whole nother level", Jeff is planning to live only in the cloud once he gets his hands on Samsung's ultra-cheap Chromebook, which is expected to retail for $249. The Chromebook (as its names suggests) is based on Google's Chrome OS, where the OS is basically the Chrome browser. Here's the ad in case you missed it:

As illustrated in the ad, the concept is that the Chromebook is something that everyone and anyone can use. The premise is: if you primarily do everything in the browser, then you really don't need a full laptop. A few years ago, as Leo Laporte pointed out in the episode, this experiment by the way of netbooks failed. Does Jeff have a fighting chance or will Leo tell Jeff "I-told-you-so" after Jeff experiment ends? Well, I think Jeff does have a fighting chance. Firstly, cloud computing has matured significantly since netbooks have hit the scene. Secondly, people are now accustomed to using tablets and smartphones as a way to get things done.

In a way the Chromebook represents an intersection between the trend of cloud computing and thin client devices and taking technology back to the early years of computing, where users had to "dial-in" from their "dumb terminals" into powerful mainframes. Except the Chromebook,smartphones, and tablets are replacing the dumb terminals, while the cloud computing service providers are replacing the mainframe.

Why should information security & privacy professionals care about this?

It is really about the price point. If Jeff Jarvis can successfully move to the cloud with this device, it means that the economics of the consumerization of IT has arrived. Think of a 10-person small business that is starting up. It really just needs email and office productivity apps for their clients. The IT cost would be $2500 for the hardware and then recurring cost of $500 a year for the Google Apps. The traditional  Dell laptop + MS Office license would cost about $6480 upfront + the cost of an email server + the IT resources an effort to maintain/patch the laptops and the server.

In terms of data redundancy, one could argue that all the data is on the cloud so it's actually safer. Theoretically, if the owner loses their Chromebook, they can just change their password and then the Chromebook is essentially just a "dumb" piece of hardware with no data. And as illustrated by these stats, this is no small benefit. Of course, cloud computing does have its risks as mentioned on a previous blog post and this publication (which I co-authored for the CICA). It's not that the risks in the cloud are insurmountable, but they are different then the ones we are accustomed to dealing with.

From a usability and information risk perspective I would ask these questions to Jeff Jarvis about his experiment:

  • Printing: What are the hiccups in terms of producing and printing formatted documents? What I am thinking about are the mundane things like resumes, reports and the like. 
  • Working with Luddites: How do you work with others that are not in the cloud? Sometimes working with a colleague the most efficient way to transfer a number of documents is via USB, especially when the other party does not have Internet access (e.g. think of locked down company laptops). 
  • Handling Sensitive Data: What is the sensitivity of the data that is being on the cloud? For example, we keep private things like tax files that contain SSNs, SINs, income, etc offline. So how would one keep such things private or is it matter of just living in public? For readers that are unfamiliar with Jeff Jarvis, he takes "what's the harm approach and has written two books (click here and here) on the topic of being more open and social with one's information. But I hope he can appreciate not everyone uses his "privacy settings" :)
  • Trusting cloud providers: What due diligence does someone do before trusting a cloud provider? I suppose this is a "leading question".  Accounting associations in Canada (i.e. the CICA) and the US (AICPA) have established Service Organization Control (SOC) Reports. These reports replaced the SAS 70 Type II reports in the US and Section 5970 Reports in Canada. So do you need this type of assurance before dealing with companies? Going back to the tax return example, one solution would be to use cloud-based tax services. But how do you establish trust that this information is appropriately. One may attribute my repetitive use of the tax return info to the fact that I am an accountant. However, to be fair Gina Trapani on a previous episode of TWIG did point out an accountant should not be putting tax info on the cloud unless it was encrypted. 
  • Securing data on the lost Chromebook. If the Chromebook is lost, what are the precautionary measures the person has to take? In other words, the theory meet reality. 
  • Making local backups:  Currently, we back from offline to the cloud, but how does this work in reverse? The reason this is important is illustrated by Mat Honan's Apple iCloud account getting hacked and watching helplessly as his data got deleted
  • Working without internet access: How many times does the lack of internet access due to being in a subway or non-WiFi become an obstacle to being productive?
  • Working through cloud outages: What happens if there is a disruption at the cloud provider or underlying infrastructure? Jeff lives in NY (and judging by his tweets; he's doing okay), so he does have some experience dealing with such a scenario given the disaster brought to his area by Hurricane Sandy. 

Assuming Jeff actually does gets his Samsung Chromebook and goes through with this experiment, I will post an update to this post.