A couple of weeks ago, I got caught in the Porter Airlines network outage. I was heading back from a meeting in Ottawa and we had managed to get to the airport on time, only to find that we could not get on our flight because the "system was down". Although I was scrambling to figure out how to get back to Toronto, my colleague had it much worse, as she had a connecting flight back to Windsor! For me it was one of those "checkout" moments. You know, when you are at the grocery store and the guy ahead of you is haggling with the attendant, and you think to yourself: "Should I wait for this situation to resolve itself or move to the next line?" As the Porter folks informed us that they would give us a refund, I decided to book the next Air Canada flight back to Pearson (instead of Billy Bishop airport, where I had parked). Although I was supposed to fly out at 9:20 PM, they managed to put me on the 7:30 flight. A number of us at the back were "refugees" from the Porter flight. It is tempting to get exasperated and complain in these situations, but one of my fellow refugees pointed out how this is essentially a "first world problem": we only ended up waiting about an hour, and we had all the amenities (food, water, shelter, etc.) waiting for us when we got back to Toronto!
As reported in the Toronto Star, the outage was caused by a failure at Navitaire, the provider of the "reservation and flight planning system" that Porter outsources to. It turns out that other airlines, such as Air Tran, were also affected by the outage.
Surprisingly, this is not the first time that Navitaire has experienced an outage: the company also had one in 2010 that affected Virgin Blue. As would be expected, Virgin sued Navitaire; the case was settled out of court. As the Register noted when commenting on the 2010 outage:
"It is becoming more and more obvious that Navitaire's business continuance and disaster recovery provisions failed completely in this outage. There should have been standby systems ready to take on the load of any failed system or system component, but there weren't any. That is a blunder of the first magnitude by whoever designed, implemented and ran the system."
Well, it seems that the "blunder of the first magnitude" has repeated itself only three years later.
As readers of my previous posts know, I have written about the cloud from a CPA perspective, so the logical question is: where is the SysTrust or other third-party review of Navitaire's IT controls that would give its customers assurance that this type of thing doesn't happen?
Well, I could not find it. The brochure for the services offered by Navitaire does not mention a third-party audit report. It is possible (although unlikely, given the cost) that Navitaire instead allows its customers to send in their own auditors.
Regardless, the incident illustrates the need for customers who outsource their operations to third parties to obtain an assurance report (e.g. a Trust Services report) confirming that the controls they depend on (e.g. disaster recovery and tested standby systems) are actually in place, rather than taking the provider's word for it.
To Porter's credit, they gave me a refund and a free flight to anywhere they fly, so from their end they did their best to make amends for the fiasco.
Technology, security, analytics and innovation in the world of audit and business.
Showing posts with label Outsourcing. Show all posts
Monday, September 30, 2013
Sunday, January 20, 2013
Unauthorized Access to China? Value of IT Audits and Control Frameworks
Various media sites and blogs, including the BBC, picked up on the story reported on Verizon's security blog about one enterprising individual who decided to apply what all the major manufacturing and service companies are doing: outsource work to cheap labour pools in China (and India). According to the Verizon post, the individual would basically show his face at work and surf the Internet while the developers in China did all the hard work. Although many have attacked him as lazy and "scamming" the system, the reality is that many enterprises, such as Apple, depend on such strategies for their profitability. Regardless of this debate, the individual ultimately violated his agreement with the company. (I am assuming that he had standard terms of employment that required him to do the work assigned to him and not to hand his credentials to unauthorized users.)
From an information security risk and control perspective, this story is a good one for IT audit and security practitioners to highlight the importance of IT control frameworks, risk analysis and audits. The company that discovered the issue was reviewing its security logs. As Andrew Valentine notes in the original Verizon security blog post on the incident: "In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review)." Effectively, the DBIR acted as a control framework: it illustrated the importance of best practices to those who read it, and that is ultimately the role of IT control frameworks. COBIT, Trust Services and ISO 27001/27002 all identify the need to log access and to review those logs. COBIT 4.1, published by the Information Systems Audit and Control Association (ISACA), identifies the following control:
DS5.5 Security Testing, Surveillance and Monitoring
"Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed."
Trust Services, jointly published by AICPA and the CICA, requires the following (See the Security Principle, 3.2(g) on page 10):
"The information security team, under the direction of the CIO, maintains access to firewall and other logs, as well as access to any storage media. Any access is logged and reviewed in accordance with the company’s IT policies."
ISO 27001/27002 list "Audit logging" as control 10.10.1 (see page 5 of this sales document from Splunk, a big data company that analyzes logs). ISO sells the standard rather than publishing it openly, so no direct link to the control can be provided.
The other important aspect of this story is that the people who read Verizon's DBIR understood how the control related to a specific risk (if you read the report, the information security controls it identifies are linked to the risks they manage). Consequently, to get buy-in, IS assurance professionals need to link IT controls or frameworks to the risks they address; presenting controls in isolation fails to illustrate their importance. It would be interesting if ISACA could either team with Verizon on the next report or map the report to its framework.
Finally, Verizon's work illustrates the importance of IT audit. Organizations that want to keep on top of security threats and risks need competent security and risk professionals who can investigate and analyze risks when they are identified.
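To make the control that COBIT, Trust Services and ISO 27002 all describe concrete, here is an added example (mine, not code from the Verizon post or from any of the frameworks) of the kind of VPN concentrator log review that caught the contractor. The log lines, user names, line format and field names are constructed and assumed; a real concentrator's syslog output differs, and the `country` field is assumed to have been added upstream by a GeoIP enrichment step. The review flags two things: a session from a country the user is not expected to connect from, and overlapping sessions for one user from two different source addresses, which means one set of credentials is in use from two places at once.

```python
"""Review VPN concentrator session logs for anomalous access (added example).

The line format below is a constructed, simplified one; the country field is
assumed to have been added by an upstream GeoIP enrichment step.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed line format, e.g.
# 2012-05-02T08:03:11Z vpn01 session-start user=bob src=203.0.113.45 country=US
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) session-(?P<event>start|end) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)


@dataclass
class Session:
    user: str
    src: str
    country: str
    start: datetime
    end: Optional[datetime] = None  # None while the session is still open


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_sessions(lines: List[str]) -> List[Session]:
    """Pair session-start and session-end lines per (user, source address)."""
    open_sessions: Dict[Tuple[str, str], Session] = {}
    sessions: List[Session] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # keepalives and malformed lines are ignored
        key = (m["user"], m["src"])
        ts = parse_ts(m["ts"])
        if m["event"] == "start":
            s = Session(m["user"], m["src"], m["country"], ts)
            open_sessions[key] = s
            sessions.append(s)
        else:
            s = open_sessions.pop(key, None)
            if s is not None:
                s.end = ts
    return sessions


def find_anomalies(sessions: List[Session], expected: Dict[str, Set[str]],
                   log_end: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, finding, detail) tuples.

    expected maps user -> countries that user is allowed to connect from;
    log_end stands in for the end time of sessions still open when the log ends.
    """
    findings: List[Tuple[str, str, str]] = []
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    for user, sess in by_user.items():
        allowed = expected.get(user, set())
        for s in sess:
            if s.country not in allowed:
                findings.append((user, "unexpected-country",
                                 f"{s.src} ({s.country}) at {s.start.isoformat()}"))
        # Two sessions for the same user from different addresses whose time
        # ranges overlap: the credentials are being used from two places at once.
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if a.src == b.src:
                    continue
                a_end = a.end or log_end
                b_end = b.end or log_end
                if a.start < b_end and b.start < a_end:
                    overlap_from = max(a.start, b.start).isoformat()
                    findings.append((user, "concurrent-sources",
                                     f"{a.src} ({a.country}) and {b.src} ({b.country}) "
                                     f"both active from {overlap_from}"))
    return findings


# Constructed sample log: documentation IP ranges, invented users and times.
SAMPLE_LOG = """\
2012-05-02T08:00:12Z vpn01 session-start user=alice src=203.0.113.10 country=US
2012-05-02T08:03:11Z vpn01 session-start user=bob src=203.0.113.45 country=US
2012-05-02T08:10:40Z vpn01 session-start user=bob src=198.51.100.7 country=CN
2012-05-02T08:12:00Z vpn01 keepalive user=alice
2012-05-02T17:00:05Z vpn01 session-end user=alice src=203.0.113.10 country=US
2012-05-02T17:05:30Z vpn01 session-end user=bob src=203.0.113.45 country=US
2012-05-02T18:30:00Z vpn01 session-end user=bob src=198.51.100.7 country=CN
"""

# Assumed per-user policy: where each user is expected to connect from.
EXPECTED_COUNTRIES: Dict[str, Set[str]] = {"alice": {"US", "CA"}, "bob": {"US", "CA"}}
LOG_END = parse_ts("2012-05-03T00:00:00Z")


def review_sample() -> List[Tuple[str, str, str]]:
    return find_anomalies(parse_sessions(SAMPLE_LOG.splitlines()),
                          EXPECTED_COUNTRIES, LOG_END)


if __name__ == "__main__":
    for user, kind, detail in review_sample():
        print(f"{user}: {kind}: {detail}")
```

Run on the sample, the review raises nothing for alice and two findings for bob: a session from CN, which his policy does not allow, and that session overlapping with his US session from a different address. The second check is the more robust of the two, since it does not depend on the GeoIP data being right; in the Verizon case the contractor's own credentials were in use from overseas while he was in the office, which is exactly the pattern a review like this surfaces.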
Sunday, September 30, 2012
MS Office goes Cloud: Quick overview of benefits and things to watch out for
Earlier this month, CNET's Mary Jo Foley reported on Microsoft's move to Office 2013. As noted in a previous blog post, this is a huge year for Microsoft as it moves to the tablet-centric Windows 8 operating system. Well, they seem to be doubling down on dramatic shifts as they launch a SaaS offering of their ubiquitous Office productivity suite: Office 365. Mary Jo reports that Microsoft will give a choice between purchasing Office 2013 as "normal" or as a subscription to the cloud version of the software. To sweeten the offer, Microsoft is including the following extras (credits: Mary Jo and Paul Thurrott):
- Ability to log-in to 5 different PCs or Macs
- Access to Word, Excel, Powerpoint, OneNote, as well Access, Publisher and Outlook
- 60 Skype World Minutes a month
- 20 GB of SkyDrive storage
- Security and other updates
- Access to new functions through the subscription period (i.e. you don't need to wait for the next version)
In contrast, the standard PC-installed version of Office 2013 can only be installed on one machine. Also, to get Access, Publisher and Outlook you need the Professional version (Mary Jo has a great table here that explains the different options).
Office 365 Home Premium is $99.99/year, which covers an "entire household" (i.e., as Paul Thurrott explains, it is not tied to a single individual but can be used by any person located at that address). Assuming the price will be the same in Canada, this amounts to $9.42/month (including HST), which is cheaper than two venti lattes at Starbucks. This is in contrast to Office 2013 Professional, which retails for $399.99 + HST (and $139.99 + HST for the Home & Student version, which includes Word, Excel, PowerPoint and OneNote).
However, the big story here is that Microsoft is taking the average user to the Cloud! (Oh, yes, it was Microsoft that came up with those terrific ads, wasn't it?) Some may say that this is yesterday's news because Google Docs has already brought cloud-based office productivity. Although that may be true, if you ask my students, they use Google Docs to collaborate but still rely on MS Office to print a report or assignment. And of course, when they go on their work terms, the firms are still using MS Office (so they need to know how it works and be able to use it well).
In other words: Is the world ready for moving their recipes, financial budgets, and other personal documents to the cloud?
For those who want the full lowdown on the cloud, they can download this whitepaper from the CICA, which I wrote with Yvon Audette of KPMG. Alternatively, here is a short list of things you can raise with friends or anyone else wondering what happens if they decide to go with Office 365 or another cloud-based app.
Pay for what you use: In terms of benefits, MS has really sweetened the deal with the extras noted above. The other implicit benefit is that you are not paying for a static piece of software upfront. If you change your mind later, you will be out only $100 instead of $400: to buy Office Professional you have to fork over $400 on the spot, whereas with Office 365 you pay as you go (i.e. $100 per year). So if you decide a year from now that you don't use all the extras that Office 365 comes with (let's say you are not using Publisher, Access, Skype, etc.), you can buy the cheaper Home & Student version or switch to an open-source alternative.
The Cloud Can Go Down, but so can your laptop: There have been cases of cloud outages, as I noted in my last post. Consequently, you should keep a local backup of your files from Office 365, so that they are accessible off the cloud (I am hoping Microsoft will make this easy) and won't be lost or corrupted if there is a problem at Microsoft. However, let's be honest: what's more likely to go down, Microsoft or your own laptop? The advantage of Office 365 is that if your laptop dies, you can access your files from another machine. In other words, your data is no longer tied to your hardware.
You have less control, but you've handed it over to Microsoft (who should know a little bit about good computing practices): It should be clear that you are handing your files over to Microsoft to manage for you. But this may be a good thing, as they may do a better job than you. For example, if you don't do local backups (as you should), Microsoft likely does. According to this link, Office 365 is audited against ISO 27001 (click here to see what that covers) and also addresses HIPAA, FISMA and the EU Model Clauses. The report that is absent is the new SOC 2 (see here for the difference between SOC 2 and SOC 1; SOC 1 replaced the SAS 70 Type II reports that outsourcers previously used and abused).
Terms of service (ToS), assume nothing: In general, cloud service providers have an army of lawyers to shield them from liability for pretty much everything. So you should assume that if anything goes wrong, it's tough luck for you. Also, pay attention to what the ToS says about who owns the data (ZDNet did an analysis last year for online storage; we hope they update it for the new Office 365). According to this post, Microsoft provides credits for downtime on the Office 365 plans it offers to businesses, but it is unclear whether it would do the same for consumers.
Is a hacker also using Office 365? Amazon's cloud service, EC2, was used by hackers to launch the infamous attack on Sony's PSN. Security researchers have also been able to spy on fellow "tenants" sharing the same physical hardware. So what do these two facts add up to? Hackers will look for vulnerabilities in Office 365 that let them get at other users' data. That being said, hackers are mostly after credit card data, and it may be more trouble than it's worth to mine terabytes of cake recipes and essays on Shakespeare to find what they are looking for (although 'big data' tools do make this easier).
Privacy: accidental disclosures and the reality of law enforcement. In addition to nefarious individuals lurking on the Internet, there is a risk that something will go wrong and the wrong user will get access to your documents. For example, Microsoft's precursor to Office 365 (known, excitingly, as BPOS) experienced precisely this kind of breach (to be fair, here is MS's defence). In terms of privacy, the way the privacy rules work is that if the provider tells you in the ToS that it will hand over data to law enforcement, then it is covered from a privacy-compliance perspective (see the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article, both American and Canadian law enforcement and other agencies can access what you put on Office 365, and they do not need to tell you about it.
With Microsoft's push to the cloud, it will be interesting to see how "consumer outsourcing" works out. For example, how will the masses react to an outage? Will grade school teachers accept the excuse that "the cloud ate my homework"? Or will we be surprised at how adept people are at adjusting to the new realities of the cloud? For example, people nowadays hold camera-free parties to manage the risk of the 24-7 surveillance world we live in thanks to social networks. Practically, consumers can use free open-source alternatives to keep their personal documents offline and use Office 365 for things they don't consider sensitive or to meet the demands of employers or customers; some of these projects are keenly working to make their offerings interoperate with Office 365. However, if people are used to keeping their budgets in Excel offline, are they really going to switch to the open-source alternative? I guess we will wait and see.
Labels: Cloud, Microsoft, Office, Outsourcing, SOC1, Trust Services