(c)iStock.com/Big_Ryan

With researchers seeing a 3500% increase in the use of net infrastructure which criminals use to run ransomware campaigns, it’s not surprising that ransomware has been making big headlines.

The media laments the growing rings of cyber criminals that launch ransomware threats, but there’s another culprit that tends to slip under the radar: people like you and me. Sure, we’re not instigating the campaign – that’s on the hacker – but employees often let the bad actor through the front door, so to speak. Employees access an insecure web page, download infected software or click a phishing link in an email. In fact, of all the data breaches reported in the UK during Q1 2016, ICO data reveals that 62% were caused by human error.

Worse, ransomware and other incidents related to human error are putting businesses at a greater risk of data loss. In a Foursys survey of 400 UK-based IT managers, 11% of those that had reported security breaches caused by threats such as ransomware said they had experienced data loss as a result. According to research by the University of Portsmouth, fraud and human error are costing UK organisations £98.6 billion a year. Unfortunately, that number is likely even larger, as it doesn’t include instances that have gone undiscovered or unreported.

And while some might think that storing data in the cloud puts it out of reach of ransomware, they’re wrong. Ransomware has the ability to encrypt files on hardware and cloud services alike. And, of course, data in the cloud is always susceptible to human error.

If despite your best efforts, an employee or vendor deletes your data, having current backups is the key to restoring the files without a severe impact on your business. If your systems are taken hostage by ransomware, data backups are the key to being able to recover access to your files without paying the ransom (which is never recommended, as it only encourages hackers).

This two-part series will discuss some of the common ways human error can lead to data loss or ransomware infections and address how your business can prepare for these threats.

Cloud provider risks

Under the EU’s General Data Protection Regulation (GDPR), all organisations handling personal data will be responsible for ensuring that information is protected and are responsible for breaches of this data. This responsibility extends to third-party cloud providers, which is why vendor due diligence is critical.

Non-compliance can result in fines of as much as 5% of annual worldwide turnover or €1 million, whichever is greater. With such high stakes, it’s important to ensure vendors have proper policies and procedures in place to ensure the availability and security of any data they process.

You might find that the vendor’s terms of service meet your needs, but be aware that terms of service can change without notice. That’s what happened to one man, a distinguished lecturer for a content network, who woke up one day to discover that his cloud vendor had deleted more than five years of archives for 15 retired machines. After lengthy back-and-forth discussions with the vendor’s tech support, he discovered that a change in the corporation’s retention policy – of which he’d been unaware – had allowed the backups to be deleted. They were eventually restored, but if he hadn’t been vigilant, he very well could have lost his backups permanently.

Shadow IT

Human error and ransomware alone are enough of a risk to put businesses on high alert, but shadow IT exacerbates this threat. Research from Cisco reveals that CIOs estimate that their organisation has 51 public cloud applications in use, but the actual number is more like 730. What happens if employees upload restricted data to an unauthorised cloud application – such as Google Drive, Dropbox and Evernote –  and that application experiences a breach or the proper encryption is not used?

If your employees are uploading files to an unauthorised cloud or using software as a service (SaaS), that not only increases your security risk; it also increases your risk of data loss, as that data isn’t being backed up.

SaaS, in fact, is one of the most prevalent threats to data loss in the cloud. A recent study found that almost 80% of respondents had lost data in their organisations’ SaaS deployments. The top causes were accidental deletion (41%), migration errors (31%) and accidental overwrites (26%).

Lack of internal awareness of security best practices

One of the major culprits of human error is sheer carelessness or ignorance of how data should be handled. In the ICO data mentioned above, the majority of incidents attributable to human error included security gaffes such as posting, emailing or faxing data to the wrong recipient. Additionally, a disturbing number of employees are falling victim to phishing attempts. According to research from Verizon, people opened 30% of phishing messages – that’s 7% greater than last year – and of those, 13% also opened the attachment, introducing the malware to the network.

Many instances of cloud data loss and ransomware infections can be classified into one of the above human error-related categories. But simply being aware of these threats isn’t enough.

This is one of a two part series: the second piece next week will examine mitigating cloud vendor risks, shadow IT and lack of cybersecurity awareness.

(c)iStock.com/livecal

Software as a service (SaaS) and cloud delivery models are disrupting the world of traditional enterprise software.  As IT organisations embrace agile infrastructure strategies to keep pace with the rapid change of the businesses they support, SaaS delivered applications have a clear advantage over traditional on-premises enterprise apps.  As the forces of digital transformation reshape enterprise IT for the on-demand world, SaaS applications will be a driving force in reshaping how modern businesses function.

Choosing SaaS

SaaS is a more efficient way to deliver powerful functionality and positive experiences to business users, as well as radically simplifies deployment. Users of SaaS solutions also don’t have to install and maintain servers, databases or scale data center infrastructure to add more storage or compute power – the SaaS vendors handle all of this for them. The SaaS model collapses the entire application delivery infrastructure into the software being delivered, which is why SaaS is so appealing to CIOs and line of business executives.

Some SaaS providers turn to public cloud vendors, though others may choose to build their own cloud infrastructure to optimise application delivery infrastructure as part of their core competence. Furthermore, providers want to optimise this to ensure seamless delivery when it comes to issues around customer experience, real-time analytics or privacy safeguards. For SaaS vendors, solid, flexible infrastructure can be a competitive advantage in delivering mixed workloads.

The four keys to success

In order for SaaS vendors’ infrastructure strategies to differ from enterprise IT and ensure it impacts the effectiveness of the service – the application “experience” they offer to end users –vendors should consider these four SaaS business drivers when it comes to impacting application infrastructure decisions:

• Customer retention is as important as a new customer acquisition – Because SaaS users aren’t invested in infrastructure and perpetual license outlays, the “switching cost” is low. As a result, SaaS vendors must provide consistently high customer experience in every area, including great uptime, superior application performance and general account management.
• SaaS vendors most grow to succeed – Vendors’ business models are based on low barriers to start (e.g. free trials) and network effects that deliver more value as user base grows. This means that SaaS companies need infrastructure that scales easily as they add customers, users, devices and data growth.
• Deliver real time analytics and decision support – SaaS solutions today are doing far more than just transactions—they need to manage real-time analytics. The era when online analytic processing (OLAP) was a batch function performed by specialists with niche data warehouse tools is now giving way to SaaS solutions that embed personalisation, intelligence and other analytics as part of the user experience. This requires infrastructure that can deliver consistently high performance and user experience under dynamic workload environments.
• Ability to scale – The cost of application delivery infrastructure is effectively the cost of goods sold (COGS) for a SaaS company. As a result, the ability to scale infrastructure in a cost efficient way is vital to profitability.

These four key business drivers map back to capabilities needed from cloud infrastructure. Scalability is table stakes – any SaaS vendor that chooses to build out its own infrastructure must ensure it can quickly scale its application and performance needs, even as its application workload profile evolves to include more rapid analytics and personalisation.

The infrastructure stack for any vendor building its own cloud has multiple layers – from virtualisation to security and disaster recovery capabilities – but at the end of the day, its foundation is storage. As a result, SaaS providers must consider these infrastructure requirements when it comes to choosing a storage technology approach.

The shift to all flash storage?

To power the high performance needs of the modern SaaS business, all flash storage is the natural technology selection. However, beyond choosing all flash, SaaS providers also need agile storage solutions that can seamlessly manage growth in data and users with a cost model that supports their business. Furthermore, storage solutions must evolve with the constantly shifting requirements of the applications they support.

The ability of a storage platform to handle SaaS solutions with real time analytics is the biggest concern. The platform will need an architecture that performs at the highest level for both transactional and analytics workloads. Not every storage array can deliver consistently high performance under both types of workloads. In order to deliver consistently high user experience in a cost effective manner, it’s essential that the entire infrastructure stack – from the bottom storage layer up – is tuned for real-time analysis, as well as transaction processing.

Conclusion

While much has been made of the SaaS business model – subscription-based solutions that offload the infrastructure concerns for users – the future for what will set one SaaS solution ahead of its competitors is likely to be how well it can deliver differentiated functionality like advanced analytics. Most SaaS providers have adopted agile development practices and incorporated DevOps into their thinking to stay responsive to customer needs and maintain a competitive advantage. At the same time, deploying an agile infrastructure strategy that incorporates flexible storage solutions is essential, so that it can evolve with changing demands of the application and market.

SaaS is already eating up the traditional software delivery model, and in order to succeed, vendors must focus on embedding real-time analytics to deliver a strong user experience. At the end of day, this means SaaS infrastructure not only has to scale, it must also handle complex workloads in a way that will support the most competitive end-user experience. The winners in the age of SaaS will make strategic infrastructure choices that best support their fundamental offering and business model. 

Karen Field, Penton Communications’ IoT Institute director, in her article “Start Small to Gain Big,” postulated an oil drilling platform with 30,000 sensors would generate about 1 Terabyte of data per day. She also stressed that only 1% of that data would likely be used. From a systems engineering point of view this data flow is multiplied by the trillions of other IoT sensors in the cloud, introducing unprecedented data processing and data transport stress. Industries and competing companies within those industries will also be forced to weigh the economic impact of paying for this transport and processing.

read more

Security is one of the most controversial topics in the software industry. How do you measure security? Is your favorite software fundamentally insecure? Are Docker containers secure?
Dan Walsh, SELinux architect, wrote: “Some people make the mistake of thinking of containers as a better and faster way of running virtual machines. From a security point of view, containers are much weaker.” Meanwhile, James Bottomley, Linux Maintainer and former Parallels CTO, wrote: “There’s contentions all over the place that containers are not actually as secure as hypervisors. This is not really true. Parallels and Virtuozo, we’ve been running secure containers for at least 10 years.” To add to the mix, Theo de Raadt, OpenBSD project lead, wrote back in 2007: “You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.”

read more

“SpeedyCloud’s specialty lies in providing cloud services – we provide IaaS for Internet and enterprises companies,” explained Hao Yu, CEO and co-founder of SpeedyCloud, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.

read more