Avoiding mishaps with Data in the Cloud

What might happen to your data while it is in the cloud?  In the last article, we discussed why you might want to have software and data in the cloud.  In this article, I list 9 things you can do to keep your data safe

What can happen to my data when it is in the cloud?

Most of these things can also happen to your data while it is on your desk or in your own data center.  It’s not necessarily the fault of the cloud that mishaps occur.  The focus of the following is choosing the best countermeasures to cloud-based data mishaps.

Here is a list of things that could happen to your data while it is in the cloud:

Mishap #1: My data is temporarily inaccessible

When your data is in the cloud, you may not be able to access it.  This can also happen when your data is in your own data center.  The reasons for inaccessibility can be any of these:

  1. Scheduled maintenance (downtime) — The system is offline for maintenance that was planned & scheduled.
  2. Unscheduled maintenance (outage recovery time) — The system is offline while recovery is performed for an unscheduled outage.
  3. Administrator error (system offline) — The system is offline because an administrator of the system made a mistake.  The specific causes range from configuration errors to improper responses to simple failures that would normally be recovered quickly.
  4. Failure of a storage system (but there is a backup copy) — Your data is temporarily inaccessible while the system switches over to the backup copy.
  5. Loss of internet access — You can’t get to your data because you have no access to the Internet.
  6. Overload on a cloud server.  Causes of this (overload) mishap can be any of the following: (a) Inadequate resource planning at cloud vendor; (b) The storage servers ran out of capacity (for storage or for accesses) due to inadequate planning for growth; (c) Denial of service attack (general) — A malicious person or entity has created excess demand for service from the servers your data is stored on.  The attack is aimed at the service provider or one of the provider’s other customers, without regard for the fact that you and your business are affected; (d) Denial of service attack (specific to me and my data) — A malicious person or entity created excess demand for service from servers your data is stored on, and the purpose is specifically aimed at disabling your business.

Mishap #2: My data is lost forever

  1. There was a failure in a storage system and the data was not backed up.
  2. There were multiple failures, and both the primary copy and the backup copy are gone.  This very unlikely, except when there was an administrator error after a storage system failure.

Mishap #3: Accessed by unauthorized person

  1. Accidental access from within the cloud vendor’s domain. — Someone in the cloud vendor’s data center accessed the data by accident.  Typically, this does not result in any loss, but the event should be reported so that it can be avoided in the future.
  2. Malicious attack — Someone outside of your company and your cloud vendor accessed your data, usually with the intention of misusing it.  This is a serious breach that may have to be reported to state or federal authorities.

Mishap #4: Data was corrupted by storing the wrong information

This can be caused by human error or by software error.  Human error may be as simple as someone entering the wrong data into a form, or by someone misunderstanding the meaning of some data.  It can also be caused by software error, either by some sort of error termination, or by a database transaction that fails to complete and leaves the data in an inconsistent internal state.

Things to do to prevent or minimize losses

Here are 9 things you can do to help your organization keep your data safe.

Understand how data is stored in virtual environments

Be sure your IT people know what sort of storage is provided in the virtual machines and cloud-based storage that your organization is using.

Plan for failures

Follow the rule that everything that can fail will fail.  Use regular disaster drills, including actually taking live data offline to see how the systems and people react.

Know your SLAs

Understand the implications of your service-level agreements in your cloud vendor’s contract.  Make sure that you are not putting critical data in a storage system that has only “normal” uptime commitments, such as you might get with a single disk drive.

And read the fine print of your contract.  Is an “outage” defined as more than 10 minutes of unavailability?  Can your business stand to have multiple outages that are 9 minutes long?

Know where your data is

Be aware of your cloud data storage vendor’s locations, levels of redundancy, and what the backup and recovery procedures are.

Also, since data is often corrupted by human error, it’s not enough simply to have backup copies – they will all be wrong if someone has entered the wrong information.  You also need checkpoints where the whole consistent set of data was backed up and can be retrieved after something has gone wrong.

Data recovery service

Since many cloud and virtual storage vendors don’t include recovery from software or human-caused data corruption, add a data recovery service provider in your contingency plans.

Arrange for education & education

Ask your cloud storage vendor to train or educate your staff on how to recover from a data disaster or handle data recovery in the cloud.

Prepare for vendor switching

Make sure that you have a plan for moving your data from one cloud vendor to another.  This includes knowing what it takes to download your data from the current vendor (or your backups) and then to upload it to a different vendor.  Anything less than this will leave you locked in to the current vendor and vulnerable to their shortcomings.

Implement stringent system access controls

While you want everyone who needs it to have access to data, you should restrict access to the data center systems, software and applications to the few people who need to manage those systems.

Don’t underestimate the cost of cleanup

After you suffer a security breach in your data, you have a lot of things to do to clean up and re-secure your data.  There may also be reporting to be done.  A recent survey found the cost of this kind of cleanup to be over $200 per data record.  Take this into account when you are justifying training and/or other security measures for your data storage.

Don’t let all of these potential disasters keep you from storing data in the cloud.  You can count on cloud vendors to be highly motivated to keep your data safe, and often they will spend much more on security than you would in your own data center.  But arm yourself with information, so you know what could happen and what to do about it when it does.

My data in the cloud?

What’s the Cloud?

“The Cloud” refers to computers, storage and software connected to the Internet and accessible via the World Wide Web.  The first question you may have about the cloud is whether your data is safe there.

To answer that question, let’s have a look at how access to data has changed over the past couple of decades.  When the Internet and the World Wide Web (the Web) first became widely available in the 1990s, we were accustomed to the Desktop model:

I’m sitting at a desk with the computer, the software, and the data storage on disk all within reach.  If I have Internet access, it’s probably a wired connection over Ethernet to a cable or DSL modem; I can interact with servers on the Web using my browser, and some of these servers may keep some data that I put into them.

By the mid-2000s, most of us were using the Laptop model:

My laptop computer is with me wherever I am, and the software and storage are inside the laptop.  Storage may be on a disk or a solid-state disk (SSD).  I’m connected to servers on the Web using a wireless (WiFi) connection or a wired (Ethernet) connection.

These days, many people are using the Smartphone model:

The smartphone is in my pocket when I’m not using it.  When I use it, software is running both in the phone (an App) and in the cloud (on a server somewhere).  My data is in the cloud (on a server somewhere).  I’m connected to the Web using a wireless connection (WiFi or the cellphone network).

Software in the cloud

Why would we put software in the cloud?  There are several reasons for this trend.  The main advantages are:

I can rent the software rather than buying it.  This could save me money in the short run.

I don’t have to keep the software up to date – the vendor I rent from does that for me.

I don’t have to configure the software in my computer.

When I want someone else in my company to have access to the same data and use the same software, it’s easy to do – I just add them to the list of users of the software service (and pay the rent for them).

The disadvantages of software in the cloud are:

If I lose my Web connection, I can’t use the software or access my data.

I can’t customize the software very much – I have to use the same features that are available to everyone.

Data in the cloud

Why should I put my data in the cloud?  There are some advantages:

There’s no limit on how much data I can store in the cloud, and the cost of renting space for it is relatively low (if I shop around). I don’t have to buy a new disk to store more data.

The storage vendor does automatic backup of my data (and replication – that is, storing a copy at another site, if I want them to).

The storage vendor typically uses privacy and security measures that I couldn’t afford on my own.

The disadvantages of data in the cloud are:

If I lose my Web connection, I can’t get to my data.

At the beginning of using cloud storage, I have to upload all of my data.

There is always the possibility that someone will break into my data (a data breach).  But then, isn’t that possible even when the data is in my computer?

The storage vendor could go out of business or fail to protect my data. That’s why I should be sure that the vendor is reliable, reputable and stable.

I should probably keep a copy of my data somewhere else as well.  But I had offsite backup copies before, didn’t I?

If my data is in the cloud, do I still own it?

If you’re concerned about ownership of your data, make sure you have a contract with the storage vendor that specifies not only who owns the data, but also how how easily you can copy your data and move it somewhere else.

Check the regulations in your state and your country with regard to data.  When you have customer’s personal information as part of your data, you have legal obligations.  You may be obligated to keep the data in the country, for example.  You also need to have a policy for dealing with data security.  If you do suffer a data breach, you may be obligated to report it.

For example, “California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))”  (from the Attorney General of California website at http://oag.ca.gov/ecrime/databreach/reporting)

There are other resources that may be useful to you if you’re concerned about malware (software that invades your systems or your data with malicious intent) and cybercrime.  Visit some of these websites:

http://www.rsa.com/rsalabs/

http://www.cylab.cmu.edu/

http://www.us-cert.gov/

I hope this answers some of your questions about data and the cloud.  If you have other questions, please add your comments to the blog.

Bring your own device (BYOD)

The 10 Danger Signs of a Failing IT Project – webinar on Oct. 30

Learn the red flags you should watch for in major IT projects.  I’ll share with you insights about identifying and responding to problems in management of IT projects.

Join me in this free one-hour webinar on October 30 at 10 AM Pacific time.

Register here

 

“Bring your own device” (BYOD) is the latest watchword in corporate IT.  For mid-sized companies and organizations, how should we think about mobile Apps?  Are we ready to embrace them?

Back in the good old days (before the iPhone, for example), companies only worried about laptops and their applications, and about lost BlackBerrys.  Applications did not change more than once every 3 to 6 months at the most frequent, so IT departments could spend a fair amount of time vetting the applications before deploying them for use at the office and away from the office.

Now, everyone has a smartphone and everyone wants to use one for access to the company’s databases.  This opens up a lot of security and usability issues.  Here are some of them:

SecurityCan unauthorized people get access to the databases?

PortabilityWill access from a smartphone compromise the effectiveness of the data because input is less reliable?

AccessibilityWill access from a smartphone make it difficult for the user to read or use the information?

Now that the Apps are in a small portable device, we have to worry about both old and new threats to security:

Spam – unwanted messages coming into our network

Phishing – malware injected into portable devices and crooks getting access to valuable data or login information

Data leaks – loss of valuable data by accident

Lost devices –  loss of the mobile device itself, together with its data and login information

Should I try to control the Apps?  The answer is yes and no.  Yes, make sure that you thoroughly test Apps that are to be used to access corporate data.   And no, don’t prevent people from downloading what works for them.  If and when you run into problems with a particular App, you can always ban its use.  Of course, this means that you should monitor which Apps are being used.

How can I avoid disaster?  Here are a few general principles:

Develop a list of trusted partners & suppliers for mobile Apps.  Also develop an in-house capability for testing and verification of operation (and problems).

Also develop a program of training for everyone who uses a mobile device for accessing corporate databases.  Make sure they understand the company policies about access and sharing of data.

Perform regular review of security policies and procedures.  The policies don’t have to be extensive, but they should be clear and enforceable.  Don’t try to enforce policies related to activities that you can’t monitor.

When introducing new capabilities, start by rolling out a new App on a small group first.  Monitor the new App more closely than you do for mature Apps, and make quick corrections when there are problems.

We are at the beginning of the mobile device era. PCs will have less and less influence on the future of IT interactions, while mobile devices will have more and more influence.  There is no way to stem this tide, so you may as well embrace the mobile devices and their Apps.

Eliminate your IT department?

Cloud-based services are transforming business IT in major ways.  What does this mean for the structure and mission of the enterprise’s IT department?  Is there anything left that can’t be done by the cloud and by cloud service vendors?

Yes!  There are three major areas in which every enterprise still needs a collection of people who focus on IT.  And it is best to have them gathered in a department where they are able to exchange information at high bandwidth – in other words, in an IT department.

1.    Expertise

While it can be advantageous to place IT specialists inside of business departments where they can advise their business counterparts on specifics of applications, data and cloud services, keeping up with the range of IT offerings is a job best done at a central location.

Building a center of expertise will enable IT specialists to respond to requests from business units for recommendations and advice on cloud vendors, facilities and functions of various IT packages, and general information on what solutions are now available.  In addition, the experts can create informative newsletters and workshops on what’s around the corner, the progress of corporate IT initiatives, and other current IT topics.

This type of dissemination of information cannot typically be done as well by department-captive IT specialists.

2.    Strategy

Your business has a business strategy.  Almost certainly, that strategy depends on certain IT initiatives.  Defining, aligning, and guiding those initiatives must be done by people who understand the business strategy and also understand IT deeply.  These people should be IT experts who also are involved in strategic planning for the business.

As a result, they are strategists for IT as well as for the business.  So they need to keep up with the latest trends and possibilities in IT as well as know a lot about all of the enterprise’s current IT implementations.  These people are natural members of a central IT department.

3.    Management

IT management involves several different perspectives.

First is managing the IT-business interface across all IT initiatives and across the functional components of the business.

Second is managing the IT department and its initiatives, including developing, training and promoting IT specialists.

Finally, there is management of vendors, including cloud service vendors – and increasingly crucial portion of the management workload.

All three of these aspects of IT require an IT department – or an equivalent – that concentrates IT expertise and IT-related missions into a place where communications are very frequent and easy.

Don’t eliminate IT, transform it

As cloud-based services begin to transform the way in which IT functions are accomplished, the IT department should concentrate on developing its expertise in the following areas:

Cross-connecting siloed business functions and helping to eliminate duplication in IT activities and services.

Teaching, training and informing business leaders about IT, including which cloud-based services can best help get their jobs done.

Monitoring, measuring and rewarding vendors who are supporting business functions in the enterprise.  This includes setting standards for performance, helping with contractual arrangements with vendors, and monitoring both positive performance and negative incidents surrounding IT vendors.

Creating IT strategic plans, including corroborating those plans with enterprise strategies and plans.  And finally, adapting the enterprise to the rapidly-shifting cloud services environment.

In other words, there’s plenty left to do in an IT department.  Don’t eliminate it.

John’s webinar titled will be held on September 25 at 10:00 AM Pacific time.

Designing, implementing and integrating major IT systems has numerous pitfalls that don’t appear, for example, in building construction. If you’re responsible for delivering a major IT project – or if you are paying for one – you need to be aware of what indicators are red flags for possible failure of the project.

See more information and register at 

SUBSCRIBE FREE: https://johnlevyconsulting.com/blog

Just complete the simple form. Takes about 10 seconds. And you’ll also get a free copy of my report, “9 Mistakes That Lead to IT Project Failure.”

John Levy Consulting

Deliver the promise of technology to business


https://johnlevyconsulting.com

PO Box 1419, Point Reyes Station, CA 94956    415 663-1818

Is your software stable or static?

In most professions, it’s good to have stability in the things you work with.  With software, stability is good, but often we confuse static with stable.  They are not the same.

Static software decays and becomes useless.

In a previous article, Why does it cost so much to maintain systems? I explained how software updates are critical to keep it alive:

Software by its nature is constantly evolving.  Not only do users ask for new and modified features, but the systems on which the software runs keep changing, so the software has to be modified to fit new environments.  These factors guarantee that updates have to be released several times a year to keep things current.

Here are some indicators that software is stable:

• Updates are regular but not urgent

• The list of bug fixes in each release is not excessively long

• You don’t experience crashes & freezes on the system

• The software “plays well with others” – there are no negative interactions with other software packages

• It scales up smoothly – there are no abrupt limits as the data size or workload increases, only a gradual slowing of response time

• The vendor’s support is consistently accessible and useful

On the other hand, static software is an entirely different thing.  If software is static it means that there are no updates, changes or evolutionary steps being taken to keep the software current.  As a result, some or all of the following will happen:

• The software will not run in new environments, such as latest release of the operating system

• The files being used with the software do not evolve with changing data formats, file systems and storage media.  Compatibility is lost with other software that begin using new data and file formats.  Old backup copies of data may not be readable on new storage devices.

• The software will not communicate using new network interfaces.  When it does communicate, it may be using old protocols that slow down the speed of transfers and do not use new features available in the network.

• The software may not be able to interact with cloud-based applications and databases that have been added since the software was released.

Stable software requires constant attention by the people who are maintaining it.  They should be in regular dialogue with the users of the software, have a list of issues they are investigating and correcting, and be using a set of maintenance tools that allow consistent and stable releases.

Strive to have stable, but not static software. 

Why is software maintenance so expensive?

When we purchase a piece of software – even as a service – we tend to think that the major expense is finished with the purchase price.  But it’s not true.  Whether you buy, build your own, or rent software, it always costs more in ongoing expenses than the initial price.  Why?

Developing software is an expensive proposition.  Not only do the people cost a lot, but they use expensive tools, and they always seem to need more time than was estimated at the front end of the project.  So we should not be surprised that software sells for a lot of money, even when the vendor is selling a lot of copies.

But why does maintaining that software cost so much?  Here are some of the reasons:

Software by its nature is constantly evolving.  Not only do users ask for new and modified features, but the systems on which the software runs keep changing, so the software has to be modified to fit new environments.  These factors guarantee that updates have to be released several times a year to keep things current.

Just because you bought the software doesn’t mean you – or the rest of your staff – know how to use it well.  So you need people to study up on the software’s functions and then teach others how to make the best use of it.  If you don’t, you won’t realize the full benefit that the software offers.

The worst thing that can happen to a software user is to learn that the vendor has gone out of business.  So you want the vendor to do what it takes to keep making those updates and upgrades available.  This means that the vendor also has to keep a stable of specialists assigned to the software product, even if it is no longer the mainstay of the vendor’s business.  And those specialists have to aware of how customers are using the product, and what kind of support they need.  So you’re willing to pay for that support, if the product is of great value to you.

When things go wrong, you need someone to call.  If you’re a big enterprise and the software is integral to your operations, you’ll want that someone to be nearby – and on your own payroll.  Otherwise, the person will not feel the urgency that you do when there’s a failure.  So you, too, have to maintain a staff of specialists who keep up to date with the software’s features and failings, and know how to work around any problem that comes up.

Furthermore, when something fails, you typically don’t know whether it was caused by a software bug in the application, a system failure or something gone haywire in the infrastructure (such as the network).  So you need IT specialists who can diagnose failures and then pursue the solutions no matter where the failure originated.

Can you avoid all of these expenses by using software in the cloud?  Not so fast.  You may save money by renting software that runs in the cloud, but you have to be ready to accept a standardized version of the software that everyone else is running, too.  Or you’ll have to pay extra for customization, which leads you right back into the ongoing costs of maintenance.

You’ll also have to endure the changes that come when the cloud-based software vendor decides to upgrade the system – on the vendor’s timetable, not yours.  So maybe you need those specialists in IT after all?  And the cost savings of the cloud are not completely one-sided.