Cloud services as part of a BC/DR plan after a terror attack

Even SMBs need to think about the repercussions of a terror attack. Machler outlines how the cloud can keep business running.

I was talking to a friend about data security over lunch today, and we discussed 'dirty bombs' and a what-if scenario for small and medium-sized businesses.

If there were a catastrophe like a dirty bomb, many of the affected small and medium-sized businesses would go out of business. Many large businesses, like banks or healthcare firms, have extensive disaster recovery plans. A large terrorist attack would cause them many problems, but they could scramble services to various data centers around the country and select new suppliers to keep running.

But, for example, I have a good friend who has a small business selling performance shoes. He markets the shoes in a geographic location within our metro that doesn't have many close competitors. A dirty bomb would have a disastrous effect on him. If he physically survives, he would face several problems. Would his supply chain be intact? He could be disconnected from his suppliers and the outside world.

His phone and internet access come over a cable line, which must be working for him to track product orders via emails with suppliers. The EMP (electromagnetic pulse) from the bomb could destroy his cable connection or cable head-end. Even more importantly, he could be without power due to the EMP. The loss of critical infrastructure would force him to relocate, because it is very likely that the cable and power companies could not restore power and cable services quickly enough.

This type of bomb would have repercussions throughout the country and some parts of the world. Businesses would have difficulty finding suppliers of goods that were provided by affected businesses. Affected businesses would need to move, potentially reacquire their goods, and restart. The lack of product supplies and proper business data (tracking goods, sales, and taxes) would drive many out of business.

The issues associated with business data can be addressed by cloud services. Many small businesses, like my friend's performance shoe business, use email providers (like Gmail or Yahoo) to order goods such as shoes. My friend has a POS (Point-of-Sale) machine that runs a common business-accounting package, which saves sales data on the server's hard drive and also backs it up to a network NAS (Network Attached Storage) drive. So this covers goods (email provider), sales and taxes (business accounting), and backup. But a dirty bomb's EMP could blow out the POS machines and the NAS backup drive.

How do cloud services help?

The small business could have backup within the cloud. Backing up the business data for sales and taxes would enable a move to some other location and a quicker restart of the business. All sales order information would also be in the email provider's cloud. What about the POS machine? This is currently a technology reach, but a POS machine could be designed to run in the cloud via a browser, with a credit card swipe on an iPad-like large-screen tablet to collect payment. Lastly, sales information is kept in the email cloud.

There are some drawbacks. In this scenario the email provider, the cloud backup provider, and the cloud POS application all have access to your critical business information. There could be tens of thousands or more businesses that share the same cloud offerings. A compromise of data on one or more storage subsystems could lead to millions of compromised credit cards. Internal threats within a corporation (like Google) could be significant, and criminal forces could even be encouraged to try to compromise a worker inside a cloud provider.

Hence there are three cloud relationships to manage: email provider, backup provider, and POS application provider. The POS cloud application must be checked to see if it properly protects (encrypts) credit card information, thereby meeting PCI compliance standards. The browser-based POS application must also be checked for application vulnerabilities.

Separately, the cloud backup provider must encrypt sensitive backup information. Lastly, the cloud email provider must protect all emails, thereby protecting those related to shoe orders. There may also be a need to certify cloud solution providers, proving that they are protecting data adequately. So once my friend moves to another city or unaffected location, he can quickly retrieve critical data and applications. He would have power, communications (internet and phone) and applications that run on the internet (email, POS, and backup).

In what other ways does cloud computing help businesses worldwide? It's simple really: there are many businesses that have access to power and the internet, especially in the capitals of countries around the world. They only need an iPad-like tablet with a browser and a credit card swipe on the tablet to conduct business. No infrastructure is necessary. It is better than the 'laptop per child' initiative because browsers running on tablets are cheaper than laptops.

In conclusion, in a disaster the cloud protects a business's information. But it does not address the product supply issues or potential relocation. It does make it easier to restart the business, track supplies, and conduct ongoing business. It is an enabler of business. Lastly, the browser on a tablet connecting to cloud services enables profits for emerging small businesses worldwide, and that is a good thing.
