Revisiting The Concepts of Disaster Recovery and Risk as Organizations Move Their Infrastructure To The Cloud

10/30/2019

Cybersecurity Association of Maryland, Inc.
The calculus for disaster recovery and risk management is changing. Most small businesses within the past decade would often keep many of their critical technology assets locally, perhaps in a server closet, or a centralized data center for multiple offices. They built their own “vault” of applications, databases, email, files, etc., often on a few physical servers they would be wholly responsible for maintaining and eventually upgrading or replacing. Most of them would care enough about these technology and data assets to invest significant sums in redundant servers, quick recovery backups and imaging solutions, security hardware/software as well as the physical infrastructure to support these products like power and air conditioning.

While there is still need for these physical solutions locally, it’s no surprise that from a return on investment perspective, moving these systems off to the cloud where the economy of scale for managing technology risks can often be simpler and cheaper. Why deal with the technical complexity and multiple investments of protecting, say, financial records locally when you can essentially outsource that hosting to a bigger company that can take on many of those responsibilities for you?

Concerns for Small Businesses

But the key phrase here is “many of those responsibilities.” We are making a trade here when we move to the cloud. There are new factors for protecting data and keeping our important technology available to us. Consider the example of financial records and a small business that uses this data as part of day-to-day operations. I would typically expect, before the adoption of the cloud (let’s say 2009), these kinds of systems locally, and for this exercise, I’ll list out a few potential concerns with the technology:

  • Some kind of file server, with user authentication and management – Those files likely have at least some sensitivity or value, so we will need to invest in security, user right management, monitoring, backup and so on.
  • Email – Office 365 and other cloud email has been around for a while now, but it wasn’t that long ago that Microsoft Exchange servers were the primary way businesses utilized professional, corporate email. There are similar concerns here that we would have with the file server, but usually, email has even less tolerance for downtime. Additionally, since the office was the “post office,” we were opening up a path for cyber-attacks by having a server grab all of that mail directly in our office.
  • Databases and Application Servers – Certainly, a business working with financial records would have something like this, such as a CRM/ERP or other systems where they work on and process client and internal information not to mention accounting. When these systems are down, you are out of production for the core value proposition for your business. Plus, the information in these systems is often the target for data breaches, fraud and ransomware attacks on the servers that host them.
  • Client-facing web portals – Often an extension of database systems, client-facing web portals will allow the client themselves to go in and look at their transaction history, bills, records, etc. Usually this calls for a different server or some other bolt on technology solution. This has several concerns. While downtime is one, the bigger risk is the potential for a web-facing portal to be attacked as well as the need to encrypt sensitive data from the client to the back-end system so that it can be safely transferred.
  • Remote access or terminal solutions – There are many use cases for this, but often businesses utilize things like Citrix or Microsoft Terminal Services to allow staff to either work remotely or ease the deployment of server-based applications from either a processing or cost perspective. As you might imagine, controlling access to these “remote desktop” environments is a key security concern.

This is certainly not exhaustive, but for the purposes of this exercise, we’ll stick with these core technology functions.

Disaster Recovery Solutions to Consider

In 2019, I think it’s safe to say that the business functions represented here haven’t changed too much. Just because the technology around it has changed, it doesn’t mean we don’t need a CRM, for example.

So what kind of cloud-based infrastructure would I imagine being in place now for this scenario? Let’s come up with another list that runs in parallel to the previous points, but this time, we’ll discuss the changes in risk to consider to the small business. We’ll assume for this example we can move everything to the cloud even though that’s not always the case. Afterwards, we’ll revisit these infrastructure changes and how they changed our mindset on disaster recovery and risk management.

  • Files and User Rights Management – A general solution to this for most small businesses now is the Microsoft hosted services offerings, either just through the Microsoft Office 365 suite of products or perhaps hosted Microsoft Azure servers. To the end-user, this likely won’t be apparent because the changes are usually on the back end rather than changes to workflow. But now every time we save a file, that goes off to the Internet, and now our rights management runs through a 3rd party solution that could be subject to fraud from someone abusing the client’s administrative credentials.
  • Email – This almost certainly would be with Office 365 or something similar. We basically don’t need to worry about uptime, storage and backup on a physical server anymore, but we do have to worry about credential abuse, fraud/phishing/social engineering, end-user device access and security management as well as Data Loss Prevention in the event information is sent out of the email system that should not be shared.
  • Databases and Applications – This change will probably be the most unique with options varying based on the application and the business utilizing it, but in this space, most business application providers have been building cloud-hosting applications or Software-as-a-Service (SaaS) solutions. Even if they don’t, you can usually spin up a server hosted elsewhere that can run the application in a “terminal” type mode. This reduces the risk of hardware downtime and improves continuity but does make us rely on the host to be stable and reliable, not to mention the fact that we require a stable connection just to access this hosted application quickly and effectively over a long distance.
  • Web portals – Along with the fact that the core application moved to the cloud, it also means you don’t have to be a web-facing point of entry. Either the application provider themselves will provide the portal, or you can build one in someone else’s data center. For most small businesses, this can be a huge upside of moving core applications to the cloud.
  • Remote access – For one thing, you might not even need a dedicated remote access solution because everyone is a remote user when you are hosted elsewhere in the cloud, technically speaking. What you may need to concern yourself with is the user access control. Now that everyone is remote, how can we be sure that the people connecting are who they say they are? We made it easy to work remotely, but we may be making our assets too visible to the outside world.

Evaluate Risk Management Plans

If it is not already obvious, when we made the changes to utilize the cloud for this example, it’s not that our risks were eliminated by getting rid of the onsite servers but rather that our risks changed. So when we make the move to the cloud, it is a good time to evaluate our risk management plans. Here are a few things that I would recommend this small business do after they moved to the cloud to deal with new risks.

  • Authentication and User Access Control – Bad guys on the Internet probably won’t be doing things to take down your infrastructure quite as easily in the cloud with perhaps something like a ransomware attack, but if they are able to log into your Office 365 portal as an administrator, they can create fake users, access payment information, and commit other acts of criminality. We need to look at tools like multi-factor authentication, limiting points of entry into cloud systems and perhaps even utilizing monitoring tools to ensure that those who access our system are who they say they are.
  • Data management – One tendency users sometimes have is to NOT utilize their new cloud solutions and instead fall back on saving important files locally instead of our new hosted file server. This kind of data sprawl can lead to data breaches, loss of non-centralized data in the event of device failure and other consequences. We need to make sure that our important data is protected, whether it is stored on a local device or in the cloud, and we will have to educate our users on the proper handling of data.
  • Device management – We’ve made the server infrastructure more stable by moving to the cloud, but we may not have the same governance over devices, both for PCs and Mobile Devices accessing our cloud assets. Before moving to the cloud, we must determine what we can do to protect those devices and more importantly the data that flows through them.
  • Connectivity – If your office’s Internet connection goes down and your core systems are hosted elsewhere, now your data is inaccessible from the office by the entire staff. It’s often a good idea to either have redundant Internet connections or alternative work locations once you leverage the cloud to avoid these connectivity risks.
  • Training – This really would apply to any environment but is especially relevant to the cloud. Users are now the primary targets of cyber-attacks. I can’t stress that enough. We need to communicate and get sign off on new expectations when it comes to acceptable use, incident response, data sharing and other policies related to the safe use of computing technology. Many training plans created by organizations utilize outdated ways of thinking about cyber-security for the end-user, so now that we are in the cloud, we should revisit how we train our team.

Final Thoughts

Obviously, this is a huge oversimplification of the thought process behind a move from a traditional on-site environment to one in the cloud, but I wanted to use this blog as an opportunity to stress that changes in your IT infrastructure or other business changes are the time to revisit things like disaster recovery and other technology risks.

If you are concerned that maybe now is the time to change your environment, or if you feel like your risk management plans aren’t necessarily aligned with the way you work today, feel free to contact us to discuss the matter further. Thanks for taking the time to read and consider my thoughts on the matter!


Ben Schmerler

About the Author: Ben Schmerler is the Director of Strategic Operations at DP Solutions, an award-winning managed service provider (MSP) headquartered in Columbia, MD. Ben works with his clients to develop consistent strategies not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns.

You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc