As our thoughts and prayers go out to those affected by Super Storm Sandy and the many who continue to deal with the aftermath of the storm, it seems timely to also reflect on the lessons learned from this natural disaster. What can we glean from Sandy that will help us deal with security events as disruptive in nature as Super Storm Sandy? Do we need a strategic shift in how we respond to incidents? What are key security observations from this storm? Consider these three key learnings:
Plan for All Disasters, Not Just Natural Ones
Disaster recovery is about preparing and recovering from any event that impacts business and infrastructure continuity. In this case, it was super size storm, but it could have been any event –power failure, floods, earthquakes or a targeted attack. Disaster recovery is not only about preparing for something that may happen to your business at some point (the disaster), but also the ability to safeguard and restore the data (recovery) so you can get back to business as usual.
The best practice for disaster recovery involves adequate planning and investment to ensure every potential disaster has an appropriate solution. This can range from what to do due to loss of electricity or lack of fuel needed to power backup generators, to the operational aspect of disaster recovery such as operating procedures, staffing support plans and backup communications. Because disaster recovery is a continual process of analysis and improvement, frequent drills must be held to instill processes and procedures. It’s very similar to what we incorporate in training for other activities – for example, the key part of pilot training isn’t just how to fly an airplane, but how to react when something goes wrong with the plane or engine.
But, it’s important that this planning extend to network security as well. If Mother Nature can deliver so much havoc, then can your IT infrastructure, electric utilities and water systems withstand intentional modern attacks? Homeland Security Secretary Janet Napolitano said after Sandy, "If you think a control-system attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities." How will your team handle a breach in the network in a way that mitigates and minimizes downtime for the network, and protects other critical data? There is no guarantee of 100 percent security for your network, therefore a good security architecture must be balanced with preparations for network breaches, however infrequently they may occur.
The proper network security plan can accomplish a number of key goals - minimize loss of data, address regulatory compliance issues and preserve appropriate information so that your forensics team and/or law enforcement has enough information to identify the attackers and prevent attacks from occurring in future.
Consumerization is Alive and Thriving
In the aftermath of Sandy, a key portion of the East Coast population either lost access to applications (email servers etc), or were unable to physically get to their offices. Many defaulted towards using consumer applications for business – Google Mail, Skype, Dropbox.
The behavior of leveraging personal technology and applications isn’t new. How many of you have sent documents to co-workers via Dropbox because you didn’t want to send huge files via email and crash a co-worker’s inbox? We’ve been seeing this dissolution of traditional distinction between business and personal use within the enterprise, and this behavior will continue. In this case, the ability to utilize these applications during the storm actually enhanced business productivity. At the same time, it does stress the need for network security that can safely enable applications based on users, applications and content. For example, the Dropbox application should have been enabled only for the right filetypes and functions (i.e. no uploads of sensitive corporate information), whether during sunny or stormy days.
After Sandy dissipated, many who didn’t have power or Internet access also favored mobile devices like phones and tablets to communicate and work, charging these devices using their car chargers. This brings the concept of working from “anywhere, anytime, from any device” to a whole new level. In fact, what we traditionally may consider an endpoint problem is clearly also a network and data center problem, as appropriate access to applications should be enforced depending on what types of devices are used (sanctioned IT devices versus personal devices). Clearly, businesses with a more open culture that embraced consumerization, and had developed the proper security policies to be consistently enforced, continued to be productive in the aftermath of the storm.
Select the Right Partner and Architecture
Finally, I think we can agree that selecting the right partner is important, and this is most obvious during a crisis. Businesses that picked the right data center provider with the proper scalability and redundancy architecture, were able to withstand challenges from the storm. Others such as Huffington Post, Gawker, and Buzzfeed were unfortunate enough to have the data center that hosted their web services flooded, and without proper geographically dispersed redundant sites, incurred some significant down time. The right security architecture goes hand-in-hand with any data center architecture, and the simplest design wins. The simplest designs succeed at being highly available, while more complex and over-engineered designs introduce more variables, human error, and risk that can even reduce uptime if not properly designed.
The ability for anyone to be completely prepared for a storm the magnitude of Sandy is unlikely. What we can do is move forward, learn and deal with future disasters. Similarly, on the security side, it is about understanding the trends with modern attacks, consumerization, and mobile devices, and learning to plan and design for them from a security perspective so that few surprises will occur. And if surprises do occur, then hopefully your disaster recovery plans are in place to deal with them.
Related Reading: Business Continuity Planning in a Cloud Enabled World