The Internet is a wonderful tool when it works, but we are increasingly at a loss when it encounters problems. Steve Durbin, Global VP at ISF (Information Security Forum) looks at what organisations should do to minimise the risks.
Server outages at global ISPs may be an extreme case, but they illustrate the challenge faced by businesses that are shifting a growing proportion of their information and transaction infrastructure online – often to cloud-based computing.
The growth in cloud computing is one example of the trend towards ever-greater reliance on the Internet. Moving to the cloud and making use of virtualised servers makes sense financially, but organisations need to be aware of the inherent risks, and ensure they are prepared for infrastructure failure when it comes.
Threat of infrastructure failure
ISF’s Threat Horizon 2012 report highlighted infrastructure failure as one of its top 10 threat scenarios. The report highlights how companies have come to rely on Internet-only sales channels and mechanisms, to the extent that most people only have one way to perform their day-to-day transactions. Poor Internet resilience, especially at ‘pinch-points’ in the network, results in frequent and sustained regional Internet outages and prolonged loss of service.
The threats to business come from loss or damage to communications links or services – often as a result of under-investment in infrastructure – and from malfunctioning equipment, associated with a lack of resilience.
The impact of such outages is a direct loss of business, and increased costs to provide work-arounds, potentially leading to reduced transaction integrity and associated fraud. In addition, there may be a loss of trust in the Internet, and customers moving to competitors able to offer an easy alternative.
While the threat of infrastructure failure is a future scenario, there are very real issues confronting organisations that want to move to cloud and Internet-based sales channels today.
Organisations that increasingly rely on the Internet to conduct business, or serve the public, will require some kind of quality of service (QoS) guarantees – which will add cost, as well as run into issues over net neutrality. Also, who is going to fund the necessary investment in Internet infrastructure to deliver the capacity and ‘intelligence’ it needs, and what is the payback for anyone who does?
Another issue for Internet-based critical communications and online transactions is that networks are always susceptible to physical damage. Internet channels are only as resilient as their weakest link.
Wireless Internet access has got people used to the idea of ‘always-on’ connectivity. While this helps staff work more efficiently off-site, few consider how secure these connections are, so organisations need to ensure security is made easy for staff.
Finally, a vital element in the successful deployment of cloud computing and Internet-based services is supplier trust. Buying cloud computing is just like buying any other service, and organisations must ensure they research and question potential suppliers thoroughly.
What can companies do?
Having established where the critical parts of IT infrastructure lie, and the risks associated with their loss or degradation, organisations should put in place a framework of controls for securing it, recognised at a senior level and based on the participation of critical infrastructure stakeholders – including information security practitioners.
Organisations should give special attention to the selection and application of a balanced set of controls to protect systems that support critical infrastructure. Where it is not possible to apply a balanced set of controls, alternative measures should be used.
In selecting controls, organisations should adopt security architecture principles, such as: ‘defence in depth’; ‘least privilege’ (granting minimum possible privileges to users); ‘default deny’ (denying access to information systems by default to prevent unauthorised access).
Another important aspect to ensuring the resilience of critical infrastructure is to reduce single points of failure. To ensure that critical infrastructure is available when required, supporting information systems should run on robust, reliable hardware and software, and supported by alternative or duplicate facilities.
When it comes to outsourced cloud computing services, it is crucial that third parties are well managed. Measures that help reduce the information risks associated with using third parties include reviewing and, where necessary, updating contracts and agreements to include statements regarding security requirements, roles and responsibilities, the right to audit and incident reporting.
Organisations should consider the use of an internationally recognised information security standard, such as ISF’s Standard of Good Practice for Information Security.
While the Internet does have a high degree of resilience, experience shows that we cannot expect 100% uptime. Overall, the Internet is only as good as its weakest link, and preparing contingency plans to operate businesses in the event of failed or reduced Internet service should be a priority.
ABOUT STEVE DURBIN
Steve Durbin is Global Vice President of the Information Security Forum (ISF). He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors. He was latterly Ernst & Young’s sales and marketing director, focusing on the fast-growth entrepreneurial sector of the market across Northern Europe, the Middle East, India and Africa.
Steve has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. As global head of Gartner’s consultancy business, he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets.
Steve has been involved with mergers and acquisitions of fast-growth companies across Europe and the USA, and has also advised a number of global technology companies on IPOs both on NASDAQ and NYSE. He has worked strategically with clients in the pre/post sales environment and has developed and directed strategy to achieve rapid market share and profitable growth