
James T Harmening Computer Bits, Inc.

9.2 WHAT ARE MY RISKS?

With computer systems there are many risks: hardware failures, software bugs, internal users, physical security, power outages, Internet outages, hackers, viruses, malware, outdated software, lost or forgotten passwords, and out-of-date backups. In Figure 9.1, we see internal users and malicious employees lead the way. More risks include cost increases, deferred maintenance by your provider, and weather-related risks to the hosting site or sites. Managing these risks has become important to most businesses, and utilizing technology and third-party partners to reduce your risk and increase your uptime is a shared goal among all providers and clients.

9.2.1 Hardware

One of the most important risks to consider is hardware failure. As shown in Figure 9.2, redundancy in hardware is important; having duplicate servers acting in concert will allow for protection against a full server failure. You should ask the questions: What is the hosting company doing to mitigate the possibility of hardware failures? What kind of monitoring of their infrastructure is being done? Do they have the ability to move you off hardware that is sending out signals that it is failing? Do they even have signals that their hardware is failing? High-end cloud hosting sites will give you a detailed description of how they mitigate the risks of hardware failures. Server monitoring of the “health” of hardware is a key component in minimizing a hardware failure. Typically a disk drive does not fail in a nanosecond; there are signs that the drive is failing. More read errors, slower access speeds, and the age of the hardware all play a role. Using predictive and monitoring tools, you can replace hardware before it fails. Redundant hardware is also recommended. Is there a mirror image of your system in another data center? Are the drives in use RAID (redundant arrays of inexpensive disks)? Ask the questions. Redundancy is a must if you do not know where the hardware is.

FIGURE 9.1 Who is the biggest security risk? (Biggest security risks: internal users [spam, phone calls, posting online, bad websites]; physical security [stolen laptops, phones, tablets]; outdated software; hackers.)

[Figure: Redundant!]

9.2.2 Software

Infrastructure software needs to be kept up to date. This is not about the applications and server software managed by the end user; it is about the infrastructure management by the cloud service provider. If the platform is not being maintained properly, hackers and crackers may be able to get at your data. A good question to ask is, how does the service provider handle updates to the BIOS? When a bug fix comes out for the virtual server software, is it installed in a timely manner? Ask about the age of the software running the virtual machines and what the planned life cycle of the software is. Three years is a lifetime in the computer cloud business.

9.2.3 Internet Outages

Is there a failover plan for the Internet? How about the domain name system (DNS)? Will your site be live if one of your service providers’ Internet access points becomes unavailable? Having an outside DNS provider that monitors the status of your website and allows you to switch to a new DNS is a must for protecting your high-availability sites.

Do not forget about the local Internet as well. There are now options to have multiple Internet lines into your office with a load-balanced router. If all of your applications and data are in the cloud and you have an Internet outage at your office, you will lose time and money. Think about having dual lines at your office with automatic switching or load balancing in order to eliminate a single point of failure at your office.

9.2.4 Denial-of-Service Attacks

One way to bring a site down is through remote computer networks sending requests to your service provider. This is sometimes referred to as a robot or bot attack. Will they be successful? Is the service provider ready for external attacks? There are high-end routers that can handle and turn away denial-of-service (DoS) attacks; is one included in your monthly fees or do you have to purchase one? Most large firewalls at cloud service vendors will identify a DoS attack and turn it away before it reaches your site, but it is best to check with the vendor to make sure this is the case. For level one hosting providers, the DoS attack should never get close to your hosted system, unless the attack is coming from within your network.

9.2.5 Hackers

Hackers are typically searching for easy prey. You may want to find out who else is managed by your service provider. Are there any high-profile companies on the same systems you will be renting? Checking who is in your data center or what types of businesses are in the data center may give you some idea if the vendor or their clients will be a target. There is a whole computer underworld that searches the web for the weakest link and then takes advantage of it for as long as they can. Limiting user rights and access will limit what a hacker has access to as well. Be careful about giving out system rights or access to lots of sensitive data.

9.2.6 Password Chances

How many chances do you get to log in with a bad password into your infrastructure management? Is it an easy target? How about your own users: is there a limit set and a waiting period? One example of cloud services being hacked is Apple’s iCloud picture storage. Famous people with iPhones were targeted and passwords were guessed to get into their private photo streams. There were no limits on password guesses, so the thieves guessed common passwords and came up with the ability to get pictures and information from their iCloud accounts.

A good rule is that after three to five bad passwords the system will lock you out for 15–30 minutes. You may be able to choose the number of incorrect logins and the number of minutes to lock you out depending upon your service provider and operating system. In addition to the lockout period, an e-mail alert is usually sent to the user and an administrator notifying them of the invalid password attempts and the IP address of origin. When this happens the system administrator should e-mail or call the user and make sure they were the one who typed in the wrong password. Maybe the CAPS lock key was on or they just forgot. If the user was not the culprit, then the administrator may want to block the IP address from ever getting into the network again. Blacklisting IP addresses that generate invalid passwords that cannot be traced to a person is a good practice for the security of your network.
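The lockout rule above, as an added example that is not part of the original chapter: a small policy object locks an account after five consecutive bad passwords for 15 minutes and records an alert carrying the source IP addresses. The class, the event format, and the sample users and IP addresses (reserved documentation ranges) are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # chapter's rule: three to five bad passwords
LOCKOUT = timedelta(minutes=15)   # chapter's rule: 15-30 minute lockout

class LockoutPolicy:
    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT):
        self.max_failures, self.lockout = max_failures, lockout
        self.failures = defaultdict(list)  # user -> source IPs of consecutive failures
        self.locked_until = {}             # user -> time the lockout ends
        self.alerts = []                   # what would be e-mailed to user and admin

    def attempt(self, user, ip, when, password_ok):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        until = self.locked_until.get(user)
        if until and when < until:
            return "locked"                # refuse even a correct password while locked
        if password_ok:
            self.failures.pop(user, None)  # a good login resets the counter
            self.locked_until.pop(user, None)
            return "ok"
        self.failures[user].append(ip)
        if len(self.failures[user]) < self.max_failures:
            return "denied"
        # Limit reached: start the lockout and record the alert with the origin IPs,
        # so the administrator can confirm with the user or block the address.
        self.locked_until[user] = when + self.lockout
        self.alerts.append({"user": user, "ips": sorted(set(self.failures.pop(user))),
                            "locked_until": self.locked_until[user]})
        return "locked"

def replay(events, policy=None):
    """Feed (user, ip, when, password_ok) events through the policy in order."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(*e) for e in events], policy.alerts

# Constructed sample events; IPs are from the reserved documentation ranges.
T0 = datetime(2024, 1, 1, 9, 0, 0)
at = lambda s: T0 + timedelta(seconds=s)
SAMPLE_EVENTS = (
    [("alice", "198.51.100.20", at(0), False),    # CAPS lock on, then corrected
     ("alice", "198.51.100.20", at(20), True)]
    + [("bob", "203.0.113.7", at(60 + i), False) for i in range(5)]  # guessing run
    + [("bob", "203.0.113.7", at(70), True),      # right password, still locked
       ("bob", "198.51.100.20", at(64 + 15 * 60 + 1), True)]  # after the lockout
)

if __name__ == "__main__":
    results, alerts = replay(SAMPLE_EVENTS)
    print(results)
    print(alerts)
```

The counter here tracks consecutive failures per account; a deployment would normally also expire old failures and persist the state across restarts.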

9.2.7 Passwords

If your only access is through the cloud, then how strong is your password? Where is it kept? Do you have a policy about passwords and how often you must change them? Using a long password with upper/lower case, numbers, along with special characters can slow down and in most cases prevent a hacker from guessing your password. More and more, the use of online password management systems may be an option for most users. Some popular examples are Password Genie, Sticky Password Premium, Keeper Password Manager and LastPass Premium. Most come with the apps to work on your phone, tablet, and desktop system.

9.2.8 Performance

Are you getting what you paid for? Do you have the access speeds, processing power, memory usage and CPUs you are paying for? Make sure there is a way to monitor and test your cloud equipment. If a service provider is oversold, you may have great response times apart from peak times of the day. Be careful to make sure it is an issue with the service provider and not your local Internet speed; making sure the performance metrics measure the correct items is critical in correcting any potential problems.

9.2.9 Reliability

How old is the hardware? Will you be informed if you are moved to different hardware? How reliable is the system? How reliable is the power? How reliable is the weather?

9.2.10 Data Leaks

Do you have any fear of data access from the provider? Who has access to your information? Is there any way to tell if your data are accessed from outside your virtual machine?

9.2.11 Vendor Viability

Be careful who you jump in bed with. Is the vendor able to meet their income requirements to stay in business? Are they solvent? Are there pending lawsuits?

9.2.12 Level of Support

What level of support can you count on in case of a problem with the entire system? Are you high enough on the food chain to warrant immediate response or are there bigger fish that put you at the bottom of the list?