

09 March 2017

BC Information - Not always secure and Not always on? Some simple solutions


A number of recent incidents have highlighted the issue of data management, and the media is awash with high-profile commentaries on this subject.

In recent months we have seen stories of cyber-issues with the alleged email hacking of the Clinton camp during the election and external interference in the democratic process. And even in the past few days, Amazon's claim of nigh on 100% availability from its cloud infrastructure lay in tatters after its largest US cloud region suffered an outage for over 4 hours.

Security and Availability

The two subjects of availability and security are inextricably linked. For effective recovery I need access to information and to know that it is accurate, up-to-date and secure. These are fundamentals. Now, the good news is that there is undoubtedly a growing focus (quite rightly) on these issues, but why does the pace of change seem at times to be so slow, and why the inconsistency across different markets?

Whilst some businesses tend to cling to their own data, batten down the hatches and erect virtual barbed-wire fences, this is not always a practical approach when data needs to be accessible from a range of external locations, particularly when internal systems suffer outages. Thus, information security and availability is very much a supply chain issue for most large organisations, with integrated third-party systems and/or trusted external suppliers providing crucial components in the end-to-end process. But remember, it's your data and your responsibility. As in all 'best practice' arrangements, success depends upon mutual collaboration, understanding and taking a 'reasonable' commercial view leading to robust solutions. And, fundamentally, the answer is working with suppliers who can demonstrate that they are as scrupulous as you (if not more so) in their handling of your data: suppliers who have the right controls, processes and understanding of requirements.

We find that many RFP responses and contracts are now driven by the Information Security Management (ISM) team. It is a long, complicated process that is often very time-consuming. That's good news. I would expect the same and would be disappointed if it didn't happen, as is occasionally the case. Of course, this forensic investigation needs to be tinged with commercial realism.

So, where to focus on these two related issues?

Maintaining security and availability in a global market

Data - where maintained

The growth of 'cloud'. It's a much-abused term. Public cloud, private cloud. To cloud or not to cloud? It remains a hot topic, but one where we are seeing changes in the global landscape as there is growing acknowledgement that cloud does not automatically lead to a lowering of security standards. The real question is appropriateness. If challenged by the Board, can the resilience team demonstrate that they took appropriate measures to safeguard information?

Now, what is 'appropriate'? For a small business maintaining a web site that is principally brochure-ware, resilience may not be a primary concern. Lose the site for a few hours and there is no major damage to brand or business. But for a critical process in a major global organisation, appropriateness means different and better solutions. Redundant solutions and near always-on are the key. For BC this doesn't rule out cloud-based solutions; indeed, we have seen a growing recognition that such arrangements can provide the level of resilience and security that is appropriate for the purpose, and offer the benefit that your BC solution is not dependent on internal infrastructure. Private clouds, discrete databases for each client and full DR arrangements can provide solutions that equal (and in some cases exceed) the levels of availability of internal systems whilst maintaining segregation and security. This is a changing market and we see more aggressive adoption of 'cloud' in the US in particular, with, on the counter-side, a corporate aversion to all things cloud in other parts of the world, most notably the Middle East.

The other driver of appropriateness is the ability to handle the data privacy requirements in different countries and how this impacts on data management. Some global organisations take a commercial view that, in operating in a large number of regions, the commercial imperative to manage information in a central repository is justified. But, for many others, due recognition of local data privacy rules is the driver. For suppliers, such as my own, who work with large multi-nationals, this means multiple hosting environments globally to ensure that each client meets its local requirements. And issues such as Brexit will only add further complexity in this area. The world will undoubtedly change, but for the time being we are where we are, and it is important for businesses to ensure that due process is followed at all times.

  • Tip: be scrupulous but realistic in your expectations of availability. Are there single points of failure? What levels of redundancy and resilience feature in their processes/environments? Worst cases do happen, thankfully rarely, but does your supplier take as much care and responsibility as you would expect if you were in their shoes, providing the service? If you're not sure, then ask before you sign on the dotted line, not after.
  • Tip: ask your provider not just where their data centres are located, but whether your data crosses borders in any processes, e.g. to DR centres or other sub-contract supplier locations, possibly in other countries.

Data - security

Availability is key, but how secure is the environment? There will, inevitably, be a yin and yang relationship between internal risk/information security departments and their 'business' counterparts. Again, the keys are appropriateness and a degree of compromise. ISM departments will start from a base point of everything internal, and BC teams will start from the polar opposite: the need for availability and accessibility for effective BC processes dictates that a SaaS/external solution is the preferred start point. Inevitably this compromise is driven by some key principles when looking at external providers or hosted solutions:

Does your supplier have the credentials to effectively manage your data?

  • Are they ISO27001 accredited (or the North American equivalent, SOC2 Type II) and, if yes, is this across their entire organisation, not just selected parts, remembering that information security is as much about people and process as it is about technology?
  • Answers such as 'Well, our data centres are accredited' or 'We follow ISO27001 principles' are just not good enough. When/if you have to explain a data security incident to the Board, how credible will your story be if your key supplier is not formally accredited, a demonstration of independently audited quality?

Where is the specific hosting environment? What security controls do they have in place and do these extend to subcontractors? Intruder detection systems? Log monitoring? No single points of failure? What are their BC and DR structures? What are their guaranteed RTOs? Has the environment been penetration tested by third parties and is this undertaken on an ongoing basis? Will they allow you to pen test? Do you have specific SLAs for both availability and issues management/reporting?

  • Tip: make sure that your suppliers are ISO27001 accredited across their entire organisation, and all of their key suppliers too if they are involved. Merely stating that a data centre is ISO27001 accredited is NOT good enough if they have access to your data from other locations.

So, where now?

Accessibility is fundamental to effective Business Continuity

Most organisations understand and accept that choosing the right system to help manage BC activity should not be taken lightly and that due diligence should form part of the selection process. But due diligence is not just about function or systems; it is also about the supplier. Ask your existing or proposed supplier the key questions above and be ready to push further. If your supplier does not actively welcome the opportunity to demonstrate their security and availability credentials, experience, capabilities and accreditations, ask yourself why. Come the time that a major incident occurs (and it will!), the Board focus will inevitably and understandably be on the BC/resilience teams to demonstrate that they took reasonable and appropriate security and availability measures at all times, including across all trusted partners and suppliers.

Article by Charles Boffin, CEO, ClearView Continuity


Contact details

Company: ClearView
Name: David Honour
Title: Head of Marketing
Address: Astral House, Granville Way, Bicester, Oxfordshire, OX26 4JT
Telephone: +44 (0) 7999 334364
