
Cloud Service Providers Are Not Immune from Ransomware

You moved your applications to the cloud.  Now you don’t have to worry about managing IT systems.  The headaches are someone else’s.

Well sort of.

Here is what customers of QuickBooks cloud hosting provider iNSYNQ are seeing when they try to log on:

This is what they have been seeing for the last three days.

The hosting provider experienced the ransomware attack on July 16.

The company’s web site says that they are now beginning to restore users’ data, but the process will take a while.

They are saying that some files (they are not saying how many) were encrypted and they hope that you made your own backups.  They are trying to figure out how to deal with those encrypted files.

And, oh yeah, from now on you should probably make your own backups.

And what, exactly, am I paying you for?

So what does this mean for you?

Let’s assume for the moment that you are not an iNSYNQ customer, since most of the planet is not.  And, I suspect, many of their current customers will not be their current customers for long.

First, DO NOT assume that because you moved something to the cloud, things are not your responsibility any more.  It is like your self-driving car: you had better be ready to stomp on the brakes in case your car makes a mistake.

Check your cloud service provider’s TERMS OF SERVICE.  Likely it says that they are not responsible for many things.  Make sure that, for those things, you have a plan.

Many cloud service providers have a “shared responsibility” model at the core of their offerings.  That means that they acknowledge that they are responsible for some things, but you are responsible for others.  Make sure that you know who is responsible for what.

Understand what the provider’s guarantee is regarding uptime.  iNSYNQ has been down for 7 days and says that it will be more days before they are back up – possibly minus your data.   Most of the time the guarantee says that they will get things working again as best they can, but with no time frame.  Is that going to work for your business?  In this case, it is the client’s accounting software.  Is not being able to write checks a problem?  Is not being able to run payroll going to bother anyone?  Is losing years’ worth of financial data going to upset your investors, your regulators and your customers?

DO YOU HAVE A PLAN FOR WHAT TO DO IN A CASE LIKE THIS?

Lastly, does the provider offer a guarantee?  Often they will not charge you for the time they were down.  Let’s say they charge you $200 a month for their service and they are down for two weeks.  Likely that means that they want you to pay your bill for the month, but they will very generously give you a $100 credit on that bill.

DOES THAT COVER YOUR PAIN?  I DIDN’T THINK SO.

Maybe your accounting software is not terribly important to you?

What about your web site?

Or your manufacturing software?

Or whatever else you moved to the cloud.

Understanding the risk is a good thing.  I strongly recommend it.

Source:  The iNSYNQ website, here and here.


Credit Cards in the Cloud, Oh My!

Way back in the dark ages of 2013 the PCI Security Standards Council (PCI SSC) released a document regarding processing credit cards in the cloud.  It was 52 pages.

This month the PCI SSC released a new version of that same document.  It is now 83 pages.

This version seems to better understand the risk of the cloud – where you don’t even know what precise infrastructure you are running on.

Ultimately, if you accept credit cards, you own the risk and contractually, you are responsible, even if the cloud provider says “trust us”.  For a copy of the new standard, click here.

Information for this post came from The Register.

What does this mean for you?

Of course, if you don’t accept credit cards, then it is not a concern, but most organizations do accept payment cards in some form.

Some companies have outsourced payment cards to companies like Paypal or Square.  That used to mean that you weren’t accountable for security, but that changed a couple of years ago.  The requirements are simpler, but you still are responsible.

But let’s say you are a company that does e-commerce and the servers run in the cloud.  You may collect the credit card info and hand it off to a gateway.  This applies to you.

In general, all companies that accept credit cards are required to complete an assessment at least once a year.  The PCI Council has created over a dozen different assessments, depending on your configuration.

For everyone but the largest players, you can do the assessment yourself.  You can also get an outside provider to help you complete the assessment.  We call this a guided self-assessment. You are responsible for the results, but we can help you navigate the process.

Your credit card processor can fine you, or drop you altogether, if you do not provide them your completed assessment when they ask.

Also, the assessment is pass-fail.  Either you answer all the questions correctly, or you fail.  One NO is a fail.

If you have questions, please give us a call.