The Cloud is not a Miracle – Do Your Homework

As more people and more businesses embrace the cloud, the opportunity for disaster goes up.

For example, we have seen companies move to the Amazon cloud and then be surprised when their web sites go dark (see this example).

There are no silver bullets when it comes to data center availability and the cloud is not one.

The cloud can both help you and hurt you; good design and architecture still “rules”.

Here is a recent example.

MJ Freeway makes marijuana grow and dispensary software that helps businesses comply with the law and manage their businesses.  They claim to have processed $5 billion in transactions for the MJ industry,

Their solution is cloud based, making it easy for businesses to use their software.  Until they have a problem.

MJ Freeway’s cloud  based solution was hacked, blinding a thousand dispensaries – unable to track sales and manage inventories.  For many of these stores, that means closing the doors until they can get the problem resolved.

But the attack was interesting.  All the data was encrypted, so the hacker could not use the data.  That however, does not appear to be the hacker’s objective.  The attackers targeted live production servers and backup servers at the same time.

Because it took MJ Freeway several hours to discover the attack, the attackers had a head start and because they attacked the primary and backup sites, clients had an outage.

Some customers maintained their own personal, offline backups of their data.  Those customers were able to restore their data as soon as MJ Freeway had a stable web site.  While it was wonderful that these users did not lose any data, they were still down until their vendor could create a stable operating environment.

For users that depended on their cloud service provider to backup their data, they had a bigger problem.  Since the primary and backup web sites were attacked at the same time, no online copies of the data were usable.

The “seed to sale” data was, apparently, corrupted and may not ever be recoverable.  What that means to those dispensaries from a legal standpoint is not clear, but can’t be good.

If the hacker’s objective was to ruin these companies – to bankrupt them – to run them out of business – that may be a great way to do that.

If their objective is just to cause the dispensaries pain – including lost sales, lost customers forever (to competitors), lost business to MJ Freeway, fines for regulatory failures and a host of other costs, the hackers may well have succeeded.

However, this is a great lesson for all businesses – whether you are in a semi-legal business like marijuana or a totally mainstream business like retail or services – the cloud is a wonderful tool.  It is not, however, a silver bullet.

Cloud services go down.  They lose data.  Sometimes they go out of business unexpectedly.  Who is liable typically depends on the terms in the contract.  If the contract was written by the online service provider, you can count on the contract saying that the provider is not responsible for anything.

Plan for a disaster.  Plan for a cyber incident.  WHEN something unexpected happens (notice I said when and not if), you will be in a much better position to deal with it.

Two terms in the disaster recovery business should be in every business that uses cloud services (and others too) lexicon:

RTO – Recovery Time Objective – How long are you willing to be down for.  If the answer is a day or a week, how you prepare for a disaster is different than if the answer is 5 minutes or an hour.

RPO – Recovery Point Objective – How much data are you willing to lose (or how far back in time are you willing to restart at).  If you can lose (and I assume, recreate) a day’s worth of data, it is easier and cheaper to build a disaster recovery plan than if the answer is 15 minutes.

So everyone who signs up for a cloud solution, keep in mind that sometimes, where it is cloudy, it rains and when it does, if you have an umbrella (aka a disaster recovery plan) then you are likely OK;  however, if you don’t have that disaster umbrella, you are going to get wet;  possibly very wet.

As those dispensaries discovered; your profit can go up in smoke and not in a good way.

Information for this post came from Network World.

Leave a Reply

Your email address will not be published.