Pratum Blog

Take any group of 100 people and you’ll have two camps. Those that have experienced the pain and suffering of warfare and those who have not. The same goes for cyber warfare. Those who have been through it have a much different perspective than those who haven’t.

Organizations have two choices. One, they can assess the risk and likelihood of being drawn into the battle based on their size, industry, affiliations, nationality or a hundred other socio-economic factors that could make them a target. Or they can stick their head in the sand and ignore the harsh reality of the world around them.

The biggest difference between cyber warfare and physical warfare is that most of us are far more likely to personally experience the effects of a cyber-attack. The attacks are getting more sophisticated. The losses from a single attack are growing. The pool of targets is ever increasing. It’s really just a matter of time before your organization is the target of a cyber-attack.

The question is, will you face reality and plan for it or be surprised by what most of us consider an inevitability?

Newton’s Law of Motion says that for every action there is an equal and opposite reaction. I feel like this is sometimes our approach to information security. An incident occurs and we feel the need to take immediate action to counteract what just occurred. If you’re a science buff, take a deep breath. I know I’m misapplying Newton’s law here. But seriously, how many times have you thrown some people, money or other resources at a problem without fully thinking through the issue? It’s natural to have somewhat of a knee jerk reaction in the wake of an information security breach.

Sometimes though, our best course of action is to take no action at all. Things are going to happen. Sometimes they hurt. Bad. That doesn’t always necessitate a full-on response though. Sure, sometimes we have to put on some window dressing for management, investors, clients or the media to placate them. However, as information security professionals we have a duty to assess risk and mitigate it with a proportional response. We need to take a deep breath and think through our response. Take the emotion out of it and base your decisions on risk and reward.

I’m not advocating for you to cover up and ignore an incident that needs attention. I’m saying take a deep breath and respond appropriately. The one who rushes into battle is likely fighting his last.

Moving to the cloud has many advantages. Spreading the capital costs of hardware and software across multiple organizations saves money. Having systems maintained by experts who focus on those systems 24x7 can improve availability. The list goes on and on.

One big question is what happens when the vendor of a critical cloud application goes belly up? Will you see it coming with enough time to plan for and execute a smooth migration to a new cloud provider? Will your business be able to handle the downtime associated with the cloud computing vendor’s demise? Source code escrow is a way to help insure you against a cloud provider going out of business.

Source code escrow forces a cloud application provider to provide copies of their source code to a neutral third party on your behalf. In the event the cloud provider is unable to meet their contractual obligations, you will be given a license and access to the source code to ensure you can continue to run the application in your own environment.

Just having access to the source code isn’t enough though. Here are some tips to consider when using code escrow services for cloud computing providers.

  1. Make sure the code base also has a current executable copy. Having to figure out all the steps needed to compile code in a pinch may not be feasible.

  2. Check with the escrow company on a periodic basis to ensure the vendor is actually putting new code in the vault.

  3. Ensure you have ready access to your data. Having a functioning system is great. Having your data in that system is even better. Ensure that regular backups of your data are going into the vault along with the source code.

  4. Keep a couple of good contacts at the cloud provider. If the company has gone under, those people will be looking for work and you’ll be looking for someone to help run the system in your data center.

  5. Getting code out of escrow typically involves lawyers and possibly the courts. Don’t expect this to be a quick and tidy process.

Even with these precautions, having a cloud application provider go out of business will cause serious headaches. Source code escrow services can minimize the long-term impact to your business, but they won’t help you in the short term. If you’re using cloud computing, part of your operations strategy should be how to deal with short-term outages. Be ready to put this plan in motion as you get your code out of escrow and build out the new system.
