IS IT A CLOUD? IS IT A HACKER? NO, IT’S A SPOF!
In insight / By Charles Christian / 16 March 2017
At the beginning of March this year, Amazon Web Services suffered a spectacular outage that not only brought down a sizeable chunk of the public cloud in the United States but also, with it, a substantial number of online services hosted on AWS.
Unlike some of the other internet and online service outages we’ve seen in recent months, what is now known as the Amazon S3 incident was not the result of hackers, a cybersecurity breach or even a distributed denial of service (DDoS) attack. Instead, it was down to good old-fashioned human error.
It arose because one individual, who was carrying out scheduled maintenance work on some servers, entered a routine command to shut down one server. Unfortunately one of the digits he typed in was incorrect, so instead of shutting down one server, he inadvertently shut down a whole network of servers, which in turn set off a domino effect that cascaded throughout the internet.
It was the typo that nearly broke the internet.
Not surprisingly, many people were quick to point out that this is a classic reason why, if you are running a business, “the Cloud” is an inherently dangerous platform to rely upon. Well, “up to a point Lord Copper”…
It is certainly true that if you are running a law firm and have ALL your data stored in the “public cloud” and ONLY in the cloud – say on Dropbox or Google Drive – and, for whatever reason, you are unable to access them, your practice administration is in trouble and going to grind to a halt. (You are also going to be in breach of, among other things, Principle 8 of the current SRA Code of Conduct that requires you to “run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles.” But let’s not get into that!)
However, nobody in their right mind should store their data in such a fashion, not because it is the cloud but because it exposes you to the risk of what is known as a single point of failure (or SPOF – of course there’s an acronym) where the failure of just one element can stop an entire system from operating properly.
Back in the early days of legal technology, it was not unusual to hear of law firm computer networks crashing because some cleaner had inadvertently unplugged the server so they could free up a socket to plug in a vacuum cleaner. We’ve moved on a bit further since then (but only a little bit); however, the Amazon S3 experience highlights the continuing risk of SPOF, particularly with such things as online and cloud services.
The problem is there are so many potential SPOFs.
Is it a firm’s own routers and/or the way its PCs and network are configured? Is it the firm’s access to its internet/broadband services providers? For example, there was a major outage in central London a couple of years ago caused by a fire in some underground conduits in Holborn carrying broadband and telecommunications cabling. (In fact people digging holes in the road and cutting through cables are an ongoing risk.) Is it a local problem with one of the online services you rely on? Over the past year various UK banks have suffered system failures and been unable to process online banking transactions. Is it a more widespread internet/world wide web problem, such as the Amazon incident? Or, has your cloud services provider gone out of business? And that is a very real risk that has hit a number of firms over the years.
The dilemma is that these services are all so convenient when they actually work that it is no longer a viable option to totally avoid them. Instead, firms need a Plan B: contingency planning involving some form of backup/system level redundancy, so if a key component or service fails, it doesn’t bring the business to a grinding halt. You don’t just have one hard drive that all data is saved to, you have multiple drives that data can be saved to. In fact many firms will now either have their own disaster recovery (DR) facility or subscribe to an external one (or should do) that replicates/mirrors their entire network and data in a secure secondary location.
This is also the reason why many cloud services are now bundled in with DR and business continuity services to provide an essential element of resilience. This is sometimes called a hybrid cloud solution, offering a mixture of public cloud services (such as Dropbox), private cloud services, and on-premise technology. And your hybrid solutions are not just limited to three options: one cybersecurity vendor I met with recently can offer its software in a total of 18 different permutations, ranging from all in-house to all in the cloud.
This way, you get all the flexibility of the cloud when you need it but, if there is a problem with the cloud, you can still access your data. Similarly, if there is a problem accessing your on-premise technology – and it could be something as mundane as a power cut or a train strike so you can’t reach the office – you can access it via the cloud.
The obvious downside is that all this DR/backup/redundancy to create a resilient system – in other words one that is not at risk of a single point of failure – costs money. And all too often law firms decide this is one area of technology expenditure where they can afford to make economies. If you are prepared to take such a risk, then fine – until something goes wrong! Then, when you start comparing the cost of creating a resilient system with the cost of recovering from an IT “disaster” and the loss of billable fee-earning time, you may find your cost-cutting was a false economy.
Building a resilient tech infrastructure is like house insurance. You pay your premiums not because you think your house might burn down but because you know the risk of being uninsured in the event of a fire is unacceptable.