The annihilation of cloud services company Codespaces should raise serious questions for any company that hosts some or all of its data in the cloud, says Warren Olivier, Veeam Regional Manager for Southern Africa.
“The ability to work in the cloud gives us unparalleled flexibility at low cost,” says Olivier. “But the lesson from the Codespaces disaster is that we can’t afford to get lax about security: We have to apply the same good practice principles to avoid data loss, no matter where our data is located.”
Olivier says Codespaces, a seven-year-old business that hosted data for its customers, was destroyed in less than a day after a lone hacker gained access to the controls of its Amazon Web Services account. The hacker first tried to extort money by launching a distributed denial of service (DDoS) attack; when Codespaces employees tried to regain control of the account, he responded by deleting all of the company's data, including its backups.
“This is a story to send shivers down the spine,” adds Olivier. “But it’s also a lesson in the value of sticking to the basics. No matter how technology changes, the basic rule of maintaining data availability stays the same: Keep at least three copies of your data, in two different media, one of which must be kept in a separate location. If Codespaces had followed this 3:2:1 rule they’d still be in business.”
In the case of cloud services, Olivier notes that the requirement for a separate location can easily be fulfilled by keeping secondary backups hosted by a different service provider. “The important thing is that there should be no way of moving from one environment to another without going through a new authentication process — you can’t have one set of keys that opens two buildings.”
Verified protection that ensures data can actually be recovered is equally important, notes Olivier. “You can outsource your backups to a cloud service provider, but you can’t outsource the responsibility for ensuring that your data is protected, always available and can be recovered quickly when the need arises. A recovery time and point objective of 15 minutes or less is now achievable for most organisations.”
“Your SLA should specify exactly how and where backups are stored and protected, and provide verification that your data is recoverable. Your service provider should be able to act as a trusted advisor, making you aware of what the threats are and advising you on appropriate risk management and mitigation strategies.”
“Disasters can happen to anyone, anytime,” says Olivier. “Whether they’re real or virtual makes little difference — a fire or flood can take out your business as effectively as a malicious hacker. Giving yourself the ability to recover from a disaster, by having reliable backups you can actually restore from, is what distinguishes the survivors from the statistics.”