Cyber Security Advice Questions

Submitted by xtramelanin on August 15th, 2018 at 10:27 PM

Mates,

As we wind down on OT season, I have a question I am hoping the many wizards of smart on this board can help with, and hopefully others can benefit from the answers.  I am curious about the best ways to manage the physical security of data for a business application.  The suggested methods of data back up and storage are:

1.  Purchasing a different network, in effect, and having on-site multiple servers which store all the data across multiple drives.  Cost less than $1,000.

2.   Or saving it in 'the cloud'.  Cost is pretty cheap, we already have that storage capacity paid for with other services.

I am concerned about the integrity of the cloud and what happens if, for instance, ohio loses power for 1/3 rd of our country again and we're cut off.  Similarly, what about on-site storage, not a good idea?

So our two questions would be:

1.  Of the two alternatives, what are the pros and cons of the suggested methods?

2.  Are there other methods you might suggest, and also, what about virus/ransomware suggestions?

Thank you for your assistance.

XM  

 

Comments

BlueMan80

August 15th, 2018 at 11:15 PM ^

Go with the cloud.  Let someone else handle the hardware and backup responsibilities.  It also makes upgrading your PC/systems easier.  Just point your new system at the cloud.  I’ve got multiple PCs connected to the cloud.  They share data with each other and with my smartphone and iPad.  In the not,so recent past, I worked with Box, Dropbox, and SugarSync.  They all have pros and cons.  Let me know if you need some help.

As for anti-virus protection, Malwarebytes is good.  I’ve lived with McAffee for many years because my former employer (Dell) was a partner of theirs.  There’s some new predictive software that recognizes code patterns to protect systems that is enterprise focused today.  (I.e, expensive). I’m assuming it will trickle down to consumers in the next few years.

ChiBlueBoy

August 15th, 2018 at 11:16 PM ^

Definitely cloud. If you aren't worried about the contract, I'd try AWS for the best security. Google and Microsoft Azure are the other big names. All 3 are secure, but they don't give you much comfort if there's a loss (e.g., agreeing to indemnification). Depending on your business (e.g., if you have client data), that can leave you exposed and basically insuring any loss by your cloud provider. There are some solid, slightly smaller providers, like Rackspace, that are solid, can manage your cloud, and are a little easier to work with. Often they will use AWS themselves, but provide broader services as well.

If you're maintaining info subject to HIPAA or GDPR, it's a whole 'nother thing.

SphtKr

August 15th, 2018 at 11:30 PM ^

Hi XM,

I'd recommend a mix of cloud backups and "cold storage" backups - that is, backups that are not connected to the internet. Cold storage would just be weekly, monthly, quarterly, or semi-annual backups (depending on your recovery requirements). If you got a ransomware that affected the cloud backups you would want those cold storage backups for recovery. This may be difficult if you have tens of TB in data. Otherwise standalone hard drives are relatively inexpensive.

You may want to consider something like blu-ray backups as well if you are concerned about damage to electronics while in storage.

I have found that all antivirus/antimalware programs fail at some point. You should deploy at least one; Malwarebytes (premium) is very good. You'll want protection that does real-time scanning (the free Malwarebytes does not, it is mainly used for cleaning).

rs207200

August 15th, 2018 at 11:33 PM ^

one note: don't describe it as "physical security of data"

physical would imply things like doors/locking mechanisms, biometric security, true walls, etc.

 

cookie1012349

August 15th, 2018 at 11:34 PM ^

I work for a cyber security company and I get this question a lot. Short answer is in the cloud but there are a lot of options. It really depends on A) are you just looking to store the data of the applications B) how sensative is data are you collecting (ie will compliance of any sort come into play). 

If it's just storage, there are several companies who can do that no problem. It will be cheap and easy. Depending on the sensative nature there are several I can refer but Google won't do you wrong. 

As for virus/ransomware suggestions, they're bad don't get them. 

UMForLife

August 15th, 2018 at 11:47 PM ^

I am no expert but here it goes.

It depends on what data. If you have healthcare data and concerned about privacy, then you want to make sure the cloud vendor Don't store data offshore. It can be a hassle with certain types of contracts that vendors will not sign. Offshore data centers Don't have to follow American laws. But there are ways around that. I like cloud but if you need real-time data then you want to make sure you have proper network and internet. You do not have to worry about losing data. Many major vendors have backups across the country. I would be surprised if you ever get into the problems like you describe. Nonetheless, you want to do some research.

On-site is ok but it can be a pain. You need a good team to manage and keeping up with the hardware can be expensive. Backup and restore can be a hassle. Doable and I have done a lot of this but I moved to cloud purely because of the cost and the headache of managing/maintaining.

Regarding virus- you are not going to get away from this regardless of where you host. But if you are in cloud, major vendors do a lot to protect your data. You also have the option to encrypt your own data. I had a model like this where I stored the data after encryption. I wouldn't do this unless you have a very good reason to be concerned or you have to justify the loss. Also, look into insurance. It doesn't come cheap but there are ways to cover your loss if it happens. 

 

Good luck.

 

mtzlblk

August 15th, 2018 at 11:55 PM ^

Cloud/off-site, no doubt.

1. This covers you if there is a fire in your building that would destroy everything if you were to keep it stored locally

2. It will without a doubt be cheaper and more extensible, flexible and capable to go cloud.

3. In the case of a power outage, the cloud solution will have a much better method of handling that and losing less data, if any at all. The cloud solution will typically have redundancy and recovery solutions, whatever you do locally will not have that, at least not for $1, 000. If you use something like AWS, they wouldn't lose any data. All you would miss is data that would have come in/been stored during the power outage, but you would miss that no matter where you stored the data. Not even sure about that, I believe AWS has backup power supplies in generators so that they wouldn't likely even go offline, so they may be up even though the rest of the world is without electricity.

ChiBlueBoy

August 16th, 2018 at 9:28 AM ^

All the major cloud sites (and even the larger companies that store a lot of data) have backup generators that kick in within mili-seconds in the event of a power outage, and they can run for days without outside power. If there is a major outage, the data is much safer with the cloud. The issue is whether your business will be able to connect to it, but the nice thing is you can access it from anywhere.

MGoAragorn

August 16th, 2018 at 1:39 AM ^

From a security POV, a reputable cloud service vendor is the best choice, as they hire some of the very best security talent in the world. But, as Willie Sutton famously said when asked why he robbed banks, "Because that's where the money is." Cloud service providers are constantly bombarded with attacks, looking for weakness anywhere it can be found. So if they screw up, or you screw up by exposing the keys to your cloud-based data, you're SOL.

That can be mitigated somewhat by encrypting all the data in flight (meaning to and from the data center) and at rest. 256-bit encryption is pretty good.

On a different plane, GDPR privacy is a whole added kettle of fish. If your customer data includes that of EU individuals, their data is subject to GDPR, which includes a labyrinth of rules and regulations. 

ChiBlueBoy

August 16th, 2018 at 9:34 AM ^

Good point. A vendor assessment guy I worked with told me about reviewing a contractor that used AWS. He thought it would be an easy review because he knew that data was hosted in a secure environment, so mostly had to worry about access. He was on site and asked the company about how they monitored usernames and passwords. The would-be vendor said, "oh, we have a list right here," opened up a desk drawer and pulled out a hand-written list of all the company's usernames and passwords for accessing AWS.

NRK

August 16th, 2018 at 7:08 PM ^

Technically GDPR applies to individuals in the EU, not just EU individuals, so probably the most pertinent question is if you are offering services directly or indirectly to the EU.

 

I will echo what others have said here - cloud and then periodic other back ups work well, but definitely cloud first. 

NRK

August 16th, 2018 at 7:11 PM ^

I will say also, that most large cloud providers have servers located in the EU that will help with parts of the GDPR (e.g., avoid an unexpected cross-border transfer in using a cloud vendor), and all are aware of data privacy rules and how to deal with those issues (e.g., model clauses).

 

Sorry, someone said GDPR and I got to bring my 2 years of work to a conversation on the blog...

ShadowStorm33

August 16th, 2018 at 2:17 AM ^

I see a few people have recommended Malwarebytes. What do people think of Norton? I feel like at least historically it used to be one of the better antivirus options, and you can get it free through Comcast.

skwasha

August 16th, 2018 at 3:02 AM ^

This is not exactly true... yes, for vanilla AWS or Azure you have limited recourse. However, both also offer enhanced tiers of support that can/will comply even with HIPAA’s draconian standards.

ChiBlueBoy

August 16th, 2018 at 9:39 AM ^

Yes. In fact, if you store PHI (info subject to HIPAA), they require that you use only particular products and sign their form business associate agreement. The problem is that their BAA is, as expected, completely one-sided towards Amazon (as much as the law will allow). They don't negotiate that agreement unless you're the size of a CVS.  

If you are downstream from a covered entity, your BAA with the covered entity will not be as one-sided towards you, so there's potential liability. The flip side of that, however, is that AWS is pretty secure, so the likelihood of AWS losing data is very low. If it happens, though, you may be screwed contractually.

The Blue in Ohio

August 16th, 2018 at 4:16 AM ^

Definitely go to the cloud. We held our backups onsite and at an off-site facility at my previous job and the data traffic running our backups overnight for all of our stores was crazy insane, and we would always have to adjust what times different areas would run because when one would get hung up it would throw them all off. I would recommend AWS, especially if you are concerned about the integrity when we started looking into it they seemed to be the most popular option at the time. 

bluebyyou

August 16th, 2018 at 5:12 AM ^

At my firm, we use redundant servers, back up to two tapes nightly and store one copy of  same in a fireproof safe as well as having a senior person take one copy of the tape off-site and also use cloud backup.  We cannot afford to lose our data.

jblaze

August 16th, 2018 at 6:23 AM ^

So, I’m assuming you are a small business. I work for a large enterprise and we use the cloud for backups. 

If I were you, I’d look into Amazon Web Services or even IBM, but you mention that you already have existing cloud providers. Maybe ask them what their backups are and how they can switch in the event of an outage. 

1VaBlue1

August 16th, 2018 at 7:07 AM ^

The big clouds (AWS, Azure, Google, IBM) all have multiple regions for backup of each.  You will need to make sure whatever tier you go with will have access to a backup region (or availability zone in AWS-ese, its all the same) (region is an Azure term).  Also get the cost before hand.  As cheap as they appear, the hidden costs behind a 'real' cloud access point can (will) surprise you when you add in the region and application layer costs you're firm will probably want.  I suspect you don't have an IT staff that is cloud savvy, or wouldn't be asking here...  There is a lot of configuration that needs to be sorted out if you want to do it right.  

MIMark

August 16th, 2018 at 7:54 AM ^

Cloud. If you are worried about data loss due to power loss, don't worry. There are regionally spread backups.

A caveat. While your data is still your data, it is stored on someone else's hardware in someone else's building. So encrypt everything, whatever it is you are storing. There are commercial solutions to encrypt just about anything.

ottomatic

August 16th, 2018 at 8:22 AM ^

Your requirements should be based on the real sensitivity of the data and your business continuity needs. If 1/3 of the country loses power we will have bigger fish to fry than your business availability.

If the records are sensitive you should also be looking at encryption - regardless of location. Bring in a consultant to do a Business Impact Analysis. Then build your cybersecurity spend around actual needs.

ndekett

August 16th, 2018 at 9:03 AM ^

Allow me to preface that I'm not an expert, just an end user.

My company (the company for which I work) uses CTERA, which makes a backup to a cloud server every 4 hours of every file in a certain folder on my C:\ drive. It operates without me thinking, works reliably, and allows me to revert back to any version of any file if I need to. That might not be helpful if you're just looking to backup tabular data, but it's crazy helpful if you're like me and tend to corrupt files, accidentally delete files, etc.

I have zero clue how much this thing costs, but it seems like there is so much competition out there that the costs seem like something to de-prioritize over functionality and comfort.

Blue_by_U

August 16th, 2018 at 9:13 AM ^

personally, I have a Nigerian Prince who manages all of my financials, secured data, social security information, bank statements, and passwords, pretty much anything I feel could be breached. The irony I had no idea we were related, until he sent an email telling me of my good fortune and all I had to do was send payment to his offshore account, then mail all of my data information, and he could remotely control my network and ensure my family security and privacy...it's been great so far, though I think he's still learning math a little bit, I keep asking to place 25% of my monthly income into investments and at the end of each month my account is empty. He says he made a keystroke error and not to worry he accidentally placed 100% toward the investments, in the end, I will become rich beyond my wildest dreams at a much faster rate this way, and it will only be a few more months before I can retire in luxury. I can share his email if that sounds good? /S

 

 

In all seriousness, I have a lot of digital artwork for clients, every design/template/finished product goes straight to a TB hard drive for backup. I keep it up to date every quarter. As I transition I keep core elements in a folder and burn those to disk in the event the external drive should ever fail.