How tragic, Codespaces.com is no longer a viable business. This is tragic, and a massive shame. It does serve as a critical reminder that security of our services and data is essential. It is the most important piece of running any IT service.
Personally, I find it very sad that we live in a world where this kind of thing can happen. The note on codespaces.com website made me feel extremely sad and angry, but its the world we live in. As an ex-business owner, this was always my biggest worry. Someone trying to hold me or my business hostage, just for money. Most people run businesses (especially small or medium businesses) for the passion of what they are doing, and money is a by-product of that passion. To see this on the screen is extremely sad:
However, it does prove to us all that security is key. When I talk about cloud services,some of the first questions are always, How secure is it? How safe is my data, and what do I do in the event of a disaster…
Frankly, it is no different than what we have always done within a datacenter. Security of data is your responsibility, Lets look at security first:
SECURITY, SECURITY, SECURITY
We all hate the word, unless you are a security guy. I cannot count the amount of times I have sat in Architecture meetings and the security guy just sits saying “No, can’t do that”, “No way are we opening up that firewall”, “Again, no we can’t do that” !! Arrrghhhh just let me do it, is what we all think! Most of the time though, he is right. Security is key. Once someone has access into your environment, that is pretty much the end. As Codespaces have found out. It is no different whether you are using cloud services, or building services in your own datacenter. If someone finds out a password, whether it be via brute force hacking, or having someones email password to reset the cloud login, when they have your password, you can be screwed.
For me though, this isn’t the most critical part of protecting your data. Having a backup and recovery plan is the most critical.
BACKUP, BACKUP, BACKUP
Breaches do happen, they should always be avoided and there can be no excuse, but nothing in my opinion is ever 100% guaranteed. I can hear everyone shouting at me right now, but all it takes is a rogue employee (Edward Snowden anyone) and their is not much you can do. Being able to recover from a scenario like Codespaces is the most critical.
Lets think about this for a minute.
Since the early days of my career as an IT Admin, I used to have to manage the daily backups. It was a boring job, one I really didn’t enjoy, but as the junior, it was my responsibility to ensure every day the backups were completed and secured. It was a simply process (on a Monday it had an extra task):
- Check backups on all servers completed successfully
- Remove previous nights tapes and replace with new tapes for tonights backups
- Place last nights backups in a fire proof safe
- Take the full backups from the weekend to the offsite location and store in a fireproof safe
Essentially the above process had three main areas.
- Previous nights incremental backups always kept on site in a fire proof safe
- Weekly full backups kept offsite in a fire proof safe
- Monthly full backups kept offsite (different location to above) in a fire proof safe
In the modern era we live in, we don’t really use tapes anymore (anyone remember seeing the above picture?). Enterprises still do, but for the average small, medium business or personal user we dont have big tape drives stack in our home offices or garages, but it doesn’t change the process. Personal photos anyone? Everyone has them…
For me, I have a three stage backup process for my photos, and its a good example of how to do offsite backups.
- Personally photos imported from camera and saved on my Mac Mini
- Mac Mini syncs photos with my NAS device (with multiple disks for redundancy)
- NAS device syncs all new files with a cloud provider (offsite)
This serves three key areas:
- Photos on my mac mini are backed up
- NAS device has redundancy in the event of disk failure
- All photos are stored offsite with a cloud provider in the event my house either burns down, or burgled.
I have photos of my children, my wedding, my first car even that for me are irreplaceable, so even for the simplest of use cases (home photos) you need to have a recovery plan. Which brings me back nicely to cloud:
Just because you are using a cloud provider who has security in place to protect all the infrastructure, this doesn’t mean YOUR DATA is secure. All it takes (as what appears to have happened with Codespaces) is someone hacking your password, and they can wipe you out. To me it appears Codespaces had backups, and resiliency built in to their services, but it was all managed with one account. This is the same for on-premises Data Centers too, if all your data backups are protected with just one account, you are still at risk. I think even with the hacking and deletion of key areas of service, if they had backups somewhere else, they could recover from this.
So to finish:
No matter how big or small you are as a business you need a plan for every eventuality. Hacking, data corruption, service failure. What happens if the location you store your backups is hit at the same time as the location you run your business services… Can you recover from this? Codespaces couldn’t and they have now gone out of business. Don’t let it happen to you, think about it carefully…