Why Cloud does not automatically mean you have a BCP/DRP
On 10 March 2021, there was a fire at a cloud datacenter owned by the largest hosting provider in Europe, OVH. The fire was brought under control within hours, but all of its four datacenters located at the site in France suspended services. According to Netcraft, around 3.6 million websites across 464,000 distinct domains including governments’ websites were disrupted due to this incident. The actual number of impacted businesses may likely be even higher.
In a press release on 13 March, OVH announced that two of the four datacenters and the non-damaged servers in another datacenter would restart by 22 March. The datacenter where the fire started seems to be unrecoverable, and therefore its infrastructures are planned to be replaced in other datacenters. OVH cloud provides data backup service but it is optional, and its configuration is the responsibility of each customer, meaning that many customers may have lost their data forever.
Cloud services are becoming more popular these days however, the nature of them vary depending on the provider and the contract. Major worldwide cloud services including Microsoft Azure and Amazon AWS provide availability options such as Availability Zones which protects the service from one or more datacenters’ failure. On the other hand, there may still be a number of cloud service providers whose business continuity management system is not at this level. Private datacenters of company groups may be in same the situation or even worse.
Lesson Learned
- Disasters that disrupt a whole site could happen anywhere even at large datacenters. Do not ignore rarely occurring but catastrophic risks such as fire, terrorism or an airplane crash.
- Availability of cloud services can depend on the contract. Review the contract to confirm that the contracted availability is in line with your business continuity plan (make sure you do have one!).
- Review the information of the cloud provider (c.f. audit reports) to confirm data dispersion and that the provider is adequately capable to ensure the contracted availability.
- Review configurations related to backup and disaster recovery management on a regular basis.
- Develop contingency plans (c.f. Disaster Recovery Plan, Business Continuity Plan) for critical IT processes and perform exercise/tests on a regular basis.
- Ensure that your supply chains including key supplier/partners (and their key supplier/partners if possible) are sufficiently resilient.
If you need any assistance or have any questions regarding cybersecurity within your company, don’t hesitate to contact us.