Ensuring infrastructure resilience in an online world

Contributed article
The Internet is a wonderful tool when it works, but we are increasingly at a loss when it encounters a problem. Steve Durbin, Global VP at Information Security Forum (ISF), looks at what organisations should be doing to minimise the risks and boost their Business Continuity , as a growing proportion of commercial transactions are performed online.
Server outages at global ISPs may be an extreme case, but they serve to illustrate the challenge faced by businesses that are shifting a growing proportion of their information and transaction infrastructure online, often to cloud-based computing.
The growth in cloud computing is one example of the trend towards ever-greater reliance on the Internet. Analyst firm, IDC estimates that companies are already spending US$16 billion a year on public IT cloud services globally, and that the market will grow to US$55.5 billion by 2014. 
Moving to cloud computing and making use of virtualised servers often makes sense financially, but organisations need to be aware of the inherent business risks associated with this, and ensure they are prepared for infrastructure failure when it comes and have in place appropriate and tested Business Continuity Plans
Threat of infrastructure failure
ISF’s Threat Horizon 2012 report, based on Member research and analysis, highlighted infrastructure failure as one of the top 10 threat scenarios for the short- to medium-term. 
In the report’s future scenario, companies have come to rely heavily on Internet-only sales channels and mechanisms, to the extent that most people only have one way to perform their day-to-day transactions with businesses like banks and airlines. Poor Internet resilience, especially at ‘pinch-points’ in the network, results in frequent and sustained regional Internet outages and prolonged loss of service.
In this world in which Internet-only channels is the norm, the threats to business come from loss or damage to communications links or services – often as a result of under-investment in infrastructure – and from malfunctioning of computer or network equipment, associated with a lack of resilience.
The impact of these regular outages is a direct loss of business, and increased costs to provide work-arounds, potentially leading to reduced transaction integrity and associated fraud. In addition, there is likely to be a loss of trust in the Internet, and a loss of customers to competitors who are able to offer an easy alternative.   
While the threat of infrastructure failure is a future scenario, there are very real issues confronting organisations today that want to move to cloud computing and Internet-based sales channels today.
Organisations that increasingly rely on the Internet to conduct business, or serve the public, will require some kind of quality of service (QoS) guarantees – which will add cost, as well as run into issues over net neutrality. 
Also, who is going to fund the necessary investment in Internet infrastructure to deliver the capacity and ‘intelligence’ it needs, and what is the payback for anyone who does?
Another issue for Internet-based critical communications and online transactions is that networks are always susceptible to physical damage.  Internet channels are only as resilient is their weakest link, and cables can never fully be protected against natural disasters, mechanical diggers or stray vessels at sea.
The growing proliferation of easily accessible wireless Internet access has got people used to the idea of always-on connectivity.  While this helps staff to work more efficiently while out and about, few people consider how secure, or otherwise, these connections are.  Organisations that rely in the Internet for their businesses need to ensure security is made easy for their staff.
Finally, a vital element in the successful deployment of cloud computing and Internet-based services is supplier trust.  Buying cloud computing is just like buying any other service, and organisations need to make sure they research and question potential suppliers thoroughly.  The costs involved if there is a serious failure could far outweigh the savings produced by cloud computing.
What can companies do?
Having established where the critical parts of IT infrastructure lie, and the risks associated with their loss or degradation, organisations should put in place a framework of controls for securing it.  This should be recognised at a senior level within the organisation, and be based on the participation of critical infrastructure stakeholders – including business owners, individuals responsible for running critical infrastructure and information security practitioners that advise on it.
Organisations should give special attention to the selection and application of a balanced set of controls (including preventative, detective and reactive) to protect information systems that support critical infrastructure.
Where it is not possible to apply a balanced set of controls, alternative measures may be necessary to compensate for this. For example, in the case of information systems that cannot be patched or upgraded, it may be possible to deploy monitoring controls (such as a network sniffer, intrusion detection sensor or event log monitor) on the network or system that monitors activity of information systems.
In selecting controls, organisations should adopt security architecture principles, such as: ‘defence in depth’ (using layers of security to increase the level of protection); ‘least privilege’ (only granting the minimum possible privileges to users); ‘default deny’ (denying access to information systems by default to prevent unauthorised access).
Applying protective measures to information systems without thorough planning can have an adverse impact on the critical infrastructure.  Another important aspect to ensuring the resilience of critical infrastructure is to reduce single points of failure. To ensure that critical infrastructure is available when required, supporting information systems should be run on robust, reliable hardware and software, and be supported by alternative or duplicate facilities.
When it comes to outsourced cloud computing services, it is crucial that the third parties involved with critical infrastructure are well managed, especially when they are located outside the organisation’s premises or offshore.  It is essential that third parties and their activities are assessed, and measures put in place to protect information systems from threats, such as unauthorised access.
Measures that help reduce the information risks associated with using third parties include reviewing and, where necessary, updating contracts and agreements to include statements regarding security requirements, roles and responsibilities, the right to audit and reporting of incidents. Organisations should also establish alternative suppliers and service providers.
Organisations should consider stipulating the use of an internationally recognised information security standard, such as ISF’s Standard of Good Practice for Information Security.
Research indicates that contracts and agreements are often poorly developed, and any weaknesses cannot easily be rectified until the renewal date.  Under these circumstances, organisations should seek legal assistance and make plans to cancel the contract or negotiate a new contract at a convenient time.
Where third-party engineers, contractors and consultants have access to information systems that support critical infrastructure, organisations should pay special attention to the logical and physical controls needed to protect against unauthorised access.
While the Internet does have a high degree of resilience, experience shows that we cannot expect 100 per cent uptime and external factors, such as accidental damage or extreme weather, may conspire to cause significant regional outages. Overall, the Internet is only as good as its weakest link, and preparing contingency plans to operate businesses in the event of failed or reduced Internet service should be a priority.
About the author
Steve Durbin is Global Vice President at the Information Security Forum (ISF). 
Steve Durbin on writing for the Continuity Forum
Steve has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner.  As global head of Gartner’s consultancy business he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. 
Steve has been involved with mergers and acquisitions of fast-growth companies across Europe and the US, and has also advised a number of global technology companies on IPOs both on NASDAQ and NYSE.