|By Ryan Barrett||
|May 3, 2014 02:00 PM EDT||
There are two pieces of good news to come out of Heartbleed. First, we haven't heard of any significant security breaches, which mean that the industry as a whole is getting better at fixing problems as they arise.
The second is that, because Heartbleed presented every single cloud provider with the exact same challenge, it created an excellent global litmus test for crisis response. Everyone started from the same baseline, which eliminates the variability in evaluating their response.
If you're a customer of the cloud, you can review any provider's public response to Heartbleed to evaluate both their technical dexterity (how long did it take them to issue a fix?) as well as their communications and customer service (did their communications assure you that you were in good hands?). And if you're a provider, you can see how your response compared to the competition - and, if necessary, make changes.
Below are a few key crisis response elements that you should look for.
In the event of a security crisis, it is critical that customers are notified as quickly as possible, and with as much pertinent information as is available. Most important, customers should know what is being done to protect them. Timing is everything. Did the company you're evaluating have a public response on their blog? On Twitter? Via email? And how quickly did they start communicating?
The communication does not necessarily have to include a comprehensive action plan. But it must be enough to assure you that the service provider is aware of the issue and actively working on a solution.
Who Is Doing the Communication?
After a major security breach, it is important that customers know that the service provider is taking the matter very seriously. Therefore, customer communication should be attributed to a C-level executive within the company. For something as significant as Heartbleed, you want to hear from the company's security or operations executives.
Transparency About Impact and Potential Risks
If a company has been impacted, they should be open and up-front about it. They should clearly articulate which services have - and have not - been affected. It should be easy to assess the impact on users, how long they've been exposed to the risk, and what action the company has taken (e.g., systems patched/certificates reissued).
Responsible Disclosure Policies
It's just as important for a company to disclose what they don't know as it is to disclose what they do know. For instance, could there have been hackers who may have accessed user data? Users would want to know where the company stands on the patch management programs and if there is a tool to check if a service/product/site is still vulnerable.
Sharing of Best Practices
After the initial communication has been delivered, customers will need clarity around what next steps should be taken. IT teams will want to know if immediate upgrades are needed; users will want to know if it's time to change passwords. It is important that customers know where to go for answers to potential questions - whether it's the company's blog, an online forum, or a support phone number. Put yourself in the shoes of a customer: if you still had questions, would it be clear from the provider's communications what you should do next?
Heartbleed may soon be history, but there will inevitably be another crisis. You should use the trail of communications left behind by Heartbleed as a litmus test for crisis response. If you're a customer, make sure that all your providers delivered the level of communications you needed to feel comfortable. If you're a provider, make sure that customer communications is as much a part of your crisis response processes as is your technical work.
"We got started as search consultants. On the services side of the business we have help organizations save time and save money when they hit issues that everyone more or less hits when their data grows," noted Otis Gospodnetić, Founder of Sematext, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
Jul. 7, 2015 04:45 PM EDT Reads: 1,674
Jul. 7, 2015 04:30 PM EDT Reads: 716
Jul. 7, 2015 04:15 PM EDT Reads: 463
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises ar...
Jul. 7, 2015 04:00 PM EDT Reads: 1,932
Jul. 7, 2015 03:45 PM EDT Reads: 1,386
Jul. 7, 2015 03:45 PM EDT Reads: 902
Jul. 7, 2015 03:45 PM EDT Reads: 2,375
Jul. 7, 2015 03:45 PM EDT Reads: 2,677
Jul. 7, 2015 03:30 PM EDT Reads: 2,341
Jul. 7, 2015 03:30 PM EDT Reads: 1,786
Jul. 7, 2015 03:30 PM EDT Reads: 1,931
Jul. 7, 2015 03:30 PM EDT Reads: 2,442
Jul. 7, 2015 03:00 PM EDT Reads: 2,368
Jul. 7, 2015 03:00 PM EDT Reads: 2,721
DevOps Summit, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development...
Jul. 7, 2015 02:45 PM EDT Reads: 2,098