Cloud services as part of a BC/DR plan after a terror attack

While terrorists usually go for big targets, even small and medium-sized businesses need to think about the repercussions of a terror attack. Gregory Machler outlines how the cloud can keep business running.

I was talking to a friend about data security over lunch today and we discussed 'dirty bombs' and a what-if scenario for small-and-medium sized businesses.

If there was a catastrophe like a dirty bomb, many of the affected small-and-medium-sized businesses would go out of business. Many large businesses, like banks or healthcare firms, have extensive disaster recovery plans. A large terrorist attack would lead to many problems, but they could scramble services to various data centers around the country and select new suppliers to keep them running.

But, for example, I have a good friend who has a small business selling performance shoes. He markets the shoes in a geographic location within our metro that doesn't have many close competitors. A dirty bomb would have a disastrous effect on him. If he physically survives, he would face the following problems: Would his supply chain be intact? He could be disconnected from his suppliers and the outside world.

His phone and internet access come over a cable line, which must be working in order to track product orders via emails with suppliers. The EMP (electromagnetic pulse) from the bomb could destroy his cable connection or cable head-end. Even more importantly, he could be missing power due to the EMP. The loss of critical infrastructure would lead to a need to relocate elsewhere, because it is very likely that the cable and power companies could not restore power and cable services quickly enough.

This type of bomb would have repercussions throughout the country and some parts of the world. Businesses would have difficulty finding suppliers of goods that were provided by affected businesses. Affected businesses would need to move, potentially reacquire their goods, and restart. The lack of product supplies and proper business data (tracking goods, sales, and taxes) would drive many out of business.

The issues associated with business data can be addressed by cloud services. Many small businesses, like my friend's performance shoe business, use email providers (like Gmail or Yahoo) to order goods such as shoes. My friend has a POS (Point-of-Sale) machine that runs a common business-accounting package that saves sales data on the server's hard drive and also backs it up to a network NAS (Network Attached Storage) drive. So this covers goods (email provider), sales and taxes (business accounting), and backup. But a dirty bomb's EMP could blow out the POS machines and the NAS backup drive.

How do cloud services help?

The small business could have backup within the cloud. Backing up the business data for sales and taxes would enable a move to some other location and a quicker restart of the business. All sales order information would also be in the email provider's cloud. What about the POS machine? This is currently a technology reach, but a POS machine could be designed to run in the cloud via a browser, with a credit card swipe on an iPad-like large-screen tablet to collect payment. Lastly, sales information is kept in the email cloud.

There are some drawbacks. In this scenario email providers, the cloud backup provider, and the cloud POS application all have access to your critical business information. There could be tens of thousands or more businesses that share the same cloud offerings. A compromise of data on one or more storage subsystems could lead to millions of compromised credit cards. Internal threats within a corporation (like Google) could be significant, even encouraging criminal forces to try to compromise a worker inside a cloud provider.

Hence there are three cloud relationships to manage: email provider, backup provider, and POS application provider. The POS cloud application must be checked to see if it properly protects (encrypts) credit card information, thereby meeting PCI compliance standards. The browser-based POS application must also be checked for application vulnerabilities.

Separately, the cloud backup provider must encrypt sensitive backup information. Lastly, the cloud email provider must protect all emails, thereby protecting those related to shoe orders. There may also be a need to certify cloud solution providers, proving that they are protecting data adequately. So once my friend moves to another city or unaffected location, he can quickly retrieve critical data and applications. He would have power, communications (internet and phone) and applications that run on the internet (email, POS, and backup).

In what other ways does cloud computing help businesses worldwide? It's simple really: There are many businesses that have access to power and the internet, especially in the capitals of countries around the world. They only need an iPad-like tablet with a browser and a credit card swipe on the tablet to conduct business. No infrastructure is necessary. It is better than the 'laptop per child' initiative because browsers running on tablets are cheaper than laptops.

In conclusion, in a disaster the cloud protects a business's information. But it does not address the product supply issues or potential relocation. It does make it easier to restart a business, track supplies, and conduct ongoing business. It is an enabler of business. Lastly, the browser on a tablet connecting to cloud services enables profits for emerging small businesses worldwide, and that is a good thing.
