Moving to the cloud has many advantages.  Spreading the capital costs of hardware and software across multiple organizations saves money.  Having systems maintained by experts who focus on those systems 24x7 can improve availability.  The list goes on and on.

One big question is what happens when the vendor of a critical cloud application goes belly up?  Will you see it coming with enough time to plan for and execute a smooth migration to a new cloud provider?  Will your business be able to handle the downtime associated with the cloud computing vendor’s demise?  Source code escrow is a way to help insure you against a cloud provider going out of business.

Source code escrow forces a cloud application provider to provide copies of their source code to a neutral 3rd party on your behalf.  In the event the cloud provider is unable to meet their contractual obligations, you will be given a license and access to the source code to ensure you can continue to run the application in your own environment.

Just having access to the source code isn’t enough though.  Here are some tips to consider when using code escrow services for cloud computing providers.

  1. Make sure the code base also has a current executable copy.  Having to figure out all the steps needed to compile code in a pinch may not be feasible.
  2. Check with the escrow company on a periodic basis to ensure the vendor is actually putting new code in the vault.
  3. Ensure you have ready access to your data.  Having a functioning system is great.  Having your data in that system is even better.  Ensure that regular backups of your data are going into the vault along with the source code.
  4. Keep a couple of good contacts at the cloud provider.  If the company has gone under, those people will be looking for work and you’ll be looking for someone to help run the system in your data center.
  5. Getting code out of escrow typically involves lawyers and possibly the courts.  Don’t expect this to be a quick and tidy process.

Even with these precautions, having a cloud application provider go out of business will cause serious headaches.  Source code escrow services can minimize the long-term impact to your business, but they won’t help you in the short term.  If you’re using cloud computing, part of your operations strategy should be how to deal with short-term outages.  Be ready to put this plan in motion as you get your code out of escrow and build out the new system.

I’m certain that at some point in your life you made a decision that caused someone to ask you this question.  “Well if Johnny jumped off a bridge would you follow him?”  It’s in our nature to compare ourselves to those around us.  We want validation, acceptance, respect.

Often people want to know how their organization’s information security posture stacks up against others in their industry, size bracket or geographic region.  I’m usually polite and give them some mild comparison while emphasizing that it’s not a competition.  What I really want to say is “Who cares!”  Who really cares what anyone else is doing?  You’re supposed to be making decisions based on the risk factors unique to your business.  If everyone else took excessive and dangerous risk would or should you?  If everyone else spent exorbitant amounts of money to secure something and it was bankrupting them would you follow suit?

Now I know there is some value to understanding the marketplace and how you fall into it.  But that’s typically not what people want to know.  They want to know if they can avoid security and still be a major player.  After asking how they compare to their peers, never once have I heard an executive tell me “That’s ok…we’re going to do it anyway because it’s the best decision for us.”  They are always looking for an excuse not to do something.

If you’re responsible for information security and IT risk management, let me give you a bit of advice.  Make decisions based on your organization, its needs and its culture.  Maybe Johnny’s a bit crazy for jumping off the bridge.  Maybe he’s just too chicken and needs to live a little.  Are you going to live your life according to what Johnny’s doing?  Put your organization in a position to succeed regardless of what others think is the best way.  That’s called innovation.  Try it…you might like it!

“Time is of the essence.” “Time is money.” Yadda, yadda, yadda.  You’ve heard it all before. Every business leader is pressed for time in one way or another. That’s why today’s post is quick and simple. Three questions every CEO should be asking their CIO, CISO, CFO, VP, Director or “Whatever” of Technology.

    1. Can you prove to me that we’ve not had a system breach in the past “x” months, and will your evidence stand up to an independent 3rd party review?
      The idea here is to make people uncomfortable.  You don’t want to be placated.  You don’t want to hear someone touting their belief in the team.  You want concrete evidence.  Make them show you months of event logs that have been reviewed for anomalies or malicious activity.  Ask for something, anything.  Just don’t settle for “We believe our systems are safe”.  Even if you have no plans to get an independent review, ask them to be able to support their conclusions.  As Ronald Reagan said, “Trust, but verify”.
    2. How are we coming on addressing the top risks identified in our latest IT risk assessment?
      This assumes you have performed a high-level risk assessment with your CIO, CFO, Legal, HR and Insurance teams within the past year.  Technology is changing daily.  The way we use technology is changing just as fast.  Are you up to speed on the risks that face your organization from the use of technology in your business operations?  You know risk exists.  Are you addressing the biggest risks first?  Are your investments to lower risk working?  Are there new laws that could change your risk?  Can new insurance products transfer some of the risk?  Ask questions of your leaders.  Make sure sufficient progress is being made to reduce risk where necessary.
    3. Do we have expertise on staff to deal with the changing threat and regulatory landscape?
      This is the toughest question.  Everyone hopes to have the best and brightest on their team.  The reality is we always have gaps.  Make sure your leaders know gaps are OK.  They do, however, need to be identified and dealt with.  Perhaps you have a security team already.  Great, but do they have all the skill sets that are needed to fully protect the organization?  If not, can they get them?  Should they?  Are contracts or retainers with experts a better solution?  Either way, it’s best to be prepared.  You can’t afford to be caught flat-footed in this rapidly changing security environment.

CEOs that get answers to these three questions will be far ahead of many of their peers and competition.  While there is a “right” answer to every one of these questions, the “right” answer will be different for everyone.  The important part is to ask the questions and then ensure the “right” answers are supplied.

A system administrator notices some logs are missing from a server.  There were also some strange spikes in network traffic a few hours earlier.  They tell you “Something’s not right, we may have been hacked.”  Your heart sinks and your palms get sweaty as your heart rate begins a steady increase.  “What do we do?” you ask.

Hopefully this never happens to you.  But if it did, would you be prepared?  Who would you call?  What would you say?  Where do you go for help?  Asking these questions for the first time during an emergency is not a good idea.  Having a good computer security incident response plan is critical to helping you make good decisions in times of crisis.

Think about it.  First responders such as police and fire departments, EMTs, the Red Cross and the military all have disaster response plans.  They also practice putting those plans into motion on a consistent basis so when the disaster strikes, they are ready.  They know who’s in charge and what their role in responding to the disaster is.  They know the resources they’ll need and how to access them.

Your computer security incident response plan should be no different.  There should be a well-documented plan for how your organization will respond to an information security incident.  There should be a team ready to go.  They should know their roles, what they need and how to get it.  They should have trained with the plan and be ready to execute it on a moment’s notice.

Is your team ready?  Do you know who the outside experts are should you need them?  Do you know how and when to engage law enforcement?  Creating a computer security incident response plan will answer these questions for you.  It’s better to have a plan and never need it than to be searching for answers in the midst of a crisis.

There is a common characteristic shared by many of us at Integrity.  Most of our significant others jokingly “forbid” us from talking about what we do for a living at social functions.  We’ve been told that we “scare” people or make them “nervous” or “paranoid”.  While it’s not our intent (OK, sometimes it is fun to watch that one obnoxious guy at a party squirm), I have noticed this to be at least somewhat true.  Stories about what hackers can and will do to reach their end goal can be unsettling to the average non-technical party-goer.

As humans we have the tendency to become afraid of that which is unknown.  What’s at the depths of the ocean?  In the heart of the jungle?  Under the bed of a 5 year old?  In the dish at the foreign restaurant down the street?  Cyber security is no different than any other unknown in life.   We fear what we don’t fully understand.

The job of a cyber-security professional should be to help educate business leaders and the general public on cyber threats without invoking fear and paranoia.  We need to distinguish between that which is possible and that which is likely.  Using the FUD (fear, uncertainty & doubt) factor to sell your theory, get funding or simply make a point is very short-sighted.  Eventually these individuals will become more educated and aware of all things security related.  If you’ve made them out to be a fool by taking advantage of their lack of understanding, you’ve failed.

My challenge to everyone this week is to make a concerted effort to sense when we may have made someone uncomfortable when speaking about security and attempt to dispel any unwarranted fears.  Paranoia cripples while awareness enables.  Be an enabler.

People often comment that penetration testing or ethical hacking must be one of the coolest jobs around.  You get to hack into computers, sneak into secure facilities and create all sorts of mayhem, legally.  Kind of like a geeky James Bond.  I’ll admit, I love what I do.  It’s a lot of fun.  What most people don’t understand, though, is that the fun portion is really only about 25% of a given week.  If you’re thinking about a career in information security, let me list some of the other “un-cool” tasks the team and I do for every one of our awesome hacking sessions or social engineering tests.

  1. Constantly reviewing journals, web sites, Twitter feeds and other sources for new vulnerabilities, exploits or attack vectors that have changed since…well, yesterday.
  2. Fully documenting our procedure and the test to be run to ensure the client’s systems are correctly scoped and we don’t overstep our bounds thereby creating an unexpected outage and lost revenue for the customer.

    Read more: Penetration Testing: Really As Cool As It Sounds?

Penetration testing is one of the fun aspects of a career in information security.  Organizations pay us to hack into their systems.  We break it, they fix it.  A sweet gig if you can get it one might say.  The problem is nobody really seems to understand what a penetration test is or how it differs from a vulnerability scan.  Here are some of the quotes I’ve heard in the past.

“We want a penetration test but don’t want you to send any exploits down the wire.” Huh?

“For this test, DDoS, brute force, man in the middle and SQL injections are out of scope.” What?

“Please don’t perform any attacks that could lead to a system outage or data corruption.” Really?

Read more: So You Think You're Ready for An Ethical Hack...Now What?

Contact Information

Birmingham Office
205.568.5506

Des Moines Office
515.965.3756

Kansas City Office
913.991.8724