Physical Security Still Matters

The havoc caused by Hurricane Sandy on the North American East Coast has brought to light a threat that has been keeping a low profile, but has immense implications for the digital environment – physical security. While intense focus has been placed on malware, botnets and exploit kits, it seems the industry has almost forgotten that none of these really matter if there is no connectivity. In the end, we are still constrained by our physical surroundings – no power, no internet.

ABI Research’s head office is in New York. Prepared with back-up generators, we were able to keep our servers online for most of the duration of the hurricane. Yet these unfortunately failed when a second storm hit a week afterwards. Sitting in my London office, I am unable to access my work emails or get onto our SharePoint. However, I have access to the internet since there is no storm in the UK, and can reach out to my work contacts using my personal email. This is handy because not all my contacts are on the East Coast; they are dispersed around the world – Europe, Asia, North American West Coast. Using this work around, I am still able to keep operating as ‘almost’ usual, attending my set conference calls and doing my research.

And this has me thinking about how to address this issue of availability in the future. Even if the internet were down here, I could always get access on my smartphone using 3G. At the very worst, I could get on my 2G, which I keep for battery backup and which uses a different network operator to make my calls. The question is therefore, how can connectivity be sustained in the face of natural disasters and other acts of God?

The answer is redundancy - both from a technology and geographic perspective. Technologically speaking, this is getting easier with different connection methods: fixed line, wireless, cellular. There is no shortage of ways to connect, should one network be down.  Geographic dispersion is perhaps a less common method, but it may become more popular following recent events. For organizations that have satellite offices in different geographic regions, placing redundant sets of servers in those countries will enable better availability and continuity of work.  This is a costly affair however, and those that cannot afford in-house solutions will probably turn to cloud services.

I do not doubt that cloud services will increasingly evolve to provide the optimal uptime. They are also not insulated from physical threats, but they can apply business models that focus on just this issue. By placing data centers in different countries and continents, they can ensure one affected area will not impact availability. And this works for any context, not simply natural disasters or power outages. Distributed redundancy can also help mitigate DoS attacks for example. While botnets are disrupting access, organizations can simply use any other of their servers elsewhere and keep on operating their business as usual. This can even serve to undermine the magnitude of DDoS attacks –perpetrators will have to split or increase their resources in order to attack all the different ports of entry.

Perhaps an even more interesting example is Kim Dotcom’s struggle to re-launch the new and improved Megaupload service (renamed Mega), this time with sets of redundant servers in many different countries. The service was set to be hosted in Gabon, but the Communications Minister just recently suspended the site on the basis of copyright violations – despite the fact the service has not even been launched yet. This has not deterred Dotcom, who has an alternative domain.  But it shows that cyber threats are not the only threats that affect ICTs, and political machinations can also have adverse effects.

As more countries bridge the digital divide, there are increasing opportunities for hosting servers in new places, cutting costs and perhaps even driving technological development in those regions. Organizations should certainly look more closely at the benefits of a geographically and technologically distributed redundancy model, and those cloud providers who can cater to these areas might win big.