The Upside of Heartbleed
How a global security crisis created a common litmus test

There are two pieces of good news to come out of Heartbleed. First, we haven't heard of any significant security breaches, which means that the industry as a whole is getting better at fixing problems as they arise.

The second is that, because Heartbleed presented every single cloud provider with the exact same challenge, it created an excellent global litmus test for crisis response. Everyone started from the same baseline, which eliminates the variability in evaluating their response.

If you're a customer of the cloud, you can review any provider's public response to Heartbleed to evaluate both their technical dexterity (how long did it take them to issue a fix?) and their communications and customer service (did their communications assure you that you were in good hands?). And if you're a provider, you can see how your response compared to the competition - and, if necessary, make changes.

Below are a few key crisis response elements that you should look for.

Response Time
In the event of a security crisis, it is critical that customers are notified as quickly as possible, and with as much pertinent information as is available. Most important, customers should know what is being done to protect them. Timing is everything. Did the company you're evaluating have a public response on their blog? On Twitter? Via email? And how quickly did they start communicating?

The communication does not necessarily have to include a comprehensive action plan. But it must be enough to assure you that the service provider is aware of the issue and actively working on a solution.

Who Is Doing the Communication?
After a major security breach, it is important that customers know that the service provider is taking the matter very seriously. Therefore, customer communication should be attributed to a C-level executive within the company. For something as significant as Heartbleed, you want to hear from the company's security or operations executives.

Transparency About Impact and Potential Risks
If a company has been impacted, they should be open and up-front about it. They should clearly articulate which services have - and have not - been affected. It should be easy to assess the impact on users, how long they've been exposed to the risk, and what action the company has taken (e.g., systems patched/certificates reissued).

Responsible Disclosure Policies
It's just as important for a company to disclose what they don't know as it is to disclose what they do know. For instance, could attackers have accessed user data during the exposure window? Users will also want to know where the company stands on its patch management program and whether there is a tool to check if a service, product, or site is still vulnerable.

Sharing of Best Practices
After the initial communication has been delivered, customers will need clarity around what next steps should be taken. IT teams will want to know if immediate upgrades are needed; users will want to know if it's time to change passwords. It is important that customers know where to go for answers to potential questions - whether it's the company's blog, an online forum, or a support phone number. Put yourself in the shoes of a customer: if you still had questions, would it be clear from the provider's communications what you should do next?

Heartbleed may soon be history, but there will inevitably be another crisis. You should use the trail of communications left behind by Heartbleed as a litmus test for crisis response. If you're a customer, make sure that all your providers delivered the level of communication you needed to feel comfortable. If you're a provider, make sure that customer communication is as much a part of your crisis response process as your technical work is.

About Ryan Barrett
Ryan Barrett is Vice President of Security & Privacy at Intermedia, the world’s largest one-stop shop for cloud-based email, phones, collaboration and security services for SMBs.
