The UK Government, alongside the Financial Times, the Guardian, and New York Times, Verge, Reddit and Twitter, to name a few, recently had issues with their websites following a problem that stemmed from their cloud computing provider, Fastly.
Fastly is an Edge Cloud provider. This means that their aim is to speed up the loading times of their clients’ websites, and to protect these websites from denial-of-service attacks, especially during peak times when attacks are higher. However, for an hour at 11:00BST on Tuesday 8th of June, the company had issues with its global content delivery network, causing major issues to the websites it supports.
What this really highlights is the blind trust that organisations place in cloud service providers. This brings into question the inherited resiliency risk that you acquire from cloud service providers. If there is a critical dependency, be sure that there is a Plan B, in case of failure or cyber incident. Where possible protect yourself contractually with SLA’s and assurances from your service provider on their resiliency and DR procedures.
So far, this specific issue seems to have impacted sites across Europe and the US. Fastly report that they have investigated the issue to restore impacted websites and to fix the original issue; “we have identified a service configuration that triggered disruption across our POPs (points of presence) globally and have disabled that configuration. Our global network is coming back online.”
What is clear, however, is that when so much infrastructure is put on a single source, on a single CDN or Cloud hosting company, when this source buckles, the disruption it causes is vast.
‘Liability for loss of service will probably be covered by the service level agreement with customers of paid-for cloud services but the agreements will typically not cover all losses sustained’ prof Rebecca Parry of Nottingham Law School.
‘They were lucky that this was a configuration error, and not a malicious attack. To reduce disruption, a Service Level Agreement (SLA) needs to meet the organisations requirements. This means that there needs to be a back-up plan to repoint services. There needs to be assurance regarding security controls. That way, organisations will know what data is cached, for the performance of their services.’ says, Chris Cheyne, CTO, SecurityHQ
Follow us and Comment on Twitter @TheEE_io