Way back 5 years ago, a company whose business was to store code in the cloud simply vanished. Nearly in the blink of an eye Code Spaces went out of business. The culprit? Its confidence that the cloud was a golden bullet in storing data.
Code Spaces was a company that offered to development teams (I mean programmers here) code repositories and project management tools. It had been thriving for over 7 years, with no shortage of folks interested in its services.
But that all ended when its cloud storage was attacked.
I know you already know at least the basics of security. We all talk about security and backups—especially in the cloud—but wat we don’t understand is: how are we protecting our data in the cloud?
Now Code Spaces was based on Amazon Web Services (AWS). They used AWS storage and issued server instances to provide services to its clients. Note here—many healthcare platforms—including electronic health record platforms—are engaging with AWS to make their services more accessible (doing the same thing Code Spaces had done when offering very accessible services to computer developers).
Code Space’s client server instances were not compromised or stolen. According to its website when the attack occurred, an attacker gained access to its control panel and demanded money in exchange for releasing control back to Code Spaces.
When Code Spaces refused to comply with the ransom, the attacker began deleting its resources. Their notice to clients read as follows: “We finally managed to get our panel access back, but not before ‘he’ had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances.”
In plain English? That means that a huge chunk of data Cloud Spaces had stored in their cloud environment was un-recoverably gone.
Can you imagine getting a notice from your cloud storage company stating that they lost your data from an attack? If you are solely relying on cloud with no additional backups to keep your business secure in the event something happens to that data, you might be in the same spot as Code Spaces.
The attack effectively destroyed Code Spaces.
You can think of this in exactly the same terms as someone breaking into your home, demanding a ransom and then throwing out or destroying your priceless family heirlooms if you failed to comply with their demands. Effectively a cybercriminal threw a grenade into the data center and destroyed everything inside.
What would you do if your cloud provider’s data center were completely destroyed—by ransom attack or simply torn apart? They wouldn’t have any backups.
Would you?
This scenario probably never occurred to you—it certainly hadn’t when Code Spaces designed their cloud-based infrastructure. More likely today than 5 years ago is a possibility that a cloud vendor gets attacked. This story is simply one very clear example of the dangers you are playing with when not opting to back up your data. If you are simply relying on the cloud to keep your data safe and backed up, you might be rolling the dice.
Code Spaces did replicate their data, but with everything in the same place, everything was controllable from the same panel (subsequently all destroyed). If a grenade or attack were to hit your backed up cloud data—data stored in the very same cloud—you probably would not be any better off.
I know none of us want to think about or even consider unconscionable attacks like these—and Code Spaces certainly has my sincerest condolences. No one deserves to have to go through something like this.
My hopes from retelling this story 5 years post-mortem?
Get a few organizations aware that they are NOT really backing their data up securely when they completely resort to a cloud solution. I never want to have to help a business owner or hospital recover from a cyberattack leaving an entire cloud infrastructure’s data useless.
My message to you: you are only as secure as your last backup.
