Data Centers & Technology:

Transcription

1 Data Centers & Technology: Risk in the digital landscape Presented by; Ralph de Mesquita Principal Risk Analyst, Risk Engineering UK

2 Agenda Rise of cloud providers Four scenarios: where are the insurable & financial risks? Review of traditional data center risks Review of non-traditional data center risks Hybrid attacks Conclusions 2

3 Cloud Computing Who provides Cloud Services? Cloud Providers Amazon AWS Microsoft Azure Salesforce Google IBM Amazon AWS: $14bn annual revenue Microsoft Azure: $10bn annual revenue 3

4 What services does the Cloud offer? Software as a Service: use cloud provided software applications Platform as a Service: develop & host applications using cloud software Infrastructure as a Service: cloud hosts your software applications Data Storage Diagnostic tools Software applications Sales tools & web apps Networking 4

5 Data Center Options What & Where are the Insurable, Uninsured & Uninsurable Risks? On Site: Traditional & legacy systems Own Data Centre Hybrid Solution: private & public cloud Off Site: colocation Colocation Off Site Cloud: uninsured risks? Off-site hosted (cloud provider) 5

6 List of Incidents Data Centers Costs for Traditional Risks $50m loss: back-up power failure at airline Hardware failure, backups did not work $90m fine for bank after software problems 10 hour outage after accidental fire suppression system release 3 month delay after overheating in data center during construction $50m loss: router failure at airline following DDoS attack 6

7 Scenario 1 What is Damage? Own data centre, colocation or cloud provider? 1a. Overheating occurs in the data centre but no fire 1b. Contamination occurs from a contractor working in the data center e.g. dust 7

8 Data Center in the course of construction Overheating Data center in course of setup Fans left switched on Fans not connected to cooling circuits Data center overheated (90 0 C) Network routers installed and on Warranties and service contracts declared void by the supplier Has Damage occurred? Who is responsible? Where does the insurance liability rest? 8

9 Data center in the course of construction Loss Lessons Ensure safety systems are commissioned and installed before hardware is installed and switched on If hardware is installed before safety systems ensure adequate controls are put in place e.g. temperature monitoring with remote signalling, 24/7 presence if values are significant Ensure policy cover is clear if installing own equipment during construction works Ensure contractor & IT staff have a tested emergency response plan not just for fire safety & evacuation purposes If overheating has occurred, engage with Zurich as we have access to specialist electronic testing houses equipment may not need to be replaced 9

10 Insurance Implications Damage: dust, overheating, contamination, smoke, particulates Our material damage and business interruption policy respond when Damage has occurred Damage by manufacturers determined by standards (for dust this is less than 20 micro grams of contamination per square inch) Engage with Zurich at the earliest opportunity to have equipment tested by specialists We will negotiate with your service & warranty suppliers e.g. agree a 6 month wait & see approach on tested equipment Action: communicate this issue to your data center managers & ensure procedures are in place to escalate to the insurance team 10

11 Scenario 2 A Power Failure Own data centre, colocation or cloud provider? 2. The back-up power fails due to the a failure of the Automatic Transfer Switch (ATS) 11

12 Single (Tier 1) power supply: Single points of failure Transformer Generator ATS UPS Server rack 12

13 Dual supply N+1 (Tier 2/3) power supply: Single points of failure Transformer Generator ATS Parallel UPS Parallel UPS Power Main Distribution Server Rack Power 13

14 Full 2N (Tier 4) power supply: Fully redundant power supply Transformer Generator Transformer Generator ATS ATS UPS UPS Server rack 14

15 Insurance Implications to a Power Failure Was the cause of the failure by an insured Peril e.g. fire, or a sudden mechanical failure i.e. mechanical breakdown? Policy cover either Material Damage or Machinery Breakdown Why did the primary power fail? A loss of power from a Supplier has a 48 hour excess on the business interruption policy What are the financial impacts to a power failure i.e. what level of redundancy do you have for mission critical applications? 15

16 Power Supplies Loss Lessons Understand the type of system you have in place risk assess and map your power supplies identify failure points Resilience Tier I, II, III & IV Selected approved products e.g. UL 1008 tested ATS switches A well tested and trained emergency response is better than a paper plan Approved maintenance agreement in place Implement power supply monitoring technologies Use software tools to plan replacement (prior to end of life) 16

17 List of Incidents Non-traditional Cyber Based $81m stolen from bank after hack $3m stolen from bank customer accounts after hack DDoS attack on ISP provider - internet in USA out for 4 hours Hospital scanner offline for one week following ransomware 157,000 customer details stolen from internet & mobile phone company Steel mill suffers damage to furnace after cyber attack Hybrid Attack 17

18 Scenario 3: A Cyber attack leads to a fire Own data centre, colocation or cloud provider? 3. Hackers attack control systems for machinery & plant which directly leads to a fire 18

19 Hybrid Attack Cyber attack via Malware provides access to control software for manufacturing machinery Attackers switch off machinery which causes damage to plant Intellectual property stolen from the company servers Plant downtime for 1 month 1. Which insurance policies could cover fall within? 2. Where do the business interruption costs fall? 19

20 Insurance Implications to a Hybrid Attack Our standard material damage policy responds to physical damage caused by fire & explosion only where a computer virus was the cause Our business interruption policy, however, excludes cover where the proximate cause was a cyber attack Business interruption cover for a hybrid attack is covered by our Cyber Security & Privacy Product Is your company vulnerable to a hybrid type cyber attack? 20

21 Scenario 4: A Ransomware attack Own data centre, colocation or cloud provider? 4. Hackers encrypt your critical data (ransomware attack) 21

22 Code Space case study June Cloud Hack Code Space hosted application development work in Amazon AWS Business entirely hosted in AWS and backed up in AWS Hacker accessed master AWS account & demanded ransom Code Space blocked hacker but hacker had created back door Hacker deleted all files and back-ups Code Space went out of business Use multi-factor authentication to mitigate against credentials theft Use different admin credentials & segregate systems 22

23 Insurance Implications to Ransomware Attack Covered by our Cyber Security & Privacy product Digital asset replacement costs Business income protection (subject to policy limits) Forensic investigations to determine cause & extent of hack Cyber extortion threat handling 23

24 High value data & mission critical applications The 3, 2, 1 of data back-up: Three copies of data Two different media One stored off-site and off-line Cloud Computing Backup e.g. Amazon S3 & Glacier Test backups! Own Data Centre Local back-ups Branch locations Local back-ups Off-site AND offline back-ups Co-location Computing Local back-ups 24

25 EU Data Protection Regulation (GDPR) Enforcement Date: 25 th May 2018 FINES 4% of worldwide turnover or 20m euros whichever is greater 25

26 With the right expertise. 1. How is the digital landscape changing in your company? 2. Understand financial impacts in the event of a loss or failure 3. Understand the residual risk & financial cost AFTER controls have been implemented 4. Run workshops to validate risk & financial models 5. Stress Test your resilience e.g. Red Team testing 6. Have gaps in risk transfer & risk appetite been identified? 26

27 The information contained in this document is intended as a general description of certain types of services and insurance covers available to qualified customers. Zurich Insurance Company Ltd or any of its subsidiaries and its employees do not assume any liability of any kind whatsoever, resulting from the use, or reliance upon any of the information contained herein. It does not replace or complement your individual insurance policy, which is the only source for terms and conditions of your respective insurance cover. This is intended as a general description of certain types of services and insurance covers available to qualified customers through subsidiaries within the Zurich Insurance Group Ltd. including, in the United States, Zurich American Insurance Company, 1299 Zurich Way, Schaumburg, Illinois 60196, and, in Canada, Zurich Insurance Company Ltd, 100 King Street West, Toronto ON M5X 1C9, and, outside the US and Canada, Zurich Insurance Plc, Ballsbridge Park, Dublin 4, Ireland (and its EU branches), Zurich Insurance Company Ltd, Mythenquai 2, 8002 Zurich, Zurich Australian Insurance Limited, 5 Blue St., North Sydney, NSW 2060 and further entities, as required by local jurisdiction. 27