Monday, February 2, 2009

Ma.gnolia disappears in the Cloud

Yikes. Seems like Ma.gnolia has disappeared in the cloud.

This weekend Ma.gnolia experienced what seems to be a catastrophic data loss - their website is down and they have no idea when it will be back up. 

I have never used Ma.gnolia, a service that lets you move your bookmarks and favorites around with you. Before I read about their data outage I had barely heard of them, but they seem to be a popular alternative to Deli.cio.us amongst the bookmarking crowd.

Do stories like this prove that the cloud is a dangerous place? The anti-cloud perimeter types love this stuff. But of course you are much more likely to lose your laptop than to end up in a Ma.gnolia type situation. In the bigger picture, disaster recovery is a great reason to move towards the cloud, not away from it (anyone who has lost their personal laptop wishes they had more, not less, data in the cloud).

It makes sense that this kind of situation happens a lot less often than data breaches. There are many reasons that vendors cut corners on data security, but it doesn't make much business sense not to have some disaster recovery plan. After all, total data loss and unavailability of services are much more fatal to customers than security breaches. Unless you have a rabid fan base or have locked in customers, your customers will defect when faced with protracted outages (those two exceptions are the only way to explain Apple Mobile Me's continued use).

It doesn't work that way with data security. I don't buy the high rates of supposed customer churn after a data breach (measured at anywhere from 1 to 6.5 percent by the Ponemon Institute). Data breaches occur frequently enough that customers are growing immune to them. If Ma.gnolia had accidentally leaked user's bookmarks, it would be met with a shrug. But now their entire business is at serious risk and users are defecting to Del.ico.us in droves. 

At the risk of a vast generalization, information security is something you do because the law requires it even though your users probably don't care, whereas disaster recovery is something you do because your customers care even though the law probably doesn't require it.

The moral of the Ma.gnolia story for CISOs is to make sure the right safeguards and processes are put in place for using SaaS and web apps. A few simple actions can limit the risk these pose to your enterprise:

1) get the contractual language right - get specific on DR, security, privacy, etc.
2) ask some basic questions of the vendors (like do you have a DR plan)
3) define precisely what data and business functions can and can't be mixed in with the service. 
4) document the use of the service and the associated credentials

No comments:

Post a Comment