Click here to close now.

SYS-CON MEDIA Authors: Pat Romanski, SmartBear Blog, Bob Gourley, Mike Kavis, Elizabeth White

Related Topics: Security, Java, Microservices Journal, Linux, Open Source, Cloud Expo

Security: Article

The Upside of Heartbleed

How a global security crisis created a common litmus test

There are two pieces of good news to come out of Heartbleed. First, we haven't heard of any significant security breaches, which mean that the industry as a whole is getting better at fixing problems as they arise.

The second is that, because Heartbleed presented every single cloud provider with the exact same challenge, it created an excellent global litmus test for crisis response. Everyone started from the same baseline, which eliminates the variability in evaluating their response.

If you're a customer of the cloud, you can review any provider's public response to Heartbleed to evaluate both their technical dexterity (how long did it take them to issue a fix?) as well as their communications and customer service (did their communications assure you that you were in good hands?). And if you're a provider, you can see how your response compared to the competition - and, if necessary, make changes.

Below are a few key crisis response elements that you should look for.

Response Time
In the event of a security crisis, it is critical that customers are notified as quickly as possible, and with as much pertinent information as is available. Most important, customers should know what is being done to protect them. Timing is everything. Did the company you're evaluating have a public response on their blog? On Twitter? Via email? And how quickly did they start communicating?

The communication does not necessarily have to include a comprehensive action plan. But it must be enough to assure you that the service provider is aware of the issue and actively working on a solution.

Who Is Doing the Communication?
After a major security breach, it is important that customers know that the service provider is taking the matter very seriously. Therefore, customer communication should be attributed to a C-level executive within the company. For something as significant as Heartbleed, you want to hear from the company's security or operations executives.

Transparency About Impact and Potential Risks
If a company has been impacted, they should be open and up-front about it. They should clearly articulate which services have - and have not - been affected. It should be easy to assess the impact on users, how long they've been exposed to the risk, and what action the company has taken (e.g., systems patched/certificates reissued).

Responsible Disclosure Policies
It's just as important for a company to disclose what they don't know as it is to disclose what they do know. For instance, could there have been hackers who may have accessed user data? Users would want to know where the company stands on the patch management programs and if there is a tool to check if a service/product/site is still vulnerable.

Sharing of Best Practices
After the initial communication has been delivered, customers will need clarity around what next steps should be taken. IT teams will want to know if immediate upgrades are needed; users will want to know if it's time to change passwords. It is important that customers know where to go for answers to potential questions - whether it's the company's blog, an online forum, or a support phone number. Put yourself in the shoes of a customer: if you still had questions, would it be clear from the provider's communications what you should do next?

Heartbleed may soon be history, but there will inevitably be another crisis. You should use the trail of communications left behind by Heartbleed as a litmus test for crisis response. If you're a customer, make sure that all your providers delivered the level of communications you needed to feel comfortable. If you're a provider, make sure that customer communications is as much a part of your crisis response processes as is your technical work.

More Stories By Ryan Barrett

Ryan Barrett is Vice President of Security & Privacy at Intermedia, the world’s largest one-stop shop for cloud-based email, phones, collaboration and security services for SMBs.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories
Dave will share his insights on how Internet of Things for Enterprises are transforming and making more productive and efficient operations and maintenance (O&M) procedures in the cleantech industry and beyond. Speaker Bio: Dave Landa is chief operating officer of Cybozu Corp (kintone US). Based in the San Francisco Bay Area, Dave has been on the forefront of the Cloud revolution driving strategic business development on the executive teams of multiple leading Software as a Services (SaaS) ap...
Health care systems across the globe are under enormous strain, as facilities reach capacity and costs continue to rise. M2M and the Internet of Things have the potential to transform the industry through connected health solutions that can make care more efficient while reducing costs. In fact, Vodafone's annual M2M Barometer Report forecasts M2M applications rising to 57 percent in health care and life sciences by 2016. Lively is one of Vodafone's health care partners, whose solutions enable o...
How do you securely enable access to your applications in AWS without exposing any attack surfaces? The answer is usually very complicated because application environments morph over time in response to growing requirements from your employee base, your partners and your customers. In his session at 16th Cloud Expo, Haseeb Budhani, CEO and Co-founder of Soha, will share five common approaches that DevOps teams follow to secure access to applications deployed in AWS, Azure, etc., and the frict...
With IoT exploding, massive data will transform businesses with opportunities to monetize almost anything that can be measured. In this C-Level Roundtable Discussion at @ThingsExpo, Brendan O’Brien, Aria Systems Co-founder and Chief Evangelist, will lead an expert panel of consultants, thought leaders and practitioners who will look at these new monetization trends, discuss the implications, and detail lessons learned from their collective experience. Finally, the panel will point the way forw...
SOASTA, the leader in performance analytics, today reported record growth of the CloudTest community, exceeding 30,000 registered users of the CloudTest platform in Q1 2015. SOASTA also announced widespread adoption of its Web and mobile testing solutions, with more than 1,600 customers completing more than 285,000 tests using CloudTest during the quarter. This rapid growth shows that DevOps-driven digital businesses are embracing a more continuous approach to testing, and CloudTest is meeting t...
While DevOps most critically and famously fosters collaboration, communication, and integration through cultural change, culture is more of an output than an input. In order to actively drive cultural evolution, organizations must make substantial organizational and process changes, and adopt new technologies, to encourage a DevOps culture. Moderated by Andi Mann, panelists will discuss how to balance these three pillars of DevOps, where to focus attention (and resources), where organizations m...
of cloud, colocation, managed services and disaster recovery solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. TierPoint, LLC, is a leading national provider of information technology and data center services, including cloud, colocation, disaster recovery and managed IT services, with corporate headquarters in St. Louis, MO. TierPoint was formed through the strategic combination of some of t...
How is unified communications transforming the way businesses operate? In his session at WebRTC Summit, Arvind Rangarajan, Director of Product Marketing at BroadSoft, will discuss how to extend unified communications experience outside the enterprise through WebRTC. He will also review use cases across different industry verticals. Arvind Rangarajan is Director, Product Marketing at BroadSoft. He has over 19 years of experience in the telecommunications industry in various roles such as Softw...
SYS-CON Events announced today that Vicom Computer Services, Inc., a provider of technology and service solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. They are located at booth #427. Vicom Computer Services, Inc. is a progressive leader in the technology industry for over 30 years. Headquartered in the NY Metropolitan area. Vicom provides products and services based on today’s requirements...
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
What exactly is a cognitive application? In her session at 16th Cloud Expo, Ashley Hathaway, Product Manager at IBM Watson, will look at the services being offered by the IBM Watson Developer Cloud and what that means for developers and Big Data. She'll explore how IBM Watson and its partnerships will continue to grow and help define what it means to be a cognitive service, as well as take a look at the offerings on Bluemix. She will also check out how Watson and the Alchemy API team up to off...
The IoT Bootcamp is coming to Cloud Expo | @ThingsExpo on June 9-10 at the Javits Center in New York. Instructor. Registration is now available at http://iotbootcamp.sys-con.com/ Instructor Janakiram MSV previously taught the famously successful Multi-Cloud Bootcamp at Cloud Expo | @ThingsExpo in November in Santa Clara. Now he is expanding the focus to Janakiram is the founder and CTO of Get Cloud Ready Consulting, a niche Cloud Migration and Cloud Operations firm that recently got acquir...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
SYS-CON Media announced today that John Treadway’s blog has exceeded 475,000 page views. John Treadway, Vice President at Cloud Technology Partners, has surpassed 475,000 page views on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, Microservices Journal, and several others. His blog home page at SYS-CON can be found at JohnTreadway.SYS-CON.com.
SYS-CON Events announced today that Column Technologies, a global technology solutions company, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Established in 1998, Column Technologies is a leader in application performance and infrastructure management for commercial and federal markets. The company is headquartered in the United States, with a diverse and talented team of more than 350 employees around th...