<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>UKFast Blog &#187; The Brigadier</title>
	<atom:link href="http://blog.ukfast.co.uk/author/the-brigadier/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.ukfast.co.uk</link>
	<description>News and views from the UK&#039;s best hosting provider</description>
	<lastBuildDate>Sat, 04 Feb 2012 00:20:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Severe Fines Served For Data Breaches</title>
		<link>http://blog.ukfast.co.uk/2010/11/24/severe-fines-served-for-data-breaches/</link>
		<comments>http://blog.ukfast.co.uk/2010/11/24/severe-fines-served-for-data-breaches/#comments</comments>
		<pubDate>Wed, 24 Nov 2010 10:04:45 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=7768</guid>
		<description><![CDATA[The news of two information security breaches resulting in considerable fines is all over today&#8217;s headlines. Until now the threat of fines of up to £500,000 has been nothing but hearsay, but the precedent has now been set. Both public and private organisations need to take stock and control of their responsibilities relating to the [...]]]></description>
			<content:encoded><![CDATA[<p>The news of two information security breaches resulting in considerable fines is all over today&#8217;s headlines.</p>
<p>Until now the threat of fines of up to £500,000 has been nothing but hearsay, but the precedent has now been set. Both public and private organisations need to take stock and control of their responsibilities relating to the data they hold &#8211; get it wrong and you do substantial harm to individuals and the reputation of your business.</p>
<p>Hertfordshire County Council, which faxed details of a child sex abuse case to a member of the public, is to be fined £100,000 for breaching the Data Protection Act.</p>
<p>Sheffield-based A4e was fined £60,000 for losing an unencrypted laptop with the details of thousands of people.</p>
<p>The commissioner said these fines are the first he has delivered and would &#8220;send a strong message&#8221; to those handling data.</p>
<p>Commissioner Christopher Graham was granted the authority to serve financial penalties for data protection breaches in April of this year.</p>
<p>The A4e data breach also occurred in June, after the company &#8211; a private sector company which provides information on employment and starting a business &#8211; issued an unencrypted laptop to an employee so they could work at home.</p>
<p>The computer contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. It was later stolen from the employee&#8217;s house and an unsuccessful attempt to access the data was made shortly afterwards.</p>
<p>A4e reported the incident to the ICO and the company subsequently notified the people whose data could have been accessed.</p>
<p>The commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be on it.</p>
<p>These cases highlight the critical importance of the proper policies, procedures, instructions and, above all else, controls in relation to information and data. Organisations that utilise third parties (like UKFast) don’t transfer their liabilities relating to ‘their’ data and the Data Protection Act in the eyes of the law. However, partnering with a <a href="http://www.ukfastblog.co.uk/2010/09/27/what-will-pci-dss-2-0-bring/">hosting provider who is ISO27001</a> certified satisfies organisations’ ‘duty of care’ responsibilities that the correct management and control of data is taking place – as verified by government approved, independent third parties.</p>
<p>To use a provider who does not employ such a certified system to guarantee the protection of client data is now guaranteed to cost you up to £500,000 in the event of a breach.</p>
<div id="attachment_7769" class="wp-caption alignright" style="width: 310px"><a href="http://www.ukfastblog.co.uk/wp-content/uploads/2010/11/security.jpg"><img class="size-medium wp-image-7769" title="security" src="http://www.ukfastblog.co.uk/wp-content/uploads/2010/11/security-300x211.jpg" alt="Security in IT" width="300" height="211" /></a><p class="wp-caption-text">Ensuring the security of data is more imperative than ever before</p></div>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/11/24/severe-fines-served-for-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Long Awaited PCI DSS Version 2.0 Arrives!</title>
		<link>http://blog.ukfast.co.uk/2010/11/04/the-long-awaited-pci-dss-version-2-0-arrives/</link>
		<comments>http://blog.ukfast.co.uk/2010/11/04/the-long-awaited-pci-dss-version-2-0-arrives/#comments</comments>
		<pubDate>Thu, 04 Nov 2010 13:15:31 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[e-commerce]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=7591</guid>
		<description><![CDATA[PCI DSS version 2.0 has finally been published (to take over from version 1.2.1 completely by January 2012). Version 1.2.1 will not be fully retired until this point so there exists a suitably generous conversion period especially given the lack of significant change within the new version. Changes in the most part are based on [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.ukfast.co.uk/pci-compliant-hosting.html">PCI DSS </a>version 2.0 has finally been published (to take over from version 1.2.1 completely by January 2012).<br />
Version 1.2.1 will not be fully retired until this point so there exists a suitably generous conversion period especially given the lack of significant change within the new version.</p>
<p>Changes for the most part are based on what has been learned in developing the standard; guidance and clarification have been the main themes of this version release, with greater detail and guidance on virtualisation as well as how security should now be handled in virtual servers and in a cloud environment.</p>
<p>Perhaps the best part about the release of PCI DSS version 2.0 is the launch of a new PCI DSS website aimed at small companies.</p>
<p>Recognising that these companies may lack technical expertise, the message is couched in simple terms and designed to be understood by the non-IT specialist.</p>
<p><strong>There is now a dedicated <a href="http://www.ukfast.co.uk/press-releases/just-5-of-high-street-retailers-are-pci-compliant.html">PCI DSS </a>for Small Merchants website:</strong></p>
<ul>
<li>https://www.pcisecuritystandards.org/smb/index.html</li>
</ul>
<p>In addition, the PCI SSC has produced a guide designed to explain the standard and requirements to non-technical people:</p>
<ul>
<li>https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf</li>
</ul>
<p>This is for version 1.2.1 at the moment but as this remains relevant until the end of next year and the principles have not changed it is an excellent tool to use in achieving PCI DSS compliance.</p>
<p>Despite clarifying many points, the standard still leaves two key areas in limbo: tokenisation and point-to-point encryption.</p>
<p>Both of these technologies are key elements in enabling merchants to take parts of their systems out of scope of the standard.</p>
<p>In other words, if merchants can prove card data has been encrypted or substituted by a token, then it is viewed as secure and out of scope of <a href="http://www.ukfast.co.uk/press-releases/retailers-battle-online-fraud-with-pci-compliance-.html">PCI compliance requirements</a>.</p>
<p>UKFast are PCI DSS (Payment Card Industry Data Security Standard) compliant in our operational business processes relating to the payment card industry. When looking for a hosting partner, look out for PCI compliance requirements in order to guarantee the security of your payment card information and other critical financial details.</p>
<p>You could also have a look at our <a href="http://ukfast.tv/round-tables-pci.html">round table on PCI compliance</a> where we were joined by Graham Boler, consultant at ECSC, Daniel Atherton, managing director of Athernet Solutions, Jason Zemmel, managing director of Half Price Perfumes, Richard Bromley of Ken Bromley Art Supplies, Reshad Hossenally, managing director of Ticket Arena and Neil Lathwood, IT director at UKFast.</p>
<p>Our panellists discussed the reasons behind needing to be PCI Compliant, trust in online security and the procedure of achieving the standard.</p>
<p><a href="http://www.ukfast.co.uk/press-releases/retailers-battle-online-fraud-with-pci-compliance-.html">According to figures issued</a> by Visa earlier this year just nine per cent of the UK&#8217;s Level 1 retailers (those that handle more than six million transactions a year) have actually managed to achieve PCI DSS compliance.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/11/04/the-long-awaited-pci-dss-version-2-0-arrives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Does Carbon Neutrality Mean for Information Security at UKFast?</title>
		<link>http://blog.ukfast.co.uk/2010/10/22/what-does-carbon-neutrality-mean-for-information-security-at-ukfast/</link>
		<comments>http://blog.ukfast.co.uk/2010/10/22/what-does-carbon-neutrality-mean-for-information-security-at-ukfast/#comments</comments>
		<pubDate>Fri, 22 Oct 2010 10:21:19 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[100% carbon neutral]]></category>
		<category><![CDATA[carbon neutral]]></category>
		<category><![CDATA[green]]></category>
		<category><![CDATA[hosting provider]]></category>
		<category><![CDATA[hydro-power]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Lawrence Jones]]></category>
		<category><![CDATA[PAS 2060 Certified]]></category>
		<category><![CDATA[UKFast]]></category>
		<category><![CDATA[ukfast energy]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=7544</guid>
		<description><![CDATA[Good &#8216;green&#8217; practices and robust information security are doctrines that most consider to be polar opposites in social philosophies. Talk of &#8216;green practices&#8217; and &#8216;carbon neutrality&#8217; conjures up images of reduced product quality and ill-conceived environmental controls in order to utilise green resources or save on non-re-usable materials. This is not an image you want [...]]]></description>
			<content:encoded><![CDATA[<p>Good &#8216;green&#8217; practices and robust <a href="http://www.ukfast.co.uk/data-security.html">information security</a> are doctrines that most consider to be polar opposites in social philosophies.</p>
<p>Talk of &#8216;green practices&#8217; and &#8216;carbon neutrality&#8217; conjures up images of reduced product quality and ill-conceived environmental controls in order to utilise green resources or save on non-re-usable materials. This is not an image you want associated with your information security practices and regimen.</p>
<p>UKFast&#8217;s carbon neutrality however, is derived from the accurate &#8216;foot printing&#8217; of our carbon emissions in tonnes of CO<sub>2</sub>e (Equivalent Green House Gas Emissions) in the process of providing our managed hosting services.  Of interest is the fact that 91% of our emissions are produced by the consumption of power from the national grid.</p>
<p>At UKFast we have chosen to offset our carbon emissions by procuring Voluntary Carbon Standard (VCS) certified Carbon Credits.  The money paid for carbon credits of this kind goes directly to maintaining and further developing renewable energy and carbon reduction projects worldwide.</p>
<p>At the same time, in order to be assessed as <a href="http://www.ukfast.co.uk/carbon-neutral-hosting.html">carbon neutral</a> we have documented and implemented a Carbon Reduction Plan – seeking to achieve a number of documented carbon reduction objectives year on year.</p>
<p>The physical and logical security provided by UKFast services will in no way be affected detrimentally by our commitment to maintain a carbon neutral operation.  In fact, by even more accurately monitoring, measuring and seeking to reduce our greatest carbon producing factor – power consumption – we will be making UKFast operations even more secure.</p>
<p>Through the use of innovative technologies and better working practices, a reduction in relative power consumption will decrease the strain placed on the existing national grid infrastructure. This will also further mitigate and control the risk presented by a potential power outage – one of the greatest threats that could instigate a business continuity scenario.</p>
<p>So, carbon neutrality is not just great for the environment but is also a valuable tool to further secure our information assets against threats to their confidentiality, integrity and, most notably, availability.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/10/22/what-does-carbon-neutrality-mean-for-information-security-at-ukfast/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What will PCI DSS 2.0 bring?</title>
		<link>http://blog.ukfast.co.uk/2010/09/27/what-will-pci-dss-2-0-bring/</link>
		<comments>http://blog.ukfast.co.uk/2010/09/27/what-will-pci-dss-2-0-bring/#comments</comments>
		<pubDate>Mon, 27 Sep 2010 10:31:27 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=7323</guid>
		<description><![CDATA[What can retailers, merchants and others who handle credit card data expect from the PCI SSC when they release PCI DSS 2.0 next month? There are a great many criticisms levelled at the current PCI DSS, such as the fact that it is out of date as soon as it is published and in other [...]]]></description>
			<content:encoded><![CDATA[<p>What can retailers, merchants and others who handle credit card data expect from the PCI SSC when they release PCI DSS 2.0 next month?</p>
<p>There are a great many criticisms levelled at the current PCI DSS, such as the fact that it is out of date as soon as it is published and in other areas lacks clarity in terms of what is required.</p>
<p>Many people are hoping that the updates will remove perceived subjective interpretations in the current system.</p>
<p>There are 3 major areas that cause particularly emotive reactions:</p>
<p><strong>Virtualization</strong><br />
Currently section 2.2.1 of PCI DSS states that there can only be one function per server, but if the council means physical servers then this would mean banning virtualization.  However, it could also mean virtual servers, and in that case merchants can use one physical server running separate, dedicated virtual servers.  The PCI SSC has yet to officially explain what is allowed and how it all fits together.</p>
<p>You may ask how such haziness in the standard is currently resolved should retailers deploy virtualization.  Those that do must assert to their Qualified Security Assessor (QSA) that each virtual machine is, in fact, a dedicated server. Unfortunately, in this case, the outcome boils down to the interpretation of the standard by their individual QSA.</p>
<p><strong>Scope</strong><br />
Generally, the PCI DSS scope is defined as any system that stores or processes unencrypted credit card data. Yet while a business may separate all systems that store or process credit card data, they still may use a shared Active Directory, or perhaps a shared administrative LAN to manage other areas of their infrastructure as well as those systems dedicated to payments.</p>
<p>There’s nothing to say that the Active Directory or administrative LANs are in scope, but there’s nothing to say that they aren’t, either &#8211; it’s a grey area that continuously comes up.</p>
<p><strong>Cloud Hosting</strong><br />
At this time, with reference to the use of ‘cloud’ technologies and services, it is ultimately the merchant’s responsibility to make sure that they have the right contracts in place, and make certain that their providers are working in a compliant manner. As part of their due diligence, merchants need to make sure they are dealing with someone reputable.  The council will continue to rely on section 12.8, which governs the use of third-party providers, and states that the merchant must ensure that the provider is compliant with PCI DSS.</p>
<p>With the release of PCI DSS 2.0 next month, it is likely that there will be greater clarity and prescription on the areas of virtualization and scope. However, few expect any further detail on the use of a cloud within merchants’ infrastructures.  That said, there are a number of QSAs out there who feel there may be enough detail in the new standard to be able to assess the suitability of a cloud infrastructure.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/09/27/what-will-pci-dss-2-0-bring/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Rapid PCI DSS Compliance</title>
		<link>http://blog.ukfast.co.uk/2010/09/21/rapid-pci-dss-compliance/</link>
		<comments>http://blog.ukfast.co.uk/2010/09/21/rapid-pci-dss-compliance/#comments</comments>
		<pubDate>Tue, 21 Sep 2010 11:09:25 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=7318</guid>
		<description><![CDATA[To obtain PCI DSS compliance as quickly as possible, it is important to first guarantee support from senior management – ideally the CEO or MD.  Ensure that you have been assigned adequate and dedicated resources (in the form of personnel, tools and finance).  Without this interest, investment and commitment, compliance is destined to fail – [...]]]></description>
			<content:encoded><![CDATA[<p>To obtain PCI DSS compliance as quickly as possible, it is important to first guarantee support from senior management – ideally the CEO or MD.  Ensure that you have been assigned adequate and dedicated resources (in the form of personnel, tools and finance).  Without this interest, investment and commitment, compliance is destined to fail – especially when working in a very tight time-frame.</p>
<p>Secondly, identify your organisation’s current security system as it relates to the PCI DSS.  For example, capture the data flow of card holder data (CHD) throughout your current environment, documenting the data handling process and the infrastructure components encountered and involved in this process, as the PCI DSS requires CHD be protected wherever it is at any given time.</p>
<p>Thirdly, form a team to tackle the technical and compliance requirements of the standard simultaneously.  The tech team can start scanning IPs for vulnerabilities and assessing current tools and products against the PCI DSS and the compliance team can take stock of what policies and procedures are in place against the requirements of the PCI DSS and what needs drafting and implementing.</p>
<p>Next, take the results of these two tasks and formulate a synchronisation matrix in which tasks, with owners and deadlines are coordinated and de-conflicted to ensure continuity of effort and efficient use of resources.  The use of a well versed and experienced project manager (or piece of PM software as a minimum) is a ‘force multiplier’ at this stage, which will save time and money.</p>
<p>Communication is the key to rapid success.  Regular dialogue and meetings are essential to ensure that no conflict of effort occurs.  Compliance requires the implementation of more than 200 controls, so here are a few things to consider if you wish to speed things up:</p>
<ol>
<li><strong>Keep it Stupid/Simple.</strong> Can you simplify the way you process CHD? Using tokenization technology can reduce the scope (however, the PCI SSC is about to issue new direction relating to tokenization as part of PCI DSS 2.0, so consult the PCI SSC website before making any decisions). Using this sort of technology will involve an upfront cost, but that will pay for itself in the mid- to long-term as it drives compliance costs down.</li>
<li><strong>Evolve existing infrastructure.</strong> Can you maximize previous security efforts and investments? For example, you may not need to purchase an IDS; check to see if it&#8217;s possible to add an IDS license to an existing IDS-ready product, such as a firewall.</li>
<li><strong>Concurrent activity.</strong> Can you incorporate credit card handling training into the existing regular staff training, so that implementation occurs during the course of the project?</li>
</ol>
<p>The PCI DSS is not quantum mechanics and accurate and regular communication in conjunction with well disciplined project management should ensure rapid compliance.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/09/21/rapid-pci-dss-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Tips to Avoid Phishing Attacks</title>
		<link>http://blog.ukfast.co.uk/2010/08/18/top-tips-to-avoid-phishing-attacks/</link>
		<comments>http://blog.ukfast.co.uk/2010/08/18/top-tips-to-avoid-phishing-attacks/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 08:55:33 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[hosting]]></category>
		<category><![CDATA[Lawrence Jones]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[top tips]]></category>
		<category><![CDATA[UK]]></category>
		<category><![CDATA[UKFast]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=7186</guid>
		<description><![CDATA[Hot on the heels of our recent post about SSL certificates, I have read with interest another security story about the dangers of phishing. In case you have not come across it before, phishing is defined as &#8220;the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details [...]]]></description>
			<content:encoded><![CDATA[<p>Hot on the heels of our recent post about SSL certificates, I have read with interest another security story about the dangers of phishing.</p>
<p>In case you have not come across it before, phishing is defined as &#8220;the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication&#8221;.</p>
<p><strong>A good example would be:</strong></p>
<p>An email arrives in your inbox from your bank explaining there has been an issue with your account and that you need to log in to verify a couple of pieces of information.  The email provides a link that directs you straight to a login screen.</p>
<p>The email looks trustworthy as it is well written and contains the bank’s logos and details. You follow the link provided, to a website which appears to be legitimate, and you enter the relevant details required without giving it a second thought.</p>
<p>Next thing you know, large sums are missing from your account and you have no idea why.</p>
<p>Avoiding becoming a victim of phishing is not too difficult; you just need to be vigilant when you receive emails asking for personal information.</p>
<p><strong>Here are my top tips to avoid becoming a victim of phishing:</strong></p>
<p>1. Read emails carefully – if they are full of grammatical errors or spelling mistakes, they should not be trusted.</p>
<p>2. If you have been asked to log into any online account, navigate to that website yourself – do not click any links provided.</p>
<p>3. Be aware that many banks will specify the kind of emails they will and will not send to you.  Some even guarantee that they will never email you to ask you to log in to your account.</p>
<p>4. Check the legitimacy of the site you navigate to by viewing the details of the SSL owner.</p>
<p>5. Use a web browser that provides anti-phishing support and which protects you from known fraudulent websites.</p>
<p>6. If in doubt, do not provide personal information and speak directly to the supposed source of the email.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/08/18/top-tips-to-avoid-phishing-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Importance of Business Continuity Planning</title>
		<link>http://blog.ukfast.co.uk/2010/08/10/the-importance-of-business-continuity-planning/</link>
		<comments>http://blog.ukfast.co.uk/2010/08/10/the-importance-of-business-continuity-planning/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 11:21:45 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[UKFast]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6963</guid>
		<description><![CDATA[&#160; At UKFast we are often asked about our business continuity plans. However, on many occasions this has to be pointed straight back at the questioner. We start by identifying every critical inward and outward facing business process and list it in order of criticality.  All the information assets involved in each process are identified [...]]]></description>
			<content:encoded><![CDATA[<p>At UKFast we are often asked about our business continuity plans. However, on many occasions this has to be pointed straight back at the questioner.</p>
<p>We start by identifying every critical inward and outward facing business process and list it in order of criticality.  All the information assets involved in each process are identified and referenced to an information asset register.</p>
<p>For each of the services, the risks are identified as well as the possible business continuity impacts that they would have on the business should they occur.  This can range in seriousness from the loss of site access through to the loss of site.</p>
<p>The risks are prioritised in terms of their impact and the business continuity planning process makes arrangements to tackle these risks in the order identified by the risk assessment process.</p>
<p>UKFast’s business continuity plans address all of our company’s activities and ensure that adequate resources are available to provide continuity to all information security assets. This includes taking appropriate steps for the protection of our team and all information processing facilities.</p>
<p>Our business continuity plans are maintained within a set framework and are subject to continual testing, maintenance and improvement.</p>
<p>You may be able to gauge that our BCP regime is extensive, but this is in part because there are a number of business continuity scenarios that would affect both our own company and our clients’ business processes.</p>
<p>At UKFast we offer solutions to all of our clients that ensure that if such scenarios were to occur, they would do so without affecting their business processes.</p>
<p>In summary, the UKFast business continuity plans consider UKFast business continuity and specifically our network first, in the event of a BC scenario. There are a number of scenarios that will only directly affect UKFast business processes and a number of scenarios that will affect both UKFast and UKFast Client business processes.</p>
<p>So&#8230;what is your business continuity plan?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/08/10/the-importance-of-business-continuity-planning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL Certificates Explained</title>
		<link>http://blog.ukfast.co.uk/2010/08/05/ssl-certificates-explained/</link>
		<comments>http://blog.ukfast.co.uk/2010/08/05/ssl-certificates-explained/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 10:01:58 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6879</guid>
		<description><![CDATA[It is often important to be sure that the site you are visiting is secure. SSL certificates can guarantee the security of your personal data. When visiting a site, it is important to look for certain signs to ensure that a site is safe before entering credit card details or private personal information. A small [...]]]></description>
			<content:encoded><![CDATA[<p>It is often important to be sure that the site you are visiting is secure. SSL certificates can guarantee the security of your personal data.</p>
<p>When visiting a site, it is important to look for certain signs to ensure that a site is safe before entering credit card details or private personal information.</p>
<p>A small padlock is normally visible in the bottom right or top right corner of the screen and means that any data entered into the site will be secure as it will be encrypted.</p>
<p><img class="alignleft size-full wp-image-6881" title="Padlock" src="http://www.ukfastblog.co.uk/wp-content/uploads/2010/08/Padlock1.jpeg" alt="" width="36" height="20" /></p>
<p>By clicking the padlock, you can discover information about the SSL certificate and who it is owned by/issued to. For example, clicking the padlock on <a href="https://my.ukfast.co.uk/">https://my.ukfast.co.uk</a> gives the following information:</p>
<p><img class="alignleft size-medium wp-image-6886" title="Table SSL" src="http://www.ukfastblog.co.uk/wp-content/uploads/2010/08/Table-SSL2-300x192.jpg" alt="" width="300" height="192" /></p>
<p>There are also different types of SSL referring to different encryption levels. The most common forms are 40 bit, 128 bit and 256 bit.  But what does this actually mean?</p>
<p>These figures refer to the length of the encryption key required to decrypt data – for example, 128 bit encryption actually means that the encryption key is 128 binary digits (bits) long.  As with passwords, the longer the key, the more possible combinations there are &#8211; so the higher this number, the more secure the site.</p>
<p>There are other forms of visual verification on screen that can indicate that the site you are visiting is secured by an SSL.  Often the URL for a secure site will begin with “https”, the “s” referring to “secure.” The company name may also be featured to the left hand side of the address bar, to add extra peace of mind.</p>
<p><img class="alignleft size-full wp-image-6882" title="Comp name" src="http://www.ukfastblog.co.uk/wp-content/uploads/2010/08/Comp-name.jpeg" alt="" width="172" height="20" /></p>
<p>Finally, an EV or Extended Validation Certificate provides additional visual information to reassure the website visitor that the site is protected by an SSL. A site with an EV certificate will highlight the address bar in green and will normally contain the name of the Certificate Authority which has issued the certificate and also the name of the company which the certificate has been presented to.</p>
<p><img class="alignleft size-full wp-image-6883" title="cert" src="http://www.ukfastblog.co.uk/wp-content/uploads/2010/08/cert.jpeg" alt="" width="115" height="20" /></p>
<p>Clearly there are many different types of SSL and many ways to check the security of a site. However, the most important thing is that when you provide personal information online, you are confident that you are using a secure website.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/08/05/ssl-certificates-explained/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Uncovering the Truth Behind &#8216;Unlimited Bandwidth&#8217;</title>
		<link>http://blog.ukfast.co.uk/2010/08/02/uncovering-the-truth-behind-%e2%80%98unlimited-bandwidth%e2%80%99/</link>
		<comments>http://blog.ukfast.co.uk/2010/08/02/uncovering-the-truth-behind-%e2%80%98unlimited-bandwidth%e2%80%99/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 15:18:22 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Internet]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6862</guid>
		<description><![CDATA[As discussed in a previous blog post, Ofcom&#8217;s latest research has confirmed what we all expected &#8211; broadband users are not getting the broadband services they are being sold in the first place. In certain circumstances, 97 per cent of customers are not getting their advertised speed. In addition, there is a growing gap between [...]]]></description>
			<content:encoded><![CDATA[<p>As discussed in a previous blog post, Ofcom&#8217;s latest research has confirmed what we all expected &#8211; broadband users are not getting the broadband services they are being sold in the first place.</p>
<p>In certain circumstances, 97 per cent of customers are not getting their advertised speed. In addition, there is a growing gap between the claims ISPs make about broadband speed and that which is actually delivered.</p>
<p>So, how does this tie into the hosting industry? Well, there are many hosting providers who, like their broadband counterparts, over-promise on the bandwidth offered with the hosting package. Hosting providers who use promises of &#8216;unlimited bandwidth&#8217; as their advertising slogan cannot deliver. It&#8217;s impossible. If these unlimited bandwidth promises were ever fulfilled, surely the world&#8217;s biggest bandwidth-consuming websites (YouTube and Facebook for example) would host with these companies in order to dramatically cut costs?</p>
<p>How do they get away with advertising in such a way with no potential to deliver on it in the way that a customer would expect? The secret lies within small print. You must check the terms and conditions on any offers of this nature. The likelihood is there is something in the Ts&amp;Cs about an acceptable usage policy which means that you will be cut off once you have used 100GB for example.</p>
<p>A common feature of unlimited bandwidth offers is the promise of “unlimited bandwidth and 100 Mbps connection.” Sounds good, doesn’t it? They want you to believe that you will have a 100 Mbps connection to the internet, which would give you the ability to consume 340TB every month. Clearly this has never been possible. In reality, a 100 Mbps connection is simply the capability of the network card on your server and not the speed of the pipe.</p>
<p>Pipe speeds may vary from provider to provider, but the end result does not &#8211; large numbers of customers all promised unlimited bandwidth and all connected to the same pipe. This is problematic, as the maximum capacity of the pipe to which all the customers are connected is not enough to perform at the level each user expects. This leads to bandwidth performing way below everyone’s expectations and results in lots of slow-to-load websites.</p>
<p>You get what you pay for. Investing in hosting with a company that has invested in high quality infrastructure and that operates with significant available network capacity makes sense.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/08/02/uncovering-the-truth-behind-%e2%80%98unlimited-bandwidth%e2%80%99/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>ISO27001 Accreditation &#8211; Part Three</title>
		<link>http://blog.ukfast.co.uk/2010/07/27/iso27001-accreditation-%e2%80%93-part-three/</link>
		<comments>http://blog.ukfast.co.uk/2010/07/27/iso27001-accreditation-%e2%80%93-part-three/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 14:05:14 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6839</guid>
		<description><![CDATA[This series of blogs has focused on introducing and explaining the ISO27001 accreditation in more detail. In this final post of the series we shall explain how an organisation can attempt to be as compliant as possible with the ISO27001 standard, even without receiving this accreditation. Without pursuing ISO27001 accreditation myself, how may I ensure [...]]]></description>
			<content:encoded><![CDATA[<p>This series of blogs has focused on introducing and explaining the ISO27001 accreditation in more detail.</p>
<p>In this final post of the series we shall explain how an organisation can attempt to be as compliant as possible with the ISO27001 standard, even without receiving this accreditation.</p>
<p><strong>Without pursuing ISO27001 accreditation myself, how may I ensure that my organisation is as compliant as possible with the ISO27001 standard?</strong></p>
<p>The best way to ensure that your organisation is compliant with the ISO27001 regulations is to begin by making sure that as many of your information assets as possible are managed by an ISO27001 accredited hosting provider.</p>
<p>By employing the provision of specific services relating to security in this way, you will not yourself be accredited by association, but are much more likely to ensure that you are acting in accordance with the correct regulations.</p>
<p>Finally, you can ensure that your organisation adopts an information security policy that has been approved by an ISO27001 accredited provider. This can then be the strong foundation which may be the source of further direction, policy and procedure in relation to your own and your clients’ information assets.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/07/27/iso27001-accreditation-%e2%80%93-part-three/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO27001 Accreditation &#8211; Part Two</title>
		<link>http://blog.ukfast.co.uk/2010/07/20/iso27001-accreditation-%e2%80%93-part-two/</link>
		<comments>http://blog.ukfast.co.uk/2010/07/20/iso27001-accreditation-%e2%80%93-part-two/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 16:34:20 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6802</guid>
		<description><![CDATA[The first blog in this series hopefully provided a brief overview of the ISO27001 accreditation.  In this post we shall deal with some more specifics of this certification and explain what your hosting provider will have done to earn this recognition.]]></description>
			<content:encoded><![CDATA[
<p>The first blog in this series hopefully provided a brief overview of the ISO27001 accreditation. In this post we shall deal with some more specifics of this certification and explain what your hosting provider will have done to earn this recognition.</p>
<p><strong>Checking accreditation</strong></p>
<p>You should first ensure that an organisation is fully accredited to the ISO27001 standard by checking the organisation&#8217;s &#8216;certificate of registration&#8217;, which should have been issued by an umbrella body of auditors on behalf of UKAS.</p>
<p><strong>UKAS approval</strong></p>
<p>UKAS stands for the United Kingdom Accreditation Service and you will need to check that the ‘Certificate of Registration’ is UKAS approved.</p>
<p>UKAS is the sole national accreditation body recognised by UK government to assess, against internationally agreed standards.</p>
<p>Accreditation by UKAS demonstrates the competence, impartiality and performance capability of these evaluators.</p>
<p>Verifying the UKAS ISO27001 accreditation should be simple, as accredited organisations should have the UKAS logo, the name of the auditors and the unique certificate number clearly printed on any literature.</p>
<p>Using the unique certificate number and the details of the umbrella body auditors, it should be relatively simple to confirm the validity of the accreditation, as most reputable bodies will allow you to validate a certificate via their website.</p>
<p><strong>‘Scope of activities’ </strong></p>
<p>Every ISO certificate of registration requires a “statement of scope”.</p>
<p>This explains what operations, departments, physical locations, individuals and business practices are included as part of the external audit.</p>
<p>Some organisations may choose to include only a limited aspect of their business operations in this statement of scope. Obviously, for the physical and logical security of information held by a service provider, this may be a cause for serious concern.</p>
<p>It might be that an information processing facility is included within the scope and is assessed to meet the standard but that the support, sales and operations departments of an organisation are purposefully left out of the statement and therefore may represent a serious vulnerability or risk to information assets.</p>
<p>To this end it is critical that the scope of the hosting provider’s certificate of registration is inclusive of all aspects of the organisation’s operations.</p>
<p><em>Keep your eyes peeled for our third and final blog in this series, where we will be explaining how to ensure that your organisation is as compliant as possible with the ISO27001 standard even if you have not received this accreditation.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/07/20/iso27001-accreditation-%e2%80%93-part-two/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What does it mean to receive the ISO27001 accreditation?</title>
		<link>http://blog.ukfast.co.uk/2010/07/15/what-does-it-mean-to-receive-the-iso27001-accreditation/</link>
		<comments>http://blog.ukfast.co.uk/2010/07/15/what-does-it-mean-to-receive-the-iso27001-accreditation/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 14:35:43 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[hosting]]></category>
		<category><![CDATA[how to achieve]]></category>
		<category><![CDATA[ISO27001]]></category>
		<category><![CDATA[Lawrence Jones]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[UKFast]]></category>
		<category><![CDATA[what does it mean]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6792</guid>
		<description><![CDATA[In this series of blogs we shall be investigating the ISO27001 accreditation. This first blog in the series will act as an introduction to the certification, whilst in part two we shall be examining the accreditation in more detail. In our third and final blog we will explain how you can ensure that your organisation [...]]]></description>
			<content:encoded><![CDATA[<p>In this series of blogs we shall be investigating the ISO27001 accreditation.</p>
<p>This first blog in the series will act as an introduction to the certification, whilst in part two we shall be examining the accreditation in more detail.</p>
<p>In our third and final blog we will explain how you can ensure that your organisation is as compliant as possible with the ISO27001 standard even if you have not received this accreditation.</p>
<p><strong>What does it really mean that a hosting provider is ISO27001 accredited?</strong></p>
<p>Finding a hosting provider with an ISO27001 accreditation means that you can feel safe in the knowledge that that organisation is committed to information security at every level.</p>
<p>In order to earn this official recognition, a company has to be exhaustively audited by an independent third party against exacting and detailed standards.</p>
<p>That organisation will have identified ‘information assets’ within a specified ‘scope’ and assessed the risk to each in relation to confidentiality, integrity and availability.</p>
<p>‘Risk’ is scored by assessing the impact of an event occurring against the likelihood that such an event would take place. In order to earn the accreditation, a hosting provider will have employed controls to reduce this risk to an acceptable level.</p>
<p><strong>Can my organisation be ISO27001 accredited by association?</strong></p>
<p>If your hosting provider is ISO27001 accredited, this unfortunately does not mean that you are also accredited by association. However, any services exclusively managed on your behalf by the provider are operated in compliance with the ISO27001 standard.</p>
<p>The areas not compliant with the ISO27001 standard are those actions and procedures conducted independently by your organisation.</p>
<p><strong>Are all ISO27001 accredited providers equally qualified?</strong></p>
<p>It is important to understand that not all ISO27001 accredited providers are equally qualified.</p>
<p>There are a number of accreditation details which are important to bear in mind:</p>
<ul>
<li>Is an organisation accredited / registered?</li>
<li>If they are a UK-based organisation, is the accreditation UKAS approved?</li>
<li>Can you independently verify the ISO accreditation via the independent auditors using the unique certificate number?</li>
<li>What is the ‘scope of activities’ included within the organisation’s accreditation?</li>
</ul>
<p>In parts two and three of this series of blogs we shall look at each of these aspects in more detail.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/07/15/what-does-it-mean-to-receive-the-iso27001-accreditation/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Information Commissioner says ‘NHS worst for data breaches’</title>
		<link>http://blog.ukfast.co.uk/2010/07/07/information-commissioner-says-%e2%80%98nhs-worst-for-data-breaches%e2%80%99/</link>
		<comments>http://blog.ukfast.co.uk/2010/07/07/information-commissioner-says-%e2%80%98nhs-worst-for-data-breaches%e2%80%99/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 08:17:40 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6752</guid>
		<description><![CDATA[The BBC has reported that the NHS has the highest number of serious data breaches of any UK organisation since the end of 2007, according to recent findings by the Information Commissioner&#8217;s Office. David Smith, deputy commissioner at the ICO told the Infosec Security Conference that the NHS had highlighted 287 breaches since the end [...]]]></description>
			<content:encoded><![CDATA[<p><strong>The BBC has reported that the NHS has the highest number of serious data breaches of any UK organisation since the end of 2007, according to recent findings by the Information Commissioner&#8217;s Office. </strong></p>
<p>David Smith, deputy commissioner at the ICO, told the Infosec Security Conference that the NHS had highlighted 287 breaches since the end of 2007, most of which were breaches related to stolen data or hardware.</p>
<p>This accounts for more than 30 per cent of the total number of serious data breaches reported.</p>
<p>The NHS is the UK&#8217;s largest employer with 1.7m staff and is currently in the process of rolling out digital patient records. With this in mind, this latest news is rather concerning.</p>
<p>Most of the breaches (113) were the result of stolen data or hardware, followed by 82 cases of lost data or hardware.</p>
<p>So how is it that an organisation which insists that its third party IT service providers are ISO27001 certified can be responsible for a third of all data breaches in the UK?</p>
<p>To be truly effective, an Information Security Management System (ISMS) must be simple, usable and clearly communicated throughout the organisation in which it is employed.</p>
<p>In addition, responsibility and ownership of assets, policies and procedures must be clearly dictated and controlled at the highest level, to ensure disciplined adherence to the standards.</p>
<p>As the NHS itself is not ISO27001 accredited, some would argue that it may not be fully aware of the standard’s requirements and therefore there is little chance of the information security approach being effective.</p>
<p><strong>So what is the information security approach of the NHS? </strong></p>
<p>A good question and one that I am not even sure the NHS can answer.</p>
<p>It seems that the NHS may have assumed that in appointing ISO27001 certified third parties to conduct and manage certain services on their behalf, this will ensure the security of their information, data and information assets.</p>
<p>Unfortunately for the NHS, there is no such thing as accreditation by association.</p>
<p>The scope of the NHS’ information security assets is vast. As mentioned previously, the NHS is the largest employer in the UK and as with most modern organisations the majority of these employees will have access to some form of information processing asset.</p>
<p>Herein lies an enormous vulnerability to information security that is currently not being adequately controlled.</p>
<p>As these staff are not controlled by an NHS ISMS that dictates and controls an approach to information assets and regularly audits such controls to ensure that they are effective, each NHS employee presents an unregulated risk to NHS owned data.</p>
<p>Hence the frequency and nature of such data loss should come as no surprise.  NHS data put into the trust of an organisation that runs an effective ISMS and is certified ISO27001 compliant should be considered secure.  However, as soon as it is re-introduced into the realm of the NHS, there is absolutely no way that this will remain the case.</p>
<p>It is an unenviable task given the size of the organisation, but a coordinated approach must be adopted to secure the information within the NHS as an organisation.</p>
<p>I for one have opted out from plans to digitise patient records, not because of some civil liberties rant or fear of a ‘Big Brother’ state but because the risks to confidentiality, integrity and availability are uncontrollable under the current NHS information security model.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/07/07/information-commissioner-says-%e2%80%98nhs-worst-for-data-breaches%e2%80%99/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beginners Guide to Firewalls</title>
		<link>http://blog.ukfast.co.uk/2010/05/11/beginners-guide-to-firewalls/</link>
		<comments>http://blog.ukfast.co.uk/2010/05/11/beginners-guide-to-firewalls/#comments</comments>
		<pubDate>Tue, 11 May 2010 15:04:51 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6629</guid>
		<description><![CDATA[Most of us understand that the firewall in your solution is there to protect your hardware and valuable data from outside interference. What is not necessarily understood by the less technical amongst us, myself included, is what the published features mean and what they allow you to achieve. At UKFast, we provide Cisco ASA Firewalls [...]]]></description>
			<content:encoded><![CDATA[<p>Most of us understand that the firewall in your solution is there to protect your hardware and valuable data from outside interference.</p>
<p>What is not necessarily understood by the less technical amongst us, myself included, is what the published features mean and what they allow you to achieve. At UKFast, we provide Cisco ASA Firewalls only, and so these are what I will focus on. The table below shows an excerpt from the comparison table Cisco publish and the feature set of each firewall:</p>
<table>
<tbody>
<tr>
<td></td>
<td><strong>5505</strong></td>
<td><strong>5505 UL</strong></td>
<td><strong>5505 SP</strong></td>
<td><strong>5510</strong></td>
<td><strong>5510 SP</strong></td>
</tr>
<tr>
<td><strong>Bandwidth (Mb/s)</strong></td>
<td>150</td>
<td>150</td>
<td>150</td>
<td>300</td>
<td>300</td>
</tr>
<tr>
<td><strong>Max Firewall Connections </strong></td>
<td>10,000</td>
<td>10,000</td>
<td>25,000</td>
<td>50,000</td>
<td>130,000</td>
</tr>
<tr>
<td><strong>Firewall connections per second</strong></td>
<td>4,000</td>
<td>4,000</td>
<td>4,000</td>
<td>9,000</td>
<td>9,000</td>
</tr>
<tr>
<td><strong>Maximum VPN Sessions </strong></td>
<td>10</td>
<td>10</td>
<td>25</td>
<td>250</td>
<td>250</td>
</tr>
<tr>
<td><strong>Maximum VLANS</strong></td>
<td>3</td>
<td>3</td>
<td>20</td>
<td>50</td>
<td>100</td>
</tr>
<tr>
<td><strong>IPS Upgrade Available</strong></td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><strong>Failover Upgrade Available </strong></td>
<td>No</td>
<td>No</td>
<td>Yes</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td><strong>Maximum IPs </strong></td>
<td>10</td>
<td>Varies*</td>
<td>Varies*</td>
<td>Varies*</td>
<td>Varies*</td>
</tr>
</tbody>
</table>
<p>*Maximum IPs provided by UKFast dependent on solution.</p>
<p>Maximum Firewall Connections &#8211; the maximum number of connections the firewall can handle at any time. Busy websites and applications will push the limit on connections.</p>
<p>Maximum Firewall Connections per Second &#8211; the maximum number of new connections the firewall can accept per second.</p>
<p>Maximum VPN Sessions &#8211; the number of VPN connections that can be in operation at one time.</p>
<p>Maximum VLANs &#8211; VLANs allow a single firewall to appear like a number of firewalls – like virtualising a dedicated server into a number of virtual servers. Having the ability to configure a number of VLANs allows for increased solution security and provides the ability to provide different access lists and port security on database servers than you have on web servers, for example.</p>
<p>Failover Upgrade Available &#8211; A “Yes” identifies that by buying 2 units, failover is possible.</p>
<p>IPS Upgrade Available &#8211; All Cisco ASA firewalls now support being upgraded to include IDS/IPS.</p>
<p>Maximum IPs &#8211; The number of IPs that can be protected by the firewall. A solution with more than 10 servers or using more than 10 IP addresses (for SSL certificates, for example) would need to be upgraded from using the base ASA 5505 model.</p>
<p>Definitions</p>
<ul>
<li>5505 UL = 5505 Firewall with Unlimited User Licence upgrade installed</li>
<li>5505 SP and 5510 SP = Version of firewall model with Security Plus Licence upgrade installed</li>
<li>VPN = Virtual Private Network</li>
<li>VLAN = Virtual Local Area Network</li>
<li>IDS = Intrusion Detection System</li>
<li>IPS = Intrusion Prevention System</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/05/11/beginners-guide-to-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Choosing the Right Data Protection Routine</title>
		<link>http://blog.ukfast.co.uk/2010/03/19/choosing-the-right-data-protection-routine/</link>
		<comments>http://blog.ukfast.co.uk/2010/03/19/choosing-the-right-data-protection-routine/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 08:36:26 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[database replication]]></category>
		<category><![CDATA[geographical redundancy]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6405</guid>
		<description><![CDATA[The impact of data loss or unavailability is an area of concern to any business that associates any level of importance to their online presence.  The level of concern is determined by the available budget and also the costs associated with data either being permanently lost or data just being unavailable for any period of time.
Choosing the right data protection policy is determined by:
budget
the costs associated with data either being permanently lost 
the costs associated with data just being unavailable for any period of time]]></description>
			<content:encoded><![CDATA[<p>How do you choose the right data protection routine?</p>
<p>The impact of data loss or unavailability is an area of concern to any business that attaches any level of importance to its online presence. The level of concern is determined by the available budget and also the costs associated with data either being permanently lost or data just being unavailable for any period of time.</p>
<p>Data (all or part) being permanently “lost” is commonly known as the “Recovery Point Objective” (RPO) – the more precise definition being “the amount of data loss, expressed by an amount of time, which is acceptable”. The agreed RPO will determine the type and frequency of data backup.</p>
<p>Data being unavailable for any period is commonly known as the “Recovery Time Objective” (RTO) – the more precise definition being “the amount of time deemed acceptable for data to be restored and a solution to be made “live” once again”. The agreed RTO will determine how and where backed up data will be stored and, therefore, restored.</p>
<p>Combining the aspects of both RPO and RTO provides the first step in establishing the data protection or backup requirements of a solution.</p>
<div id="attachment_6411" class="wp-caption alignleft" style="width: 310px"><a href="http://www.ukfastblog.co.uk/wp-content/uploads/2010/03/RPO_RTO.jpg"><img class="size-medium wp-image-6411" title="RPO_RTO" src="http://www.ukfastblog.co.uk/wp-content/uploads/2010/03/RPO_RTO-300x288.jpg" alt="Relationship of RPO to RTO" width="300" height="288" /></a><p class="wp-caption-text">Relationship of RPO to RTO</p></div>
<p>The graph illustrates 5 different scenarios. Each scenario represents the decision a particular business has made in regards to what they will accept in terms of their Recovery Point Objective and their Recovery Time Objective. With both the RPO and RTO, a lower value represents the requirement for a more stringent data protection plan.</p>
<p>Scenario 1<br />
Let’s first consider the 2 scenarios which give us points 1 and 2 &#8211; a static brochure site.<br />
We assume the acceptable RPO is high as data does not change and the original web designer has retained a copy of the site. However, the RTO is different &#8211; the site being static does not mean that it is not considered a key business asset.</p>
<p>Assuming high RPO, 2 outcomes are possible:<br />
1. High RPO combined with high RTO (Point 1 on the diagram):<br />
A high RTO here suggests that the website is not a key business asset as there is no hurry to get it back online. In this case no backup is needed – the site can be uploaded again once the server is back up and running.<br />
2. High RPO combined with low RTO (Point 2 on the diagram)<br />
The low RTO tells us that the website is a key business asset and it is essential for it to be restored ASAP, depending on budget.<br />
a. High budget leads to a load balanced solution being employed.<br />
b. Low budget leads to daily backups alone being employed.</p>
<p>Scenario 2 &#8211; a solution storing financial and accounting data (Point 3 on the diagram).<br />
The actual data is critical and it must not be lost – giving us a very low RPO; whereas, the availability of the data is less essential and therefore the RTO is high.<br />
a. Even with a low budget, a dedicated backup server with regular test restores is a minimum.<br />
b. Data replication onto a separate server is recommended.</p>
<p>Scenario 3 – content management system driven brochure website (no ecommerce).<br />
Clearly, the website is important to the business as they have paid for it to be updateable, and the loss of this data would result in no website content.<br />
The result is mid level RPO and RTO (Point 4 on the diagram) as the business will be affected by the site being down and data not being restorable.<br />
a. Low budget results in employing daily backups to give relatively fast data restore with a maximum 24 hours data loss.<br />
b. High budget allows us to employ load balancing and database replication.</p>
<p>Scenario 4 &#8211; ecommerce website which is the business’ sole source of income.<br />
The perfect example of low RPO and RTO (Point 5 on the diagram) – data loss and downtime are unacceptable.<br />
The technologies employed depend on the budget available:<br />
a. Even with a low budget, we must employ load balancing and data replication where the worst case scenario is short periods of downtime and minimal data loss.<br />
b. The recommendation is a private cloud built on highly resilient hardware across geographically separated locations; thus removing any potential for data loss or downtime.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/03/19/choosing-the-right-data-protection-routine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>UKFast Intelligent Backup</title>
		<link>http://blog.ukfast.co.uk/2010/03/16/ukfast-intelligent-backup/</link>
		<comments>http://blog.ukfast.co.uk/2010/03/16/ukfast-intelligent-backup/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 08:15:59 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[UKFast]]></category>
		<category><![CDATA[backup]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[managed backup]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6393</guid>
		<description><![CDATA[Performing regular server backups is a must for every business that uses online applications for email, databases, websites or ecommerce. Your business cannot afford to lose this vital information.
UKFast's intelligent backup facility guarantees that all business-critical data is backed up right up to the moment catastrophe strikes, ready to serve again.
]]></description>
			<content:encoded><![CDATA[<p>Performing regular server backups is a must for every business that uses online applications for email, databases, websites or ecommerce. Your business cannot afford to lose this vital information.<br />
UKFast&#8217;s intelligent backup facility guarantees that all business-critical data is backed up right up to the moment catastrophe strikes, ready to serve again.</p>
<p>UKFast managed backup features:</p>
<ul>
<li>Weekly full system state server backup</li>
<li>Daily incremental server backup, including your system state</li>
<li>Intelligent, burstable quota starting at 50GB per server and up to 200GB</li>
<li>Option to choose customised managed backup</li>
<li>Full management of your server backup solution and completion of the recovery process</li>
</ul>
<p>How do UKFast’s burstable quotas work?<br />
Your standard backup quota is 50GB and UKFast allows this quota to burst to 200GB. We are enabling you to actually use 300% more space than this. The caveat is that your usage MUST fall below 50GB once in any 14 day period. Should your total usage not fall below this 50GB limit in any given 14 day period, your backups will fail and it will no longer be possible to restore your data. In this situation, your Account Manager will contact you to establish exactly what your required quota is and to discuss how to put this in place.<br />
The intelligent, burstable regime ensures a flexible quota sufficient to provide ongoing and uninterrupted backup for 87% of the UKFast client base.</p>
<p>Customising your backups, it’s the intelligent choice:<br />
Choose a time that suits your server usage – if your quietest time is 4pm, then that’s when we’ll run your backups.</p>
<p>By customising your backups to only include the relevant files and folders, you gain several benefits:</p>
<ul>
<li>You will be able to back up ALL files which YOU consider to be mission critical.</li>
<li>The time taken to complete a backup is significantly reduced – any impact on your server whilst your data is backed up is minimised.</li>
<li>The time to restore data is significantly reduced – the quicker data can be restored to your server, the sooner you will be online and fully functional.</li>
</ul>
<p>Top Tips on backups</p>
<ul>
<li>Tell UKFast what time is best for you for backups to run to reduce the impact on your server</li>
<li>Nominate which specific folders and files you want to be backed up to ensure your quota is not reached and backups run successfully</li>
<li>Take a dedicated backup server to increase the flexibility of backup implementation</li>
<li>Request cross datacentre backup for increased resilience and business continuity</li>
</ul>
<p>Restrictions and limitations</p>
<ul>
<li>Backup is restricted to a weekly retention period.</li>
<li>Incremental backups are based on time stamps. If you move files into an existing directory or move a whole directory into the backup fileset after a Full backup, those files will probably not be backed up by an Incremental save because they will have old dates.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/03/16/ukfast-intelligent-backup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Makes Technical Support Great?</title>
		<link>http://blog.ukfast.co.uk/2010/03/14/what-makes-technical-support-great/</link>
		<comments>http://blog.ukfast.co.uk/2010/03/14/what-makes-technical-support-great/#comments</comments>
		<pubDate>Sun, 14 Mar 2010 10:45:44 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Customer Service]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6386</guid>
		<description><![CDATA[A key part of dedicated hosting is the support provided by the web hosting company.  But what is it that makes Technical Support great?
The way that support is provided to a client can be separated into 2 areas:
The speed and ease with which dedicated server queries are detected by the hosting company or reported by the customer
The speed and ease with which these queries are resolved.]]></description>
			<content:encoded><![CDATA[<p>The way that support is provided to a client can be separated into the speed and ease with which <a href="http://www.ukfast.co.uk/dedicated-server.html">dedicated server</a> queries are detected by the hosting company or reported by the customer; and the speed and ease with which these queries are resolved.</p>
<p>I’ll tackle the point of detection and reporting first. It’s important to reiterate here that we’re talking about speed AND ease. The faster the query is detected, the faster the resolution can be sought and so any impact will be minimized. The easier it is for a customer to raise a query, the less stressful the episode will be for them. What methods can and should be employed to ensure fast and easy detection? If it’s speed of detection you’re after, it’s monitoring you need:</p>
<ul>
<li>Service monitoring – by monitoring the main live services on the server, for example HTTP and SQL, you know if you suffer a software issue</li>
<li>Hardware monitoring – by monitoring RAID arrays and power supplies, for example, you know if you suffer a hardware issue</li>
<li>Capacity monitoring – by monitoring the usage of various aspects of the server relative to their maximum capability, you are warned before capacity is reached, by which point it is potentially already too late</li>
</ul>
<p>Ease of reporting is all about making sure information can get to the person that needs it with no interruptions and without undue hassle.</p>
<ul>
<li>Make sure you answer the phone quickly and avoid keeping customers on hold or making them choose a series of options in a phone system. Avoiding delays in the customer getting through to an actual person makes the whole process more enjoyable for them.</li>
<li>Use freephone numbers to ensure situations are not exacerbated by the customer getting irritated by the costs of making the phone call</li>
<li>Make sure support teams are not outsourced and are always UK based. Engineers dealing with issues need to have all relevant information, be in the same time zone and speak the same language as the customer</li>
</ul>
<p>Speed of resolution is probably a more laboured argument with hosting companies guaranteeing response time pretty much as standard now. We all know that it’s important to resolve queries and get a customer back online ASAP, so what should we do? It is sensible for dedicated hosting customers to expect a guaranteed speed of response and speed of resolution – the web hosting provider should ensure the customer knows how soon an engineer will be working on the query and how soon there will be a resolution. You also want to make sure the right type of engineers are going to be available at all times – there is no point in having fully qualified dedicated server engineers who only work 9 – 6. They need to be there 24 hours a day because we all know that queries always arise at the most inconvenient times.</p>
<p>Getting it right is not that easy and that’s why the level of support provided by different web hosting companies varies dramatically. However, you will certainly be on the right road if you include the elements I’ve discussed above.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/03/14/what-makes-technical-support-great/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Achieving Solution Uptime</title>
		<link>http://blog.ukfast.co.uk/2010/03/13/achieving-solution-uptime/</link>
		<comments>http://blog.ukfast.co.uk/2010/03/13/achieving-solution-uptime/#comments</comments>
		<pubDate>Sat, 13 Mar 2010 13:31:30 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Clustering]]></category>
		<category><![CDATA[Dedicated virtualisation]]></category>
		<category><![CDATA[Failover]]></category>
		<category><![CDATA[Layer 7]]></category>
		<category><![CDATA[Load balancing]]></category>
		<category><![CDATA[Multiple datacentres]]></category>
		<category><![CDATA[Replication]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6378</guid>
		<description><![CDATA[The ability to provide 100% solution uptime is the Holy Grail of the web hosting industry... At UKFast we are very lucky.  We have hugely qualified (or should I say certified) Microsoft and Red Hat engineers, who have the industry knowledge and experience to architect solutions to achieve the stated goal.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.ukfast.co.uk/load-balancing-servers.html">Load balancing? </a> <a href="http://www.ukfast.co.uk/server-replication.html">Replication?</a> Failover? Multiple datacentres? Dedicated virtualisation? <a href="http://www.ukfast.co.uk/server-clustering.html">Clustering?</a> Yes Yes Yes Yes Yes Yes! But definitely not everything every time. I suppose the second challenge in providing the 100% uptime solution is knowing which technology is best to use and in which circumstance.</p>
<p>At UKFast we are very lucky. We have hugely qualified (or should I say certified) Microsoft and Red Hat engineers, who have the industry knowledge and experience to architect solutions to achieve the stated goal.</p>
<p>For relatively simple database driven websites, it may well be that a couple of load balanced web servers connecting to a pair of replicated database servers do the trick. Keeping this solution online is not a problem as there is no single point of failure. In addition, the technologies used for high availability of websites and databases are tried and tested. It’s when you add in bespoke applications and complex software relationships that we have to get the grey matter working.</p>
<p>2009 was definitely the year of the cloud – UKFast launched our <a href="http://www.ukfast.co.uk/cloud-computing.html">cloud hosting platform</a> in addition to launching a number of “private cloud” solutions for our clients &#8211; these virtualized solutions dedicated for use by a single customer have proved to be excellent. Combining redundant pairs of firewalls, switches and load balancers with multiple hardware nodes and SANs ensures the required level of hardware fault tolerance. What you do on top of this hardware layer is the key to providing 100% solution uptime. Creating virtual dedicated servers on the cloud ensures they have intrinsic resilience to protect against hardware failure. Combine this with load balancing and replication technologies and you are protected against software issues and traffic spikes.</p>
<p>The uptime benefits are clear. But there is much more to it than that. Depending on who you’re talking to at any time, the scalability can be even more of a draw. Additional hardware nodes can be added to the pool of resources and made available without fuss and the same goes for SAN systems. Windows and Linux virtual machines can exist alongside one another in a single solution.</p>
<p>If it’s a combination of scalability and flexibility you want, this is your answer.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/03/13/achieving-solution-uptime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ensuring Information Security &#8211; Get Rid of the Padlock Idea</title>
		<link>http://blog.ukfast.co.uk/2010/02/22/ensuring-information-security-get-rid-of-the-padlock-idea/</link>
		<comments>http://blog.ukfast.co.uk/2010/02/22/ensuring-information-security-get-rid-of-the-padlock-idea/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 17:51:27 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6358</guid>
		<description><![CDATA[Why representing or thinking of information security as a padlock, safe or other 'secure', static object is to present an 'opportunity' for the breach and exploitation of information assets.  What organisations may be affected by the threat of such vulnerabilities and how organisations should ensure they are best protected.]]></description>
			<content:encoded><![CDATA[<p>‘There is no security on this earth; only opportunity.’<br />
Douglas MacArthur</p>
<p>General Douglas MacArthur fought in three major wars (World War I, World War II and the Korean War) and accepted Japan&#8217;s surrender on September 2, 1945. He knew a good bit about security in relation to the 3 mediums of the day – land, sea and air – but his quote above holds true today in the fourth medium: the information plane.</p>
<p>Information is a weapon; modern Generals will tell you this and confess that in relation to logical information and the world wide web, it provides the greatest of all strategic vulnerabilities to a first world country in an asymmetric war against a poorly funded and resourced but motivated and intelligent enemy.</p>
<p>Why? Because a determined enemy with the most simple of IT resources and connectivity can act as a force multiplier, fighting ‘well above his weight’ on a battlefield whose weapons are only constrained by the technical capabilities of a given individual, organisation or state. The ‘opportunities’ to inflict lasting damage on infrastructure, operations and business from the other side of the globe, using a man with a single finger on a button, are greater now than at the height of the Cold War.</p>
<p>If countries and states can be threatened by such actions then commercial organisations (from large corporations to ‘one-man-bands’ in back bedrooms) are at just as much risk from information security breaches.</p>
<p>So how can comparatively small enterprises secure themselves against threats that have brought down states (e.g. Georgia in 2008) – services, technologies, restrictions, physical barriers?<br />
These all have a part to play but the key to success is a word that you don’t see very often, if at all&#8230; in fact&#8230; ever, in relation to information security: DYNAMISM.</p>
<p>To employ a ‘barrier’ type approach to information security is to engage in single dimension ‘trench warfare’, blindly employing services, technologies and standards without understanding the enemy. Organisations must continually manoeuvre and evolve in response to and, more importantly, in anticipation of the ‘opportunities’ that are ever present to the security of information.</p>
<p>Engaging a well communicated, adequately resourced and systematic approach to the vulnerabilities posed to an organisation will ensure that ‘opportunity’ is restricted. MacArthur, no doubt, would have advocated the principles of defence:<br />
DEPTH. A multi-layered approach to the assessment of threat, detection of vulnerabilities and action to resolve breaches is essential; providing depth; a period of ‘stand-off’ so that if one asset is compromised there is not a complete breach of information assets. This calls for such services and technologies as up-to-date patches for software, redundant firewalls, load balancers, failover server solutions in multiple datacentres, access control (both physical and logical), encryption for some or all assets and regular penetration testing.<br />
ALL ROUND DEFENCE. Continuous and active assessment of where the vulnerabilities lie in relation to an organisation’s information assets. Threats will continuously change and evolve and in order to remain best protected all opportunities, from all angles must be considered, identified and controlled, constantly.<br />
MUTUAL SUPPORT. Complete and continuous communication of an organisation’s up-to-date approach to information security to all members (normally via an Information Security Policy) will create the conditions for a unified approach to information security threats. In addition, the maintenance of relationships with information security specialists, in order to stay abreast of emerging threats and proactive actions.<br />
RESERVES. The use of a rehearsed, documented and resourced Business Continuity Plan that could employ failover capabilities; available via such technologies as cloud environments or hosting in multiple datacentres as part of a Disaster Recovery Policy.<br />
OFFENSIVE SPIRIT. Remain pro-active and plan for the worst case; just because a threat has not been experienced, does not mean it should not be taken seriously: prevention is better than cure.<br />
DECEPTION. ‘obscurity is security’ – the control of information inside and outside an organisation is paramount to the maintenance of a secure information environment – the use of access privileges, password protections, encryption, disposal procedures and the like reduce the threats posed by information loss.</p>
<p>In summary, to consider information security in relation to a safe or padlock is to present an ‘opportunity’, a sitting target. In order for organisations to provide information security for their assets they must remain dynamic and embrace constant learning and evolution to tackle the ever changing threat.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/02/22/ensuring-information-security-get-rid-of-the-padlock-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Inspiring the Next Tech Generation</title>
		<link>http://blog.ukfast.co.uk/2010/01/29/inspiring-the-next-tech-generation/</link>
		<comments>http://blog.ukfast.co.uk/2010/01/29/inspiring-the-next-tech-generation/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 08:30:11 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[UKFast]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=6262</guid>
		<description><![CDATA[Neil Lathwood, UKFast&#8217;s IT Director and I visited Ashton-on-Mersey School earlier this week to give a helping hand on their ICT taster day. Basically, the plan was to get this group of 35 14-15 year olds hooked on the idea of doing the Level 2 ICT Diploma in years 10 and 11. After brief introductions [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_6265" class="wp-caption alignright" style="width: 310px"><a href="http://www.ukfastblog.co.uk/wp-content/uploads/2010/01/photo1.jpg"><img class="size-medium wp-image-6265" title="UKFast IT Diploma Day" src="http://www.ukfastblog.co.uk/wp-content/uploads/2010/01/photo1-300x225.jpg" alt="Neil Lathwood with students at the IT Diploma day" width="300" height="225" /></a><p class="wp-caption-text">UKFast and Sale Sharks with the students</p></div>
<p>Neil Lathwood, UKFast&#8217;s IT Director and I visited Ashton-on-Mersey School earlier this week to give a helping hand on their ICT taster day. Basically, the plan was to get this group of 35 14-15 year olds hooked on the idea of doing the Level 2 ICT Diploma in years 10 and 11.</p>
<p>After brief introductions from Jim Seymour and Aaron Saxton (Head of ICT @ AoM), I gave a 10 minute introduction to UKFast taking the students on a journey from where the Internet evolved and what UKFast does, to specific case studies about the biggest internet successes and how young people are involving themselves in the evolution of the internet and making money from it.</p>
<p><em>“Over 21,000 UK 15-16 year olds are making £60,000 a year online – almost 3 times average salary”</em></p>
<p>We had 3 separate workshops running through the day aimed at getting the students to think about different areas of UKFast’s business:</p>
<ul>
<li>“Corporate event” &#8211; Plan a corporate event to invite a selection of UKFast’s top performing staff and a number of big clients to.</li>
<li>“Sharks” &#8211; Consider the section of the Sale Sharks site aimed at young people and come up with an idea for content and a look to improve it</li>
<li>“wwwdot” &#8211; Come up with an idea of a website you are going to establish that will make you an internet millionaire – consider costs involved in setting it up as well as your unique selling point and how it will be a success.</li>
</ul>
<p>Each group worked together all day and were given marks based on team work, innovative ideas and quality of the presentations.</p>
<p>The highlight of the day was the arrival of Sale Sharks’ Charlie Hodgson and Lee Thomas to judge the best 3 teams of the day’s “wwwdot” presentations. The guys were really impressed with the ideas that the students came up with and how they plan to make the businesses a success. The lucky winners came up with “Viewpoint” &#8211; a website combining the best bits of Youtube and Facebook and all in a single place. For their efforts they are going to be special guests at a Sale Sharks fixture later in the season!</p>
<p>The ICT diploma is fantastic to be a part of and knowing that we are inspiring the next generation of Internet Entrepreneurs and Technology Wizards gives us all great satisfaction.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2010/01/29/inspiring-the-next-tech-generation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Speed for the People</title>
		<link>http://blog.ukfast.co.uk/2009/07/02/speed-for-the-people/</link>
		<comments>http://blog.ukfast.co.uk/2009/07/02/speed-for-the-people/#comments</comments>
		<pubDate>Thu, 02 Jul 2009 10:35:30 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[customer experience]]></category>
		<category><![CDATA[ecommerce]]></category>
		<category><![CDATA[online business]]></category>
		<category><![CDATA[people]]></category>
		<category><![CDATA[SEO]]></category>
		<category><![CDATA[speed]]></category>
		<category><![CDATA[UKFast]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=5892</guid>
		<description><![CDATA[At UKFast we’ve been talking about the need for website speed in terms of its benefits for SEO and dynamic content for some time. But let’s not lose sight of the driver behind making your web presence quicker &#8211; people. Society today is a demander of speed and the internet is no exception. Google says [...]]]></description>
			<content:encoded><![CDATA[<p>At UKFast we’ve been talking about the need for <a title="UKFast speed results " href="http://www.ukfast.co.uk/results.html " target="_blank">website speed</a> in terms of its benefits for SEO and dynamic content for some time. But let’s not lose sight of the driver behind making your web presence quicker &#8211; people.</p>
<p>Society today is a demander of speed and the internet is no exception. Google says that just milliseconds subconsciously deter people from staying on a webpage. In fact the search giant is so interested in speeding up the web that they’ve pinpointed this as their major focus and launched the <a title="Google speed website " href="http://code.google.com/speed/" target="_blank">Google speed</a> website.</p>
<p>So, why speed? The basic fact is that a speedy service gives people a great customer experience. People do not like to wait – think about this next time you’re in a long queue at a shop.</p>
<p>The difference online is that it is much easier to go elsewhere.</p>
<p>For example, you’re on a website looking for garden furniture and you’ve found the double outdoor swing chair you want but the payment page is loading very slowly.</p>
<p>Firstly, this looks very unprofessional – broken links and slow pages don’t inspire your customers to view you as a trusted retailer. When 80% of Brits don’t trust companies to look after and <a title="Protect your data" href="http://www.ukfast.co.uk/proprotectme.html" target="_blank">protect their data</a> why give them any further reasons to doubt you?</p>
<p>Secondly, online you can quite easily click back to Google and buy the second double outdoor swing chair on the list instead. Online your direct competitors are always your next door neighbours – which is not the case on the high street.</p>
<p>But don’t by any means let this increased level of competition make you shy away from the internet. This is the major platform of our time and every business, large or small, now needs to have an online presence. To satisfy your customers you need that presence to be fast. What’s stopping you?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2009/07/02/speed-for-the-people/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Right People in the Right Seats</title>
		<link>http://blog.ukfast.co.uk/2009/06/11/the-right-people-in-the-right-seats/</link>
		<comments>http://blog.ukfast.co.uk/2009/06/11/the-right-people-in-the-right-seats/#comments</comments>
		<pubDate>Thu, 11 Jun 2009 10:37:14 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[UKFast]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[individuals]]></category>
		<category><![CDATA[recruitment]]></category>
		<category><![CDATA[workplace]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=5859</guid>
		<description><![CDATA[&#160; It takes individuals of many different natures for a business to operate successfully. Every person has a talent and personality that lends that individual to a specific role. Some people are great organisers who exude practicality, others may be more sporadic but with a creativity that breaks down boundaries and gets them noticed. Each [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">It takes individuals of many different natures for a business to operate successfully. Every person has a talent and personality that lends that individual to a specific role.</p>
<p class="MsoNormal">Some people are great organisers who exude practicality, others may be more sporadic but with a creativity that breaks down boundaries and gets them noticed. Each individual person has a different quality to offer your organisation. But according to a book I just read (Good to Great by Jim Collins) the challenge in driving successful business is first getting the right people on the bus and then getting these people in the right seats.</p>
<p class="MsoNormal">To me this makes complete sense &#8211; when people are in the right seats they do their best work. When they’re utilised wholly, they’re more passionate about their work. Take a walk down memory lane and I’ll take a bet that at school your favourite subject was the one you were best at. Or now, in the kitchen, your favourite dish is the one you&#8217;re best at cooking &#8211; because passion breeds expertise.</p>
<p class="MsoNormal">At UKFast our recruitment method is threefold in order to get the right people in the right positions. We recruit from interviews, psychometric testing and then a three month training period is embarked upon to make sure our new recruits fit into their team.</p>
<p class="MsoNormal">From experience we can confirm that this method works. And it works well. There are many different people at UKFast and each and every person has something to offer. We make the greatest effort to get them in the right role.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2009/06/11/the-right-people-in-the-right-seats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Under Pressure</title>
		<link>http://blog.ukfast.co.uk/2009/03/26/under-pressure/</link>
		<comments>http://blog.ukfast.co.uk/2009/03/26/under-pressure/#comments</comments>
		<pubDate>Thu, 26 Mar 2009 10:31:14 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[UKFast]]></category>
		<category><![CDATA[cool]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[focus]]></category>
		<category><![CDATA[people]]></category>
		<category><![CDATA[pressure]]></category>
		<category><![CDATA[superstars]]></category>
		<category><![CDATA[workplace]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=5750</guid>
		<description><![CDATA[Flappers – I can&#8217;t stand them. No, I haven&#8217;t got anything against bob haired young maidens with fringed dresses, dancing the Charleston, I&#8217;m referring to the workplace &#8220;flapper&#8221;. People deal with pressure differently and &#8220;flappers&#8221; are a problem for leaders. When the pressure is on, but the job still needs to get done, the last [...]]]></description>
			<content:encoded><![CDATA[<p>Flappers – I can&#8217;t stand them. No, I haven&#8217;t got anything against bob haired young maidens with fringed dresses, dancing the Charleston; I&#8217;m referring to the workplace &#8220;flapper&#8221;. People deal with pressure differently and &#8220;flappers&#8221; are a problem for leaders. When the pressure is on, but the job still needs to get done, the last thing you need is a flapper running round like a headless chicken, a shouter, a crier or a doom-monger claiming the end of the world is nigh. Responding to pressure by flapping not only distracts you and the team from dealing with a pressure situation appropriately, but it quickly unsettles other people, inhibiting the ability of the team to respond in the right way.</p>
<p>Anyone can be a hero when things are going well. It&#8217;s when our backs are up against the wall, and the pressure is on in the workplace that you really find out who your superstars are&#8230; You are looking for people who can be Cool Hand Luke. The people who, as the pressure cooker hots up, get calm, stay focused and see everything with clarity. The classic cool, calm and collected. Flappers need to be coached to understand the impact of their behavior on the situation and others around them and develop more appropriate responses.</p>
<p>Most jobs come with a certain amount of pressure, which in my experience is a good thing, especially in Sales &#8211; it keeps people stretched, challenged and focused on the job. Putting your people under pressure can therefore bring out the best in them and play a crucial part in their development. Working on developing a cool response to pressure situations will yield even better results and assist in developing your people.</p>
<p>The Brigadier</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2009/03/26/under-pressure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Passionate People</title>
		<link>http://blog.ukfast.co.uk/2009/03/19/passionate-people/</link>
		<comments>http://blog.ukfast.co.uk/2009/03/19/passionate-people/#comments</comments>
		<pubDate>Thu, 19 Mar 2009 14:02:23 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[UKFast]]></category>
		<category><![CDATA[motivation]]></category>
		<category><![CDATA[passion]]></category>
		<category><![CDATA[passionate]]></category>
		<category><![CDATA[people]]></category>
		<category><![CDATA[recruitment]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[workplace]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=5693</guid>
		<description><![CDATA[I am surprised any work gets done at all in UK business. There seems to be more &#8220;passion&#8221; in the workplace than a Jackie Collins blockbuster. Not that it&#8217;s all hearts and flowers &#8211; it&#8217;s just the business world certainly seems full of &#8220;passionate&#8221; people at the moment. I can&#8217;t seem to listen to a [...]]]></description>
			<content:encoded><![CDATA[<p>I am surprised any work gets done at all in UK business. There seems to be more &#8220;passion&#8221; in the workplace than a Jackie Collins blockbuster. Not that it&#8217;s all hearts and flowers &#8211; it&#8217;s just the business world certainly seems full of &#8220;passionate&#8221; people at the moment. I can&#8217;t seem to listen to a sales pitch or to an interviewee these days without them stressing how &#8220;passionate&#8221; they are about the role, business, life&#8230;etc&#8230; But when probed further for evidence of this brimming &#8220;passion&#8221;, examples have been pretty thin on the ground. Folks have clicked on that business needs passionate people to succeed, and thus talk about it to tick the box.</p>
<p>Real passion that can be harnessed for business benefit comes in several guises. The &#8220;Tigger&#8221; character from <em>Winnie the Pooh</em> generally has a fizz, energy and buzz about them, that boosts and positively infects people around them. These are the energised, lust for life, doers. Tackling everything with the same smile and gusto, from loading the photocopier to climbing Kilimanjaro. They don&#8217;t have to <em>tell</em> you they are &#8220;passionate&#8221; &#8211; their vibe is tangible. When recruiting, look for people who spend their weekends out of their armchair and out there doing whatever floats their boat &#8211; the 5am car booters, the ramblers, anglers, trainspotters, needlecraft and guide leaders. Feel their vibe.</p>
<p>&#8220;Passion&#8221; also comes from the quiet man (or woman). Often the polar opposite of Tigger &#8211; focused, persistent, obsessive in what they do. Find them in your office &#8211; they are dedicated, skilled and single minded. They are the ones who care deeply about what they do and usually gain expert status. The &#8220;quiet men&#8221; are harder to spot &#8211; when recruiting, look for someone who has a highly detailed knowledge of a specific field &#8211; star gazing, history of football league, Linux as true open source genius, and watch for the flame that ignites in their eyes when they talk about it.</p>
<p>Remember, passion is a feeling not a competency.</p>
<p>The Brigadier</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2009/03/19/passionate-people/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Training</title>
		<link>http://blog.ukfast.co.uk/2009/02/12/more-training/</link>
		<comments>http://blog.ukfast.co.uk/2009/02/12/more-training/#comments</comments>
		<pubDate>Thu, 12 Feb 2009 14:00:58 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Customer Service]]></category>
		<category><![CDATA[budget]]></category>
		<category><![CDATA[coaching]]></category>
		<category><![CDATA[developing]]></category>
		<category><![CDATA[people]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=4803</guid>
		<description><![CDATA[&#8220;The training budget has been cut&#8221; booms out the boss man!!! &#8220;Tough economic conditions mean we need to strip out some costs and it&#8217;s coming from your area.&#8221; Does this ring true to you and your team? We know in the current business climate many companies are looking to reduce costs. To the overzealous bean [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;The training budget has been cut&#8221; booms out the boss man!!! &#8220;Tough economic conditions mean we need to strip out some costs and it&#8217;s coming from your area.&#8221; Does this ring true to you and your team?</p>
<p>We know in the current business climate many companies are looking to reduce costs. To the overzealous bean counter looking at the company cost spreadsheet, the training budget is often the first place their beady eye stops and the finger hovers over the delete key. It&#8217;s easy to slash the training budget, it only affects our people!</p>
<p>Now let&#8217;s look at this from a different angle. Surely these economic times are when your staff need training more than ever. This is how companies differentiate themselves: great people giving great service.</p>
<p>People still need training and developing if newer hires are to reach the standards required and longer-established staff are to continue to develop and keep their skills fresh. When the training budget has gone, the real leaders are the ones who roll up their sleeves and get stuck into training their people themselves.</p>
<p>Gone &#8211; The training course with neat presentations from the suits, interactive role plays and the nice sandwiches and cakes.</p>
<p>Enter &#8211; On the job coaching, mentoring, peer skill sharing and you. Find your marker pens, and enter the tried and tested &#8211; the good old white board.</p>
<p>Pull random telephone calls and get the team to evaluate them. Get one of your superstars to talk about how they closed that deal, sorted that tricky customer&#8217;s problem. Have a huddle at a convenient time with a cup of tea to get a key learning point across every day. You made it as a manager, you know your stuff, share it with your people, make them better and lead from the front.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2009/02/12/more-training/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Power to the Likeable People</title>
		<link>http://blog.ukfast.co.uk/2009/02/05/power-to-the-likeable-people/</link>
		<comments>http://blog.ukfast.co.uk/2009/02/05/power-to-the-likeable-people/#comments</comments>
		<pubDate>Thu, 05 Feb 2009 16:57:35 +0000</pubDate>
		<dc:creator>The Brigadier</dc:creator>
				<category><![CDATA[Customer Service]]></category>
		<category><![CDATA[customer]]></category>
		<category><![CDATA[likeability]]></category>
		<category><![CDATA[people]]></category>
		<category><![CDATA[recruitment]]></category>
		<category><![CDATA[revenues]]></category>

		<guid isPermaLink="false">http://www.ukfastblog.co.uk/?p=4123</guid>
		<description><![CDATA[You don’t often see “likeability” as a key characteristic, or core competency when recruiting people. Yet in my view, it’s an essential business quality &#8211; “People Do Business With People” &#8211; whether it’s selling goods and services or customer operations, the ability to form genuine, warm relationships is one of the ingredients to successful, profitable [...]]]></description>
			<content:encoded><![CDATA[<p>You don’t often see “likeability” as a key characteristic, or core competency when recruiting people. Yet in my view, it’s an essential business quality &#8211; “People Do Business With People” &#8211; whether it’s selling goods and services or customer operations, the ability to form genuine, warm relationships is one of the ingredients to successful, profitable trading. I am still surprised when people think it is their technical / product knowledge alone which is good enough to secure a job.</p>
<p>Human beings are emotional creatures, programmed after thousands of years of evolution to seek out and make connections with other human beings – we are social pack creatures. We naturally seek out people we like and who make us feel good. If something has gone wrong with your service provision, or you have a sales target to meet, sorting it out or closing the deal is easier if you are likeable – that’s why it’s generally easier and more cost effective to increase revenues from your existing customers than to secure new business – as Simon and Garfunkel sang, <em>Keep the Customer Satisfied</em>.</p>
<p>Customers are savvy: they know when employees are faking it, and insincerity can be sniffed out a mile away – take the advice of my mate, a senior HR manager for a household name blue chip company &#8211; “if you are recruiting two people equally capable of doing the job, pick the one you like. If you like them after a 45 minute interview, chances are your customers will too.”</p>
<p>It’s even more important to understand the characteristics of people in a tough economic climate. The recruitment pool is bigger, but size doesn’t matter; it’s quality we need. Take amiability: how often have you sat across from people and thought – too aggressive, too insistent, they’d only alienate my clients? How many experiences have we had of aggressive corporations chasing and chasing, with desperate sales people who come across as not likeable? When will these Stock Exchange listed companies grasp the idea of likeability and stop chasing the greenback with promises unlikeable employees can’t deliver?</p>
<p>Power to the likeable people</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.ukfast.co.uk/2009/02/05/power-to-the-likeable-people/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

