Reports that Russian authorities have blamed problems accessing Google and YouTube on a fire at a data centre in Strasbourg, highlight the growing cyber threat in the cloud, whether caused by malicious actors or not.
It has been reported by BBC news that the data centre belongs to French provider OVH, which provides cloud services for 1.6 million customers across 140 countries across Europe, America and Asia. According to Malwarebytes, OVH is the largest hosting provider in Europe and the third largest in the world, its revenue in 2019 was 600 million Similarly, the company is rumoured to have started the IPO process too.
OVH's chief executive Octave Klaba tweeted that fire destroyed one of the data centres and a part of a second, asking customers to activate their disaster recovery plans. The French government, cryptocurrency exchange Deribit and the Pompidou Centre in Paris were also affected.
According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, there are 140 OVH servers used by government hackers and sophisticated criminal groups that he and his colleagues track. Of those, 36% are now down, he said in a post on Twitter.
“OVH is a pretty important hosting company on the internet”, said Mike Prettejohn, director of Netcraft, a UK based network security company speaking to Reuters. He added that the affected servers hosted 3.6 million websites including niche Government platforms in France, United Kingdom and Ivory Coast. In all, Mr Prettejohn estimated around 2% of sites using a FR domain would be affected by the fire.
The Vice website said that the fire shows “how things we often think of as "cyber" have very real physical infrastructure that can be attacked, impacted by disasters, or otherwise messed with.”
The fire is also a reminder that there are pros and cons to cloud storage. On the plus side it makes worrying about hardware somebody else’s problem. The cloud is more scalable and flexible and it can be accessed from anywhere.
The downside is that the data is always somewhere, which still needs security, data protection, Internet access, backups and disaster recovery. That exposes businesses and (re)insurers to a digital/cyber supply chain risk.
More business these days use services like AWS to store and process data. Indeed, lots of companies migrate their entire network to a cloud provider. Software as a Service (SaaS) companies also provide services to companies on a hosted basis.
That means that just one business can have multiple cloud relationships in their corporate network, which introduces uncertainty as to who is responsible when something fails. A common cyber liability insurance question is how the cloud impacts cyber risk?
Insurance brokerage and consultant Woodruff Sawyer says that insurers now do a fairly good job of recognizing what constitutes the cloud. It notes that:
“Most cyber insurance policies define a “computer system” to include third-party networks that you have contracted with to support your company. So if a breach happens, the policy will respond regardless of where the data was stored when the breach occurred. But, there are still questions about whose responsibility it is.”
Until recently, cyber insurers have been expanding the scope of their cyber business interruption coverage to include cloud vendor outages. Many insurers are now limiting this coverage, however. Cyber insurance experts say that if this is a real exposure for an insured, then it should look for a specific “Contingent Business Interruption” under a cyber policy.
As Woodruff Sawyer explains: “Cloud vendors need to make sure that their Cyber/E&O policy will respond to cyber-related claims, because a cloud customer may demand to be made whole for direct and third-party (liability) costs incurred as a result of the breach.
“For example, a customer may say it cost them millions of dollars to deal with notifying their customers about the data breach, or that they lost business as a result of the vendor’s failure. In determining total Cyber/E&O limits, a cloud vendor needs to think about the aggregate exposure they have to multiple customers through those contract liability caps.”
The Russell mission is to provide data insights that identify and analyse a complete network of connections between firms in the cloud. Cyber cloud risk is no longer a theoretical loss problem but insurers and corporates can use cyber scenarios to take action that mitigates their exposures.
The age old risk of fire will always be with us, even in a modern day data centre, while increasingly outlandish scenarios that might have been confined to sci-fi fans a decade ago can also no longer be discounted.