Are we all at risk? Implications of the Oracle-Dyn Merger News
In October, a large part of the internet went down for a few hours as sites including Netflix, Spotify, Reddit and The New York Times went dark. The massive outage was the result of an attack on an Internet infrastructure company called Dyn.
The acquisition of Dyn by Oracle was a further step to launch Oracle’s cloud ecosystem. If you think of AWS as building up Infrastructure-as-a-Service (IaaS), a company like Oracle must add more services like DNS.
Unlike AWS, Oracle built applications first and decided to acquire Nimbula, a provider of private cloud infrastructure management software. Nimbula's technology helps companies manage infrastructure resources to deliver service, quality and availability, as well as workloads in private and hybrid cloud environments. This led to Oracle’s entry into the public cloud and its subsequent big play of software and hardware for a hybrid cloud go-to-market strategy.
One of the missing pieces was core networking functions: when something goes wrong there, the infrastructure goes down. Oracle needed a DNS solution but didn’t have one. Dyn provided that for them. The attack simply happened at a pivotal time, with the merger expected.
Why did Dyn get attacked? Simple: rather than mounting just a vanilla good guy vs. bad guy attack, today’s hackers are thinking bigger. If you bring down the infrastructure, you bring down everyone. Think of the TV show Mr. Robot. In the show, the main character, a hacker, brings down an organization like Google, but bigger. By hacking and deleting everything, he brings the entire country toward an economic depression because that organization was so powerful. In reality, the hackers who challenged Dyn were probably thinking, “If we just knock out Dyn, we take down all their customers.” However, by today’s standards, Dyn was successful: their outage only lasted a few hours. Any other company that experienced such an attack would typically be down for days.
If you look at Neustar, which offers protection for large-scale attacks, its biggest threats are those attacking the core infrastructure, rather than the individual properties. The result? You need to worry about your own security and that of your cloud provider. The cloud provider’s problems are also yours.
We no longer live in an age when we can outsource our issues, especially when it comes to security. Inspect what you expect. Think about all the moving parts of your ecosystems and inspect those parts. Build layers of redundancy, and think about the front layers. Do not narrow your thinking to just DDoS attacks; think about DDoS mitigation as well. Reddit had a good strategy in place when it partnered with Dyn. Without Dyn, it may have been down for days, but Dyn was able to get them back up within hours.
Ten years ago, when I was the CTO of a cloud service provider, prospects used to run us through the security gamut to ensure we had the proper security measures in place to protect the infrastructure they put in our cloud. At the same time, AWS, MS and Google were being hit by security incidents and downtime one after the other.
When prospects would ask me how we, a company a fraction of the size of the big three, were going to prevent a breach of their data, I would respond, “We won’t.” I didn’t mean that our infrastructure was insecure, but a secure IaaS is only half the battle. Rather, it is the responsibility of the IT and Security teams within the end user to be sure they take ownership and accountability of their security posture and inspect it, even (especially) if it is in a public or hosted cloud.
The Dyn example demonstrates that if you assume all the moving parts of your application ecosystem are secure because you are outsourcing them, you can be left in the same situation as Dyn’s customers, who were denied Internet access for a good chunk of time.
This commentary is not to highlight any mistakes that Dyn may have made, but rather to highlight the need for IT and Security organizations to inspect what they expect when they outsource their application hosting and components. Make sure you choose the right solutions to implement—make sure they’re resilient and also include hardware solutions for mitigating DDoS.
(About the author: Shahin Pirooz is chief technology officer at DataEndure. He has more than two decades of experience leading technology teams. Prior to joining DataEndure, Shahin was CTO at CenterBeam and RiverMeadow, and held leadership roles at EarthLink, AppShop and EDS.)