Finnish eLearning company Rockway shares their hard-earned experiences with data security and cloud-vendor management.Business Security Best Practices, Case Studies // 17.03.2016
Securing your critical company data against theft and malware is crucial, but protecting only the data that’s inside your company is not enough. As more and more business-critical data moves to the ‘cloud’, it is vital to properly evaluate vendors and their ability not only to keep data readily available, but also secure.
In this blog post Rockway, a leading Finnish eLearning (in English here) company, shares some hard-earned insight on the right ways to manage vendor relationships. I am here today with Niklas Lindholm, Rockway CEO, and Björn Lindholm, the company’s CTO who is responsible for product development and IT security.
Teemu: Thank you both for joining us. Let’s start with your business: what’s it all about?
Björn: So. We’re a Finnish company focusing on online learning, specifically with band instruments. We serve people who want to learn to play popular music when they want and where they want. We’ve been in business for eight years now, with a small core group of employees and a network of hundreds of freelance music teachers.
Niklas: That’s a pretty good summary. Business-wise, we are one of the largest eLearning businesses in Finland and yeah, we’ve been at this for a while. We’ve built pretty much everything ourselves.
Teemu: Could you describe your service a little more so that our readers can understand the context when we start talking about your past experiences.
Niklas: Sure. Our service is the Netflix of music learning. You basically subscribe to a service on a monthly basis, and you can use any of the learning materials whenever you want. From guitars to drums and bongos, everything is available.
Björn: This kind of model requires a very customer-focused approach. For example, we have a lot of customers who prefer a paper bill. Others prefer to pay by credit card. As the burden of risk with credit cards is high, we use trusted third parties. It is imperative that customer data doesn’t leak, even if we outsource its handling, ‘cause you know, at the end of the day it’s still us who suffers.
Niklas: There are quite a number of things that you need to consider in selecting a vendor, like size. Is it a start-up that can go bankrupt tomorrow, but that gives you better service? Or is it a large company that you know will deliver to a certain scalable standard, but might be too expensive?
If a vendor goes bankrupt and all credit cards are fully tied to them, you would need to ask for the credit card details again, and that’s a dangerous thing because it might lead to cancellations.
Teemu: This is actually a good place to move to Rockway’s experiences. You’ve had some issues with your website hosting, then copyright issues, and finally a major case when your streaming vendor was going to go bankrupt.
Björn: Let’s start with the first one. In 2008 we had a vendor who was hosting our website, and they ended up suffering a DDOS attack. It was actually in the news, but we found out because our site was down. After trying to call our vendor a LOT, we decided to switch. We had the code and the databases backed up, but the problem was with the SLL certificate. It had cost us a significant amount of money and there we were, trying to get the keys from the service provider.
Niklas: After hundreds of calls, we finally got the keys. We lost a week of business—a quarter of our monthly income.
Björn: Nowadays we are able to do the switch in a couple of hours if needed. We know these things can happen, so we have prepared for them. It allows us to avoid vendor lock-in very efficiently. We also really learned the value of good service. Both for us and for our customers. After such a bad experience, we’ve tried to build closer relationships with our customers ‘cause when they trust us as vendor, it has a really positive impact. There are more people coming back after short breaks, and new customers are more confident about buying from us because they know we are ‘the good guys’.
Teemu: So what happened with the second case where your videos were being ripped?
Björn: Pretty early on, some guy was ripping our videos and sharing them as torrents. From the logs we could see what videos were accessed, when and by whom. From there it was pretty easy to track the guy down. Niklas basically called him directly.
Niklas: It was a surprisingly straightforward thing. I introduced myself and said that we had found out that he was ripping and sharing our files illegally. Thankfully the guy was reasonable, so we got it sorted out smoothly.
Teemu: So let’s get to the third one. This case was pretty big for your business, right? Quite a dramatic event the way I see it, with all your hard work at the verge of destruction?
Niklas: It wasn’t quite that dramatic, but it was a close call. Our longstanding streaming vendor had unbeknownst to us ran into all sort of troubles during their attempt to go international, like having applied for bankruptcy and changing a lot of upper personnel.
Long story short, we received a rather cryptic call from them just before Christmas telling us to find a new place for our stuff, as they could not guarantee what would happen after year-end.
Björn: So there we were, with hundreds of terabytes worth of videos, pictures, notes and other things, which we needed to synchronize—all in the cloud. And we had two weeks to move everything. Luckily the guys were nice enough to call us and warn us. Sadly, even they didn’t know what would happen after New Year’s. I wrote a script that would download everything through their APIs and reconstruct it as a new database. That was the easy part. Then we had hundreds of terabytes to download, transfer to a new vendor and integrate. In two weeks.
In the end we managed to move everything to Amazon, who had just launched their video streaming service. Amazon of course did not have any of the tools we needed for synchronization, so we had to build things like the management panel and the sync tools from scratch. The nice thing is that after that ordeal we’re completely independent from our service provider. Our platform is our own, so moving again would be far easier.
Teemu: What have you learned from these events? What guidance would you give other companies?
Björn: Firstly to keep your head cool. If there is no proactive action plan, then it needs to be created there and then. Think, then act, and be decisive about it.
Also, it pays to prepare. Think about your critical services, try to figure out what could happen, and prepare for it accordingly. For a start-up without much money, even planning things out will help a lot. Think about your vendor. Try to build things so that you can move them. And remember to talk to your vendor. Even when it is the vendor’s fault, talking with them will usually solve things. Try to build your service in a flexible manner, for example on top of virtual environments, so that you can set up or duplicate it easily.
Niklas: Hmm… let people work in peace. Like when these guys are coding, I should let them code and not hassle them. It just slows them down and creates stress.
And when choosing a vendor, try to get the most stable partner you can afford, so that you feel that they will be around tomorrow.
CYBER ATTACKS IN ACTION:
This blog post is based on our upcoming second eBook in the Cyber Security Demystified series, called: Cyber Security Demystified: Securing Business Data.