Cloudhouse Urgent Security Update Support Process
23/07/2019 Cliff Hobbs ID: 407795
This article details the process of identifying an urgent update that needs deploying for security reasons and notifying the Cloudhouse customer base.
It is feasible that, over time, an issue might be identified in the Cloudhouse software that inadvertently leads to a security breach. This could potentially allow malicious actors to exploit and compromise a Container, causing a security breach for the customer. To be able to address this issue quickly, Cloudhouse has created the process detailed in this article to alert our Customers to any identified issues and address those issues with them.
Everyone involved in the deployment, management, and support of the Cloudhouse software should be aware of this process.
Trigger for the process
The trigger indicating that an urgent fix needs deploying will come from the Quality Assurance (QA) Manager, who acts as the Release authority.
The QA Manager will be supplied with release notes based on the update, detailing the:
- Impacted versions, which may be specific version numbers or all versions after a known good version.
The QA Manager will then notify the following people that this process needs to be initiated:
- Chief Delivery Officer
- Chief Technical Officer
- Head of Support
All Cloudhouse projects require the Customer to provide two contact email addresses for support liaison as part of the transition from ‘Project Control’ to ‘Business As Usual’ running. We log these email addresses in our Dynamics CRM system in a reportable field.
On identifying an issue:
- The Head of Support (or their delegate) runs a script against all Containers held in the Cloudhouse GitHub repository to determine which Containers are affected.
- Once the affected Containers are identified, their owners can be ascertained.
- The technical contact emails for the affected Customers can then be sourced from the Cloudhouse Dynamics CRM and used to create a mailing list.
- A standard email will then be created (see the example at the end of this article) and sent to the mailing list.
- Cloudhouse will keep a central record of any undelivered items and confirmation of any receipt/response.
- Cloudhouse will also update the banner on the Cloudhouse Online Knowledge Base (https://docs.cloudhouse.com/) to advise an update is required, including a link to an article containing further information.
The email sent as part of the alerting process asks the Customer to verify they are still utilising the affected Container and, if so, to email Support@Cloudhouse.com.
Once Cloudhouse Support receives this email, they will raise a support ticket. Next, a check is made on the status of the Customer's support contract, which will be one of the following:
Customer is on a current Subscription License, or a Perpetual License with an up to date Support and Maintenance Contract
Cloudhouse Support will verify the latest version of the Container in use against the Container on record. If the latest version is still impacted, Cloudhouse Support will work with the Customer to update to the latest version with the new files for the Customer to test and deploy.
Customer uses a Third Party IT Provider/System Integrator to provide containerisation
Cloudhouse Support will ask to be put in contact with the Third Party and will discuss with them the best way forward to update the Container in alignment with their arrangement with the Customer.
Customer is out of support contract and has no packaging resource
Cloudhouse Support will offer to put the Customer in contact with a Cloudhouse Account Manager, to either get them back on Support or arrange for a chargeable Professional Services engagement to implement the update.
Risks, Limitations and Mitigation Actions
Various issues may arise during the execution of this process. Here is a selection of potential problems and their mitigating actions:
No response from Customer
All contact details Cloudhouse holds for the Customer may no longer be valid. In this case, Cloudhouse Support will ask the Cloudhouse Account Director to gain new contacts via the commercial/procurement route.
Container held by Cloudhouse is out of date
Cloudhouse Support only retains the details of the last Container it worked on. If a third party has subsequently performed work on the Container, then the version data may be out of date. Once Cloudhouse is in contact with the Customer, the initial work will be to verify the current version of the Cloudhouse software the Customer has deployed and whether it is affected.
Customer not willing to update container
Cloudhouse cannot force a customer to update a Container. Cloudhouse will advise the Customer in writing that not updating is against Cloudhouse’s recommendations.
Below is an example of an email we suggest using as the basis of the email to be sent to customers notifying them of a potential issue:
Dear Customer, XXX Personalise if possible XXX
Our records show you are a user of the Cloudhouse Compatibility Container software to enable XXX Application name XXX to work on a modern operating system.
We note that you are using Version XXXX.
We need to advise you that we have discovered a security issue in this version and we’d like to help you resolve this by updating to a newer version of our software.
For more information on this issue see – XXX Link to Alert on Cloudhouse Knowledge Base XXX.
Please contact us on Support@Cloudhouse.com to discuss this issue further so we can explain the options available to you.
We look forward to hearing from you,