Cloudhouse Urgent Security Update Support Process
Applies to: Cloudhouse Application Compatibility Packages/Compatibility Containers
30/07/2020 Cliff Hobbs ID: 407795
Over time, Cloudhouse may identify an issue in its software that could inadvertently lead to a security breach. Such an issue could allow malicious actors to exploit and compromise a Cloudhouse Application Compatibility Package/Compatibility Container, causing a security breach for our Customers.
To address such issues quickly, we have created the process detailed in this article to alert our Customers to any identified issues and to resolve them.
Everyone involved in the deployment, management, and support of the Cloudhouse software should be aware of this process.
All Cloudhouse projects require our Customers to provide two contact email addresses for support liaison as part of the transition from 'Project Control' to 'Business As Usual'.
We log these email addresses in our Dynamics CRM system in a reportable field.
The trigger for deploying an urgent fix comes from the Quality Assurance (QA) Manager, who acts as the Release authority.
The QA Manager will be supplied with release notes based on the update detailing the:
- Impacted versions, which may be specific version numbers or all versions after a known good version.
The QA Manager notifies the following personnel that this process needs to be initiated:
- Chief Delivery Officer
- Chief Technical Officer
- Head of Support
On identifying an issue:
- The Head of Support (or their delegate) runs a script against all Containers held in the Cloudhouse GitHub repository to determine which Containers are affected.
- Once the affected Containers are identified, their owners can be ascertained.
- The technical contact emails for the affected Customers can then be sourced from the Cloudhouse Dynamics CRM and used to create a mailing list.
- A standard email will then be created (see the example notification email at the end of this article) and sent to the mailing list.
- Cloudhouse will keep a central record of any undelivered items and confirmation of any receipt/response.
- Cloudhouse will also update the banner on the Cloudhouse Online Knowledge Base (https://docs.cloudhouse.com/) to advise an update is required, including a link to an article containing further information.
The email sent as part of the alerting process requests the Customer to verify they are still utilising the affected Container and if so, to email Support@Cloudhouse.com.
Once Cloudhouse Support receives this email, they will raise a support ticket, then check the status of the Customer's support contract, which will be one of the following:
- Customer is on a current Subscription License, or a Perpetual License with an up to date Support and Maintenance Contract
- Customer uses a Third Party IT Provider/System Integrator to provide packaging
- Customer is out of support contract and has no packaging resource
See the relevant section for further details.
Customer is on a current Subscription License, or a Perpetual License with an up to date Support and Maintenance Contract
Cloudhouse Support will verify the latest version of the Container in use against the Container on record. If the latest version is still impacted, Cloudhouse Support will work with the Customer to update to the latest version with the new files for the Customer to test and deploy.
Customer uses a Third Party IT Provider/System Integrator to provide packaging
Cloudhouse Support will ask to be put in contact with the Third Party and discuss with them the best way forward to update the Container in alignment with their arrangement with the Customer.
Customer is out of support contract and has no packaging resource
Cloudhouse Support will offer to put the Customer in contact with a Cloudhouse Account Manager to either get them back on support or arrange a chargeable Professional Services engagement to implement the update.
Risks, Limitations and Mitigation Actions
Various issues may arise during the execution of this process. Here is a selection of potential problems and their mitigating actions:
- No response from Customer - All contact details Cloudhouse holds for the Customer are no longer valid. In this case, Cloudhouse Support will ask the Cloudhouse Account Director to gain new contacts via the commercial/procurement route.
- Container held by Cloudhouse is out of date - Cloudhouse Support only retains details on the last Container worked on. If a third party has subsequently performed work on the Container, the version data may be out of date. Once Cloudhouse is in contact with the Customer, the initial work will be to verify the current version of the Cloudhouse software the Customer has deployed and whether it is affected.
- Customer unwilling to update Container - Cloudhouse cannot force a Customer to update a Container. Cloudhouse will advise the Customer in writing that not updating is against Cloudhouse's recommendations.
Below is an example email that we suggest using as the basis for notifying Customers of a potential issue:
Dear Customer, XXX Personalised XXX
Our records show you are a user of the Cloudhouse Compatibility Container software to enable XXX Application name XXX to work on a modern operating system.
We note that you are using Version XXXX.
We need to advise you that we have discovered a security issue in this version and we'd like to help you resolve this by updating to a newer version of our software.
For more information on this issue, see XXX Link to Alert on Cloudhouse Knowledge Base XXX.
Please contact us at Support@Cloudhouse.com to further discuss this issue so we can explain the options available to you.
We look forward to hearing from you.