Is Government Part of Your Business Continuity Strategy?

Last year, Wired reported on the U.S. Federal Bureau of Investigation's raid on data centers in Texas. There have since been several developments in the story, including grand jury indictments and pending criminal trials for the alleged offenses. However, the data centers were apparently co-location facilities, meaning that they housed the servers and equipment of multiple legitimate businesses. That didn't matter: those businesses were shut down when the FBI carted out the equipment. Undoubtedly some of those businesses never recovered.

This raid (and others like it) raises some interesting new questions about business continuity planning, disaster recovery, the possible pitfalls of co-location, and the whole idea of public "cloud" hosting. I am seeing evidence that many businesses are already considering these issues in their IT strategies, and I think more businesses should. Here are my recommendations:

  1. Remember that businesses must act ethically and legally, and they must have business controls in place to ensure that their employees and assets are not being used for illegal purposes. Mainframes and their justifiably famous security controls and audit trails certainly have advantages in helping businesses conduct themselves properly, but they are merely tools that require competent management.
  2. Civil liberties tend to get debated after the fact, and slowly. But government confiscation of IT assets can occur in any country, and typically there are several agencies that can act without warning. I have heard of one case where tax authorities in an Asian country unplugged and carted away a mainframe (and other assets) in a dispute. Obviously that was an IT disaster. Understand and plan for these risks.
  3. Assess which business functions are critical to the company's survival and which IT assets support those business functions, end-to-end. Then protect those end-to-end assets from multiple hazards. That means not placing any of those IT components in a single public cloud or at a single co-location facility. Could a government grab a cloud provider's servers if any one of its tenants is suspected of illegal activity? Yes, apparently so. Your risk in a public cloud or co-location facility is basically the sum total of the risks each tenant brings to the facility.
  4. Consider keeping critical assets in two or more government jurisdictions. Many businesses have already taken this step, quietly of course and for multiple reasons.
  5. Use encryption smartly, and manage keys well. With mainframes that means taking advantage of encryption features in storage devices (like IBM TS1120/TS1130 tape drive encryption and DS8000 series disk encryption), in networking (for example, enabling TLS/SSL with Crypto Express and/or CP Assist), in DB2, etc.
  6. Try to educate government authorities on business and technology issues, and keep them informed. In the Wired story, the FBI trusted AT&T and Verizon because those companies had sufficiently strong business controls that enabled them to alert the FBI to possible criminal activity. However, keeping government informed does not mean compromising your customers' privacy without due process.

by Timothy Sipples December 20, 2010 in Current Affairs, Systems Technology

The postings on this site are our own and don’t necessarily represent the positions, strategies or opinions of our employers.
© Copyright 2005 the respective authors of the Mainframe Weblog.