The worst has happened. Due to an unexpected event, your company's infrastructure is down. Lights, power, the data center and network are all unresponsive. What do you do? Most large financial companies turn to their enterprise continuity plan (ECP). The ECP was created specifically to address how to handle incidents that disrupt normal business operations, and it outlines the steps toward disaster recovery. But the ECP's disaster recovery plans shouldn't be only about how the business recovers; they must also put in place the steps that keep information security intact throughout the recovery.
In these times of constant Internet-based attacks on valuable personal and financial information, lowering a company's normal level of security protection for even an hour may be long enough for an outsider to start pulling sensitive information out of the disaster recovery site(s) before normal business operations resume.
The first step is to make certain that security considerations are incorporated early in any corporate disaster recovery project. The security team's role in continuity planning is to ensure that, during disaster recovery, corporate security policies are still being enforced and the protection services for the company's business and financial information are in place.
As financial companies go through their business continuity planning activities, standard planning processes require business operations decisions from key business, IT and network systems personnel, but security isn't always invited to take a seat at the table. This is because in many organizations security is seen as a support function rather than as critical to the operation of the business. Security management must increase the visibility of their role within the company to ensure disaster recovery security is addressed.
A disaster recovery plan should fold a communications plan for security personnel into the coordinator communications. When disaster strikes, it is important that security personnel be notified along with the ECP coordinators, so they can verify that the disaster recovery site's protection programs, such as antivirus and antimalware on the recovered hosts, have current signatures and configurations and are actually running. In addition, security personnel need to work with the network group to confirm that the firewalls and other perimeter protection devices at the disaster site are up, enforcing the same policy as the production perimeter, and logging.
When an incident occurs that requires transitioning to a disaster recovery site, corporate networks normally require rerouting Internet and intranet traffic to the new location. Financial companies should therefore consider encryption between their sites, even if it is not thought necessary during regular operations. Rerouting is normally done over communications circuits kept on standby during normal operations, and to save the cost of these idle lines, many financial companies use shared trunk lines supplied by their telecommunications provider. Unlike the normal network links used solely by the company, these lines are managed by the provider, which usually shares their bandwidth among several customers.
While shared-bandwidth links shouldn't let one customer's traffic cross into another's, there's no guarantee that no one is looking at the traffic carried across them. For an incident in which these lines become the company's main network links, encryption on the wide-area network switches connected to them will protect corporate information. This requires the company's trunk switches to support packet encryption with pre-shared keys. Those keys must be provisioned out of band, held only by the company and never by the provider, and rotated on a schedule; the encryption should also authenticate each packet, so that traffic modified or replayed on the shared line is dropped rather than quietly accepted. Because these circuits are the failover path, the encryption has to be configured and tested before the incident, not during it. Encrypting packets as they leave the enterprise domain and enter the provider's shared network ensures that no one, including the provider's network support engineers, can read sensitive corporate information.
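The following Go program is an added example, not code from the original article or its author, modelling the per-packet protection an enterprise-controlled WAN edge would apply before traffic enters the provider's shared trunk. Everything in it is an assumption for illustration: the two site names ("primary" and "dr"), the constructed pre-shared key, the constructed account record, and the specific construction (AES-256-GCM with per-direction keys derived from the PSK by HMAC-SHA256, an 8-byte sequence number used as the nonce counter and bound as associated data, and a 64-packet anti-replay window). It goes slightly beyond the paragraph above by showing what happens when an on-path party alters or re-injects a packet: the altered copy fails authentication, the re-injected copy is rejected as a replay, and because the receiver only records a sequence number after the tag verifies, a forgery cannot block the legitimate packet that follows it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed pre-shared key for the example only. A real deployment provisions
// the PSK out of band on both WAN edge devices from a key-management system.
var examplePSK = []byte("constructed-example-psk-do-not-use-in-production")

const (
	seqLen     = 8  // bytes of sequence number carried in clear
	nonceLen   = 12 // AES-GCM standard nonce size
	windowBits = 64 // width of the anti-replay sliding window
)

// deriveKey turns the shared PSK into a distinct AES-256 key per traffic direction
// (HMAC-SHA256 over a direction label, HKDF-expand style), so the primary->dr and
// dr->primary flows never share a key and nonce space.
func deriveKey(psk []byte, label string) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write([]byte("dr-wan-tunnel/" + label))
	m.Write([]byte{0x01})
	return m.Sum(nil) // 32 bytes
}

// Tunnel is one site's end of the link: one AEAD per direction plus inbound replay state.
type Tunnel struct {
	send    cipher.AEAD
	recv    cipher.AEAD
	seq     uint64 // last sequence number sent
	highest uint64 // highest sequence number accepted inbound
	window  uint64 // bit k set means sequence (highest-k) was already accepted
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewTunnel builds the endpoint for site local talking to site remote.
func NewTunnel(psk []byte, local, remote string) (*Tunnel, error) {
	send, err := newAEAD(deriveKey(psk, local+"->"+remote))
	if err != nil {
		return nil, err
	}
	recv, err := newAEAD(deriveKey(psk, remote+"->"+local))
	if err != nil {
		return nil, err
	}
	return &Tunnel{send: send, recv: recv}, nil
}

// Seal produces one wire packet: 8-byte sequence number in clear (bound as AAD and
// used as the nonce counter), followed by ciphertext and the 16-byte GCM tag.
func (t *Tunnel) Seal(payload []byte) []byte {
	t.seq++
	hdr := make([]byte, seqLen)
	binary.BigEndian.PutUint64(hdr, t.seq)
	nonce := make([]byte, nonceLen)
	copy(nonce[nonceLen-seqLen:], hdr) // counter nonce: never repeats under one key
	return t.send.Seal(hdr, nonce, payload, hdr)
}

// Open authenticates and decrypts one packet, rejecting altered or replayed ones.
func (t *Tunnel) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < seqLen+t.recv.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:seqLen]
	seq := binary.BigEndian.Uint64(hdr)
	if seq == 0 {
		return nil, errors.New("invalid sequence number 0")
	}
	if err := t.checkReplay(seq); err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	copy(nonce[nonceLen-seqLen:], hdr)
	pt, err := t.recv.Open(nil, nonce, pkt[seqLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: packet altered or wrong key")
	}
	t.markSeen(seq) // only after the tag verified, so a forgery cannot poison the window
	return pt, nil
}

func (t *Tunnel) checkReplay(seq uint64) error {
	if seq > t.highest {
		return nil // newer than anything seen; window advances on markSeen
	}
	diff := t.highest - seq
	if diff >= windowBits {
		return errors.New("replay: sequence number too old")
	}
	if t.window&(1<<diff) != 0 {
		return errors.New("replay: sequence number already accepted")
	}
	return nil
}

func (t *Tunnel) markSeen(seq uint64) {
	if seq > t.highest {
		shift := seq - t.highest
		if shift >= windowBits {
			t.window = 1
		} else {
			t.window = t.window<<shift | 1
		}
		t.highest = seq
		return
	}
	t.window |= 1 << (t.highest - seq)
}

// PlaintextOnWire reports whether the payload is visible in the packet as sent.
func PlaintextOnWire(wire, plain []byte) bool { return bytes.Contains(wire, plain) }

// RunScenario sends a constructed record from the primary site to the DR site over
// the shared trunk. Order matters: a bit-flipped copy arrives first (fails the tag),
// then the genuine packet (accepted), then the genuine packet again (replay).
func RunScenario() (wire, plain []byte, tamperErr, replayErr error) {
	primary, err := NewTunnel(examplePSK, "primary", "dr")
	if err != nil {
		panic(err)
	}
	dr, err := NewTunnel(examplePSK, "dr", "primary")
	if err != nil {
		panic(err)
	}
	record := []byte("ACCT=123456789;ROUTING=021000021;AMOUNT=1500.00") // constructed sample
	wire = primary.Seal(record)

	tampered := append([]byte(nil), wire...)
	tampered[seqLen+3] ^= 0x01 // one ciphertext bit flipped on the provider's side
	_, tamperErr = dr.Open(tampered)

	plain, err = dr.Open(wire) // genuine delivery still succeeds after the forgery
	if err != nil {
		panic(err)
	}
	_, replayErr = dr.Open(wire) // same packet captured and re-injected later
	return wire, plain, tamperErr, replayErr
}

func main() {
	wire, plain, tamperErr, replayErr := RunScenario()
	fmt.Printf("on the wire:    %x\n", wire)
	fmt.Printf("payload exposed: %v\n", PlaintextOnWire(wire, plain))
	fmt.Printf("DR site read:   %s\n", plain)
	fmt.Printf("tampered copy:  %v\n", tamperErr)
	fmt.Printf("replayed copy:  %v\n", replayErr)
}
```

Two design points carry over to real edge equipment: the sequence number doubles as the nonce, so a key must be rotated before the counter could ever wrap, and the replay window is updated only after authentication succeeds, which is what keeps an attacker on the shared line from using junk packets to block legitimate ones.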
Another significant service that security can provide to the disaster recovery team is operational information while the company is recovering. Most financial companies have a security operations center (SOC). Its normal purpose is to monitor, analyze and report on data-at-rest and data-in-motion activity and to mitigate incidents that violate company security policy, whether they originate inside or outside the company's domain. SOC personnel ensure corporate policies around data protection are being effectively enforced. In times of disaster recovery, SOC information and reports can be restructured to bolster the company's emergency operations center (EOC) data. By combining the EOC's tools and reports with the data-in-motion and data-at-rest information from the SOC, business managers get better visibility into the activity occurring around them, and with that intelligence they can make better decisions to move the company as quickly as possible toward normal operations. This presupposes that the SOC's own log collection, monitoring and alerting follow the workloads to the recovery site; a SOC still watching the dark primary site sees nothing.
While security services are not normally on the "critical path" in business continuity and disaster recovery planning, they should be. After an incident, with tools in place to ensure enterprise information is secure and security personnel working closely with the business teams to reduce risk, financial companies can start their long climb back to normalcy with less business disruption. Disaster recovery security isn't a goal for a financial company; it's an obligation. Bringing the finest minds in the company together, whether they're part of business operations or not, will ensure the best plans are in place for when that business-crippling incident occurs.
About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 15 years. He specializes in security/identity management strategies, methodologies and architectures.
This was first published in May 2010