信息安全事项:多模式时代的灾难恢复管理

Multi-modality in IT environments implies complexity. 一个组织的信息系统在该组织拥有的空间和设备上运行的概念已被设在下列地方的系统所取代:

• A proprietary, “in-house” data center
• A commercial colocation (colo) site
• 外包数据中心
• 托管服务提供商
• A remote, vendor-operated site, providing a service over the Internet
• 云, 客户在一系列商业数据中心中执行其应用程序或获取商业服务的常用术语

Oh, by the way, all at the same time.

This complexity is difficult to manage even in the best of times. 灾难袭击任何一个场馆都绝对不是最好的时机. (其他比我聪明的人可以判断，物理灾难是最坏的情况，还是这种“荣誉”属于破坏性网络攻击的受害者.我想我代表我们所有人说，灾难是非常糟糕的，应该避免.

地理多样性

Multi-modality is, in part, a response to the threat of disasters. 它的结构确保了一场灾难不会毁灭一切, 只是组织系统中不幸处于灾难发生位置的那一部分. Or am I being too free with the word “ensures”?

影响将系统移出专有数据中心决策的因素之一是系统的位置——超出了它的功能范围, how it is secured and how it performs. If the intent is to reduce risk, 然后，将系统转移到公司总部对面的仓库和隔壁的外包提供商那里，将不会有太大的效果. 一如既往，糟糕的设计会破坏最好的控制和安全功能. The word “ensures” should be replaced with “enables”; it is up to system architects to provide assurance that a multi-modal environment contains sufficient geographic diversity to meet its overall disaster recovery objectives.

专有数据中心

即使在多模式体系结构中，仍然需要专有的数据中心.¹ It is the central point for communicating with all the systems elsewhere. 它还安装了驱动建筑管理和访问控制系统的计算机, as well as Internet of Things (IoT)² equipment, around the building.

在“内部”数据中心规划从灾难中恢复实际上比以前更加困难. 在过去的日子里(哦, 大约十年前), 组织的大多数应用程序和基础设施都位于自己的数据中心中.

因此, 对该位置的灾难进行规划需要在其他地方建立第二个数据中心, far enough away that the same disaster would not incapacitate both.

现在，仅仅找到另一个地方运行这些系统是不够的，也许是无用的. If they could have been transferred out of the data center, 他们早就是了, in the move to multi-modalism. 如果一栋建筑的边界被毁了，远程通信终端中心还有什么意义呢? 即使可以建立远程链接，数据如何传递到桌面呢? 电话会怎么响?

Colo网站和外包商

Use of a colo site often has more to do with mechanical, electrical and plumbing (MEP) issues than IT. 对于很多组织来说, 如果这些负担可以转移给第三方，那么为数据中心供电和冷却的经济效益就没有意义了. 为他人, 从组织自己的数据中心迁移到托管中心只是向任何东西即服务(XaaS)过渡的一个阶段。.³ 不管是什么, 移动服务器的决定, 存储 and telecommunications into a colo means moving them into not one, but two sites: a prime and a backup. 一个组织可能已经有了灾难恢复设施，它可以为转移的系统服务, 也许不是. 在完全依赖基于颜色的系统之前，测试是有序的. The same point can be made about outsourcing⁴ one or more applications and their associated infrastructure. 在选择外包商时, 客户有责任确保托管公司至少有第二个数据中心, 以及一个经过良好测试和维护的计划，以便在时机成熟时使用它. The basic premise of dual data centers is still in force.

Managed Services and Software as a Service

A special case of outsourcing is managed services: in essence, 雇佣其他人(托管服务提供商[MSP])来做组织自己不想做或不能做的工作. These include certain IT functions, 特别是电子邮件托管, 绩效管理, 安全监视, 存储, 备份和恢复, 以及网络监控.⁵ 当然, many of these activities can be done anywhere an MSP decides, but some require hands-on work. So, 买家应该考虑，如果系统和系统发生灾难，将如何提供这些服务, 更重要的是, 工人们碰巧是.

在客户通过Internet访问软件即服务(SaaS)的情况下，尽职调查的必要性更大.⁶ An organization has the use of software, typically on a subscription basis, but does not own that software nor the servers and 存储 on which it runs. That equipment is somewhere and, in preparing for recovery from disasters, has to be somewhere else as well. Where that “somewhere” is matters, 软件和客户数据从一个地方复制到另一个地方的频率也是如此. These are not novel considerations, but many SaaS subscriptions are made by business functions, 不是它, and disaster recovery may be overlooked.

云

A true cloud is a superb solution to disaster recovery problems. 注意修饰语“true”.” There are vendors claiming to offer cloud services, 但稍加调查就会发现，他们只是在几个网站上提供托管服务. 它们不提供真正的云的底层基础设施和机制, 在这种情况下，相同的软件(通常是虚拟化的)在两个或多个位置同时运行, with data replicated at frequent intervals among them. 目的, and in many cases the actuality, 操作是否可以从一个站点切换到另一个站点，而对客户几乎没有影响. This may be done for performance reasons, load balancing or recovery. 注意后者, 在提交给云提供商之前，必须验证销售人员的基础设施声明，并验证此自动故障转移是否实际有效.

In this era of multi-modal technology, many disaster recovery issues are solved, some are simply transferred and a few are made worse. Disaster recovery is manageable, but only with one’s eyes open.

尾注

¹ This assumes that an organization has a building where its people work, which is only partially true today. Many people work remotely some or all of the time. 未来可能会导致公司和政府机构将工作从房地产中分离出来，剩余的数据中心可能会消失.
² Steven J.; “The End of the Beginning?” ISACA杂志,卷.3, 2017, zpbox.web-sitemap.xqzlsb.net/resources/isaca-journal/issues.
³ McLellan C.; “XaaS: Why ‘Everything’ Is Now a Service,” ZDNet2017年11月1日 www.zdnet.com/article/xaas-why-everything-is-now-a-service/. Pronounced zăss, it means “Anything as a Service.”
⁴ 在使用颜色时，组织拥有设备并租用场地和MEP. 如果一个系统是外包的, the organization owns the application(s), but not the equipment on which it runs, 也不是占地面积, 也不是环境保护部. 当然，这些都是细微的差别，但在灾难恢复计划中至关重要.
⁵ Olavsrud T.; “How to Get the Most From a Managed IT Services Provider,” 首席信息官2017年6月30日
⁶ 高度,J.; “Cloud Vs SaaS: What’s the Difference?” nChannel2016年7月13日 http://www.nchannel.com/blog/cloud-vs-saas/. 所有这些基于云中的软件的服务都是SaaS，但SaaS不一定在云中. 可以直接访问这些服务，而无需通过云提供商. 这是一种混乱和一些争议的来源，我不打算在这里进入.