As I set out to write my column this month, I popped over to the NIST website to check some facts. The National Institute of Standards and Technology publishes security standards and guidelines for the U.S. government in its "800 series," and they are generally useful in the private sector as well. I visit the NIST website occasionally to check the facts on topics ranging from encryption algorithm lifespans to risk assessment methodology. But this week, the NIST website has been taken down due to the U.S. government shutdown.
The NIST website is displaying a maintenance page saying, "Due to a lapse in government funding, the National Institute of Standards and Technology (NIST) is closed and most NIST and affiliated web sites are unavailable until further notice. We sincerely regret the inconvenience." I hope they do, because a lot of professionals rely on information provided by government agencies.
This is a somewhat jarring experience. I hadn't realized the government affected my daily life in any meaningful way, but now that the documents I'm looking for are not available to me, I'm starting to wonder what preparations I should have made to account for this situation. In fact, I'm thinking like a business continuity planner.
Business continuity is all about maintaining or resuming normal operations after a primary process is interrupted or has failed. If I were thinking about this a week ago, I might have considered ways to get the information I need even if the NIST website was unavailable. I can't find any mirrors, but maybe I could have created my own by downloading all the documents to my own hard drive. But now that the only information channel I've been relying on has been interrupted, it's too late. Business continuity planners are supposed to think ahead, to predict what might happen and come up with appropriate countermeasures. I'm not one, but I can see how that reasoning applies to my situation.
My natural response to this is that I should go ahead and download the NIST publications whenever the website comes back up. And that's really a commentary on cloud services in general.
I rely on the cloud daily. If I apply the term loosely, then my reliance extends to all of the websites I use to look up information and perform tasks involving data. The biggest problem with that extensive reliance, of course, is that when sites are unavailable, I don't have access to the information and services I need. Cloud services in general have been plagued by availability problems (as well as data loss and other significant issues). This has implications for all organizations. The convenience and scalability of the cloud are somewhat offset by the risk of your service going dark.
What's the alternative? Your data is either in the cloud -- as with Apple's iCloud, the various Dropbox-like services, and even video streaming services like Netflix -- or it's on your own storage. If I don't want to rely on the cloud, I'll have to buy more hard drives and keep copies of the data I need. In today's interconnected world, that's not as easy as it once was. I would have to deal with keeping my data in sync with the cloud. And of course, I would be managing a potentially huge amount of data instead of relying on services to do that. And what about Wikipedia or IMDb? They hold way too much data to mirror.
Hopefully, I'll be able to follow through next month with the column I was originally planning to write this month, before the NIST website was shut down. With any luck, the government will be working again by then.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.