And when the police come knocking, then what?
When contracting with a data center, we ask plenty of questions.
We ask about their security posture. Do they monitor entrances and exits? Do they police building parking? How is their alarm system monitored? How secure is their network? Are the cages secure? Who can get into the building?
We ask about their ability to handle disasters. What kind of fire extinguishers do they have? Do they use fire-resistant doors? Slab-to-slab construction? Can they handle flooding? Power outages?
But we need to start asking another set of questions: what is their legal posture?
A couple of months ago, an FBI raid at a data center in Reston took out “tens” of the data center’s customers, in spite of the FBI only targeting one client. The simple reality is that the average FBI agent isn’t a networking specialist, and may not be able to tell which hardware is relevant and which isn’t. And when they’re unsure, the FBI is likely to take everything and let the lab people work it out later. Sometimes quite a bit later.
So, we have to be asking how a data center will respond to such a circumstance.
First, it’s best if your equipment isn’t seized at all. As remarkable as it seems, many companies have a “complete cooperation with law enforcement” policy – if a police officer asks for something, they get it. Client data, equipment, facility access, anything. That’s not just fly-by-night places, either – I once worked for a hospital network with just such a policy. I’m sure the patients found that reassuring. Obviously, that’s not acceptable for a company with proprietary data. At minimum (and, in most jurisdictions, probably maximum too), the data center has to require that the police do their paperwork: only allow access to officers or agents who have a court order or warrant, and only allow the access specifically spelled out in the order or warrant, nothing more. In many cases, this will avoid the problems: if your iron is in cage 267, and the FBI wants to take the servers of your neighbor in cage 268, then the data center only allows them into 267 and you’re fine.
Second, if your equipment or data is seized – whether legitimately or by accident – then you had better find out from the data center BEFORE your customers let you know. This means that you and the data center need to keep a detailed inventory so you know exactly what was taken. And they must have a policy in place to call the affected clients immediately to inform them (i.e., you) when equipment is seized.
Third, you need fast recovery. This means offsite backups – so your backups can’t have been seized along with your servers – and a plan to replace the hardware. Because let’s be realistic: the police aren’t going to return server hardware soon enough. It’s almost certain that while going through channels and demanding that equipment is returned, you’ll lose more business than the cost of new hardware. This is especially true if your company actually is the focus of the investigation: it could be years before you get it back, if you ever do!
Lastly, you ought to make sure that your information is protected. Whether your servers were taken by the FBI, local law enforcement, or thieves, you don’t want anyone reading it without your permission. That means encrypting your at-rest storage AND your backups. Granted, this doesn’t necessarily keep your data secure – they can always get a court order for you to encrypt your files – but it keeps you from being in the same boat as Instapaper and it’s just good practice.
Odds are you’re not going to be raided by the FBI. But you really ought to have a data center with good site security, an up-to-date inventory, and a prompt notice policy anyway. And you should have your data encrypted and keep a Continuity of Operation Plan in place. These are measures you should have been doing already; they just happen to apply perfectly to this scenario, too.