supplied tools for organizational integration of secure distributed computing. Candidates for infrastructure elements of such a suite of tools include OSF's Distributed Computing Environment (DCE), the Object Management Group's Common Object Request Broker Architecture (CORBA), secure World Wide Web access management tools, and the Java component-based Web browser extension technology. Desirable capabilities include uniform client-server authentication, access control lists for authorization, encryption of all data messages, and digital signature and content validation tools, so that only software whose origin and integrity have been verified runs within networked domains that can be relied on to be secure.
Despite the increased reliability of modern computing systems, which benefit from technologies such as high-density integrated circuits, improved packaging techniques, and high-capacity storage media, operational systems do fail. Processors, memory, and disks sometimes fail; software occasionally runs amok; environmental failures such as power outages, floods, and earthquakes regularly occur; and users sometimes delete important files accidentally. To guard against these outages and losses, alternative power sources and processing facilities must be provided for the most critical systems, up-to-date backups of system files must be performed, and the backup media must be kept physically secure. Good practices for recovering from these kinds of failures have been in place for decades, and lower-cost systems and peripheral equipment have made redundancy and backup more convenient and effective than ever.
In its site visits, the committee found excellent practices generally in place for centrally managed mainframe and server systems. At the strongest sites, an inventory of critical systems was maintained, along with an evaluation of the maximum outage each information resource could sustain without affecting health care. This evaluation guides the purchase of redundant processing facilities and their placement at campus locations unlikely to be affected simultaneously by any but the most disastrous environmental failures. Full system backups are performed regularly, and copies are stored at multiple sites so that destruction of any single site does not destroy every copy. Routine drills are run to practice switching from hypothetically damaged operational facilities to backup facilities and restoring damaged information after a peripheral storage failure. The strongest sites also have redundant network communications facilities in place, routed independently so that