Although there’s no one right way to go about protecting any business from disaster, there are certain steps that apply to pretty much all businesses keen to ensure that critical business systems are up and running as soon after a disaster strikes as possible. Matt Kingswood, from nationwide managed service provider IT Specialists, explores the key steps to business continuity.
- Perform a business impact analysis
The most important thing to consider in protecting your business from a disaster of any kind is to create a plan in advance. The first step is to perform a business impact analysis (BIA), which identifies the risks associated with the business and then, based on those risks, the assets and data that are the most important for that business to continue working without disruption. Knowing what the top risk factors are dictates the solution requirements and, during audits, enables businesses to show what logic was used in setting up their analysis.
A key part of the analysis will be to specify realistic recovery time objectives (RTO) and recovery point objectives (RPO) for these assets. If the RTO and RPO haven’t been defined, the assumption is immediate availability, which results in failed expectations almost without exception. Instead, RTOs should be real-world applicable – there’s no point specifying unrealistic (either long or short) outage durations, for example, as these can easily derail the resulting disaster recovery plan at the very outset. In an actual disaster situation, timings can easily slip, and it’s tempting to delay failover plans for another few minutes when an in-house solution seems imminent. The RPO represents how much data loss you can afford, so this figure should be realistic as well.
- Develop a disaster recovery strategy and plan
Some standards and regulations, such as ISO/IEC 27031 and UK government guidelines, specifically mandate having a written plan. ISO/IEC 27031, the global standard for IT disaster recovery, states: “Strategies should define the approaches to implement the required resilience so that the principles of incident prevention, detection, response, recovery and restoration are put in place.”
When creating your strategy, make an inventory of all IT hardware (e.g. servers, desktops, laptops and wireless devices), software applications and data. In addition, ensure that your disaster strategy, plans, contacts and backup files are stored both on- and off-site. Although on-site backups are essential for some types of disaster (like a failed hard drive, for example), a fire or a flood would make off-site backups immediately desirable.
Your disaster recovery plan shouldn’t be a one-off project that is created and then sits on a shelf gathering dust. Instead, it needs to be a starting point that is continually evolving to include ongoing best practices and lessons learned.
Cloud-based disaster recovery as a service (DRaaS) solutions are often an accepted and key component of a disaster recovery strategy, but ensure the solution is fit for purpose both now and at each stage throughout your strategy’s ongoing evolution. Some solutions, for example, market data repository functions as DRaaS but don’t provide disaster recovery – meaning you couldn’t recover to a full environment in an alternative location. Depending on the type of business you’re in, this lack of disaster recovery capability could be detrimental to your business during an interruption, particularly if you’re reliant on high uptime. At IT Specialists, as with some other vendors of DRaaS solutions, we will offer support for disaster recovery strategy development and testing. Take advantage of this service to evolve a plan that will deliver appropriately when you need it most.
- Find the DRaaS solution that works with your business needs
The DRaaS solution that’s most suitable for you will depend on the type of business and industry you’re operating in. If you want to use DRaaS for testing and housing less critical business applications, public cloud can offer fairly automated resiliency. If you’re looking to protect critical sensitive data or applications, a private cloud environment can alleviate concerns about compliance and security issues. Whether you’re using a private or public DRaaS model, your environment can be recovered to virtual machines or a physical environment, but latency can be a challenge, so make sure the solution can fulfil your RTOs.
Hybrid implementations are a growing focus of the market, as you get the best blend of benefits, and the model can be adjusted to suit your specific requirements. For example, at IT Specialists, we offer a DRaaS model called BlackVault Managed Recovery Platform, which combines a dedicated on-site data storage appliance with our private cloud platform, BlackCloud, to provide fully managed backup and recovery. Benefits include greater control over critical data on-site, faster restore times and ease of testing, while cons include the BlackVault appliance, by default, bringing up only a portion of the production environment. It is, however, possible to reconstitute and run the entire environment from the BlackVault appliance if doing so is necessary to meet business and compliance requirements.
- Get the right DRaaS vendor
Once you’ve arrived at a decision on the type of solution you’re looking for and are contacting vendors directly, it’s time to start looking at vendor credentials. It is important to ask the right questions, and a key one to start with is whether a vendor has relevant industry experience and thus understands the regulatory requirements and business context that are essential for you. For example, the right vendor should provide you with answers to questions you hadn’t even thought of but that are related to your organization and its industry. With each vendor, look for a client list in your vertical that confirms the vendor’s expertise. The vendor’s knowledge will be very apparent in their approach to you. If compliance and due diligence questions aren’t immediately covered, this should be cause for concern. The vendor should also have the appropriate due diligence material pre-populated so that you need only spend minimal effort before making your decision.
Ask the right questions:
Similarly, the vendor should answer questions about how your data will be handled. Is data encrypted in transit and at rest? What is the data onboarding process? If vast amounts of data are involved, is it drip-fed or posted on a drive? Finally, what is the vendor’s data destruction policy? (This should be an easy one for them to answer, but if not, there can be massive compliance fines around the corner.) Again, if a vendor is unwilling to answer these questions, that’s a red flag!
Investigate your potential provider:
Check your chosen provider thoroughly. Verify that the vendor can meet the RTO and RPO objectives you’ve specified, as well as any specific compliance concerns, and also find out what happens if your data is lost or corrupted. Double check if backups are made at their end, how far back these go, and where are they stored. Find out the vendor’s process for returning you to your restored environment post-failover and if that process if workable for your business. Finally, establish service level agreements (SLAs) as you would for any other service and check that you’re not locked in – can you migrate to another provider easily in the event you’re not satisfied with the service?
- Finally, test, test and test again!
It is important to note first of all that testing is not a pass/fail outcome. Rather, it is a learning process and transfer of knowledge amongst colleagues and your provider, which is vital for success in a crisis.
Don’t wait until a disaster strikes to find out if your disaster recovery plan is able to protect your business, though. You should perform regular tests to identify and fill any gaps in the plan. One barrier to testing for customers working alone is the amount of time testing takes, the resources consumed (e.g. employee time commitment) and the interruption to day-to-day business processes.
One of the benefits of working with a DRaaS provider, however, is that disaster recovery tests can be performed in a sandbox environment that emulates your production systems – without any interruptions to the production systems themselves. Your provider may also be able to help you create a testing strategy and participate in the test to reduce the amount of time that employees spend away from their daily responsibilities. You can then use the results of the test to identify and resolve any problem areas in your plan.[su_box title=”Matt Kingswood – Head of Managed Services, IT Specialists” style=”noise” box_color=”#336588″]Matt Kingswood is the Head of Managed Services of Midlands and London-based ITS, a nationwide Managed IT services provider. ITS is part of the US Reynolds and Reynolds company which has a strong heritage in data backup and recovery services. In his position, Matt is responsible for developing Managed IT services within the UK and is currently focused on the next generation of cloud and recovery products, BlackCloud and BlackVault.
Matt has more than 20 years of experience in the information technology industry, and was formerly CEO of The IT Solution – a full service IT Supplier acquired by ITS. Since joining ITS, he has led efforts to introduce a range of managed services based on the new ITS cloud platform. Previously Matt had a career in technology for several top tier investment banks before founding and selling several companies in the IT services industry.
Matt has an MBA from The Wharton School of the University of Pennsylvania and a Master’s in computer science from Cambridge University.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.