Business Continuity and Resiliency

111

May 8, 2008

BC Update: Journey to Achieving Business Resiliency

Eileen S. Ott, MBCP

2008 ANNUAL IT SECURITY CONFERENCE

22

OffsiteBackup/

Archiving

Remote Replication

StretchClustering

Continuous Availability

Continuous Availability—The Always-On Business

Resilient, unbreakable

infrastructure

2© 2004 EMC Corporation. All rights reserved.

33

Evolution of Recoverability and Availability:Key Trend The 3 have converged.

Availability through disasters (<1% of occurrences)

Flood, fire, earthquake Contaminated building

Availability through planned outages & competing workloads (87% of occurrences)

Backup, reporting Data warehouse extracts Application and data restore

Availability through Operational failures

(13% of occurrences) Database corruption Component failure Human error

Insurance

ROI

ROI

44

The Industry JourneyIndustries Have Differing Levels Of IT Dependency

100% Procedural 0% IT Architectural

Redundancy

24 hrs x 7 days

Manual

Non Critical BusinessSmall Industries

Resources

Essential Services

Utilities, Airlines, Hospital

BanksFinancial Services

TelecommunicationsFood Manufacturer

Consumer GoodsManufacturing

Manufacturing

Retail & Online

TransportationLogistics

TransparentFailsafe

High Security

Low security

Low FailsafeHigh FailsafeLow Volume

High Volume

Single Data Center

Dual Data Center

Triple Data Center

55

Achieving Resiliency - Four (4) Areas of Discussion

1. Corporate Organizational Structure

2. Business Continuity Awareness

3. Availability vs. Disaster Recovery

4. Efficient use of all assets

Additional information:– Standards and Certifications– Where to go for more information

66

Corporate Organizational Structure

The Trend: Business Continuity, inclusive of Disaster Recover is moving to the office of Corporate Risk and Security, often with direct reporting to the Board of Directors.

Notes:

BC is now appearing on BOD agendas and is treated as an ongoing program as opposed to a one time project/event.

BC/DR is a budget item separated from IT.

More frequent Audits and Auditors report to BOD

CXX pay/bonus based partly on success of BC program

77

Business Continuity Awareness

The Trend: CEO/CFO office creating strategic BC/DR initiatives, directives and goals.

Notes:

Information Technology tasked with providing and implementing solutions, but selection of proper solution is moving to business units

Business Units mandated to become more involved in planning, training and testing.

Business Units are measured on participation and contribution.

New employee, all employee BC/DR training becoming normal. Certain groups requiring in-house BC/DR certification.

Integrated and cross-functional testing and training is creating a greater awareness of BC/DR and improving likelihood of recovery or continuance

88

What is a Business Continuity Management Program ?

• Corporate sponsored and supported • On-going effort to ensure that:

Business continuity and disaster recovery requirements are addressed

• Includes both IT Disaster Recovery and BU Continuity plans• Needed skill sets are identified, allocated, trained• Processes and procedures are in place to enable the continuation

of mission critical business processes• People and information remain connected regardless of the cause

of the disruption• Brings consistency and predictability to the company’s information

availability strategy• Can provide an accurate determination of investments needed to

support the information availability strategy

99

Multiple Disciplines

Applicationsand

Operations Management

DisasterRecoveryPlanning

IT Strategyand

Architecture

PhysicalSecurity

ContinuousAvailability

Risk/Crisis Management

Information Security

Emergency Preparedness

Business UnitsPlanning

1010

Components of a Business Continuity Management Program

Business Impact Analysis

Risk Analysis

Recovery / Continuity Strategy

Group Plans and Procedures

Business Continuity Program

Risk Reduction

ImplementStandby Facilities

Create Planning Organization

Testing

PROCESS

Change Management Education Testing Review

Policy ScopeResourcesOrganization

Ongoing Process

Project

1111

Availability vs. Disaster Recovery

The Trend: Single site used for Production and HA while second site is used for Test / Development / QA and / DR.

Notes:

The executive and business units confusion between Availability vs. DR often requires education

Clients are moving to Out of Region DR data centers, reducing the capability of in-region Availability solutions.

Incorporation of HA or Operational Recovery (OR) solutions in production data center is a high priority.

Request for Active/Active data centers continues while Enterprise Capable Active/Active solutions are elusive.

Knowing application inter-dependencies is critical to mixing Availability and DR without compromising DR.

Including suppliers and key customers in planning and testing

1212

Key Considerations in Achieving Resiliency

Solution: Requirements + Facility Options + Data Consistency Risks + DR Technologies = DR Strategy & Business Case

Business & IT Alignment:– BIA, Application Interdependency, System & Application Mapping

Internal vs. External DR: changes in policy, procedures, and testing.

Unbiased Technical Solutions and Implementation Design

Technical Integration– Replication, Clustering, and Virtualization– Implementation Risks & Roadmaps

1313

Efficient use of all assets

The Trend: Implementing solutions, processes, policies and products that improve automation, repeatability, predictability.

Notes:

Publishing approved solutions

Documenting all critical information, including the required knowledge of SME’s.

Virtualized Servers, Storage, Tape, Staff

Elimination or reduction of point solutions in favor of Enterprise Solutions

Reduce/eliminate custom scripting in favor of product based solutions

In-sourcing non-core expertise

Use of BC planning tools to more easily maintain and distribute documentation

1414

Continuity Challenge: The Common Current State

Notprotected

Under-protected

Different requirementsDifferent technologiesDifferent processes

Over-protected

Continuity Issues Survive a disaster

Achieve high availability

Prevent data corruption

Non-disruptively upgrade software and/or hardware

Do parallel processing

Move and migrate data

Restart the enterprise

Protect remote data sites

Shorten backup and restore times

Contain costs

Cannot add resources

Pain Points Inconsistent service levels

Gaps in coverage

Growth in complexity and effort

Growth in cost and risk to the business

Continuity Defined: Ensuring applications and data are available during planned and unplanned outages.

1515

Physical to Virtual Recovery

Physical server

Physical server

Physical server

Lower TCO recovery site• Local to unlimited distance• Zero to minutes RPO• Short RTO• Failover / failback support

Typical production environment

Virtual machine

Virtual production environment

Source Target

ReplicationLink

1616

Classify and tier Applications and Data

ArchiveData

Clones

Single Instance fixed, stable, non-changing data into an Active, Intelligent Archive

Streamline backups

Performance tune the backup process to eliminate redundant block level data with Data De-Duplication technology & VTL Utilize snaps for incremental changes

Building Information Protection Into The Data Center…

Virtualize servers

SnapsSnapsSnapsSnapsProduction

Data

Tier 3

Tier 2

Tier 1

BackupEnvironment

1717

Classify and tier Applications and Data

ArchiveData Backup

Data

Clones

Single Instance fixed, stable, non-changing data into an Active, Intelligent Archive

Streamline backups

Performance tune the backup process to eliminate redundant block level data with Data De-Duplication technology Utilize snaps for incremental changes

Putting It All Together: Adding a remote location…

Virtualize servers

SnapsSnapsSnapsSnapsProduction

Data

Tier 3

Tier 2

Tier 1

Unit of RecoveryRemote Location

1919

Technology Futures

Change to traditional backup philosophies– Segregation of archival data from backup data– Increased attention to restore service levels (DR vs daily)– Increased use of disk as pre-stage area to tape– Increased recognition of “recovery” versus “restart” (data consistency)

Accelerated adoption of Virtualization technologies for DR and Availability Management

Increased levels of integration and automation between replication and clustering technologies

Emergence of CDP: Continuous Data Protection– Initially by platform– Longer term in support of the Enterprise

Emergence of data replication/mobility functions within the storage network

– Initially at the platform/data base level– Longer term at the Enterprise level

2020

Best Practices for Achieving Business Continuity

Determine requirements / service levels– Business Continuity to SLA’s– Managing to the right “Risk vs. Cost” model

Validate ability to achieve service level agreements

– Evaluate costs / tradeoffs of technologies to meet service levels

Create right level of protection for your specific business and application requirements

Tie it all together– Across storage platforms– Across infrastructure (storage, servers, networks, applications)– Across data centers and geographic locations– Simplify management overhead and implementation risk by being

prime contractor

2121

Source:

Business Continuity Maturity Model

Stage 0– No disaster recovery plan– Or exists as “shelfware”

Stage 1– Data recovery as an IT project– Platform-based– Plan occasionally tested– Ad hoc project status reporting

Stage 2– Data recovery as a process,

component of BC – Link DR to business process

requirements– Defined organization– Plan regularly tested– Formalized reporting

Stage 3– Business integration– Partner integration– Process integration– Continuous improvement culture– Frequent, diverse testing– Formalized reporting to

executives and board

2222

Regulation Proliferation

FSA - SYSC

SEC 17ad-7

Sarbanes-OxleySarbanes-Oxley

21 CFR Part 11

NARA Part 1234

HIPAA

eSign Act

SEC 17a-4

DoD 5015.2

ISO 15489-1

Common Criteria

BSI DISC PD 0008:1999

eGif

Data Protection Act of 1998

Freedom of Information Act of 2000

Public Records Office

UK Metadata Framework DICOM

Dublin Core

SEC 17a-3FERC Part 125

NASD 3010

NASD 3110

Rev. Proc 97-22

ISO 15489-2

MoReq

Interagency White Paper

2323

BC Certifications and Standards:

Certifications:

DRII:

ABCP - Associate Business Continuity Planner

CBCP - Certified Business Continuity Planner

MBCP - Master Business Continuity Planner

BCI ( U.K.):

FBCI - Fellow business Continuity Institute

Other Certifications: CISP, CISA,CISM, CDCP, etc,

2424

Private Sector Preparedness Act, August 2007

Calls for creation of voluntary private sector preparedness standards program

U.S. Department of Homeland Security to establish program with private sector input into program development and operations

2525

Preparedness Standards

Standards

– ITIL NIST

–BSI: BS 25999 NFPA

– ISO 19999 FEMA

–FFIEC ASIS

–RIMS

Others……..

2626

Where to go for more information

www.drii.org

www.drj.com

www.continuityinsights.com

www.nfpa.org

www.disasterrecoveryworld.com

www.continuitycentral.com

www.cpeworld.org

www.globalcontinuity.com

www.fema.org

2828

The BC Market and Where EMC Participates

Sources: EMC Market Research, IDC, AMR

$40 billion dollars spent on BC in 2006

EMC’s BC 2006 revenue: $3.45B– Hardware– Software– Services

• Implementation• Integration• Advisory Services• Program Operations

Prime supplier to core BC service providers:

– SunGard 2006: $1.25B– IBM BCRS 2006: $ .65B

Storage, $5.1

Software, $4.6

Server, $5.5

Consulting, $5.3

BU H/W & S/W, $11.4

Network, $5.0

DR/HA Services,

$3.7

2929

2006 Worldwide Replication Software Market

EMC + Legato, 44.0%

Fujitsu Softek, 1.5%

HP, 10.7%Hitachi, 5.7%

IBM, 10.0%

NetApp, 7.8%

Storage Tek, 3.9%

Sun, 3.9%

Veritas, 3.0%

BMC, 0.4%Other

Vendors, 8.3% CommVault, 0.1%

CA, 0.7%

Replication Mkt. = $1,561M

= Enterprise ScaleEMC Research

80%

15%

5%

3030

Business Continuity Framework

ManageBuildPlan

Assess Program/Service Levels

Define Business Requirements

Evaluate Availability and Recovery Alternatives

Testing and Implement Technologies

Develop Recovery/Failover Plans

Conduct Recovery Testing

Program Management and Integration

Develop/Update Program Definition

Manage Resources, Improvements, Measurement

Design Infrastructure

Conduct Implementation Planning

Managed AvailabilityServices