Cloud Based Business Continuity Murat Lostar
Jun 22, 2015
Cloud Based Business Continuity
Murat Lostar
Continuity of
• Storage• Database
– SQL– NoSQL
• Application• Desktop• Network
People?• Business• IT
• Customers• Environment
Out of scope
• Overall reliability of cloud• Decision to move “the primary” on to the
cloud• Private cloud• Personal backup/DR in cloud
Business Continuity vs IT Continuity• Business Continuity:
capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident (Source: ISO 22301) Is about prevention – not just a cure
• Focused on critical business processes – not on particular assets or enablers like IT systems
• ICT Continuity: capability of the organization to plan for and respond to incident and disruptions in order to continue ICT services at an acceptable predefined level (Source: BS 25777)
Definitions
• (BCP / ICT Continuity)
• DR• RTO• RPO
• Cold standby (backups)
• Warm standby (disks)
• Hot standby (servers)
Principles of ICT Continuity
• Protect• Detect• React• Recover• Operate• Return
(Local / Primary site)(Manual or Cloud automation tools)
(Local + cloud) (Primary site)
(Plan before disaster!)
Cloud based delivery• SaaS – Software as a service (e.g. Salesforce, gmail,
GoToMeeting, Mailchimp)• PaaS – Platform as a service (e.g. Heroku, Force.com,
Google App Engine)• IaaS – Infrastructure as a service (e.g. AWS, Microsoft
Windows Azure)• DaaS – Desktop as a service (e.g. Dell, Citrix,
Deskstone)• …
Why prefer cloud for DR/BCP?• Cost: No Disaster -> Minimal costs• Elastic (to different structures + changes)
-> Cost Effective• Management Flexibility: No control <-> Full Control• World-class redundant facility• Up-to-date applications, defined by RTO, RPO• Cloud service provider support >
local staff + travel(Source: Cloud Security Alliance)
Datacenter Infrastructure Components & MaintenanceProduction• Applications
– License
• Servers– OS + Hypervisor (License)
• Storage– SAN– Primary Storage– Backup
• Network– Router– Firewall
• Disaster Recovery– Traditional
• Same as production?
– Cloud• Snapsot Storage only• Storage + DB and/or
App
Cloud Strategies for Continuity
• Use cloud services as backup (DR).• Use different cloud services for primary
and DR.• Use the same (DR ready) cloud service for
primary and DR.
DR Strategies on cloud
• Backup & restore (encryption?)• Pilot Light– Running replicating database server (no app srv)
• Fully working low capacity standby• Multi site hot standby
File Storage in cloud
• Physical (periodical) physical shipment• iSCSI Based Archiving/Sync• Backup to cloud
Database in cloud
• Offline file shipment• Backup & restore• Log shipment• DB Synchronization • Two phase commit
Applications in cloud
• Release management• Cloud awareness in SDLC
Risks with Cloud BCP• Security and privacy! • Change management • Adaptation of new technologies• Connectivity requirements• Activation
A secure way to store data in cloud for DR• During normal operations
– Encrypt and ship data to cloud• In case of disaster
– Enable computing– Enter decryption key to servers & use
• Return to normal– Destroy decryption key on servers
• Change of provider– Destroy decryption key (& decommission service)
Is your cloud provider secure?Ask:• Certifications– SOC 1 Tyep 2 (SAS-
70)– ISO 27001– PCI-DSS– Others (HIPAA, etc)
• Physical– Two factor
authentication– Log, aduit
• HW, SW, Network– Change mgmt– COBIT
Will your cloud provider continue? Ask: • Level of redundancy
– N + 50%? N + 1? N x 2?• Cloud DRP in the redundant locations/power feeds, circuits,
networks• DR & BCP within contract• Steady state billing• Declared disaster billing• RPO, RTO options and costs• Regular DR tests
Cloud Based Continuity Testing• Remember KISS• Start small (unit testing)• Go big (with your own pace)• May aim full capacity & automatic failover– Include shutdown/disconnect primary site
Why not to prefer cloud for DR?• Data security/privacy concerns• Giving up too much control• Too much invested in current infra&staff• Cloud need to mature• Satisfied with existing infra
Source: Enterprise Strategy Group, 2011
Standards and References• ISO 22301• ISO 25777:2008 – Information and
Communications Technology Continuity Management: Code of Practice
• CloudSecurityAlliance.org• ISACA Journal 2011/2• Wikipedia.org/wiki/
Cloud_computing_architecture
Thank You
Murat Lostar• Linkedin.com/in/lostar• www.lostar.com