
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Jun 22, 2015

Transcript
Page 1: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Cloud Based Business Continuity

Murat Lostar

Page 2: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Continuity of

• Storage
• Database
  – SQL
  – NoSQL
• Application
• Desktop
• Network
• People?
  – Business
  – IT
  – Customers
  – Environment

Page 3: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Out of scope

• Overall reliability of cloud
• Decision to move “the primary” on to the cloud
• Private cloud
• Personal backup/DR in cloud

Page 4: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Business Continuity vs IT Continuity

• Business Continuity: capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident (Source: ISO 22301)
  – Is about prevention – not just a cure
  – Focused on critical business processes – not on particular assets or enablers like IT systems
• ICT Continuity: capability of the organization to plan for and respond to incidents and disruptions in order to continue ICT services at an acceptable predefined level (Source: BS 25777)

Page 5: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Definitions

• (BCP / ICT Continuity)
• DR (Disaster Recovery)
• RTO (Recovery Time Objective)
• RPO (Recovery Point Objective)
• Cold standby (backups)
• Warm standby (disks)
• Hot standby (servers)

Page 6: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Principles of ICT Continuity

• Protect
• Detect
• React
• Recover
• Operate
• Return

(Local / Primary site) (Manual or Cloud automation tools) (Local + cloud) (Primary site)

(Plan before disaster!)

Page 7: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Cloud based delivery

• SaaS – Software as a service (e.g. Salesforce, Gmail, GoToMeeting, Mailchimp)
• PaaS – Platform as a service (e.g. Heroku, Force.com, Google App Engine)
• IaaS – Infrastructure as a service (e.g. AWS, Microsoft Windows Azure)
• DaaS – Desktop as a service (e.g. Dell, Citrix, Desktone)
• …

Page 8: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Why prefer cloud for DR/BCP?

• Cost: No disaster -> minimal costs
• Elastic (to different structures + changes) -> cost effective
• Management flexibility: No control <-> Full control
• World-class redundant facility
• Up-to-date applications, defined by RTO, RPO
• Cloud service provider support > local staff + travel

(Source: Cloud Security Alliance)

Page 9: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Datacenter Infrastructure Components & Maintenance

Production
• Applications
  – License
• Servers
  – OS + Hypervisor (License)
• Storage
  – SAN
  – Primary Storage
  – Backup
• Network
  – Router
  – Firewall
• Disaster Recovery
  – Traditional
    • Same as production?
  – Cloud
    • Snapshot storage only
    • Storage + DB and/or App

Page 10: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Cloud Strategies for Continuity

• Use cloud services as backup (DR).
• Use different cloud services for primary and DR.
• Use the same (DR ready) cloud service for primary and DR.

Page 11: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

DR Strategies on cloud

• Backup & restore (encryption?)
• Pilot light
  – Running replicating database server (no app server)
• Fully working low capacity standby
• Multi site hot standby

Page 12: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

File Storage in cloud

• Physical (periodical) shipment
• iSCSI based archiving/sync
• Backup to cloud

Page 13: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Database in cloud

• Offline file shipment
• Backup & restore
• Log shipment
• DB synchronization
• Two phase commit

Page 14: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Applications in cloud

• Release management
• Cloud awareness in SDLC

Page 15: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Risks with Cloud BCP

• Security and privacy!
• Change management
• Adaptation of new technologies
• Connectivity requirements
• Activation

Page 16: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

A secure way to store data in cloud for DR

• During normal operations
  – Encrypt and ship data to cloud
• In case of disaster
  – Enable computing
  – Enter decryption key to servers & use
• Return to normal
  – Destroy decryption key on servers
• Change of provider
  – Destroy decryption key (& decommission service)
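The key lifecycle on this slide, as an added example in Go that is not part of the original deck: data is sealed on-premise with standard-library AES-256-GCM before it is shipped, the cloud recovery server can read it only while a key has been entered, and Return drops the key so the cloud copy is unreadable again. The function and type names (EncryptForShipment, RecoveryServer) and the sample record are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EncryptForShipment seals a record on-premise; nonce||ciphertext is all that goes to the cloud.
// The object name is bound as associated data, so a swapped or renamed blob fails to open.
func EncryptForShipment(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per blob; never reuse one under the same key
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}
// RecoveryServer is cloud compute powered on only in a disaster; the key arrives with Activate and leaves with Return.
type RecoveryServer struct{ aead cipher.AEAD }
func (s *RecoveryServer) Activate(key []byte) (err error) { s.aead, err = newGCM(key); return err }
func (s *RecoveryServer) Return()                        { s.aead = nil } // cloud copy unreadable again
// Open decrypts a shipped blob; it fails without a key or if blob or name was altered.
func (s *RecoveryServer) Open(name string, blob []byte) ([]byte, error) {
	if s.aead == nil || len(blob) < s.aead.NonceSize() {
		return nil, fmt.Errorf("server not activated or blob malformed")
	}
	return s.aead.Open(nil, blob[:s.aead.NonceSize()], blob[s.aead.NonceSize():], []byte(name))
}

func main() { // constructed walk-through: data is readable in the cloud only between Activate and Return
	key := make([]byte, 32) // master key stays on-premise (a KMS/HSM you control)
	rand.Read(key)
	blob, _ := EncryptForShipment(key, "customers.db", []byte("constructed sample record"))
	srv := &RecoveryServer{}
	srv.Activate(key)
	pt, err := srv.Open("customers.db", blob)
	srv.Return()
	_, gone := srv.Open("customers.db", blob)
	fmt.Println(string(pt), err, "| after Return:", gone)
}
```

The "change of provider" step is the same Return call followed by decommissioning: once no server holds the key, the ciphertext left behind at the old provider carries no recoverable data.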

Page 17: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Is your cloud provider secure? Ask:

• Certifications
  – SOC 1 Type 2 (SAS-70)
  – ISO 27001
  – PCI-DSS
  – Others (HIPAA, etc.)
• Physical
  – Two factor authentication
  – Log, audit
• HW, SW, Network
  – Change mgmt
  – COBIT

Page 18: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Will your cloud provider continue? Ask:

• Level of redundancy
  – N + 50%? N + 1? N x 2?
• Cloud DRP in the redundant locations/power feeds, circuits, networks
• DR & BCP within contract
• Steady state billing
• Declared disaster billing
• RPO, RTO options and costs
• Regular DR tests

Page 19: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Cloud Based Continuity Testing

• Remember KISS
• Start small (unit testing)
• Go big (at your own pace)
• May aim for full capacity & automatic failover
  – Include shutdown/disconnect of primary site

Page 20: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Why not to prefer cloud for DR?

• Data security/privacy concerns
• Giving up too much control
• Too much invested in current infra & staff
• Cloud needs to mature
• Satisfied with existing infra

Source: Enterprise Strategy Group, 2011

Page 21: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Standards and References

• ISO 22301
• BS 25777:2008 – Information and Communications Technology Continuity Management: Code of Practice
• CloudSecurityAlliance.org
• ISACA Journal 2011/2
• Wikipedia.org/wiki/Cloud_computing_architecture

Page 22: Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013

Thank You

Murat Lostar
• Linkedin.com/in/lostar
• www.lostar.com