HPE Driving the Storage Revolution David A Chapa, Global CTO, EMC IN MY OPINION Jeffrey Cepull, CIO & VP for Information Resources, Philadelphia University CIO INSIGHTS Meg Whitman, President & CEO CIOREVIEW.COM CIO Review The Navigator for Enterprise Solutions JULY 06, 2016 STORAGE SPECIAL


Three Companies that had to Prove their Disaster Recovery Plan would Work
By Pat O’Day, CTO, Bluelock

Given how much modern business relies on technology, you know how important it is to have a Disaster Recovery (DR) plan in place for your IT systems. Imagine if someone asked you today to prove your DR plan works. Worse yet, what if you had to prove it not only internally, but to your constituents? In a decade of working with clients at Bluelock, I’ve found it increasingly common – and in some cases required – that companies provide solid evidence of a successful recovery to auditors, insurers, investors, board members, regulators and customers.

More security incidents and system outages have occurred and made the news. It’s clear that our clients are responding to a broader set of risks than their original disaster recovery plans were designed to address. Security penetrations, DoS attacks, crypto lockers, prolonged network or power outages, and hardware or software failures in heavily centralized virtual systems have a far greater likelihood and systemic impact than the traditionally isolated systems and weather-related events most plans are designed around. Consequently, clients have been required to prove recovery success, recovery quality (data) and recovery time to various groups.

Based on Bluelock’s body of knowledge working with companies in modernizing their recovery approaches every day, I’ve compiled some specific areas of questioning that may help you better assess your plan to determine if you are at more risk than you know. To tease out a bit more color and nuance around each point, I’ve included examples from Bluelock’s client base as a Disaster Recovery-as-a-Service (DRaaS) provider, scrubbed for privacy and security.

If you’re a business leader this should help you open a dialogue with your technology team. If you’re on the technology team, this should verify confidence or at least increase awareness. If you happen to be reading this as one of the constituents I mentioned, it’s my hope that these examples will encourage a more productive dialogue with your business and technology leaders. In the end, we are all on the same team and want the best for business and the technology used to support our success.

Proof of Protection

Shortcuts and DR tend to go hand-in-hand. The shortcuts are possible because most companies don’t have to prove their DR plans have worked. DIY recovery environments tend to be outdated or under-scaled due to budget pressure and views of DR as insurance for something that will likely never happen. These shortcuts also impact security in the DR environment. The challenge is that whether a business is using its recovery environment at that moment or not, it most likely contains a complete copy of production data. Thus, protection and security for your recovery environment is the last thing on which to cut corners. As evidenced by some of the more recent large-scale data breaches, it’s clear that the intruder community knows it’s easier to attack systems that are adjacent to production than a heavily guarded proverbial front door. Proving the protection and security of your production environment can be daunting enough, but proving it in recovery can be even more challenging given the system is offline percent of the time.

One of our clients in the legal industry faced external scrutiny from one of their largest customers when an audit of that customer’s internal DR plans realized a significant dependency on third-party services. While third-party services were originally out of scope, this newly identified risk placed legal services as also accountable for recovery planning, so our client had to prove their DR plan worked and was secure.

For these reasons, they decided to deploy a hybrid configuration where they own and operate their network and security infrastructure, but deploy it around their DR environment at Bluelock. This best-of-both-worlds approach allowed them to leverage their strengths combined with those of a provider with a track record of working with broad sets of applications, security requirements and their own office for secure change management.

Proof of Compliance

HIPAA/HITECH is pretty clear on disaster recovery. You have to have it for any system that is part of the overall healthcare delivery system. It has to work. It has to be proven by the time you are audited.

Doing this while maintaining rapid company growth can be difficult. This was true for a major healthcare provider whose expanding technology environments threatened the risk of non-compliance. They needed to prove to regulators that their environments met requirements, using only existing staffing and expertise. They also wanted to leverage the funding that was going to be liberated when they closed down their secondary datacenter site.

The IT department explored doing DR in-house, but realized the task of building a second site for recovery was too time consuming with other priorities. They needed a DR solution that would meet their HIPAA/I regulations, yet flexible enough to scale new technologies for innovative healthcare.

Leveraging Bluelock’s existing recovery expertise and our elastic pay-for-what-you-use recovery platform achieved not only compliance, but a position for growth and extreme efficiency. Having the test certification process signed off by both parties and fully documented with I I controls certified and audited under our SSAE16 Type2 SOC2 handily exceeded audit requirements.

Proof of Recovery

Testing is not proof. Having a copy of your data somewhere else does not ensure that applications can return to service. Being able to “power on” systems at the recovery site does not guarantee they will come back online within the specific time period that the business requires. Only a consistently successful recovery of people, processes, and technology will satisfy external parties that the recovery plan is effective.

One of our clients, a national research firm, needed to gain an insurance renewal that included business impact insurance, which protects revenue in the event of a disaster. They needed to prove continuously successful disaster recovery tests for key systems that supported their client-facing business applications. Each test, done every six months, had to verify that the most recent data and systems could recover within a given timeframe. To show this proof, both our recovery team and someone from the client’s leadership signed the testing certificates, which verified consistent recovery success.

Conclusion

If you haven’t already noticed the trend, effective and flexible DRaaS solutions and expertise help a variety of companies deploy and prove their strategies. While the right choice for is often dictated by business-specific priorities, timing, budget, and expertise, a good provider alleviates a lot of these pain points.


Pat O’Day