Post on 28-Nov-2014
May 8, 2008
BC Update: Journey to Achieving Business Resiliency
Eileen S. Ott, MBCP
2008 ANNUAL IT SECURITY CONFERENCE
Continuous Availability—The Always-On Business
Resilient, unbreakable infrastructure
Offsite Backup / Archiving
Remote Replication
Stretch Clustering
Continuous Availability
© 2004 EMC Corporation. All rights reserved.
Evolution of Recoverability and Availability: Key Trend
The 3 have converged.
Availability through disasters (<1% of occurrences)
– Flood, fire, earthquake
– Contaminated building
Availability through planned outages & competing workloads (87% of occurrences)
– Backup, reporting
– Data warehouse extracts
– Application and data restore
Availability through operational failures (13% of occurrences)
– Database corruption
– Component failure
– Human error
Insurance
ROI
ROI
The Industry Journey: Industries Have Differing Levels Of IT Dependency
[Figure: industries placed by level of IT dependency. Range labels: 100% Procedural / 0% IT Architectural Redundancy; Manual; 24 hrs x 7 days; Transparent Failsafe; Low Failsafe / High Failsafe; Low Security / High Security; Low Volume / High Volume; Resources; Single Data Center, Dual Data Center, Triple Data Center. Industries shown: Non Critical Business, Small Industries; Essential Services; Utilities, Airlines, Hospital; Banks, Financial Services; Telecommunications; Food Manufacturer; Consumer Goods Manufacturing; Manufacturing; Retail & Online; Transportation, Logistics.]
Achieving Resiliency - Four (4) Areas of Discussion
1. Corporate Organizational Structure
2. Business Continuity Awareness
3. Availability vs. Disaster Recovery
4. Efficient use of all assets
Additional information:
– Standards and Certifications
– Where to go for more information
Corporate Organizational Structure
The Trend: Business Continuity, inclusive of Disaster Recovery, is moving to the office of Corporate Risk and Security, often with direct reporting to the Board of Directors.
Notes:
BC is now appearing on BOD agendas and is treated as an ongoing program as opposed to a one time project/event.
BC/DR is a budget item separated from IT.
More frequent Audits and Auditors report to BOD
CXX pay/bonus based partly on success of BC program
Business Continuity Awareness
The Trend: CEO/CFO office creating strategic BC/DR initiatives, directives and goals.
Notes:
Information Technology tasked with providing and implementing solutions, but selection of proper solution is moving to business units
Business Units mandated to become more involved in planning, training and testing.
Business Units are measured on participation and contribution.
New employee, all employee BC/DR training becoming normal. Certain groups requiring in-house BC/DR certification.
Integrated and cross-functional testing and training is creating a greater awareness of BC/DR and improving likelihood of recovery or continuance
What is a Business Continuity Management Program?
• Corporate sponsored and supported
• On-going effort to ensure that:
Business continuity and disaster recovery requirements are addressed
• Includes both IT Disaster Recovery and BU Continuity plans
• Needed skill sets are identified, allocated, trained
• Processes and procedures are in place to enable the continuation of mission critical business processes
• People and information remain connected regardless of the cause of the disruption
• Brings consistency and predictability to the company’s information availability strategy
• Can provide an accurate determination of investments needed to support the information availability strategy
Multiple Disciplines
Applications and Operations Management
Disaster Recovery Planning
IT Strategy and Architecture
Physical Security
Continuous Availability
Risk/Crisis Management
Information Security
Emergency Preparedness
Business Units Planning
Components of a Business Continuity Management Program
Business Impact Analysis
Risk Analysis
Recovery / Continuity Strategy
Group Plans and Procedures
Business Continuity Program
Risk Reduction
Implement Standby Facilities
Create Planning Organization
Testing
PROCESS
Change Management, Education, Testing, Review
Policy, Scope, Resources, Organization
Ongoing Process
Project
Availability vs. Disaster Recovery
The Trend: Single site used for Production and HA while second site is used for Test / Development / QA and DR.
Notes:
Executive and business unit confusion between Availability and DR often requires education.
Clients are moving to Out of Region DR data centers, reducing the capability of in-region Availability solutions.
Incorporation of HA or Operational Recovery (OR) solutions in production data center is a high priority.
Request for Active/Active data centers continues while Enterprise Capable Active/Active solutions are elusive.
Knowing application inter-dependencies is critical to mixing Availability and DR without compromising DR.
Including suppliers and key customers in planning and testing
Key Considerations in Achieving Resiliency
Solution: Requirements + Facility Options + Data Consistency Risks + DR Technologies = DR Strategy & Business Case
Business & IT Alignment:
– BIA, Application Interdependency, System & Application Mapping
Internal vs. External DR: changes in policy, procedures, and testing.
Unbiased Technical Solutions and Implementation Design
Technical Integration
– Replication, Clustering, and Virtualization
– Implementation Risks & Roadmaps
Efficient use of all assets
The Trend: Implementing solutions, processes, policies and products that improve automation, repeatability, predictability.
Notes:
Publishing approved solutions
Documenting all critical information, including the required knowledge of SME’s.
Virtualized Servers, Storage, Tape, Staff
Elimination or reduction of point solutions in favor of Enterprise Solutions
Reduce/eliminate custom scripting in favor of product based solutions
In-sourcing non-core expertise
Use of BC planning tools to more easily maintain and distribute documentation
Continuity Challenge: The Common Current State
Not protected
Under-protected
Different requirements
Different technologies
Different processes
Over-protected
Continuity Issues
Survive a disaster
Achieve high availability
Prevent data corruption
Non-disruptively upgrade software and/or hardware
Do parallel processing
Move and migrate data
Restart the enterprise
Protect remote data sites
Shorten backup and restore times
Contain costs
Cannot add resources
Pain Points
Inconsistent service levels
Gaps in coverage
Growth in complexity and effort
Growth in cost and risk to the business
Continuity Defined: Ensuring applications and data are available during planned and unplanned outages.
Physical to Virtual Recovery
Lower TCO recovery site
• Local to unlimited distance
• Zero to minutes RPO
• Short RTO
• Failover / failback support
[Diagram labels: Typical production environment (three physical servers); Virtual production environment (virtual machine); Source; Target; Replication Link]
Building Information Protection Into The Data Center…
Classify and tier Applications and Data
Virtualize servers
Single Instance fixed, stable, non-changing data into an Active, Intelligent Archive
Streamline backups
Performance tune the backup process to eliminate redundant block level data with Data De-Duplication technology & VTL
Utilize snaps for incremental changes
[Diagram labels: Production Data; Tier 1, Tier 2, Tier 3; Snaps; Clones; Archive Data; Backup Environment]
Putting It All Together: Adding a remote location…
Classify and tier Applications and Data
Virtualize servers
Single Instance fixed, stable, non-changing data into an Active, Intelligent Archive
Streamline backups
Performance tune the backup process to eliminate redundant block level data with Data De-Duplication technology
Utilize snaps for incremental changes
[Diagram labels: Production Data; Tier 1, Tier 2, Tier 3; Snaps; Clones; Archive Data; Backup Data; Unit of Recovery; Remote Location]
Technology Futures
Change to traditional backup philosophies
– Segregation of archival data from backup data
– Increased attention to restore service levels (DR vs daily)
– Increased use of disk as pre-stage area to tape
– Increased recognition of “recovery” versus “restart” (data consistency)
Accelerated adoption of Virtualization technologies for DR and Availability Management
Increased levels of integration and automation between replication and clustering technologies
Emergence of CDP: Continuous Data Protection
– Initially by platform
– Longer term in support of the Enterprise
Emergence of data replication/mobility functions within the storage network
– Initially at the platform/data base level
– Longer term at the Enterprise level
Best Practices for Achieving Business Continuity
Determine requirements / service levels
– Business Continuity to SLA’s
– Managing to the right “Risk vs. Cost” model
Validate ability to achieve service level agreements
– Evaluate costs / tradeoffs of technologies to meet service levels
Create right level of protection for your specific business and application requirements
Tie it all together
– Across storage platforms
– Across infrastructure (storage, servers, networks, applications)
– Across data centers and geographic locations
– Simplify management overhead and implementation risk by being prime contractor
Source:
Business Continuity Maturity Model
Stage 0
– No disaster recovery plan
– Or exists as “shelfware”
Stage 1
– Data recovery as an IT project
– Platform-based
– Plan occasionally tested
– Ad hoc project status reporting
Stage 2
– Data recovery as a process, component of BC
– Link DR to business process requirements
– Defined organization
– Plan regularly tested
– Formalized reporting
Stage 3
– Business integration
– Partner integration
– Process integration
– Continuous improvement culture
– Frequent, diverse testing
– Formalized reporting to executives and board
Regulation Proliferation
FSA - SYSC
SEC 17ad-7
Sarbanes-Oxley
21 CFR Part 11
NARA Part 1234
HIPAA
eSign Act
SEC 17a-4
DoD 5015.2
ISO 15489-1
Common Criteria
BSI DISC PD 0008:1999
eGif
Data Protection Act of 1998
Freedom of Information Act of 2000
Public Records Office
UK Metadata Framework
DICOM
Dublin Core
SEC 17a-3
FERC Part 125
NASD 3010
NASD 3110
Rev. Proc 97-22
ISO 15489-2
MoReq
Interagency White Paper
BC Certifications and Standards:
Certifications:
DRII:
ABCP - Associate Business Continuity Planner
CBCP - Certified Business Continuity Planner
MBCP - Master Business Continuity Planner
BCI (U.K.):
FBCI - Fellow Business Continuity Institute
Other Certifications: CISP, CISA, CISM, CDCP, etc.
Private Sector Preparedness Act, August 2007
Calls for creation of voluntary private sector preparedness standards program
U.S. Department of Homeland Security to establish program with private sector input into program development and operations
Preparedness Standards
Standards
– ITIL
– BSI: BS 25999
– ISO 19999
– FFIEC
– RIMS
– NIST
– NFPA
– FEMA
– ASIS
Others…
Where to go for more information
www.drii.org
www.drj.com
www.continuityinsights.com
www.nfpa.org
www.disasterrecoveryworld.com
www.continuitycentral.com
www.cpeworld.org
www.globalcontinuity.com
www.fema.org
The BC Market and Where EMC Participates
Sources: EMC Market Research, IDC, AMR
$40 billion dollars spent on BC in 2006
EMC’s BC 2006 revenue: $3.45B
– Hardware
– Software
– Services
  • Implementation
  • Integration
  • Advisory Services
  • Program Operations
Prime supplier to core BC service providers:
– SunGard 2006: $1.25B
– IBM BCRS 2006: $.65B
[Chart: BC spending by category: Storage, $5.1; Software, $4.6; Server, $5.5; Consulting, $5.3; BU H/W & S/W, $11.4; Network, $5.0; DR/HA Services, $3.7]
2006 Worldwide Replication Software Market
EMC + Legato, 44.0%
Fujitsu Softek, 1.5%
HP, 10.7%
Hitachi, 5.7%
IBM, 10.0%
NetApp, 7.8%
Storage Tek, 3.9%
Sun, 3.9%
Veritas, 3.0%
BMC, 0.4%
Other Vendors, 8.3%
CommVault, 0.1%
CA, 0.7%
Replication Mkt. = $1,561M
= Enterprise Scale
EMC Research
80%
15%
5%
Business Continuity Framework
Manage / Build / Plan
Assess Program/Service Levels
Define Business Requirements
Evaluate Availability and Recovery Alternatives
Testing and Implement Technologies
Develop Recovery/Failover Plans
Conduct Recovery Testing
Program Management and Integration
Develop/Update Program Definition
Manage Resources, Improvements, Measurement
Design Infrastructure
Conduct Implementation Planning
Managed Availability Services