April 16‐18, 2012 • Talking Stick Resort • Scottsdale, Arizona
Disaster recovery strategic planning: How achievable will it be?
Prudence Marasigan, Ernst & Young, Advisory Services, Senior [email protected]
Amr Ahmed, Ernst & Young, Advisory Services, Executive [email protected]
Resiliency touch points
BCM program alignment and implementation
[Diagram: BCM program cycle. Labels: Business process/apps identification; Business impact analysis; Dependency analysis; Risk assessment (gap analysis); Risk‐based prioritization; Continuity strategy development; Strategy implementation; Plans exercise and maintenance]
[Diagram: Assess phase (risk‐based prioritization) and Mitigation phase (progress against plan). Labels: Business resiliency objective; Current technical capabilities; Business continuity driven; IT DR driven; Business continuity and disaster recovery plans; Incident response management; Technical solution acquisition and implementation]
Disaster recovery strategy approach
The outcomes of the strategy may have more than one solution to fulfill an organization’s recovery and continuity in the face of a business disruption.
1. What is to be recovered: People, business processes, application critical paths and technical services
2. How will it be recovered: Technology and technical solution options
3. Where will it be recovered: Technologies facilities (e.g., data center, data rooms), workplace and/or service provider(s)
4. When will it be planned: Execute short‐term and long‐term roadmap
5. How much it will cost: High‐level budget requirements
Disaster recovery strategy requisites
[Diagram labels: Business strategy and impact; Infrastructure strategy; Technical dependency; Enterprise risk; Current strategy gaps; Total cost of ownership; Guiding principles; Business constraints; Technology constraints; People constraints]
Sourcing alternatives:
• In‐source
• Co‐location
• Outsourcing
• Managed hosting
• Cloud services
Disaster recovery strategy:
• High‐level investment
• Roadmap and timeline
Disaster recovery strategy requisites
• Business strategy and impact: Understand the business direction, criticality and prioritization, and the impact that would arise if a threat became an incident and caused a business disruption.
• Technical dependency: Identify all dependencies relevant to the critical business processes/applications, including the underlying infrastructure technology, operational resources and suppliers, and outsource partners.
• Infrastructure strategy: Align disaster recovery strategy options with current infrastructure technology strategy (i.e., use the organization’s existing cloud strategy as a disaster recovery option).
• Enterprise risk: Determine the criteria for acceptable level of risk and statutory, regulatory and contractual duties.
Disaster recovery strategy requisites
[Diagram labels: Total cost of ownership; Guiding principles; Business constraints; Technology constraints; People constraints]
• Issues and obstacles that will affect the future strategy development and disaster recovery (DR) architecture. For example, the business’s or the country’s political establishment and/or regulation requires that the application and/or data be served from a specific location (e.g., state/province, country, region) and/or by a specific sourcing service type (e.g., in‐house, co‐location, managed service)
• Guiding principles that provide a clear link to business and technical priorities and define leading practices for technology architecture and implementation
• Current environment cost transparency
Disaster recovery sourcing options
Understand your alternative service delivery models:
[Diagram: layers/levels of hosting, showing client responsibility versus service provider responsibility for each delivery model]
Layers/levels of hosting:
• Data center layer
• Networking layer
• Device layer
• Operating system layer
• Application infrastructure layer (tools layer)
• Application layer
• Business process layer
Delivery models:
• In‐house
• Co‐location
• Managed hosting
• IaaS/PaaS
• SaaS Apps
• Complete outsourcing
Understand your disaster recovery solutions related to business impact results
Recovery time objective (RTO) solutions example
[Figure: tolerance to service loss over time, measured from time 0 of the outage, across disaster recovery levels 1 to 4]
Time bands shown: <= 4 hours; >4–10 hours; >10 hours–3 days; >3 days–2 weeks
Solutions shown: Clustering and geo‐diverse; Like‐for‐like and virtual servers; Re‐purpose dev/testing and vendor drop‐ship; Vendor drop‐ship

BIA categories       Low (hours)   High (hours)
Vital service        0             24
Essential service    >24           72
Important service    >72           120
Supportive service   >120          720
Understand your disaster recovery solutions related to business impact results
Recovery point objective (RPO) solutions example
[Figure: tolerance to data loss over time, measured from the last data backup and/or replication, across disaster recovery levels 1 to 4]
Time bands shown: <= 1 hour; >1 hour–12 hours; >12 hours–24 hours; >24 hours–72 hours
Solutions shown: SYNC/ASYNC replication and VTL backup; ASYNC replication and VTL backup; VTL backup; VTL or tape backups

BIA categories       Low (hours)   High (hours)
Vital service        0             24
Essential service    >24           72
Important service    >72           120
Supportive service   >120          720
Disaster recovery total cost of ownership (TCO)
• Measure your current IT DR spending so you can effectively improve, manage and control your future DR strategy costs.
• Build and maintain an accurate inventory of hardware, software and appropriate licenses.
• Develop a TCO model that includes a combination of the following OPEX and CAPEX (recurring and non‐recurring) spending:
o Labor: plan, build, test and run
o Facilities, including in‐source or external data centers, data rooms and workspace
o Hardware, data network and other items for hosting hardware and applications
[Chart categories: Labor; Hardware; Facility; Data network; Others]
Disaster recovery total cost of ownership (TCO)
Comparative cost summary (in thousands) example:
Disaster recovery strategy roadmap
Develop the strategy implementation roadmap based on your current maturity to address:
1. Current facilities to accommodate DR requirements (e.g., space, power, Tier III) and/or address different sourcing options.
2. Infrastructure foundation services recovery capabilities such as networks, AD, DNS, authentication, etc.
3. Service applications and collaboration tools such as email, unified communications, etc.
4. Business application recovery based on criticality, priority, interdependencies, etc.

[Diagram: Dependencies and sequence of applications recovery, with the incident response plan alongside]
1. Facility (e.g., power, space, hosting service)
2. Infrastructure foundation services: Network; Active directory; DNS; Core platform services (Systems/OS, storage)
3. Service applications and collaboration tools: Messaging; Unified comm.; Team spaces; Desktop tools; Mobile services
4. Business applications
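Added example (not part of the original presentation): a Python sketch of the sequencing idea on this slide. It groups services into recovery waves from a dependency map and flags any service whose target RTO is shorter than that of something it depends on. The inventory, service names and RTO hours are constructed for illustration.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed sample: service -> (target RTO in hours, services it depends on).
# Names follow the slide's layers; the RTO figures are illustrative assumptions.
INVENTORY = {
    "facility":         (4,  []),
    "network":          (4,  ["facility"]),
    "core_platform":    (4,  ["facility", "network"]),
    "dns":              (4,  ["network", "core_platform"]),
    "active_directory": (24, ["dns", "core_platform"]),
    "messaging":        (24, ["active_directory"]),
    "order_entry":      (4,  ["active_directory", "core_platform"]),
    "reporting":        (72, ["order_entry", "messaging"]),
}

def recovery_waves(inventory):
    """Group services into waves; each wave depends only on earlier waves."""
    unknown = {d for _, deps in inventory.values() for d in deps} - set(inventory)
    if unknown:
        raise ValueError(f"dependencies missing from inventory: {sorted(unknown)}")
    ts = TopologicalSorter({name: deps for name, (_, deps) in inventory.items()})
    ts.prepare()  # raises CycleError on circular dependencies
    waves = []
    while ts.is_active():
        ready = sorted(ts.get_ready())
        waves.append(ready)
        ts.done(*ready)
    return waves

def rto_gaps(inventory):
    """Return {service: (target_rto, earliest_hours)} where the target is unreachable."""
    ready_at, gaps = {}, {}
    for wave in recovery_waves(inventory):
        for name in wave:
            rto, deps = inventory[name]
            # A service cannot be back before its slowest prerequisite is.
            ready_at[name] = max([rto] + [ready_at[d] for d in deps])
            if ready_at[name] > rto:
                gaps[name] = (rto, ready_at[name])
    return gaps

if __name__ == "__main__":
    for i, wave in enumerate(recovery_waves(INVENTORY), 1):
        print(f"wave {i}: {', '.join(wave)}")
    for name, (rto, floor) in rto_gaps(INVENTORY).items():
        print(f"RTO gap: {name} targets {rto}h but depends on services due at {floor}h")
```

Any gap reported means either the dependency's RTO must be tightened or the dependent service's target relaxed before the roadmap is costed.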
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
© 2012 EYGM Limited. All Rights Reserved.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. The opinions of third parties set out in this publication are not necessarily the opinions of the global Ernst & Young organization or its member firms. Moreover, they should be viewed in the context of the time they were expressed.