Disaster Recovery Planning inBusiness Continuity Planning
Faculty of Computer Science Institute of Systems Architecture, Chair of Computer Networks
Dresden, 2/2/2010 Tenshi [email protected]
Agenda
1 Necessity
2 Planning
3 Testing
4 Use-case
5 Conclusion
6 Sources2
1 Necessity
Resuming business operations has been important throughout history.
-Romans used multiple messengers for redundant delivery
-Knights of Templar coded redundant information into billing
-Businessmen create carbon-copies of orders, bills, etc.
-Recent reminder: 9/11-attacks
3
© Reuters
1 Analysis of the 9/11-disaster
4
© Reuters
Directly affected area
Area containing the backup-sites
- Several redundant backup-sites existed
All within WTC or close proximity(within downtown Manhattan)
WTC-buildings designed as mutual backup-site for each other
Nobody expected both buildings to collapse
- Business-Operations (incl. brokerage) were down for weeks
Lead to worldwide financial collapse
1 Results
- US government issued the Emergency Preparedness and Business Continuity Standard
- developed by the NFPA
- endorsed by the NIST and DHS
- also focusing on actions after terror-attacks
- Other standards: BS 25999-1, ISO/IEC 27001:2005
Source: SBA, 2006
5
1 Necessity
- Strategic planning can help
- One must know which risks exist
- After investing into solutions, one shall maintain them!
A BCP is the result of a strategic Business Impact Analysis!
6
Marvin says:
2 Business Impact Analysis
Goals:
- Assess risks
- Evaluate the possible
- Make suggestions for solutions
Limits:
- Can not give a 100% accurate evaluation of costs and benefits
- Is only as good as sense of realism
7
BusinessImpact
Analysis
BusinessImpact
Analysis
Businessoperations
andtransactions
Businessoperations
andtransactions
BCP/DRPBCP/DRP
RisksRisks Costs
Costs
dero
gate aff
ect
affect affect
modify
limit/
mod
ify
limit/
mod
ify
evalu
ate
d b
ygenera
tes
TestingTestingevaluates
determines
2 Knowing the limits
One can never be prepared for everything!
Vogons could decide to build an interstellar highway… And Earth could be in the way!
8
2 Economic Utility vs. Accounting
Economic point of view:
Total Benefit ∙ Probability = Economic Monetary Value
Accounting point of view:
Return on Investment = [(Benefits – Costs) / Costs] ∙ 100%
Putting BCP/DRP down to numbers puts the entire plan at risk of competing for financial resources with other departments!
9
66 no or almost no data-lossno or almost no data-loss
33 electronic vaulting/bunkering
electronic vaulting/bunkering22 data-backup with hot-sitedata-backup with hot-site
11 data-backup with no hot-site
data-backup with no hot-site
2 Share’s 7-Tier model
10
00 no off-site datano off-site data
44 point-in-time copiespoint-in-time copies
55 transaction integritytransaction integrity
77 highly automated and integrated
highly automated and integrated
2 Share’s 7-Tier model
- Higher tiers do not necessary include the lower
- Often leads to misunderstandings
Serious solution-providers won’t suggest solutions of Tier 4 or below
Mostly, ready-to-use solutions with a sort of “turn on; works fine”-guarantee (classified by Tier 6 and 7) are the solutions of choice
11
3 Testing
- Businesses often do not actually have a working BCP/DRP-solution
- Most testing is limited to one initial test
- Periodic testing leads to additional expenses
- Difficult for IT-experts to justify testing-expenses
- “The severity rather than the frequency of loss is what can be used to justify the additional expenses associated with disaster recovery planning and testing. In a worst-case scenario, information critical to the business may be permanently lost.”(Harry L. Waldron, 2008)
12
3 Testing
Mostly forgotten:
- Regular testing leads to a training-effect
- Prepares all affected to face actual recovery challenges
- Optimizes responses to be more efficient
- Testing must be integrated, non-negligible part of maintaining
- Benefit of testing hardly quantifiable, but costs still easier to calculate than the potential loss due improper recovery process
13
determines
evaluates
RecoveryProcessRecoveryProcess
3 Testing
14
DisasterDisasterCounter-Measure
s
Counter-Measure
s
NormalOperationNormal
Operation
AbnormalOperationAbnormalOperation
defi
nes
reco
gniz
es
analyzes
defines & tr
iggers
disturbs
healscounters
and a
naly
zes
evaluates &
learns from
BCP/DRPBCP/DRPTestingTesting
4 Solution-provider: Swiss Data Safe AG
• Facilities placed in hardened bunkers within mountains in the Swiss Alps
• Facilities physically detached
• Each facility has redundant outward-connections
• Self-sustaining, EMP-resistive infrastructure
• “we deliver what you need, but don’t ask how it works”-mentality.
15
16
© Hans Rudolf Schneider
4 Further use-cases
• Plans are considered business-secrets
• Implementation-details are secret
• Fear of attacks against BCP/DRP
• BCP/DRP is a good source of money
17
5 Conclusion
• Government regulations suggest existence of standing plans within “important” businesses
• Many businesses actually do not take the necessary steps in order to have a BCP/DRP
• Those taking steps often have ineffective plans
• Testing is imperative, but often neglected
• Current secrecy of solution-providers and solution-users combined with future demand for disaster-readiness shows necessity of academic research to prepare future system-administrators for tasks awaiting
18
6 Sources
• Miller (Protiviti Inc.). From Expense to Asset. KnowledgeLeader. 2008.
• British Standards Institute. BS 25999-1, BS 25999-2. Standard. 2006.
• International Organization for Standardization. ISO/IEC 27001:2005. Standard. 2005.
• Marquis. The Paradox of the 9s. 2006. http://www.itsmsolutions.com/newsletters/DITYvol2iss47.htm.
• Thinking the Unthinkable - Trading Firms Look for Backups Sites. Traders. 2001.
• United States National Archives and Records. 2006 Annual NARA-report.
• United States Small Business Administration. How to prepare for Disaster. SBA Small Business Resource. 2006.
• Waldron. Windows Tips. Testing Windows disaster recovery plans. 2008. http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1299649,00.html.
19