This document discusses business continuity and disaster recovery strategies using cloud services. It covers key aspects of business continuity planning including storage, databases, applications, networks, and people. The document distinguishes between business continuity and IT continuity. It then discusses various cloud delivery models (SaaS, PaaS, IaaS) that can be used for disaster recovery and business continuity planning. Specific strategies for using cloud services for file storage, databases, and applications in a disaster scenario are outlined. The document also addresses risks, testing approaches, and factors to consider when selecting a cloud provider for business continuity and disaster recovery needs.
2. Continuity of
• Storage
• Database
– SQL
– NoSQL
• Application
• Desktop
• Network
People?
• Business
• IT
• Customers
• Environment
3. Out of scope
• Overall reliability of cloud
• Decision to move “the primary” on to the cloud
• Private cloud
• Personal backup/DR in cloud
4. Business Continuity vs IT Continuity
• Business Continuity: capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident (Source: ISO 22301)
• Is about prevention – not just a cure
• Focused on critical business processes – not on particular assets or enablers like IT systems
• ICT Continuity: capability of the organization to plan for and respond to incident and disruptions in order to continue ICT services at an acceptable predefined level (Source: BS 25777)
7. Cloud based delivery
• SaaS – Software as a service (e.g. Salesforce, gmail, GoToMeeting, Mailchimp)
• PaaS – Platform as a service (e.g. Heroku, Force.com, Google App Engine)
• IaaS – Infrastructure as a service (e.g. AWS, Microsoft Windows Azure)
• DaaS – Desktop as a service (e.g. Dell, Citrix, Deskstone)
• …
8. Why prefer cloud for DR/BCP?
• Cost: No Disaster -> Minimal costs
• Elastic (to different structures + changes) -> Cost Effective
• Management Flexibility: No control <-> Full Control
• World-class redundant facility
• Up-to-date applications, defined by RTO, RPO
• Cloud service provider support > local staff + travel
(Source: Cloud Security Alliance)
9. Datacenter Infrastructure Components & Maintenance
Production
• Applications
– License
• Servers
– OS + Hypervisor (License)
• Storage
– SAN
– Primary Storage
– Backup
• Network
– Router
– Firewall
• Disaster Recovery
– Traditional
• Same as production?
– Cloud
• Snapshot Storage only
• Storage + DB and/or App
10. Cloud Strategies for Continuity
• Use cloud services as backup (DR).
• Use different cloud services for primary and DR.
• Use the same (DR ready) cloud service for primary and DR.
11. DR Strategies on cloud
• Backup & restore (encryption?)
• Pilot Light
– Running replicating database server (no app srv)
• Fully working low capacity standby
• Multi site hot standby
12. File Storage in cloud
• Physical (periodical) shipment
• iSCSI Based Archiving/Sync
• Backup to cloud
13. Database in cloud
• Offline file shipment
• Backup & restore
• Log shipment
• DB Synchronization
• Two phase commit
15. Risks with Cloud BCP
• Security and privacy!
• Change management
• Adaptation of new technologies
• Connectivity requirements
• Activation
16. A secure way to store data in cloud for DR
• During normal operations
– Encrypt and ship data to cloud
• In case of disaster
– Enable computing
– Enter decryption key to servers & use
• Return to normal
– Destroy decryption key on servers
• Change of provider
– Destroy decryption key (& decommission service)
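The key lifecycle on slide 16 as a runnable sketch; this is an added example, not part of the original slides. It assumes the openssl CLI (1.1.1 or later for -pbkdf2); the function names, file names, sample data, and the choice of AES-256-CBC with a separately stored ciphertext digest are assumptions, since the slides name no tool or cipher.

```sh
#!/bin/sh
# Added example: key lifecycle for encrypted DR copies. Paths and data are constructed.
set -eu
umask 077   # key and plaintext files readable by owner only

# Normal operations: encrypt at the primary site, ship only the ciphertext.
# $1 plaintext, $2 key file (stays on-premises or in escrow), $3 ciphertext to ship.
# Prints the ciphertext SHA-256; keep it with the key, not at the provider.
dr_encrypt() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$2" -in "$1" -out "$3"
    openssl dgst -sha256 -r "$3" | cut -d' ' -f1
}

# Disaster: the key is entered on the DR server; verify the copy, then decrypt.
# $1 ciphertext, $2 key file on the DR server, $3 expected digest, $4 output file.
dr_restore() {
    dr_got=$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)
    if [ "$dr_got" != "$3" ]; then
        echo "digest mismatch, refusing to restore $1" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" -out "$4"
}

# Return to normal or change of provider: remove the key from the DR server.
# Overwriting is best effort on snapshotted or SSD-backed volumes, so provider
# snapshots of the volume that held the key have to be deleted as well.
dr_destroy_key() {
    dr_len=$(($(wc -c < "$1")))
    dd if=/dev/zero of="$1" bs=1 count="$dr_len" conv=notrunc 2>/dev/null
    rm -f "$1"
}

# Walk the lifecycle once in a scratch directory; prints "ok" on success.
dr_demo() {
    dr_tmp=$(mktemp -d)
    openssl rand -hex 32 > "$dr_tmp/site.key"        # generated on-premises
    printf 'ledger row 1\nledger row 2\n' > "$dr_tmp/db.dump"   # sample data
    dr_sum=$(dr_encrypt "$dr_tmp/db.dump" "$dr_tmp/site.key" "$dr_tmp/db.enc")
    cp "$dr_tmp/site.key" "$dr_tmp/dr.key"           # disaster: key entered
    dr_restore "$dr_tmp/db.enc" "$dr_tmp/dr.key" "$dr_sum" "$dr_tmp/restored"
    cmp -s "$dr_tmp/db.dump" "$dr_tmp/restored"
    dr_destroy_key "$dr_tmp/dr.key"                  # return to normal
    [ ! -e "$dr_tmp/dr.key" ] && echo ok
    rm -rf "$dr_tmp"
}

dr_demo
```

The digest check makes the restore fail closed if the stored copy was altered at the provider, which plain CBC decryption would not detect.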
18. Will your cloud provider continue?
Ask:
• Level of redundancy
– N + 50%? N + 1? N x 2?
• Cloud DRP in the redundant locations/power feeds, circuits, networks
• DR & BCP within contract
• Steady state billing
• Declared disaster billing
• RPO, RTO options and costs
• Regular DR tests
19. Cloud Based Continuity Testing
• Remember KISS
• Start small (unit testing)
• Go big (with your own pace)
• May aim full capacity & automatic failover
– Include shutdown/disconnect primary site
20. Why not to prefer cloud for DR?
• Data security/privacy concerns
• Giving up too much control
• Too much invested in current infra & staff
• Cloud needs to mature
• Satisfied with existing infra
Source: Enterprise Strategy Group, 2011
21. Standards and References
• ISO 22301
• ISO 25777:2008 – Information and Communications Technology Continuity Management: Code of Practice
• CloudSecurityAlliance.org
• ISACA Journal 2011/2
• Wikipedia.org/wiki/Cloud_computing_architecture
Cloud Based Business Continuity
Speaker: Murat Lostar, CEO, Lostar Information Security
After completing this session, you will be able to:
• Appreciate the basics of business continuity and its IT footprint
• Implement fundamental cloud approaches
• Recognise the role of IT and business continuity in choosing cloud solutions
• Craft strong open source cloud solutions that can be used for recovery
• Understand example continuity crises including successful as well as weak approaches
• SaaS – You are already on the cloud for primary (check your providers’ resilience)
• PaaS – Good integration, ensure redundancy
• IaaS – Easiest to implement for traditional data center DR solution
• DaaS – Important add-on for user layer; includes thick, rich applications; allows BYOD (bring your own device)