Monthly Archives: November 2015

Risk Mitigation through DR

Timely information is the key to business success and in today’s scenario most organizations are fully dependent on IT enabled services to achieve their business goals. However IT is filled with risks such as viruses, malware, worms, hacker attacks, etc. Hence, it is crucial for organizations to protect information and critical business data in their IT systems. IT risks are managed by implementing comprehensive disaster recovery plans.

Risks in IT are a result of vulnerabilities and their resulting threats. Vulnerabilities are basically the weaknesses in a system or in the infrastructure. For example, not having adequate backup of data and information is vulnerability because in the event of hardware or software failure, important data could be lost. Similarly, not using the latest virus scanners is vulnerability. Threats are understood as a source or event that has the potential to accidentally trigger a misuse of IT systems or intentionally exploit a specific vulnerability. For example, stealing of passwords by hackers, viruses, worms, spam emails, etc. are threats. Threat also includes natural events such as storms, electric outages, high-voltage surge due to lightning, flood, fire, earthquake, etc. IT systems are vulnerable also to natural threats.

Vulnerabilities and threats in IT can be successfully handled and mitigated by developing a comprehensive disaster recovery management plan for the organization. Therefore, risk in IT is a function of threat and its potential vulnerability which always results in adverse impact for the organization. To avoid negative impact, risk management must be commensurate with the organization’s strategic objectives and focus on securing data and systems (hardware and software). IT risks can be managed effectively by security planning as well as disaster recovery (DR) planning.

DR plans will implement policies, procedures and actions to minimize disruptions to business in the event of a disaster and in order to ensure business continuity. The very first step in DR planning is to establish processes for business impact analysis (BIA). BIA processes helps to identifying specific risks and analyzes the impact of all IT enabled business processes. Using BIA as the key, other important elements to consider while developing a DR plan will include,

  • Clarity in organizational responsibilities: Many organizations fall short in determining roles and responsibilities in terms of DR. DR is more than just restoring data on servers or replicating databases, instead DR plan will ensure the applications and systems are able to support business functions. Here the participation of non-IT members is needed to understand the impact to business units while developing DR plans.
  • Define application recovery service levels: Application recovery services can be catalogued based on different levels of recovery provided by BIA. DR offers the insurance for protecting data and critical information however, efficiency in application recovery is also important. Aligning applications according to the levels of recovery obtained from BIA and restoring them with business functions according to their importance must be included in DR plan. For instance, restoring data related to product features immediately after a disaster is important for sales and marketing units.
  • Apply a cost model for DR: It is important to note that IT service levels are highly influenced by cost. The cost model can include items such as hardware, software maintenance, support, personnel and facilities. A carefully developed cost model can significantly result in continued IT services efficiently. Cost models are a must when business organizations hire IT services from data centers. Data centers provide different cost models based on business requirements.
  • Establish secondary facilities and involve experts: Many organizations consider the option of having an additional back-up facility in case the primary facility will experience a disaster. People with skills and capabilities for restoring IT services are needed to assist business users in restoring their data, applications and services without disruptions.
  • Establish standardized procedures: In the absence of DR planning, day to day operations can be disrupted to result in heavy losses for the organization. There are instances where organizations have compromised their mission critical data during a disaster. The need for adequate documentation to highlight risk analysis for key IT enabled business processes cannot be overlooked. Many organizations have embraced and implemented standard frameworks for security such as ITIL to significantly improve their chances of mitigating risks due to disasters (man-made or natural).

Large organizations that are dependent on IT cannot tolerate downtime of their business critical applications. DR plans help organizations to restore applications and data efficiently. In DR plans, provisioning IT services is done in order to ensure business continuity quickly without long disruptions. The objective of implementing DR is to mitigate threats, but it should be noted that DR plans once implemented does not provide all the protection required from new type of threats or attacks. DR plans are dynamic and must be updated and validated regularly whenever new types of threats arise.

IaaS Adoption in BFSI, Healthcare and E-Commerce Sectors

IaaS adoption is advancing in a massive scale by enterprises as years roll by. Business enterprises are quick to capitalize on emerging new markets and potential opportunities through the use of cloud IaaS services offering IT management and service delivery at scale. Recent surveys and expert opinion on adoption of IaaS mention that IaaS deployments are significant in the areas of BFSI, health care and e-commerce sectors.

Cloud computing services stands 4th place in the IT sector after mainframe, PC and internet. Cloud IaaS model is revolutionizing IT by providing new dimensions on how IT resources and technology can be leveraged to exploit potential business opportunities. Industry experts view cloud IaaS model as the most dynamic utility computing service presently available. For instance, the promise of pay-as-you-go pricing model and infinite scalability are some of the key drivers for cloud adoption across different industry verticals.

In India the need for inexpensive and effective IT services is driving cloud services across all types of organizations. In a summit titled ‘Gartner IT infrastructure operations & data center’ held in May 2015, Gartner report explains that IaaS spending in India is $104.8 million which is an increase of 38% in revenue compared to previous year and analysts predict IaaS adoption is expected to grow through 2018 to reach $1.9 billion.

In India, cloud IaaS adoption alone is expected to grow over 40% in 2015, according to a survey on IaaS adoption in India done by Knowledgefaber, an independent research and consulting firm. In India three main sectors namely BFSI (Banking Financial Services and Insurance), Health care and E-commerce sectors are found to be high adopters of cloud IaaS. These three sectors are explored for cloud IaaS deployment benefits in their area of operations.

  • BFSI: BFSI sector require vast IT infrastructures to efficiently handle huge volumes of data on a day-to-day basis. Cloud IaaS offers certain specific benefits to banks for facilitating and servicing customers with latest technologies while reducing overhead cost in their physical branch. In cloud IaaS customers are allowed to access their personal details and perform online transactions using any type of device from anywhere.
    Cloud IaaS service enables efficient mobile banking capabilities and customer relationship management with automatic scaling or descaling based on network or server workloads. BFSI organizations leverage cloud IaaS to enable online transactions for customers and serve customers through ATMs, thus optimizing resources in their branch offices. Further financial institutions, mainly banks and insurance companies are also able to widen their customer base into rural areas due to the availability of internet and mobile services.
  • Healthcare: According to Forbes magazine, over 83% healthcare organizations are using cloud based services and porting a variety of healthcare apps on the cloud. The need for healthcare IT is due to the fact that more and more information (patient conditions, research data, drug information, data gathered from various computer controlled devices in therapy) is immediately available in digital form. To handle this huge volume of data across multiple locations requires robust and reliable IT infrastructure.
    Healthcare organizations continuously face challenges in terms of mining clinical data and historical records, compliance to healthcare regulations, potentially damaging drug recalls and effectively respond to unexpected negative events such as sudden epidemic outbreak, viral infections, etc.
    A cloud IaaS service from a data center allows pooling of IT resources and is easily made available through the internet to hospitals, clinics, laboratories, research centers. This brings experts together with collaboration tools to provide effective healthcare to patients and facilitates health information exchange for effective treatment.
  • E-Commerce: E-commerce is another area of picking up momentum particularly with SMBs and retail business companies. E-commerce applications primarily have functionalities such as automated workflows, online transactions and customer support which require speed and quality of service for customer satisfaction and retention.
    Cloud IaaS enables cost cutting with speed and provides specific benefits such as reliability in transactions and efficiency in handling large number of customer requests. The multiple layers of security in the cloud to ensure transactions and private information are protected. The usage based pricing model and on-demand self-service along with scalability are some attractive propositions for e-commerce businesses.
    IaaS offers the infrastructure to implement and run web based applications thus eliminating the need for costs in building an IT infrastructure. Further data generated in e-commerce software is stored in a centralized servers making it secure from theft or leakage. In summary, e-commerce companies’ benefit from IaaS in overcoming issues related to security, data integrity, scalability and above all allowing customers to access information from different devices.

Cloud IaaS services play a facilitating role for business enterprises by providing hardware and IT infrastructure to manage any type of business functions with agility. IaaS services are available from data centers at a fraction of cost compared to capital expenditure likely to be incurred in building an in-house infrastructure network.

Best Practices in Disaster Recovery and Business Continuity

Business enterprises depend on information to survive and to ensure business continuity. However, in IT protecting information from disasters is a constant challenge. In spite of having adequate data backup and storage, companies face business disruptions and useful data is lost. Thoughtful planning and collaboration of people at all levels in the organization can help to develop comprehensive disaster recovery and business continuity plans to adequately protect critical business data from loss.

The term disaster recovery is relative because disaster has many forms and will occur unexpectedly. IT systems, servers, data and applications are vulnerable to disasters like floods, hurricane, power outage, hardware failure, attacks and hacks on servers or network and also to human error. Inadequate planning in technology and business can compromise critical business data and cause substantial financial downfall. Most of the disaster issues can be mitigated by developing comprehensive DR plans and restore business operations within few hours, instead of days as earlier. DR plans are aimed at protecting data and vital assets in the organization. It is important to note that DR planning is unique for every organization.

Consider a scenario when important notices or information must be sent to specific set of people at a given time. If IT is down, the cost of downtime can result in the company losing its value with customers, stocks decline and stakeholder confidence is lost. Therefore, DR plans in an organization should identify potential risks that exist within their IT environment and define steps to mitigate those risks in order to ensure business continuity.

Business continuity and DR planning is often defined as an ongoing process that is integrated with day to day operations. For example if a C-level executive will notice his email is down or is unable to generate a report for decision making, this cannot be tolerated. The process involved in a DR plan includes certain key elements to ensure efficient and effective restoration of critical business functions in the event of an unplanned disruption. The key elements to consider in BC and DR planning includes,

  • Assessment of critical applications
  • Procedures for Back-Up and Restore, recovery of data
  • Procedures for implementation and testing and maintenance

Some of the best practices which can be considered while defining DR plans are:

  • Catalogue systems and identify all impact: BCDR planning starts with identifying applications and data for their criticality and their cost of downtime. Also, the recovery points and recovery time objectives (RTO) for each component is understood. For example, the negative impact of losing critical customer records or network connectivity must be understood and planned appropriately. The plan must include all the systems and services (servers, storage disks, network components, etc.) participating in business operations must be catalogued and the RTO for each component is understood and plans are defined.
  • Involve people in BCDR: Normally, DR responsibility falls with IT or a single person in the company. If this person is not available during a disaster event, the company has all the recovery plans, but no one to restore the systems. Therefore, several people from different departments can be trained to handle recovery procedures, it will be best to train some people outside the primary data center region or another team of people in another region are taught on applications and data recovery, particularly in a hosted environment.
  • Ensure redundancies to protect mission critical data: The plans will ensure that adequate resources are available for backing up data and applications. In case of availing cloud services from data centers, the company must ensure appropriate SLAs in place for disaster recovery to make sure applications and data are available at all times. SLAs must also define infrastructure redundancy like replicating data in another location for availability in case if the primary data center is down for some reason. Infrastructure redundancies to consider in plans will include power, cooling, telecom, network and other related hardware.
  • Include changes to DR Plan as and when they occur: BCDR plans must include all critical business processes and their associated applications, their SLAs, data sources and steps to recover within their recovery points and RTO. For example, if a new application is implemented, or if applications and data are moved physically to a cloud, the earlier plans are outdated. It will be best to keep plans aligned with changes in the operating environment and documented fully.
  • Periodically evaluate BCDR Plans: BCDR plans are evaluated periodically by running vulnerability tests and appropriate patching is done for protection to systems and infrastructure. Latest technologies are also evaluated for their benefits in ensuring business continuity and to develop a new set of SLAs. The evaluation and testing of plans must consider future requirements and ensure a fail-safe infrastructure for the organization.

In spite of diligent planning and continuous evaluation of BCDR, IT failures are common and hence DR is a continuous process. Companies can consider these best practices in BCDR planning to overcome IT disaster nightmares.

Cloud and the role of SLA

As cloud computing is taking center stage for different IT enabled business enterprises it is highly essential to define policies, procedures and service level agreements (SLA) in order to maximize the value of cloud for both the consumer and the service provider. SLA statements written must be measurable, achievable, relevant and timely and should remain specific for cloud services aimed at minimizing ambiguities for both the cloud consumer and the cloud service providers.

The cloud service models (IaaS, PaaS, SaaS, etc.) offer new paradigms of computing resources and IT enabled capabilities for all types of organizations. IT industry experts claim that over 80% of enterprises have adopted some cloud service in their organization. The key term ‘service’ in cloud computing creates the need to develop contracts named service level agreements (SLA) between the client organization and the cloud service provider (CSP). SLAs are used by companies for a long time, especially when the company hires third party service provider to manage some of their business operations. SLAs will ensure the consumer receives all the services availed as agreed by the provider and of course ensure money’s worth for the client.

Likewise, an organization deciding to hire cloud services for their IT needs, SLAs come into play to make sure the services offered by the CSP are delivered as promised. SLA has become a pre-requisite due to cloud business strategy and provides series of rules and directives that must be taken by cloud consumers to evaluate and negotiate terms with CSP. It describes a set of non-functional requirements of cloud services. An example of SLA can be the return of operations (RTO) in case of any service failure in the cloud.

Cloud SLA is imperative for compelling reasons,

  • Ensure availability and uptime
  • Specific performance benchmarks to compare actual cloud performance
  • Availability of usage statistics for the consumer
  • Informing scheduled changes to consumers in advance (eg., maintenance downtimes)
  • Help desk and support to resolve specific issues
  • To clarify the scope of resources used in cloud service of interest

SLAs are the means of documenting cloud services between the CSP and consumer and play a major role for the following reasons:

    • Roles and Responsibilities: Consumers must understand the roles and responsibilities and business relationships between them and the CSP. For example, an indirect actor namely cloud carrier is an entity providing the carrier or transport for cloud services between CSP the consumer. In this scenario, the SLA must cover provisioning of alternative carrier in case of non-availability our outage with one carrier. According to NIST (National Institute of Standards and Technology) reference architecture, the actors involved in cloud are: Consumer, CSP, Auditor, Broker and Carrier, with unique roles. Cloud consumers must recognize and understand the activities and roles of each entity or service in the cloud as explained by CSP including their own set of responsibilities.
    • Examine Business Level Policies: Business level SLAs would define Guarantees provided by the CSP (for example, guarantees will include 99.99% uptime, measurable performance and usage, etc.). Acceptable use policy is a business level SLA statement where the CSP describes how the service should be used, List of services not covered and Excess usage. Normally, the CSP will encourage the consumer to buy resources that is only required for their business. Other policies will include Payment and penalty models, Activation, Renewals, Transferability, Sub-contracted services, Licensed Software, Industry specific standards and Support.
    • Data Level Policies: Data level policies are critical in SLA. Here CSP will explain on how the consumer’s data is governed and protected in local jurisdiction or other locations where the data will reside or made available. Consumers must carefully evaluate legal requirements on how SLA will handle issues related to movement of data to offer multi-site storage in different jurisdictions for redundancy. The other critical SLAs in data level policies include, Data Preservation – backup, restore, redundancy, etc.; Data Locations – will verify data locations for consumers; Data Privacy – defines how consumer data is secured and used; Data Seizure – in some circumstances the data can be seized by government agencies, etc. Therefore, data level policies in SLA are the most critical policies which must be evaluated thoroughly by consumers.
    • Service and Deployment Model Differences: Service models are categorized as IaaS, PaaS and SaaS. The service models in cloud are unique in terms of service delivery and are defined with unique SLAs. Likewise cloud deployment models are private, public and hybrid clouds which have a unique set of SLAs. According to Cloud Standards Customer Council (CSCC), consumers should understand the nuances of service and deployment models and their corresponding SLAs because their value and risk varies significantly.
    • Describe Objectives for Critical Performance: SLA in performance objective relates to efficiency, accuracy and service delivery. Performance statements in the SLA will help consumers to measure and audit different aspects on cloud performance. Performance metrics are dependent for each service IaaS, PaaS and SaaS. For example, performance considerations for IaaS will include network and compute and so on.
    • Security and Privacy Considerations: SLAs related to security and privacy considerations deals with information assets – data, applications, functions and processes and can be defined based on criticality and sensitivity of consumer data. Normally CSPs offer global security standards defined in standards such as ISO, COBIT, ITIL, etc. The SLA will also cover alternative actions in case of security breaches or data loss for the consumer.

In addition to the above roles, SLAs will also define areas such as disaster recovery, service management, auditing, self-service metering and provisioning, solutions for service failure, remedies and limitations in cloud services. SLAs will also state exit processes followed in case a consumer wishes to discontinue from a service provider.