How 7 Companies Proved IT Disaster Recovery with DRaaS. Drivers for Disaster Recovery-as-a-Service

Transcription

1 How 7 Companies Proved IT Disaster Recovery with DRaaS Drivers for Disaster Recovery-as-a-Service

2 PROOF OF DISASTER RECOVERY Given how much modern business relies on technology, it s important to have an IT Disaster Recovery (DR) plan in place for your IT systems. Imagine if someone asked you today to prove the effectiveness of your DR plan. What if you had to prove it not only internally, but to your constituents as well? Over the past decade, it has become increasingly common, and in some cases required, that companies provide solid evidence of a proven recovery plan as part of their overall availability strategy to stakeholders. As more security incidents and system outages have been publicized by the media, it s also clear that IT teams are responding to a broader set of risks than their original DR plans were designed to address. Security penetrations, DDoS attacks, prolonged network or power outages and hardware or software failures are now far more likely and impactful than the weather-related events that most plans have been designed around. Business-as-usual is no longer sufficient when companies are now required to supply proof of recovery success, recovery quality (data) and recovery time for various reasons. Leaders often change their approach based on the higher level of scrutiny they face from others, which means they must put their reputation on the line when proving their DR plans actually work. This can be a tough situation both for the leaders and the technology teams doing the heavy lifting. COMMON CONSTITUENTS WHO WANT PROOF OF DR STRATEGIES: Auditors Insurers Investors Board Members Regulators Customers/Clients Bluelock has a wealth of knowledge working with companies on modernizing IT resiliency approaches every day, and we ve put together some specific areas of questioning that may help in assessing your current plan for risk. We ve included examples from our client base, scrubbed for privacy and security, to tease out a bit more color and nuance around each point. If you re a business leader, this should help you open a dialogue with your technology team. If you re on the technology team, this should put you in a position of confidence, or at least awareness, as these questions come up. Or, if you happen to be reading this as a constituent, we hope this helps in establishing a more productive dialogue with companies and their technology teams. In the end, we all want the best for business and the technology drivers that support success. 2

3 Proof of Data Protection & Recovery A single test is not proof. Having a copy of your data somewhere else does not ensure that applications can return to service. Being able to power on systems at the recovery site does not guarantee they will come back online within the specific time period that the business requires. Only consistently successful recovery tests will satisfy external parties that the recovery plan is effective. 1 Research Firm Only consistently successful recovery tests will satisfy external parties that the recovery plan is effective. A national research firm needed to gain an insurance renewal with a discounted policy. To do so, they needed to prove continuously successful DR tests for key systems that supported their customer-facing business applications. They chose Bluelock s Disaster Recovery-as-a-Service (DRaaS) expertise to help them achieve this. Each test, done every six months, had to verify that the most recent data and systems could recover within a given timeframe. To show this proof, both our recovery team and a member of the client s leadership were required to sign the testing certificates, which verified consistent recovery success. 2 Law Firm A law firm faced external scrutiny from one of their largest clients when an audit of that client s internal DR plan realized a significant dependency on third-party services. While third-party services were originally out of scope, this newly-identified risk placed legal services also accountable for recovery planning, so the firm had to prove their DR plan worked. For these reasons, they decided to outsource their DR to an experienced provider. They selected Bluelock because of our track record working with broad sets of applications, our project management office, consistently-successful DR testing and recovery expertise in real events. 3

4 3 Wealth Management Firm A wealth management firm had a similar experience. Their in-house staff was focused on supporting a growing business, but their own customers wanted proof of an IT availability strategy. As a result, the firm chose Bluelock as its DRaaS provider to provide the extra headcount and hardware at a fraction of the cost. They wanted a datacenter in a geographically diverse location with the ability to recover with minimal time. Immediately at contract signing, our team of experts worked on the firm s behalf to create a playbook (a comprehensively detailed runbook), controlled access to partners and a responsibility assignment matrix to define whose role did what in the event of a disaster. All of these things proved to the customers that the firm had a working DR strategy. Proof of People & Process This is the most often overlooked aspect of a DR plan. Effective technology is great, but without proven and tested processes, which are performed by experienced people who are available and focused in an event, the plan will fail. It s also important for these individuals to have power and network access for more efficient recovery. IMPORTANT CONSIDERATIONS FOR RECOVERY EVENTS Has your IT team experienced a real-life event before? 4 Financial Services Firm When Hurricane Sandy struck the Manhattan region, a financial media conglomerate was able to operate with little-to-no downtime. Fortunately, their VP of Systems had put in place a modern cloudbased recovery solution running several hundred miles inland and had chosen Bluelock as their partner. They also had the foresight to begin to turn that system up, knowing that an outage was likely, based on the path of the storm. While their neighbors scrambled for weeks to recover, our experienced recovery team was able to continue the recovery process while their team focused on the safety of their families. Who will carry out the recovery if your primary person and/or team is unavailable? How will the recovery process be completed if access to technology is limited or unavailable? 4

5 What no one fully appreciated was the scope and duration of the impact on the people, power and cellular networks. It s important to ask questions about how the recovery process will be performed if key individuals are unavailable or unable to access technology. It s also useful to determine how many disasters that your team has actually experienced in real life and recovered from. For most, your event will be their first. Proof of Integration Being able to modernize all of your applications and technology investments with the push of a button would be amazing. That simply isn t the reality in most businesses and technology environments today. There are a number of wonderful modern technologies that facilitate data replication and automated disaster recovery, but the challenge is that many of them require the applications and infrastructure to be just as modern. Rougly 1 in 3 companies have experienced a technology-related disruption over the past 2 years. 5 Airline (Bluelock. "2016 Perspecitives on IT Disaster Recovery Survey," May 2016). A private airline had the golden standard of business critical: If their flight manifest system went down and was unable to sync with the TSA no-flight list before take-off, strict regulations would force them to ground their planes. To make things even more challenging, this system had strong legacy roots. While we were able to protect the vast majority of the environment with the most modern tools, this specific application required a specialized approach tailored for the way it handled data and service startup automation. These two different technologies were paired together as part of a cohesive recovery solution that leveraged the exact same recovery processes and team members. That pairing ensures the recovery environment, though technically more complex, is operationally simple. 5

6 Proof of Security Shortcuts and DR tend to go hand-in-hand. Last year s hardware, out-of-date software, single node systems, etc. are the norm in most in-house recovery environments due to budget constraints and views of recovery as insurance (rather than a measure to maintain availability). The challenge is that whether a business is using its recovery environment at that moment or not, it most likely contains a complete copy of production data. That s why security for your recovery environment is the last place to cut corners. Recent large-scale data breaches show the intruder community is well aware that it s easier to attack systems that are adjacent to production, rather than the heavily-guarded proverbial front doors. Proving the security of your production environment can be daunting enough, but proving it in recovery can be even more challenging given the system isn t fully running 99% of the time. 6 Regional Bank A regional bank needed to increase the availability and security of their systems. They were worried that, if their website went down, customers wouldn t be able to access their online banking portal and think the bank had been hacked. As a result, security for their DR environment had to be as-good or better than production, both day-to-day and during a failover event. The bank s public-facing applications contained sensitive personal information, and they were required under SOX compliance to meet certain security standards. To harness the most robust security, they leveraged our HIPAA/HITECH compliant platform and controls. Proving the security of your production environment can be daunting enough, but proving it in recovery can be even more challenging given the system isn't fully running 99% of the time. To simplify integration, the bank chose to host both the production and recovery environments in Bluelock s cloud and stretched the service delivery across two distinct locations: Las Vegas and Indianapolis. In addition, they leveraged our HIPAA/HITECH feature sets (encryption and audited controls for ITSM) to achieve robust security that met and exceeded their requirements for SOX compliance. With a working and secured DR solution, the bank proved that they could protect against downtime and cyber threats. 6

7 Proof of Compliance Where there is sensitive information, there are often regulatory obligations for compliance. The rules for HIPAA/HITECH compliance are pretty clear on DR. It is a necessity for any system that is part of the overall healthcare delivery system and it has to work and be proven by the time you are audited. 7 Healthcare Provider A major healthcare provider whose expanding technology environments threatened the risk of non-compliance found it difficult to maintain compliance while also keeping pace with company growth. They needed to prove to regulators that their environments met the necessary requirements, using only their existing staffing and expertise. They also wanted to leverage the funding that was going to be liberated when they closed down their secondary datacenter site. The IT department explored doing DR in-house, but realized the task of building a second site for recovery was too time-consuming with other priorities. They needed a DR solution that would meet their HIPAA/ HITECH regulations and, based on their growth, it had to be flexible enough to scale as the organization expanded its use of technology to provide innovative new healthcare. Leveraging Bluelock's recovery expertise and elastic pay-for-what-you-use recovery platform achieved both HIPAA/HITECH compliance they required and efficiency for growth. Having the test certification process fully-documented and signed by both parties, as well as having the HIPAA/HITECH controls certified and audited under our SOC 2 report, quickly exceeded audit requirements. LEVERAGING DRAAS FOR SUCCESS If you haven t already noticed the trend, many varieties of successful companies leverage our Disaster Recovery-as-a-Service (DRaaS) solutions to accomplish their business objectives. When it comes to proving a working DR environment, sometimes you have to get creative. One client has even expressed to us that, 7

8 to accomplish this proof, they ve gone so far as letting their software engineering team (a separate department) decide when their DR testing should occur. While this approach might not be right for everyone, it s a brilliant way to keep those who manage DR in a state of readiness, while also ensuring proper creative tension is in place to drive an effective recovery plan. Some companies build out their own solutions, and that s okay. The right choice is often dictated by specific priorities, timing, budget and expertise. There s nothing wrong with implementing DR yourself, but if you re short on resources and receiving pressure from someone to prove your plan will work, it may be worth your time to reach out to us. To speak with an expert about your DR strategy, drop us a line at Bluelock.com to schedule a conversation or call A quick 30-minute phone call will help us jointly discover how DRaaS might improve your DR strategy. Read Bluelock's Practical Guide to DRaaS The Practical Guide to Disaster Recovery-as-a-Service is a beginner s resource for understanding the end-to-end aspects of tackling IT resiliency. Learn how to gain company-wide buy-in Understand the 3 types of DRaaS service models Tier your applications for expedited attention during crisis Test your DR solutions for success Get tips for a successful DRaaS implementation Access Now 8