IBM Global Technology Services White Paper IBM Business Continuity and Resiliency Services Transitioning business resiliency to the cloud Cloud technologies and services help improve availability and recovery
2 Transitioning business resiliency to the cloud The cost of downtime is increasing. According to the IBM Global Study on the Economic Impact of IT Risk, an outage of less than 20 minutes can now cost an organization more than US$1 million. A major disruption, one lasting seven hours or more, typically costs more than US$14.2 million. 1 These expenses can be attributed, at least in part, to organizations considerable and growing dependence on technology. No longer a secondary or tertiary enterprise function, IT now drives business. Around the globe, organizations deploy cloud technologies to more efficiently and economically run production workloads. They implement mobility initiatives to forge new revenue streams and improve employee productivity. They employ analytics to glean true business insight from mountains of big data. All these activities provide competitive advantage, and none of them could happen without robust IT operations. As IT becomes ever more important and the cost of downtime increases, it is no wonder that improving resiliency has become a high priority. Organizations are willing to spend money to help make systems, data and applications virtually always available; to protect them from risks ranging from human error to weather events; and to safeguard data. Increasingly, organizations turn to cloud computing to help them achieve these goals. The promise of cloud computing Cloud computing offers several benefits to those seeking to improve resiliency operations. By hastening and easing the restoration of servers, applications and data, it can dramatically improve recovery point objectives (RPOs) and recovery time objectives (RTOs), typically restoring operations with disk volumes and data that are only seconds old at the time of the outage. Cloud computing can aid in solving the intricate problems of restoring heterogeneous server environments. Cloud-based data retention and restoration can also help organizations comply with the data mandates set by government and industry regulations, such as the Heath Insurance Portability and Accountability Act, the Sarbanes- Oxley Act, the Dodd Frank Wall Street Reform and Consumer Protection Act, and Payment Card Industry data protection standards. In addition, many organizations find that cloud-based resiliency solutions especially those offered by third-party technology providers can help them both save money and improve scalability. Typically, third-party cloud solutions are offered with a pay as you go pricing model, requiring organizations to pay only for the capacity and services needed, and only when organizations need them. This billing model can help organizations control resiliency costs while more easily scaling resiliency solutions to accommodate growth or times of peak activity. For example, a retailer that needs more computing power for resiliency operations during the holiday season can simply request it from the organization s cloud provider, then pull back when that additional capacity is no longer required. What to look for in a cloud provider If cloud can help organizations address a host of resiliency challenges while saving money, why aren t all organizations rushing to implement cloud solutions? There are several reasons. First, designing, building and deploying cloud resiliency solutions in-house is a challenging process, demanding significant capital expenditures, proven methodologies, specialized skills and tools, and the time to continually examine and revamp solutions to keep pace with evolving threats. Second, since cloud is a relatively new technology, many organizations lack the experience to determine which data
IBM Business Continuity and Resiliency Services 3 sets, applications and systems have the greatest affinity for cloud resilience, and which should remain in their traditional, physical state. Third, many organizations worry about choosing and implementing the security measures needed to secure data, applications and systems, both in the cloud itself and in the virtual private networks used to transfer data from the enterprise data center to the cloud. Because of these hurdles, many organizations prefer to work with a trusted third-party technology provider for the development and management of their cloud resiliency solutions. In a crowded cloud marketplace offering everything from bare-bones cloud infrastructures with little or no support to highly secure, enterprise-level, fully-managed private clouds, enterprises can sometimes find it hard to know what to look for in a cloud services provider. IBM suggests choosing a provider with acknowledged expertise in strategic visioning and cloud migration, along with the ability to provide a flexible, secure, enterprise-class cloud infrastructure. The provider should be dexterous enough to handle the client s operating system of choice (UNIX, Windows, Linux and others), and to easily mesh cloud and non-cloud environments. The provider should deploy analytics and automation as appropriate to bulk-migrate simple workloads while offering high-touch services to migrate more difficult applications. Deployment models are important, and the technology provider should offer a variety of cloud models (see sidebar, Cloud deployment models defined). The cloud provider should also provide tiered service levels, so that recovery time and the cost of recovery services can be selected based on the tolerance for downtime of a particular application or data set. Service level agreements should align with the client s specific business and usage requirements and cover support levels, performance and security. Cloud deployment models defined There are three cloud deployment models in today s marketplace: Private: A cloud dedicated solely to a single business. It can be hosted on premises or in the cloud provider s data center and controlled by either the enterprise or the provider. Multitenant: A cloud shared by many organizations, hosted in the technology vendor s data center. When using multitenant clouds, security and isolation technologies must be deployed to keep each organization s data, systems and applications segregated and secure. Hybrid: A cloud utilizing the capabilities of both public and private cloud infrastructures, merged with traditional IT. IBM suggests choosing a cloud provider able to offer all these deployment models and any combination thereof in order to meet organizational goals. Since many organizations will also need help once the cloud environment is up and running, it is best to choose a technology provider that offers cloud management services. Ideally, the provider can also offer alternate solutions management services for traditional server environments, as an example for those resiliency challenges that cannot be solved by cloud migration. An orderly approach to transforming resiliency Whether working with a technology provider or building a cloud in-house, there are steps organizations can take now to begin planning their cloud resiliency transformation. IBM s process for developing an end-to-end business resiliency cloud strategy consists of four phases: strategy, design, transition and transformation (see Figure 1).
ISV Applications Oracle Business Suite PeopleSoft Others IT Infrastructure Print and file management Networking Proxy caching Security Systems management Custom Applications Java (typically hosted in web application server) Web Infrastructure Web server Streaming media Collaboration Email Workgroup Custom Web Infrastructure Applications (non-java) Web server C/C++ Streaming media Cobal, Collaboration scripts Email Workgroup Databases DB2, Oracle 4 Transitioning business resiliency to the cloud Strategy and design Transition and transformation Step 1 Step 2 Step 3 Step 4 Data discovery and requirement definition Transformation strategy and design Migration, standardization and registration Remediation, testing and workload transition Collect key business resilience requirements for data and applications and for data dependencies. Profile existing applications, governing policies, strategies and plans. Identify candidates with cloud resilience affinity. Perform financial analysis, propose resilience tiers placement, architectural diagrams, and executable transition plan. Provision target resilience environment. Using methods and tools, automate virtual or physical servers for recovery and configure workloads for resilience testing. Test the resilience strategy, gain customer acceptance, and perform transfer to ongoing management. Repeatable model Factory approach Tools, assets and IBM innovation Figure 1: As illustrated here, IBM implements end-to-end, cloud-based business resilience solutions in four phases: strategy, design, transition and transformation. Strategy Start by examining business direction and aligning and documenting resilience requirements with that direction. Take into account needs for the availability, backup and restoration of data, applications and systems. Analyze workloads to determine which applications and data have the greatest affinity for cloud resilience. Be prepared to leave some systems, data and applications in their traditional state: data and applications housed on legacy hardware, as one example, or applications whose vendors won t offer cloud support. Next, determine which cloud deployment model or models best suit organizational needs for resiliency. Begin designing both the cloud and the networks that will underpin it often, existing networks will need to be reconfigured to support the bandwidth required to continually transfer information to your cloud.
IBM Business Continuity and Resiliency Services 5 Design Begin drafting a cloud transition plan. Integrate the cloud solution and legacy recovery systems into a cohesive whole shaped by which traditional resiliency processes the organization needs to preserve. Determine resilience tiers or, if working with a technology provider, require specific service level agreements for systems, applications and data based on their tolerance for downtime. Typically, mission-critical applications such as customer relationship management and enterprise resource planning have the lowest tolerance for downtime, and service level agreements should reflect that. Begin updating resiliency policies and procedures, then identify and document changes to resiliency processes. Develop architectural guidelines and an executable transition plan. Transition Begin provisioning the cloud, then conduct a pilot program to test the initial installation. Evaluate the melding of cloud and legacy systems. Begin educating personnel on the new resiliency environment and changes to recovery procedures. If working with a technology provider, educate appropriate personnel on the new cloud services available to them. Transformation Deploy the cloud solution and validate service delivery. Begin monitoring the environment. Develop key performance indicators and gauge the solution s performance against those indicators and other performance attributes. Modify the solution as needed to keep pace with changing business needs and evolving threats. Why IBM? The threat of business disruption is forever present, as is the cost associated with it. Only by designing, developing, implementing and managing a business resiliency plan that will safeguard data, applications and systems can organizations obtain the near-constant availability and near-zero RPOs and RTOs needed to keep IT running and business operating under virtually any circumstance. IBM has more than 50 years experience in business resiliency. Our 1,800 IBM Business Continuity and Resiliency Services professionals currently support more than 9,000 organizations worldwide. Our portfolio of cloud-based availability and resiliency services combines deep expertise with cuttingedge technological innovation to protect and recover data, applications and systems. Our services, which have all the attributes discussed in the What to look for in a cloud provider section of this paper, can provide the type of resiliency solutions needed to deliver near-constant availability. These services include: IBM High Availability Services for Resilient Infrastructure: an end-to-end approach to improving availability. These services include a comprehensive assessment of an organization s availability environment and the implementation and testing of tailored, cloud-based availability solutions that align with overall business objectives. IBM Cloud Virtualized Server Recovery (VSR): a resiliency solution designed for organizations that need faster, more reliable and more affordable recovery of their IT infrastructures. VSR provides industry-leading failover and failback capabilities, allowing organizations to quickly failover production servers to the IBM cloud. In doing so, this around-the-clock service dramatically improves RPOs and RTOs. Further, VSR helps recover heterogeneous server environments including those with a mix of virtualized and physical servers. Tiered service levels help organizations strike a balance between performance and economy for different servers and applications. IBM Cloud Application Resiliency: a resiliency solution for mission-critical applications including enterprise resource planning, supply chain management and customer relationship management applications. As with VSR, this service uses IBM best practices and skills to provide dramatically improved RPOs and RTOs, and allows organizations to differentiate applications based on their tolerance for downtime.
IBM Cloud Managed Backup: data protection solutions for organizations that need cross-enterprise information resiliency and data recovery. Cloud Managed Backup is a security-rich and highly scalable solution that helps organizations to simplify backup with automated and standardized tools and processes that consolidate dispersed information onto a single cloud infrastructure. Solutions can be tailored to meet backup priorities and retention, retrieval and security goals. IBM Cloud Data Virtualization: a resiliency service that enhances data protection by using cloud and snapshot technologies to provide virtually instant recovery of critical data without generating multiple copies of it. One data copy can be used for data backup, data and application recovery, server replication, analytics, development and testing, and many other use cases. Available on a pay-asyou-go basis on your premises or an IBM recovery center, the service can also help save network bandwidth, decrease application lags and lessen dependence on tape for backup and recovery. For more information Individually or combined, IBM cloud services can help your organization attain the levels of resiliency needed to meet the demands of an always-on business world. To learn more, please contact your IBM marketing representative or IBM Business Partner, or visit the following website: ibm.com/services/continuity Copyright IBM Corporation 2014 IBM Corporation IBM Global Technology Services Route 100 Somers, NY 10504 Produced in the United States of America September 2014 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON- INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. 1 Understanding the economics of IT risk and reputation Implications of the IBM Global Study on the economic impact of IT risk, IBM, 2013. Please Recycle BUW03028-USEN-03