By Furqan Hashmi, Head of IT Security and Operations, Emirates Investment Authority
My discussion at R3: Resilience, Response & Recovery 2017 is mainly about how we can successfully execute and manage enterprise wide (including extended enterprise) business continuity and disaster recovery (DR) plans. We can have different business continuity and DR models. Decision on the criteria i.e. which model should be deployed depend mainly on business requirements, CAPEX and OPEX.
Disaster recovery invocation should be the enterprise’s last resort. Enterprise technology environment should be resilient and secure enough that DR invocation is required only for testing purposes or a limited period of time. The successful management of business continuity and disaster recovery can be achieved through a strong integration of people, process and technology.
Cyber threats: it’s not if, it’s when
On the people front, a proper communication plan should be in place. Responsibilities of each individual participating in the plan should be defined and communicated. Individual should have necessary skills and qualifications required for their role. Necessary training (by using 3rd party or as part of drill testing) should be provided to the users involved.
On the process front, a governance framework should be in place that will provide assurance on enterprise business continuity and its associated controls. Furthermore, it also provides assurance that controls are operationally efficient and effective and aligned with business objectives. This could be achieved by performing audits, periodic testing of controls including DR invocation, backup integrity checks, periodic restoration testing, incident management tests, identify risks during and after test, and risk mitigation through controls. This is an ongoing process and works on a continuous improvement basis.
On the technology front, following are mainly the controls that can be used for successful disaster recovery planning and execution. We can have different disaster recovery models. Selection of model is dependent on business requirements and CAPEX and OPEX enterprise is willing to spend.
Secure SAN based replication: It provides continuous real time replication between the production and DR site at Storage level. This model is useful when enterprise wants to invoke the DR at storage group level. From costing point of view, this solution is more costly than others as it requires dedicated replication and storage devices at the DR site along with a tool to manage DR invocation.
Secure System/ Application based replication: This model works a level above than SAN based replication for DR invocation. One of the flexibility enterprise can have in this model is to invoke specific set of applications/systems for business continuity and disaster recovery purposes rather than all systems within the storage group. Additionally, this model is more economical than secure SAN based replication.
What if the breach goes undetected under GDPR?
DR as a Service (DRaaS): This model works in a cloud environment. Cloud providers setup enterprise DR virtual infrastructure in the cloud. This model works on continuous or period replication basis (depends on the RPO enterprise requires from business, legal and regulatory perspectives). DRaaS is the most economical option and provides us greater flexibility as cloud providers can accommodate enterprise current and future compute requirements easily.