Monthly Archives: January 2015

4 ways to improve recovery point objectives

Mapping out a disaster recovery plan is no simple task, and at the enterprise level, the countless applications and databases that must be restored in an interruption scenario can pose a challenge to even the most experienced tech teams. For executive leaders, however, another issue comes into play – determining the value of a DR strategy and the investments therein. For business decision-makers, choices surrounding restorative hardware, software and support all factor into the ultimate question: Is this plan worth the amount of capital it demands?

For this reason, business leaders need as many practical, quantitative metrics as they can gather when provisioning their disaster recovery plans, especially if the continuity of their companies' operations relies primarily on their IT environments. Recovery point objectives are an essential measurement of the reliability and functionality of a DR strategy overall, and must be a top consideration for any organization looking to evaluate its continuity investments. Here are four ways that business leaders can shore up their RPOs and enjoy greater value for their DR dollar.

1. Establish restoration priorities: Not even the most advanced recovery platforms can ensure the complete restoration of an IT environment at the drop of a hat, and decision-makers will have to weigh their options when determining which digital assets are truly critical to their operations when a disaster strikes. With a well-considered lineup of restoration priorities in place, a company can create stronger RPOs and avoid any confusion when it comes time to bring systems back online. Working closely with a service provider to establish these parameters can help leaders make optimal choices. 

2. Reduce data duplication: Every byte of data makes a difference when it comes to refining RPOs, and with so many servers underpinning the average IT infrastructure, unwanted duplicate apps and information can be a wasteful burden when executing a DR plan. Companies must proactively identify and eliminate these unnecessary replicas and ensure that their targeted assets are as lightweight as possible for quick recovery. According to Business 2 Community contributor Doug Hanley, the following definition offers insight into the importance of efficiency when developing RPOs.

"The maximum amount of data that may be lost when service is restored after an interruption. The RPO is expressed as a length of time before the failure. For example, an RPO of one day may be supported by daily backups, and up to 24 hours of data may be lost."

3. Procure plenty of archives: A substantial portion of an enterprise's application and data sets are not vital to the core functionality of its teams and stakeholders, meaning these assets can be put on hold when recovery is underway. However, less-critical systems must also be made accessible within a reasonable timeframe and given a dedicated set of RPOs if a business wants to be fully prepared for an interruption scenario. Organizations must orchestrate archive backups that deliver accurate, timely restoration without placing unwanted burdens on budgets or IT teams. 

4. Remember recovery time objectives: RPOs go hand in hand with recovery time objectives, which offer a broader snapshot of an organization's restorative capabilities. According to InfoSec Island, these two metrics must be considered in tandem when developing a DR strategy, as RTOs take into account other factors that play into the total recovery picture. The source compared the two in the following definition:

"RTO has a broader purpose because it sets the boundaries for your whole business continuity management, while RPO is focused solely on the issue of backup frequency."

With these considerations in mind, business leaders should be able to shore up their RPOs while developing a more coordinated, effective DR strategy overall. 

Disaster recovery demands security and compliance

Organizations tend to focus on the obvious, visible components of their disaster recovery plans – and for good reason. Facilitating strong recovery point and time objectives, prioritizing application restorations and creating reliable archive systems are practical efforts that actively bolster a company's ability to bounce back from a business interruption. Not all aspects of disaster recovery are about moving parts, however, and organizations need to recognize that promoting resilient security and compliance standards is just as important in achieving a well-rounded continuity strategy.

Recovering securely 
As the digital environment becomes more vulnerable to cybercriminal efforts and regulatory organizations crack down on compliance, companies need to make sure that their disaster recovery plans also defend their information from malicious groups lurking across the Web. As a recent article from Bank Info Security explained, security is a multi-tiered effort, and organizations can't overlook any aspects of their IT environments when shoring up defenses in this generation of digital hazards.

In addition, the monumental cyberattacks of the past several years prove that there is no such thing as being overprepared.

"What we're learning from Sony is what we've supposedly learned from Target and [others]," said Alan Berman, president and CEO of the Disaster Recovery Institute, according to the source. "We really do need better security. We need better sharing of knowledge, which doesn't take place. Did they have the backups they needed? How do you run with limited technology?"

Many organizations have internalized the lessons of the Sony breach as they evaluate the strength of their security acumen, but decision-makers must remember to look at the big picture when fortifying their network defenses. This includes securing recovery environments and promoting security best practices even when navigating a business outage scenario.

Moments of vulnerability
Cybercriminals will stop at nothing in their malicious quests to infiltrate networks and come away with valuable digital assets, and unfortunately, a company is at its most vulnerable when its attention is focused on overcoming interruptions. Business leaders must consider security breaches as not only a potential cause of network downtime, but also as an additional concern during the recovery process itself. Attackers will leap at the chance to infiltrate a network when its guard is let down.

In other words, network protection must remain a priority during restorative phases if organizations want to develop a disaster recovery plan that ensures complete resilience to risk. Rather than viewing IT strategy as a series of isolated discussions, organizations must take a panoramic view of their network environments and gauge security in a variety of contexts.  

Promote total continuity
While strengthening the security of a disaster recovery plan might not be an intuitive task for IT leaders, regulatory parameters put forth by organizations such as the Payment Card Industry can help guide decision-makers toward a more complete standard of protection, TechTarget recently explained. With the release of PCI DSS 3.0, companies have a reliable framework on which to build a recovery plan that prioritizes security as well as speed and precision.

"The new version of the standard [will] make sure merchants ingrain PCI compliance with a lot of the changes that are often made in an environment," Greg Rosenberg, a security engineer with Trustwave, told the news source. "The idea is to have IT staff ask the question, 'How will this change impact security, compliance and risk?'"

Because more than 100 adjustments and additions have been made in this latest PCI DSS iteration, organizations would be wise to seek the guidance of a dedicated disaster recovery service provider to ensure that they stay on top of these complex compliance demands. 

Shadow IT: What it means for disaster recovery

Every now and then, the IT world gives rise to a trend that disrupts convention and rewrites the rule book across the entire digital landscape. Perhaps the most significant disrupter to recently sweep this arena is shadow IT, a movement in which departments and business teams are purchasing their own tech solutions without the consultation or authorization of internal IT operations. As one might imagine, these developments have dangerous implications for the health of an organization's infrastructure, particularly in regard to the creation and maintenance of an effective disaster recovery strategy.

Unstable IT foundations
Just how serious is the shadow IT phenomenon, and what are the risks that expand with its growth? Data security and control are the top concerns for decision-makers who have become increasingly wary of an evolving threat matrix, as applications procured outside the tech department tend to lack the defensive measures necessary for the protection of information in transit. Furthermore, the fragmented nature of shadow IT has destabilized corporate structures built to ensure a system of secure, cost-effective resource procurement, sending ripples of uncertainty throughout the boardroom and beyond.

Aside from these widely acknowledged pain points, decision-makers must recognize the negative impact that shadow IT can have on an organization's disaster recovery planning and execution. With 76 percent of organizations reporting some form of shadow IT, according to BT, it's important that business leaders take a 360-degree view of risk factors, including DR. Here are a few areas in which an expanding footprint of unsanctioned applications and computing resources can hamper a company's ability to restore its digital assets in case of an emergency:

  1. Unseen data and apps: How can a recovery strategy possibly achieve its goals if administrators don't know what resources are being used by employees across the enterprise? This is the fundamental conflict existing between DR and shadow IT, and should serve as a primary motivator for decision-makers to snuff out the unsanctioned applications hiding in the dark corners of their infrastructures. BT pointed out that shadow resources account for around 25 percent of an average organization's budget, bringing greater urgency to the situation by ramping up the financial stakes of lost applications and databases.
  2. Fragmented restoration: Even if an IT department is able to track down all the disparate components that make up its shadow footprint, the restorative processes necessary to bring these systems back online in a crisis scenario are highly demanding, unreliable and inefficient. Tech teams should be able to restore data and applications in a unified manner, with the assurance of recovery point and time objectives that offer certainty in unpredictable times. Furthermore, there is no possibility of SLA-defined support for technologies that aren't easily identified or necessarily compatible. When resources are strewn about the network, recovery takes on an additional – and heavy – layer of risk.
  3. Disconnected action plans: Decision-makers must remember that although disaster recovery is only one aspect of an organization's business continuity strategy, data and applications are vital to the productivity and performance of the modern workforce. That means that shadow IT, if left unaddressed, can cause an entire continuity action plan to crumble, regardless of the precision with which employees are instructed or trained for a crisis situation. Business leaders must acknowledge the big picture when confronting their shadow IT problems and consider how their continuity strategies may be affected on a larger scale.  

Communicate to innovate
As decision-makers develop strategies to eliminate shadow IT for the sake of their security, budgets and disaster recovery plans, they must remember that a creative and collaborative mindset is critical to solving such sensitive internal issues. For instance, CIOs should consider branching out across departments to uncover the hidden practices taking place within each segment, then framing the solution in a way that synchronizes the interests of individual teams with the risk-averse goals of the organization at large.

"CIOs are perfectly placed to nurture creative uses of technology throughout their organizations while keeping a strategic view," said Luis Alvarez, chief executive officer at BT Global Services. "I've been a CIO and to me it feels as if we're on the verge of a renaissance of the profession with greater opportunities than ever before."

An article from CIO recently pointed to IDC research revealing that 54 percent of business leaders viewed the IT department as an obstacle to their goals rather than a helpful asset in reaching their objectives. As these decision-makers craft their disaster recovery plans in the new year, they must ensure that these internal rifts don't threaten the cohesive and collaborative methods that must be employed for success in this critical arena. The lessons of shadow IT should serve as a reminder for the ongoing development of business continuity from a healthy and holistic point of view.

The power of a layered continuity strategy

While business continuity is rarely a neglected boardroom conversation topic, executive leaders often designate the bare minimum of attention and effort to this function. Even if a company boasts a fairly robust recovery suite or has a seemingly firm grasp on the details of its employee action plan, there are still many aspects of continuity that don't receive the urgency and support they need in an age when downtime is a business death knell. As companies come upon the end of the year, it's a perfect time to evaluate the shortcomings of their recovery plans and fill in all the blanks. 

Successfully patching up a continuity strategy, however, requires an understanding of what a comprehensive blueprint entails, as well as the technology and techniques to make these aspirations a reality. The first step in this process is recognizing that effective continuity outlooks aren't comprised of piecemeal tactics and tools, but rather a layered structure of support that accounts for every aspect of the business' ongoing productivity and performance. Here is a look into three of these key layers and how they should be factored into a company's continuity strategy.

Data and app restoration: The actual disaster recovery portion of a business continuity plan covers much less ground than the typical boardroom may think, but there is still a great deal of complexity within this facet of the program. Today's organizations must take into account factors such as the restorative capabilities of their backup environments, the prioritization of key apps and data, as well as the control they exert over benchmarks such as recovery time and point objectives. 

If decision-makers feel that the IT portion of their continuity is lagging behind, there are a number of technologies available to ramp up their efforts with minimal alterations to the infrastructure. Virtualization, for instance, facilitates the creation of incremental snapshots that preserve virtual machine images in a frequent and highly accurate manner, according to TechTarget. This ensures relevant and timely restoration of key digital assets.

A clear staff action plan: Even with a completely restored IT environment at the ready, an organization needs to shore up continuity procedures for personnel by developing highly detailed action plans that lead individuals and teams through chaotic scenarios toward safety and resumed productivity. This means not only mapping out the step-by-step protocols for any conceivable disruptive situation, but also fortifying the blueprint with notifications sent directly to the appropriate parties in a crisis. 

Physical workstation support: Remote access policies may prove convenient for a time immediately following a disaster, but the use of personal devices in an off-premise environment is simply too risky – and out of sync with the pulse of the business – to be reliable for any significant stretch. The most resilient organizations, according to Channel Partners Online, are built with a layer of long-term continuity assurance that will account for the days and weeks following an interruption – not just the succeeding hours.

Dedicated workspaces are a powerful tool to drive mid- and long-range performance when primary office environments are offline for an unpredictable length of time. With the addition of equipment delivery and power services, additional workstations can be set up wherever – whenever – the need may arise. 

Turn to the pros to master disaster recovery

When it comes down to it, who is really responsible for disaster recovery in the corporate environment? Is the IT department tasked with the technical aspects of the data and application restoration process? Should the executive board map out the action plans that determine the trajectory of continuity during a crisis scenario? What about the employees who need to complete their tasks despite facing obstacles both physical and technological? These are the questions that often get organizations hung up on disaster recovery – and prevent them from crafting an effective strategy.

In fact, a recent CIO Insight article highlighting research from Axcient revealed that the DR conversation can even cause rifts within an organization, as stakeholders often point fingers at one another in the blame games that typically follow a business interruption. IT staff were held responsible for lost data in 69 percent of situations, while executives and end users were blamed 41 and 33 percent of the time, respectively. To avoid in-fighting and other destructive forms of disunity, organizations should leverage expert guidance and technological support in their disaster recovery efforts. 

Clarity and confidence
Because disaster recovery is such a nuanced yet vital part of an organization's continuity footprint, the benefits of leveraging a dedicated service are many, especially for organizations struggling to piece together an effective plan in-house. As an article from Redmond Magazine recently pointed out, more companies are recognizing that consultation and hands-on assistance are necessities in developing a dependable, dynamic recovery platform – a movement that has given rise to the rapidly expanding disaster recovery-as-a-service market.

Business leaders that hand over the reins to expert service providers not only boost the reliability of their restorative functions, but also gain greater visibility and control over key performance metrics such as recovery point and time objectives, as well as in the prioritization of data and app recovery. Features such as SLA dials provide decision-makers with precise command of these elements, down to the granular management of virtual machines and backup environments, according to Enterprise Storage Forum.

Continuous support
Decision-makers can't forget that disaster recovery is only one variable in the business continuity equation, and companies often find themselves with lopsided support if they fail to recognize this truth. Companies need to ensure that staff members have the equipment, connectivity and working environment they need to make the most of the assets recovered in the DR process. Comprehensive continuity partners will account for both the technological and human elements of the strategy, creating a holistic system of support that holds strong in any crisis scenario. 

Cybersecurity and continuity: 3 Key connections

While the IT environment is segmented into an endless array of physical components, software assets and everything in between, big-picture infrastructure management often reveals connections between seemingly disparate parts of the network. The links between cybersecurity and business continuity, for example, may not be apparent to the average IT onlooker, but someone familiar with the tools and techniques used to promote these strategies could see the two as closely connected, if not inseparable.

That's why executive leaders should attempt to look deeper into the IT ecosystems they have created for their organizations, especially in an era when second chances with business partners and consumers are becoming increasingly hard to come by. Here are three ways that cybersecurity and business continuity shine light on some unexpected – but critical – management connections.

1. A never-ending responsibility: As 2014 comes to a close, the importance of network protection is more glaringly obvious than ever before. According to Dark Reading, one Radware study described the past year as the most pivotal ever in this area of IT strategy, calling it "a tipping point in terms of quantity, length, complexity and targets." Nearly one-fifth of respondents in the survey revealed that they have experienced attacks lasting as long as one month, while the recent Sony Pictures intrusion proved that cybercriminals are more organized and well-funded than ever. 

The non-stop pressures of today's security landscape tie back clearly to the core tenets of continuity, as decision-makers must view both facets of IT as a constant work in progress. President Obama even recently codified the Federal Information Security Modernization Act, which requires government agencies to continuously monitor their networks, according to GovInfo Security. Whether scanning the horizon for threats, backing up new stores of data for recovery or fine-tuning restoration tools for a test scenario, the pressure is always on to improve and refine these strategies. 

2. The crux of crisis management: Whether a company is sustaining a flurry of cyberattacks or gets caught up in a literal snowstorm, stakeholders within and external to the organization will be looking for leadership in a worst-case scenario. Employees in every department will need clear, concise directions to navigate a chaotic environment, while customers and business partners expect to be fully informed as to the events taking place – and procedures moving forward. Painstakingly precise action plans are key to both cybersecurity and continuity situations.

Unfortunately, research has shown that a substantial number of organizations don't have a data breach response plan, or an emergency preparedness blueprint. Radware pointed out that more than one quarter of companies aren't ready to bounce back from a breach, while SolarWinds found that 20 percent don't believe they could recover from a disaster. These findings suggest that preparation is not just a luxury – it's a necessity.

3. Awareness = preparedness: Knowledge is power when it comes to overcoming business interruptions of any kind, and business leaders must educate themselves thoroughly with respect to the threats that face their organizations. Only decision-makers who know exactly what dangers lurk in the shadows will know how to properly respond when the moment arises. This, of course, goes for security as well as disaster preparedness. 

"A lack of quality and reliable information complicates a decision-maker's ability to respond to events in an appropriate and timely manner," said Michel Herzog, security researcher at ETH Zurich's Center for Security Studies, according to TechRepublic.

Education doesn't just pertain to top-tier leaders, either. CSO Online recently noted that insufficient end user training and a lack of security awareness may actually be the big culprit in the current cyberdefense crisis. Businesses must bolster these programs to ensure safe, continuous operations moving into the new year.