Business disruptions take many shapes and forms, from hurricanes and earthquakes to man-made problems such as transit strikes. No matter the nature of the disaster, they all have the potential to prevent employees from getting to their place of work — if not to render that place of work uninhabitable.
Dealing with such business disruptions requires proper business continuity planning, such that the business can continue to operate in the face of a disruption. Such a plan typically includes detailed disaster recovery plans for servers and data. But it also should consider the human factor: how will workers securely access company data from an alternate location, such as their homes or a temporary office? This requires remote access that can provide secure access to users no matter where they are, at a moment’s notice, with the kind of performance they are used to in the office environment.
Too often, when the time comes, businesses find that their remote access solution doesn’t adequately address the challenges that a real-world business continuity event presents. Common problems include first-time remote access users requiring hand-holding from an already overburdened IT staff, remote access hardware that can’t handle the sudden surge in users, and an inability to quickly get additional licenses for new users. In implementing remote access for business continuity, organizations need to consider the full spectrum of threats to their business – and need to ask solution providers some hard questions in order to determine whether their products and services can meet the demands of a widespread business disruption.
Business continuity plans should also take into account disruptions caused by humans. Consider events such as transit strikes, which can leave thousands of commuters without access to busses and trains for days and even weeks.
Unfortunately, terrorist attacks are also on the list of events for which companies must have contingency plans. Such plans must address the possible loss of a building as well as transportation disruptions.
Disaster recovery experts are also encouraging companies to plan for pandemics, such as an outbreak of avian influenza.
Even fully expected occurrences can put a strain on business systems and threaten business continuity. Examples include seasonal bumps in usage, such as the surge a university registration system experiences when thousands of students arrive on campus each fall, or the one online retailers can expect around the holiday season.
The bottom line is that threats to business continuity are many and varied and can affect any business in any region. Ignoring them is simply not an option.
Keeping in Compliance
In some cases, regulatory compliance and government mandates dictate that companies have secure, auditable access to key information, even during unanticipated events. Requirements like Sarbanes-Oxley, HIPAA and others still apply, even if an organization is working under less than ideal conditions. Consider a health insurance provider that suffers a business disruption which forces key employees to work from home. If any of those employees access sensitive data that falls under HIPAA regulations, the company must be able to prove those employees were authorized to do so. While such safeguards and audit trails may be in place at the headquarters office, companies need to ensure they also apply to employees who access the data remotely.
Indeed, compliance is one reason some government agencies are now mandating that private sector organizations they do business with demonstrate they have a credible business continuity planning implementation.
From a competitive standpoint, most companies can’t afford to let an event such as a snowstorm inhibit their ability to respond to customers, suppliers and other partners. If the storm should rage on for two or three days, competitors may well pick up the slack for any company that can’t keep getting business done.
Finally, without a business continuity plan that includes secure remote access, companies may leave themselves exposed to hackers and other security threats during an unanticipated event. For example, if an employee accesses company resources from a home PC infected by a virus, and winds up unleashing the virus on the corporate network, it may cause as much damage as the business disruption that kept the employee at home in the first place.
A Few Points To Consider
While most solutions claim to provide the ability to have burst capacity, it is important to look a little bit closer and ask the right questions to avoid getting stuck with a solution that doesn’t do the job when the need arises.
Anyone evaluating remote access for disaster recovery needs to ensure that the following areas are covered in their plans:
- Secure anytime, anywhere access
- Zero service interruption
- Maximum capacity
- Maximum performance
- Automated VPN provisioning
- Global redundancy
Secure Anytime, Anywhere Access
The foundation of any business continuity plan is the workforce’s ability to get at the applications and resources they need even when they can’t make it to their normal place of work. It does no good to keep servers, applications and databases up and running if the workers who need them can’t get access to them. Access should also be available when the office is no longer functional and the server infrastructure has been moved elsewhere. Similarly, if workers lose their primary access device they should be able to access resources from any alternate device with a functioning Web browser.
All the while, however, the business has to be mindful that during an emergency it is especially susceptible to a security breach, whether from internal users or unauthorized intruders attempting to take advantage of the relative chaos. In such a situation, strong encryption, access controls and end-point security are a must.
Zero Service Interruption
Service interruptions often occur after events that are either completely unforeseen, such as an earthquake, or for which there is little time to plan, such as a snowstorm. Just as you can’t be sure workers will be able to make it into the office during such events, you can’t assume that your IT staff or outsourced solution vendor will either. Given that, your business continuity plan must be able to be implemented without IT help of any kind.
That means the plan can’t rely on being able to reach the IT department by phone, e-mail or Web. And it can’t assume that workers or IT will be able to add any additional hardware that may be required, such as additional remote access devices to support new users. To be truly effective, the business continuity plan must provide the capacity and performance you require with no IT intervention – and no downtime.
During an unanticipated business disruption, it’s likely that your remote access product or service will be taxed far beyond its usual capacity, perhaps by as much as an order of magnitude. Businesses must select a solution that not only easily supports day-to-day remote access needs, but is able to instantly scale to accommodate an entire workforce if needed.
While scaling to increase capacity, a successful business continuity plan also demands a remote access solution that doesn’t sacrifice performance in the process. Metrics to consider include the amount of bandwidth available for each user, latency and per-user response time. With many remote access solutions, performance in each of these areas degrades as the number of active users increases.
Automated VPN Provisioning
Workers who don’t normally have cause to use their organization’s remote access solution pose a special problem for business continuity planning. During a business disruption, these workers will be using laptops or workstations that may not be outfitted with required virtual private network (VPN) software or other critical components. They are also likely to be unfamiliar with the remote access solution and how to use it.
This makes it imperative that the business continuity plan include a remote access solution that can deliver any necessary software components “on the fly” as they are required. It must also provide interactive “smart” training that makes it intuitive for new users to set up.
Ideally, businesses should only pay for what they use on a daily basis, with perhaps a small premium for the reserve capacity. That way you don’t have to procure all that extra license capacity that doesn’t get used on a daily basis, but you have it available for instant deployment when it is needed.
Of course a remote access solution that meets all of these requirements won’t do any good if the applications and resources normally present in the company data center are no longer functioning.
A business continuity plan, then, must ensure that applications and other resources are available from multiple sites in case the primary site fails. And the backup data center must work in conjunction with the remote access plan so that workers can get at the servers they need no matter where they happen to be.
Business continuity and disaster recovery solutions are essentials in today’s corporate world; the risks of being unprepared are simply too great to ignore. While storage, data replication, failover and application consistency form the central core of business continuity and disaster recovery, addressing the human factors by providing uninterrupted user access to data and applications is equally important. Unless it ensures that employees, partners and customers are able to securely access data and applications, anytime, anywhere, the business continuity plan will ultimately fail.
To get this critical piece of the overall business continuity plan right, organizations must perform due diligence across two key areas. First, they must evaluate all business continuity threats, including natural and man-made disasters, and their potential impact in terms of daily operations, compliance and competitive advantage. Second, organizations must look at a broad range of remote access solution providers and thoroughly evaluate each on the basis of their ability to deliver across seven critical deployment considerations: secure anytime, anywhere access, zero service interruption, capacity and performance, automated provisioning, cost-effectiveness and global redundancy.
When it comes to disaster recovery and business continuity, the devil is in the details. To ensure a desired result when the chips are down, one must look at the human and technical details that make the difference between success and failure.
Sunil Cherian is a vice president of product marketing at Array Networks (http://www.arraynetworks.net), a leading enterprise secure application delivery vendor that specializes in high performance SSL VPNs, universal access controllers, application delivery controllers, traffic management and public key infrastructure solutions. He may be contacted at firstname.lastname@example.org or 408-240-8700. A member of the founding team at Array, Cherian has served as senior director of product management, and director of engineering at Array. Previously, Cherian served as senior architect for Alteon WebSystems where he was responsible for several layer 4-7 technologies. Before that Cherian worked with Lucent, Octel and VMX. Cherian holds a bachelor’s degree in computer science and engineering from College of Engineering, Trivandrum, India, and a master’s in computer science from the State University of New York, Albany, NY.
"Appeared in DRJ's Spring 2009 Issue"