Tagged in: Cloud
By Eric Thompson, solutions architect for Rentsys Recovery Services, Inc. Originally posted on Rentsys Recovery Services' blog.
Today, almost every newspaper or tech magazine you pick up is either singing the praises of the cloud or pointing out its shortcomings. The challenge is transitioning from talking about cloud to actually implementing a cloud-based solution so you can judge its usefulness for yourself.
If you're ready to take the cloud plunge, follow these three steps to be best prepared.
Step 1: Complete a Business Impact Analysis
In a business impact analysis (BIA), you identify your most critical business functions, map out the applications that support each function and then designate maximum allowable downtimes for each function. To classify downtime, we typically use the periods defined in the FFIEC IT Examination Handbook:
- Nonessential — 30 days
- Normal — seven days
- Important — 72 hours
- Urgent — 24 hours
- Critical — less than 24 hours
As you assess the maximum allowable downtime for each function, consider designating separate recovery time objectives (RTOs) for each function depending on if you experience a regional disaster (e.g., hurricane, flood) or an operational interruption (e.g., crashed server, power outage).
By separating the functions into these two categories, you can significantly reduce the cost of recovery. The reason is that if a regional disaster like a hurricane hits your organization, people are more likely to be empathetic to your situation and understand that it may take you a couple days to be up and running again. Instead of allocating resources to maintain a short RTO, you can designate a smaller set of resources for these scenarios.
On the other hand, customers tend to be less forgiving when a server crashes and they don't have access to their accounts. Fortunately there are many recovery solutions you can use to restore applications for a short period that don't require the expensive resources needed for a full-blown disaster.
Step 2: Categorize Data and Data Size
Once you've completed a BIA, the next critical step is determining if there are any legal or regulatory obligations dictating how data must be handled. If your critical business data is defined as sensitive, your cloud vendor must prove that it can back up and restore your information within the laws and regulations governing your organization. Here are some basic questions to ask when evaluating a cloud recovery provider's ability to safeguard your customers' information:
- Is the cloud service provider familiar with your industry's legal and regulatory requirements for safeguarding customer information and other sensitive data?
- Has an auditor evaluated the vendor's internal controls to determine if those controls are functioning appropriately?
- Does the provider appropriately encrypt or otherwise protect nonpublic personal information (NPPI) and other data that could harm your business or customers if disclosed?
- What controls does the vendor have to ensure the integrity and confidentiality of your institution's data?
- Is customer data stored or processed overseas?
After determining that your cloud provider can securely back up and restore you and your customers' information, evaluate the amount of data that you'll need to recover after an interruption. The following charts provide a guideline of how long it takes to move different amounts of data across a variety of common connection types (note that these figures don't factor in latency or regional problems affecting bandwidth speed).
Estimated Data Transfer Speeds
Step 3: Align Cloud Recovery Solutions With Business Functions
After completing a BIA and categorizing your data, you'll better understand costs as they relate to recovery time, enabling you to make informed decisions about the solutions that are right for your business.
If you're concerned about equipment failure and need quick recovery for a single server, an ideal solution is to back data up to an appliance hosted at your primary site in addition to vaulting data in the cloud. If a server crashes or data is accidentally deleted, the data can be immediately pulled from the on-site appliance across a local area network instead of over the wide area network, which significantly increases recovery speed. This solution allows you to handle less complicated recoveries without declaring a disaster and taking on unnecessary fees.
For high-priority applications with a recovery window of 24 hours, a traditional cloud recovery model in which backup data is vaulted directly to the cloud may be sufficient. At time of event the data is recovered to virtual machines within the same cloud network, significantly improving the recovery time. The data moves at local area network speeds and you don't have to acquire physical hardware, deliver a tape or transfer people to an alternate location to start the restore. However, if the system is critical during a major disaster and the recovery time remains less than four hours, you should consider a solution using replication with standby virtual resources. For a more in-depth analysis of how cloud services can help you meet your business's specific recovery times, work with your cloud vendor's solutions architect to identify a solution to best fit your recovery needs.
Implementing cloud solutions doesn't have to be daunting. Follow these three steps, and soon you'll be singing the praises of the cloud.