How to implement a cloud-based business continuity plan

02 July 2020 | Rene Duettra & Tuhin Goswami

Introduction

Safety of employees and the continuation of core business operations are the two key objectives that underpin an organisation’s approach to surviving a crisis. In most cases, the survival of the organisation is at risk due to the loss of critical resources (people/systems/budget) during and after a crisis. Could the same thing happen, or already be happening, to your business?

Preparing an organisation well ahead through Business Continuity Management ensures organisational resilience but is dependent on its BCM maturity and deployed model. The requirements to achieve such business continuity system proficiency (for Availability, Integrity, and Confidentiality) are governed by an underlying system which is:

  • Accessible
  • Scalable
  • Reliable
  • Compatible
  • Secure

Having a cloud infrastructure to achieve an organizational BCMS site adds many more benefits to the above requirements.

Importance of Business Continuity

Environmental change has increased the occurrence of natural disasters across the globe. Organisations have endured during these times, but with significant losses. Pandemics, earthquakes, floods and massive fire outbreaks have a longer, sustained effect on the functioning of the business. Many organisations face challenges with business operations as employees are stranded in various locations with uncertain return dates.

Moreover, it has been observed that malicious entities have started exploiting organisations with targeted attacks, using social engineering (i.e., phishing), ransomware, and Advanced Persistent Threats (APTs).

Any disruption in business will impact financial growth or profitability, customer satisfaction or experience, and reputation. It is paramount that organisations respond to such a crisis with a comprehensive action plan to increase resilience against future disruptions and prepare for rebound and growth. Implementing a robust, secure and efficient Business Continuity Management System (BCMS) within the organisation is imperative.

While disruption is usually measured in hours and days, the impact of the CV19 outbreak will be protracted, potentially for many months. Disruption has come to organisations in various forms, such as:

  • Unavailability of employees
  • Inaccessibility of premises
  • Network downtimes
  • Servers denying access
  • Government notices

An organisational BCMS ensures a holistic approach to guarantee the safety of the employees and the continuation of business-critical services. A typical BCMS will provide necessary guidance in the domains of Crisis Management (People Safety), Disaster Recovery (IT Systems), Business Recovery Process (Critical Business Systems), and continuous operational support (through People, Process and Technology).

As part of BCMS, the organisation performs Business Impact Analysis, Gap Assessment and Business Continuity Planning, and determines the Maximum Tolerable Period of Disruption, Recovery Time Objectives, Recovery Point Objectives, IT Resource Availability, and much more. Detailed short-term and mid-term objectives from a CIO perspective are covered here.

A Crisis Management framework highlighting the essential requirements is covered in another blog.

It is not possible to implement a BCMS without considering IT systems availability. IT Disaster Recovery, a subset of BCMS, ensures that IT objectives are met by being able to support the business and to meet, and even exceed, the set SLAs during a crisis. Traditionally, an organisation uses a separately allocated BCP site away from the main offices. These remote sites have IT systems such as laptops, desktops and printers available, secured and ready at the time of crisis. These systems should have seamless access to organisational data. Access from the IT systems at these remote sites to the datacenters should also be in place.

In addition, an alternate IT DR site is required for hosting the critical applications, thus ensuring the availability of the applications and access to the organisation's live data in case the main data center goes down.

Implementing a Business Continuity Management System is mentioned as a requirement in many Information Security standards, such as ISO/IEC 27001:2013, UAE Information Assurance Standard, HIPAA, Cloud Controls Matrix etc. Some standards, such as ISO 22301:2019 and ISO/IEC 27031:2011, set out a detailed framework for implementing a BCMS within your organization.

In case you want to check how resilient your organization is towards a disruption, kindly visit Digital14’s assessment page here.

The Ever Evolving Architecture - Cloud

Organisations are exploring innovative ways to use technology platforms that will benefit their business, e.g. hosted corporate and business applications, virtual hosts, and serverless computing.

There has been a significant increase in the demand for implementing cloud infrastructure, as it benefits the organisation in multiple ways. The confidentiality, integrity and availability embedded in cloud services help the organisation to streamline its values, processes and technology from a legal regulations, ethics and due diligence perspective.

Benefits of having organisational data on cloud:

An organisation cannot afford to have its business continuity system compromised during a disaster. Major cloud players assure uptime of 95 to 99.9% in their respective SLAs, which fits the requirement of supporting a BCMS site. The following are key benefits of implementing an organisation's application in a cloud infrastructure:

  • CAPEX Reduction: Facility to ensure a pay-as-you-go model for lower operational expenses (OPEX).
  • DATA Governance: Contractual agreements controlling the accessibility of the organization’s data.
  • Defence In-Depth: Controls within the cloud, ensuring the organisation's data systems are secured.
  • Maximized SLAs: Cloud Service provider (CSP) ensures an uptime through SLAs.
  • Vertical & Horizontal Scalability: Flexibility to create as many replicas through availability zones in different regions.
  • Ease in Replication: Production data can be replicated or recovered through automated means.
  • Open APIs: Integration of heterogeneous critical business applications.
  • Monitoring & Control “at your fingertips”: Inbuilt supporting tools ensure that additional software is not required.

Drawbacks of having organizational data on cloud:

Management may be reluctant to have organisational data stored within the cloud because of the risks associated with data location and control. If sensitive or organisational data is stored on a global cloud platform, it can be stored beyond the jurisdiction of local/national law enforcement. The following are some of the drawbacks of having organisational data on cloud:

  • Data Control Loss: Loss of data control and lack of ownership.
  • Data Sovereignty: The usage of information being subject to a country's law and the potential implications.
  • OPEX miscalculation: Cost fluctuations on the pay-as-you-go model may discourage management.
  • Security Misconfiguration: Lack of implementing security controls or misconfiguring the cloud infrastructure may lead to data loss.
  • Lack of working knowledge: Reliance on cloud service provider’s functions.
  • Contractual obligations: Complexities arising in rigid contracts of cloud service providers.
  • Resource Requirements: Technical cloud subject matter experts needed to handle operations.

Considering the above drawbacks, it is good practice to consult experts when designing and deploying your organization’s enterprise architecture and to apply appropriate security controls. Please refer to Blog1 and Blog2 for further details on managing the challenges of data sovereignty through the UAE sovereign cloud approach and the requirements to be considered.

How do cloud services help achieve BCMS requirements?

The traditional method of BCP requires People, Process and Technology to be available in remote sites to ensure that the organisation remains resilient during the crisis. The following are some of the benefits when the organisation’s BCMS is managed in cloud infrastructure:

1. People:
  • Dedicated resources are not required to work from remote areas, waiting for a calamity to occur.
  • Subject Matter Experts are not required.
  • Cost-cutting in terms of training, knowledge sharing and resource utilization.
  • No manpower effort is required for the uptime of the infrastructure.
  • At the time of crisis, there is no concern about the transportation of people.
  • New systems can be created rapidly on request to access the BCP/DR site.
2. Process:
  • Crisis Management becomes a lot easier as the system is accessible in the cloud infrastructure.
  • Automation can be performed to support the organization’s BCMS process (e.g. the call tree can be automated).
  • Segregation of Duties, Authentication, and Authorization ensure that organizational data remains accessible only to the dedicated employees.
  • Cloud Service Providers guarantee uptime of between 95 and 99%, thus ensuring the availability of the BCMS site.
  • Agreements, due diligence and right-to-audit provisions are in place to assure security.
3. Technology:
  • Third parties managing the BCMS site are no longer required, thus ensuring security of the data.
  • Additional cloud-based security controls are available, e.g. firewalls, WAF, IPS, log management, telemetry monitoring etc., which may not be possible in traditional BCP/DR facilities.
  • Cloud services can scale vertically and horizontally, and can thus quickly provide as many systems or server resources as required.
  • Robust Key Management services to ensure the security of the data.
  • Real-time replication can also be achieved, thus minimizing data loss.
  • Compliance with many security certifications by the CSP, e.g. ISO, SOC2 type2, PCI DSS etc.
  • CSPs and other third-party vendors offer Disaster Recovery as a Service (DRaaS) solutions or platforms to build your own Business Continuity sites.

Conclusion

As your organisation sets its objectives to drive a business continuity management program, the possibility of utilising cloud services should be considered in light of its advantages from a cost as well as an Information Security perspective.

A guided approach is required to achieve a robust Business Resilience and Continuity program through the usage of cloud services. With high expertise in the domains of Business Continuity and Cloud Infrastructure solutions, the Digital14 team would be delighted to support you in your journey to enhance business continuity planning, maintain security and compliance, and achieve your business goals.

We, at Digital14, have a strong background, rooted in our subject matter experts in the areas of cloud infrastructure and BCMS, to ensure your organisation’s safety and security during any crisis. Visit Digital14.com today to learn more about our cybersecurity services, advisory services, and assessing your cloud strategy in accommodating organisational Business Continuity and Resilience.

Connect with Digital14 to help you achieve security.
