A look at the challenges, red flags, risks, and benefits involved in putting together a Business Continuity Planning and Management framework on the cloud.
Disaster Recovery (DR) as a concept gained traction in the 1990s when companies were in the second phase of automation where they were moving their business critical applications to various computing platforms. DR planning and management involved building mirror sites away from their data centres that would back up company transactions and data, and eventually take over during a disaster, natural or manmade, without disrupting the business. Business Continuity Planning and Management (BCPM) is an extension of the DR concept wherein companies can continue functioning irrespective of a hardware failure, network outage, a security breach or a natural calamity. BCPM is also about being able to proactively identify incidents before their occurrence and take proactive action.
BCPM has assumed significance as disruptions have the potential to inflict loss on companies. Considering the world has gone digital today and e-commerce happens in real time, businesses just can’t afford disruption. Unless they have a sound BCPM program in place their businesses are vulnerable to all types of outages. As companies are now embracing the cloud model, taking BCPM to the cloud brings its own benefits. However, there are hurdles to be overcome even there.
BCPM adoption and challenges
While BCPM is critical to an organisation’s success—given the way the digital economy is shaping up and the kind of risks that businesses need to mitigate— research reveals that 48 per cent of business owners have no business continuity plans in place, let alone a business continuity management mechanism. The moderate uptake of BCPM is due to numerous challenges that enterprises face while going about the task. According to RLS Tammineedi, a BCPM expert, the key hurdles to implementing BCPM include senior management commitment and involvement. He notes that many organisations tend to delegate BCPM to mid-level executives who may not have the wherewithal to make an organisation-wide impact with a BCPM program. In many cases BCPM practitioners lack a thorough understanding of the data dynamics and dependencies involved in data recovery. Many organisations that have not experienced disasters or serious outages don’t find a business case for implementing a comprehensive BCPM mechanism considering that their resources are scares. Tammineedi observes that this often results in a lackadaisical approach to business continuity where it is implemented to satisfy some regulatory requirements or audits.
A number of organisations are still trying to properly align IT with business objectives. Consequently business managers who are under pressure to deliver more with less often do not provide adequate notice to infrastructure teams on capacity related issues. This disconnect between IT and business also hinders the implementation of BCPM programs. Some organisations, as Tammineedi points out, tend to adopt an IT only approach towards BCPM and fail to factor in other organisational resources like people, premises, data, processes, and supplies. This can prevent organisations from tapping into the full potential of BCPM. In some enterprises, the BCPM framework adopted may vary from one office to another. Only an organisation-wide common framework can deliver the desired results. A fragmented framework will add to complexity and might lead to confusion at the time of a disaster or an outage. Tammineedi recommends that organisations achieve consistency in approach and BCPM documentation by adopting an international BCPM standard or framework across the enterprise.
Business Continuity on the Cloud
Cloud is being regarded by many as a platform that will make disaster recovery and business continuity simpler. This is because the cloud is powered by virtualization that’s not hardware dependent. On cloud enterprises can back up data, applications, and even operating systems faster and move them to a remote data centre. However, one of the biggest challenges enterprises will have to address, before moving BCPM on to the cloud, is security. They must have a way of measuring the effectiveness of security measures and performance even before transitioning workloads to the cloud. Enterprises should deploy tried-and-tested cryptographic techniques to secure their assets on the cloud. Companies that are looking to move to the cloud should also put a robust risk assessment mechanism in place.
Enterprises looking to move BCPM to the cloud should have a business continuity plan that factors in the loss of the cloud provider’s services. The plan must clearly outline who the enterprise will have to contact in the event of a breach or any other incidents. It should also have clarity on events that require investigation, identification, retaliation, and notification or even legal recourse. Enterprises should also demand the cloud provider make available documentation on assets, and resources and information on how frequently they are assessed or audited. There should be total transparency into the cloud service provider’s incident management, DR, and BCPM in addition to various policies and procedures pertinent to business continuity. Enterprises should also undertake a thorough review of the cloud service provider’s colocation and backup infrastructure. There should be transparency in terms of the service provider’s critical services offerings and the way service delivery is measured. Before taking a decision to transition BCPM on to cloud, enterprises will do well to assess and compare the risks involved on premise vis-à-vis the cloud.
Business Continuity benefits on the Cloud
While issues like security and data privacy may be a cause for concern, business continuity on cloud offers numerous benefits that are expected to significantly enhance an enterprise’s business continuity program while reducing the impact of incidents.
Minimising downtime: SaaS ensures that data, like emails, are never lost and the end user is unaffected by system outages that may occur in the background.
Improved network and security: Enterprises can move their non-critical applications to the cloud, while their in-house departments can focus solely on business critical functions. While non-critical functions benefit from the improved performance offered on cloud, IT teams can focus on improving network performance and information security.
Back up management and recovery: Successful recoveries from a disaster or outage rely on the frequency and quality of back ups. As cloud offers a superior, layered approach to backup, the quality of recoveries will be much better than in an on-premise scenario.
Geographic redundancy: Cloud service providers offer built-in geographic redundancy in the form of regions and availability zones. This will decrease the time taken to recover data.
Enhanced scalability and availability: Cloud services are highly scalable and cloud service providers have built ample redundancy all across their cloud environment. Their on demand resource capability increases service availability.
Shielding against DoS attacks: Redundancy and on demand scalability also help enterprises guard themselves better against denial of service attacks. This will also help them recover faster in the event of an attack.
To conclude, cloud is the way to go for enterprises that are looking to put in place a robust business continuity framework. While security and risk management continue to be serious concerns, enterprises can be jointly addressed by the enterprise availing the cloud service and cloud service provider. And of course, cloud, with its OpEx model, will help optimise the costs involved in putting together a BCPM framework while offering performance benefits.