The New Standard – How will you measure up?

Over the last decade Business Continuity has become a management topic and has become prevalent in many organisations.  This was largely due to the external events (e.g. terrorism, floods, power-outages) which increased management awareness of how brittle many of their business processes are.  The arrival of the BS 25999 standard in 2005 created a benchmark by which an organisation could measure its readiness to face the unexpected.

Now, some 6 years on from the launch of BS 25999 it is to be withdrawn and replaced by the international standard ISO 22301. So what does this mean for your organisation? The answer is “It depends…”

…If you are starting to think about Business Continuity planning and management then you should be looking at the new standard.  There are certain to be many training and awareness courses becoming available as the standard is launched.  We will be providing further guidance and advice on this in future blog entries.

…If you are seeking accreditation against a standard, then you should be looking to use the new standard ISO 22301.  This will be available from the BSI by Mid-May 2012.  In the meantime, if you are just starting, then BS 25999 remains the most appropriate accreditation to use.

…If you have already gained accreditation against BS 25999 then you will need to transition to the new ISO 22301 standard.  Although ISO 22301 covers almost everything which was in BS 25999, it places new requirements and emphasis on the planning and understanding of the risks within an organisation.  Accordingly, you may need to revisit the planning methodology you have in place and review it against the new standard.  Certainly, your existing accreditation will be withdrawn and you will be measured against the new standard going forwards.

So, there’s a new standard, but it’s almost the same as the old standard. The main area of change is the need for greater evidence of the involvement of senior/top management in the BC process.

Watch this space for an update when the standard is released in mid-May.


Are you fit for the Olympics?

So we’re in the year of the Olympics in London. What does this mean to you and your business?

If you’re in the east of London it probably means a month of travel disruption. If you’re outside of London you perhaps don’t really care so much. Yet this event in July/August will have a national impact and unless you pro-actively think about and plan for it now, you might be left on the back foot reacting to events when something unforeseen happens. Even if you’re not in London, perhaps one of your suppliers is or someone you supply to. An incident which impacts them could then impact on you too.
Let’s consider the travel and transport issues which are highly likely to occur. Transport For London (TfL) is giving advice which in a nutshell suggests that if you normally commute to the Olympic areas of London then it would be wise for you to investigate working from alternative sites if you can. This is a sensible suggestion as the number of additional passengers expected to be using public transport at the peak times is approx. 800,000. If you’ve ever travelled on London’s public transport at peak hours I’m sure you can imagine the impact of this additional number of passengers.
Security is obviously a major concern with the Olympics being the focus of the world’s media. Again there is useful information for businesses and individuals being provided by the Home Office and by local authorities. Follow this link for the latest guidance: http://www.homeoffice.gov.uk/publications/counter-terrorism/olympics/london-2012-public-booklet

So what can you do now? Plan, Prepare, be Pro-active.
If you’re in London – ask your staff how they commute to work. Map out their journeys and compare that with the information available from TfL. If key staff are travelling on the routes which are forecast to be busy – then look into alternative working arrangements. Can your staff work from an alternative site? Is your IT capable of supporting remote working?


If you’re not in London, take a look at your critical suppliers and customers. Maybe they’re in London and will be directly impacted.
Above all, don’t be complacent and think that “it won’t have any impact on me”.

If you’re not sure where to begin – call our Olympic Line on 0845 867 2012 and speak to one of our experts for their advice.

Data Backup Compliance

How long does your data need to be backed up for?  It’s a question most businesses take for granted, working on the assumption their IT department have taken care of things.  In the real world, backups are the last job to sort out in a system deployment project and will typically involve using default settings in the backup software itself.  Technical staff are rarely told what’s required for compliance and regulatory purposes and to be fair it’s not their job to know.  So when was the last time you checked with them to make sure that your understanding of what’s important data matches to theirs?

YOU have a problem!

If you’re not even thinking about this you’re building yourself up for a fall.  A ‘head in the sand’ approach won’t help when you actually need to restore data from backup but can’t.  And here’s the news – backups have moved on since tape, and if you’re still relying on old fashioned rotation schemes you’re already well behind your competitors who are using online backups with automated off-siting of data and advanced retention policies.  “That’s up to them – I’m backing up to tape, I’m covered, it’s not a problem.” – WRONG!  To understand exactly why you do have a problem let’s get back to basics.

Why backup?

Back in the day before everything was electronic, you would follow best practice without even thinking about it.  You’d write a letter, you’d take a copy before sending it and there’s your backup.  You would then change the letter, take another copy of it, there’s your backup – pretty simple.  Then everything became electronic, so you would backup to tape because that’s all you had.  Backups were run once every night and a well-managed IT department would ensure some tapes were taken off site, month end tapes were retained somewhere secure and so on.

So why are we backing up stuff in the first place?  Well there are many reasons and the reasons vary from business to business.  Here are some examples:-

1.  Accidental deletion of data
You’re bidding on an important contract and some buffoon deleted your final version of the bid document thinking it was something else.

2.  Virus outbreak
It’s not unheard of for a virus outbreak to be so bad that the only option is to restore your systems to a time before the virus existed.

3.  Disaster recovery
What if your main file server has a disk failure and all data is lost?  Or what if you have a flood or fire that destroys your data?

4.  Theft or malicious deletion
In most companies it’s relatively easy for a disgruntled employee to cause catastrophic damage with their ‘delete’ key.  This is a big problem if it occurred yesterday.  It’s an even bigger problem if it happened a month ago and nobody noticed.

5.  Litigation
This is probably the most important point and one rarely considered.  Like it or not we’re in a litigious society and if you don’t prepare for having appropriate evidence available should the situation arise, you’re probably going to lose.

6.  Compliance
Compliance and regulation are a bit of a red herring: generally they advise you to protect against all of the above, but put the ball firmly in your court to decide exactly how you’re going to do it.

So, coming back to the fundamental point of why we backup data: ultimately it’s to ensure the commercial or functional success of your organisation.  Whether that means making money by restoring the bid document after someone deleted it, or not losing money in the law suit you had no evidence for.

I backup to tape – where’s the problem?

Well, it’s a start I suppose… but tape is very old technology.  It’s cumbersome, expensive, a management nightmare, prone to failure and, above all, very limiting in terms of data retention.  Let’s take an example:-

You have a fairly well managed IT environment.  Data on the systems is backed up every night to tape.  At the end of each week a tape is held for a period of 1 month, so there are 5 end-of-week tapes, enough to cover every Friday in a month (assuming the month has 5 Fridays).  To give some added longevity there’s also a month end backup – so at the end of each month a different tape is used – this month’s would be labelled ‘October month end’.  This tape is put to one side for 1 year (and hopefully taken off site).  Finally at the end of each year a year end backup is taken and kept for 7 years.

So here’s a scenario.  Let’s say on 2nd August John created an important document and e-mailed it to a client.  2nd August this year was a Tuesday so it would have been backed up on the daily ‘Tuesday night’ tape.  Towards the end of the month John decides to have a bit of an e-mail clear-out and accidentally deletes this particular e-mail from his Sent Items.  Come the end of the month the ‘August month end’ backup faithfully runs – but as this e-mail was already deleted it won’t be on the backup.  The only tapes it was on were the daily tapes and the week-end tapes.  The daily tapes have already been recycled but there are still four possible tapes you can get the data back from – the 5th, 12th, 19th or 26th.  HOWEVER John didn’t notice he’d deleted this e-mail until 3rd October when the client claimed something had happened that John had clearly warned them about in this e-mail.  By then all of the daily and weekly backups have been recycled – i.e. the week-end tapes now contain backups from September week-ends.  John searches and searches but it’s no use – this e-mail is gone.  A law suit ensues and John can’t provide the evidence needed to win the case.

And the above is quite a comprehensive tape rotation scheme.  Many companies don’t use anything as sophisticated as this.  I’ve seen one company, who shall remain nameless, who just left a backup tape in their server for well over a year – backing up every night to the same tape without it ever being taken out of the server or checked for consistency.  Their server had a catastrophic disk failure and when they tried to restore data from backup it was no great surprise that the data on the tape was corrupt simply due to wear and tear.  The only option was to send their disks off to a specialist data recovery company – they got the data back, it cost upwards of £20,000 but the alternative was to shut up shop.

Here’s another scenario – you delete a file but this time it was on the end of month tape – the tape was faithfully taken off site and stored in a secure location.  Unfortunately you need that file back NOW.  You have a customer who needs that quote and if they don’t get it today they’re going elsewhere.  By the time IT have got the tape back, re-indexed it and restored the file you needed several days have passed – too late.

So is it the end of the line for tape?  Yes.  Or at least I seriously hope so.  Tape has one thing going for it and that is that it can hold a relatively large volume of data.  But even that’s not a good thing!  Take, for example, these fundamental principles of the Data Protection Act 1998:-

  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

There’s a famous case relating to a large airline who stored all of their backup tapes in a warehouse – tens of thousands of tapes.  The company were presented with a class action suit alleging securities fraud.  When the plaintiff’s attorney learned of the e-mail backup tapes they naturally demanded the tapes.  The company were unable to tell whose e-mails were on which tapes without restoring the data first.  They had no option but to restore the data from every single tape.  This was further complicated by the fact that they used several e-mail and tape backup systems throughout the world.  It was a mammoth and costly task.  They retained far more information than was needed and retention was disorganised.  They settled for $92.5m in the end.

Tape really is old technology and whatever online or disk-to-disk platform you use it has to be an improvement.  The important thing to remember is that, generally speaking, tape just gives you a snapshot of what your data looked like at the point that backup ran.  So even with a pretty comprehensive 21 tape rotation scheme, best case you’re only going to be able to roll back to 21 out of 365 days in a year.  I’ll not get into the benefits of running differentials and incrementals to tape as the management overhead of this is prohibitive for most companies.  So over a year that’s about a 6% chance of being able to roll back to any one particular day and over 7 years (assuming year end tapes are retained) just 1%.
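To make the rotation scheme and John’s scenario concrete, here is a small model, added for this post rather than taken from any backup product, that works out which nightly snapshots a tape set still holds on a given day. The tape counts (4 daily tapes reused weekly, 5 Friday tapes, 12 month-end tapes, year-end tapes kept 7 years, weeknight-only backups) and the exact day of John’s deletion are assumptions filling in details the scheme above leaves open; the dates are the 2011 dates used in the story.

```python
"""Model of the 21-tape rotation scheme described above: which nightly snapshots
are still restorable on a given day, and a replay of John's e-mail scenario.
Constructed for the article's 2011 dates; assumptions are marked below."""
from datetime import date, timedelta
import calendar

# Assumed tape counts (the scheme above does not state every parameter):
#   4 daily tapes (Mon-Thu) reused each week, 5 Friday tapes reused every 5 weeks,
#   12 month-end tapes reused yearly, year-end tapes kept for 7 years.
#   Backups run on weeknights; month-end and year-end backups run whatever the weekday.
RETENTION_DAYS = {"daily": 7, "weekly": 5 * 7, "monthly": 365, "yearly": 7 * 365}


def tape_class(d):
    """Which tape set the backup taken on the night of `d` lands on (None = no backup)."""
    if d.month == 12 and d.day == 31:
        return "yearly"
    if d.day == calendar.monthrange(d.year, d.month)[1]:
        return "monthly"
    if d.weekday() == 4:        # Friday
        return "weekly"
    if d.weekday() < 4:         # Monday to Thursday
        return "daily"
    return None                 # Saturday/Sunday: no backup runs


def tape_snapshots(asof):
    """Backup dates whose tape has not yet been overwritten when the day `asof` starts.

    A tape is overwritten on the night its slot comes round again, so a snapshot
    that is N days old survives while N <= the retention period for its class."""
    snaps = set()
    for age in range(1, RETENTION_DAYS["yearly"] + 1):
        d = asof - timedelta(days=age)
        cls = tape_class(d)
        if cls and age <= RETENTION_DAYS[cls]:
            snaps.add(d)
    return snaps


def recoverable(created, deleted, asof):
    """True if a still-retained snapshot captured the item while it existed.

    `deleted` is the first day on which the item was already gone at backup time."""
    return any(created <= s < deleted for s in tape_snapshots(asof))


def restore_points_last_year(asof):
    """Distinct days in the past year you can roll back to (the '21 out of 365' above)."""
    return sum(1 for s in tape_snapshots(asof) if (asof - s).days <= 365)


# John's e-mail: sent Tue 2 Aug 2011, deleted late August (exact day assumed),
# loss discovered Mon 3 Oct 2011. EARLY_CHECK is a date before the Friday tapes recycle.
SENT = date(2011, 8, 2)
DELETED = date(2011, 8, 29)
DISCOVERED = date(2011, 10, 3)
EARLY_CHECK = date(2011, 9, 5)

if __name__ == "__main__":
    print("restorable on 5 Sep:", recoverable(SENT, DELETED, EARLY_CHECK))   # True: Friday tapes 5-26 Aug
    print("restorable on 3 Oct:", recoverable(SENT, DELETED, DISCOVERED))    # False: all recycled
    n = restore_points_last_year(DISCOVERED)
    print(f"restore points in the last year: {n} ({100 * n / 365:.1f}% of days)")
```

Because month-end and Friday tapes overlap (30 September is both), the model finds 20 restore points in the year to 3 October 2011, about 5.5% of days, in line with the rough 6% figure above.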

The Pros and Cons of Online Backup

The big advantage of disk-based or online backups is that you can back up at any time.  You’re no longer reliant on someone putting the right tape in for any given day.  You can back up as often or infrequently as you like.  Backups are still normally run at night, to minimise network load during production hours, but you could back up every minute if you wanted.  Or even better, the second a file changes ensure it’s backed up.

I’m really trying to avoid the whole sales pitch for online backup here, but I’ve worked with the Asigra product for a long time through various employers and it’s genuinely a fantastic product.  I first started using it in a pilot study for a large insurance company back in 2001.  We put the product through its paces over a 6 month period throwing all types of data at it.  We tested for everything from speed to data integrity and robustness – it passed with flying colours.  For the purposes of this blog I’m going to try to remain relatively unbiased.

Another big advantage of online backup is the ability to introduce retention policies to suit the type of data being backed up.  The big problem is that the market doesn’t understand what they need to backup and for how long, never mind how retention policies work.  So this key point is often overlooked, making do with the default settings of the program.

But here’s the point.  You need to forget everything you know about backups.  Forget about tape rotations, forget about incrementals and differentials.  Forget about finding the right tape to carry out a particular restore.  Online backup works completely differently and it’s important you understand the implications of this for your business.

For a start, after your first full backup everything is incremental, generally at disk block level.  So if your 10MB Word document changes it’s only the additional 5KB or so of changes that gets sent up the line.  Secondly, data retention is on a time AND/OR generational basis.  So you can say “I want every generation of this data kept for 5 years, and this less critical data I just want the last 3 generations kept for 1 year – after that delete it from backup”.  Finally, as touched on before, you can configure your backups to run whenever you want.  If a critical set of data has been produced you can call your IT department and say “See the folder on the S: drive called ‘Critical’ – can you back it up now please?”.  Couple of clicks and it’s done.  Oh and of course all encrypted to certified standards way beyond that of most tape systems.

So from a compliance standpoint all of the limitations of tape have been removed.  You can be as compliant or non-compliant as you like.  Backup every second, hour, day, week.  Create different backup sets that backup at different times.  You don’t even need to worry about backing up the same data twice as the system looks after deduplication automatically (although that’s a topic in itself for another time!).

Sounds complicated – why bother?

Well that’s the million dollar question.  Just remind yourself of point 5 in the reasons to backup mentioned earlier.  Whoever is most prepared wins and the good news is that you can be as prepared as you like.  The bad news is that you need to take data backups more seriously than ever and that means attributing a much more sensible cost to protection of your data.  Of course I’m going to say that, we sell online backup.  But this isn’t a sales pitch.  If you can’t restore critical data and your competitor can you’ve potentially got a big problem on your hands.  Up until quite recently companies spent the bare minimum on putting backup systems in place.  As an extreme example we’ve seen organisations spending £10,000 on a new IT system and then backing it up to a USB memory stick – crazy.  But businesses are catching on quick.  In the age of Big Data and reliance on electronic systems for every aspect of your business, having sensible, well thought out data backup and retention policies is essential.

What can I do?

First of all set aside a reasonable budget for data backup – at least 25-50% of the overall production system value.   This is a reasonable assumption – remember you’re probably going to need to store much more information on backup than on live systems.

Secondly, devise a sensible data retention policy.  Only you can decide on an appropriate retention policy for your business.  If you’re not sure escalate the question to someone who will make this decision.  Remember to think outside the box – don’t just mimic what you did on tape.  Here’s an example data backup retention scheme:-

  • Operating system / application files and non-critical user data:  Keep the last 3 generations
  • Critical user data:  Keep the last 5 generations and also 1 generation every 3 months for the last year
  • Move all files older than 3 months to archive storage.
  • Keep all deleted data for 1 year
  • Backup critical data every 3 hours
  • Backup non-critical data every week

Remember this is just an example to show the flexibility now available – you need to come up with an appropriate plan that meets any regulatory or compliance needs for your organisation.

Finally, let appropriate people know the retention plan you’ve elected to use.  If possible ensure this information is passed to board level or at least senior management.

With some initial thought and investigation you can put together a self-managing data backup policy that keeps you covered for the vast majority of situations.  Here are some final points to bear in mind:-

  • Don’t treat all data the same
  • Come up with folder structures that segregate critical data from non-critical, making it easy to apply an appropriate backup policy to each
  • Assess the value of your data and what would happen if you lost it
  • Plan for the worst case scenario
  • Publish your plans internally

Everyone thinks they’re a cloud provider!

Another day and another set of companies, who up until a couple of weeks ago didn’t know what a hypervisor was, are now claiming to be cloud providers. The number of companies, big and small, jumping on the cloud bandwagon is a concern. To profess you’re a cloud provider when actually you’re reselling someone else’s service (without telling the customer) or running it using not entirely legitimate software on consumer-level equipment isn’t the most ethical of approaches.

Unfortunately the market is still quite naive as to what constitutes a cloud service, so when provided with a quote the vast majority go with the cheapest and hope for the best. The number of customers prepared to sign up for a service without so much as glancing at an SLA, which often doesn’t exist in the first place, is gravely concerning. You’re talking about taking all of your most critical data, giving it to someone else and then running your business off it without doing some basic background checks? So what happens then? The ‘pseudo cloud providers’ have a service failure, because they’re not really cloud providers, and it’s ‘cloud’ that gets a bad name.

Setting up a respectable cloud service is complicated. It involves some substantial infrastructure in the form of data centres, network connectivity, redundant network connectivity, power, redundant power, the list goes on; you need very good technical skills in a wide range of technologies such as VMware (or your hypervisor of choice), Citrix, network configuration, firewalls, authentication mechanisms, backup systems, data storage, server configuration, replication … I could go on; you need a support network to handle all of the technical stuff; and, probably most importantly, you need some fairly expensive legal paperwork – to cover everything from the ordering process through to SLAs, vendor terms, general terms etc. All of this takes a lot of time and resource and it’s not something that can be set up overnight. So if the price looks too good to be true it’s probably because some part of the above service doesn’t exist.

So what are the implications of using a ‘pseudo cloud provider’? Well for a start you have nigh on no legal comeback if something goes wrong. Where is the SLA that says you’re entitled to 99.99% uptime? Where is the clause that says you can get your data back any time if you want it? And of course where exactly is your data? And who owns the data centre where your data is ultimately stored? You may have carried out the usual battery of credit checks on your pseudo cloud provider (or have you?) but have you checked their suppliers? And what are the contractual terms between your pseudo cloud provider and their suppliers? I’ve seen pseudo cloud providers offering 100% uptime on cloud yet their data centre provider’s SLA is 99.95% – how does that work?

In most cases data centre hosting contracts prohibit access to anyone apart from the customer (i.e. the ‘pseudo cloud provider’). It’s very unlikely the data centre would allow the customers of their customers to have access. So you can’t just visit the data centre and collect your data whenever you like. “Why would I want to do that anyway?” you ask – well what if you want to change supplier? What if you want to move to a physical solution? Or what if you just want an off-line copy of your data? “It’s OK – I’ll just copy it over the internet!” I hear you say, and that’s absolutely fine. It will take 46 days to download 1TB of data over a 2Mbps connection.

Of course I’m not criticising smaller providers here. You can do cloud on a small scale but you need to be honest with what you’re giving the customer. In most cases it makes much more commercial sense to re-sell an existing established cloud offering – and tell your customers you’re doing so!

Every cloud is different

Cloud has become a popular IT buzz word over recent years and with it has come much confusion as to what it actually is. To put it simply, cloud computing is where you store data on somebody else’s computer server and access it by using the internet.

Just like fluffy, white clouds that reside in the sky, cloud computing can also take many different forms. There is Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS), which you can all have sitting on a Private Cloud, Public Cloud or a combination of the two, known as a Hybrid Cloud. So although the basic concept is easy to understand, the many variations of cloud computing make it as clear as looking through fog.

Neil Stephenson, CEO of Onyx Group, said: “Companies that use cloud computing are putting a lot of trust into the businesses who supply it, so they must be sure of exactly what they are getting. There are a number of simple questions that anyone looking to invest in cloud can ask a supplier to help them make the right decision on who to use.”

So when thinking about switching to Cloud what should you be asking and what do you need to know?

What are the advantages of cloud? Many forward thinking organisations are already using cloud and are reaping the benefits that it can bring. As well as increased flexibility and greater operational advantages, cloud computing negates the need for capital investments in hardware and software, which can often be prohibitive for many companies in the current economic climate.

Where is my data being stored? The whole concept of cloud computing means that your data can be stored on a server outside of your business premises, providing better access and safety of your data and files. There are many data protection laws that stipulate that it should be stored in the UK if that’s where your business is based. If a cloud provider doesn’t own their own data centres and network, you may be getting an inferior product.

Is my data secure? If your provider doesn’t have all the necessary precautions in place to secure your data thoroughly then it could be at risk to malicious activity over the internet. Ensure that it is stored in data centres that are ISO27001 and ISO9001 accredited, it is encrypted to the highest levels and that it sits behind enterprise level firewalls.

How do I get my data back if I need it? You can gain access to your data at anytime, anywhere. When there is a mass of data saved within the cloud and you decide to change provider or solutions, it is important that you can get all of your data back. To ensure that you don’t face any problems, confirm that your provider has a ‘data out guarantee’ where they will either ship your data to you or allow you to visit one of their physical facilities to remove it. At Onyx, we have 5 data centres throughout the UK whereby you can visit and speedily get your data to take away.

Will my solutions grow as the business grows? One of the key benefits of cloud computing is that it should grow or shrink as your company’s needs do. Make sure that you are not stuck in a long term contract that you can’t back out of if you need to scale down and that the provider you are using has the infrastructure in place to be able to grow your solutions if you need to.

Can you guarantee service? With cloud computing you are reliant upon your service provider’s uptime for availability of your data and applications. Ensure that this is guaranteed by having robust Service Level Agreements (SLAs) in place, 99.99% uptime is a good place to start. Also ask for case studies or references from current clients to confirm that they provide what they say they can.

What technologies are you using to provide your cloud solutions? Always use the best technology, for example Asigra for backups and VMware for virtual servers, and make sure the company has the people and experience to implement them properly. Many cloud solutions are based on existing software platforms so you need to ensure that they suit your needs.

Neil added: “Once you have got feedback from these key areas you should not only have a better understanding of what cloud services suit your needs, but it should also confirm if you have chosen the right supplier. Here at Onyx Group we have an extensive portfolio of cloud solutions, along with the experience, infrastructure and technology to support your on-going needs and because of this, have recently been named one of the top 3 cloud providers in the UK.”

For information about Onyx Group’s Cloud offering please visit: www.onyx.net/cloud or call 0800 970 9292 where one of our customer representatives will be happy to talk you through your options.
