Disaster Recovery Plans Need to Reflect Increased Natural and Intentional Threats

By Christian Lappin, Senior Sales Engineer, TierPoint

Last week, I had the privilege of speaking about disaster recovery (DR) planning at the annual Virtualization Technical Users Group (VTUG) event in New Hampshire. Environmental threats are on the rise as are intentional attacks, which mean organizations have a lot more to account for in DR plans today. My talk was about elements that should be included in a modern DR plan and some of the common mistakes you can avoid. I want to get people thinking about things they do not ordinarily think about when it comes to DR.

VTUG PIC

Pay Attention to the Weather
Flood zones change. Your data center may not be in one, but a storm could change that. The U.S. Federal Emergency Management Agency (FEMA) has a terrific resource called the Flood Map Service Center. After you input your address, it shows you the flood zones in your area. Knowing your facility is (or is not) located in a flood zone helps you make better planning choices.

Severe drought in California has increased fire risks. We just ended one of the snowiest winters on record in the Northeast. And although predictions are for a moderate hurricane season this year, there is precedent for a big surprise or two. The increase of potentially serious weather events and the power outages that can stem from them means it is a good time to evaluate your risk tolerance. If you have hedged on a secondary site in the past, consider if weather issues should change your thinking.

Terrorism and Intentional Damage
Perhaps it is my experience with the FBI’s Infragard Task Force, but I do share concerns about how technology can be used to execute acts of terrorism. There are instances for example where drones are being used as delivery vehicles for a myriad of attacks in addition to surveillance. So don’t presume that you will never be a target for a digital cyber attack. Keeping physical threats as a possibility can shape your DR plan. For example, when designing your data center, keep your servers as far away from the road as possible. Why? If a VBIED [vehicle-borne improvised explosive device] detonates on the street, you will want to minimize damage to your servers by adhering to the appropriate fallout distances.

Virtualization as a Threat
A common thread to almost all of the talks I give at various events is that as great as the benefits of virtualization are, too much of it introduces risk. Virtualization oversaturation happens when your data density becomes so big that you create a single point of failure and make it easier for a hacker to locate and attack. “Never put all your eggs in one basket” is good virtualization advice. This virtualization threat is one of the reasons for the explosive growth of hybrid cloud because it allows you to keep the virtualization benefits while reducing data loss risks. In addition the oversaturation can easily overload your DR location as many situations use equipment they once used for production and will continue to overload the new production systems moving away from the ability to protect those workloads at the DR location.

Three Oft-Overlooked DR Questions
When consulting with clients about their DR plans, three questions seem to spark the most discussion.

Are You Recoverable?
Lots of folks focus on backup as part of their DR plan. Backup can take multiple forms using different types of media including tape. Asking whether you are backed up is not the right question to measure whether an organization is prepared for a disaster. Instead, ask are you recoverable. If your servers are down and you need to get back online quickly, being backed up only counts if you can recover quickly. You also have to have a destination to recover to. Being backed up is never enough.

Do you have a big testing gap?
It is vital to test your environment for vulnerabilities and other issues on a regular basis. The time between testing is called your testing gap. If you have a large testing gap, you could miss viruses and potential incompatibility issues that could take your network down. Testing also helps make sure you have the latest patches, firewall and software updates. Frequent testing can also help pinpoint the source of problems when network changes are made.

Where are You Going to Put Your People?
Most DR plans that I have seen are incredibly detailed, including all kind of redundancies. Then you ask the owner, where are you going to put your people? Too often I hear silence. Are they able to work from home? Do you need to have workspace setup where they can access corporate data and applications? When creating a DR plan, make sure you account for where your people can continue to work.

Thanks to VTUG for having me. It is a good group of folks to network with and to chat about virtualization and information infrastructure. You might want to consider attending their next event, which is a Maine lobster bake.

Connect with me.