Too little recognition for the importance of rapid recovery
A business continuity plan and the right infrastructure are crucial in reducing downtime to a minimum
With a greatly increased risk of infection from ransomware, good disaster recovery provisions to safeguard business continuity are more important than ever. Yet the subject is still far from getting the attention it deserves. We talked to Wim De Meyer and Mathias Caluwaerts of Orange Cyberdefense Belgium.
The number of cyberattacks has doubled since the start of the corona crisis, as many employees are forced to work from home outside the relatively secure corporate network. These circumstances are the starting point for today’s topic of conversation, but there are of course other disastrous issues that could have an impact on business continuity. Something as trivial as a power failure, for example. Whatever form it takes, sooner or later an organisation will be confronted with downtime: ‘it not a matter of if, but when’. Regardless of the nature of the “disaster”, De Meyer (Business Developer) and Caluwaerts (Solution Architect) aim to ‘keep the gap between downtime and restoring functionality as short as possible’, as the two men succinctly summarise it.
The disaster paradox
The challenge in creating good disaster recovery provisions is not primarily technical, but almost psychological: a disaster is not evident until it happens. It doesn’t raise interest, certainly not outside an organisation’s IT department. Downtime involves greater costs than an organisation might first think: not just direct costs (temporary loss of sales, for example), but also indirect costs such as damage to reputation, and in the event of ransomware, possibly also ransom costs. Awareness of these total costs is obviously important when determining investments in disaster recovery. Comparing these total costs with those of investing in a good recovery solution and prevention is a proposition that will be clear to the decision-makers in an organisation.
A business continuity plan is crucial in limiting downtime. Establishing such a plan involves more parts of the organisation than IT alone. ‘Recovery often remains shut away in IT,’ say De Meyer and Caluwaerts, yet it has an impact on the entire business. So it’s crucial that they subscribe to the importance. When it comes to disaster recovery in IT, the discussion is logically around technology (e.g. about arranging replication to another location), but starting with that means anticipating the issue.
Analysis as the starting point
De Meyer and Caluwaerts thus seek connection with other parts of the organisation to map out an organisation’s current situation using a tool kit developed by Orange Cyberdefense. By using so-called BCP and DRP Maturity Scorecards based on ISO standards 22301 and 27031, an organisation can gain insight into where it sits in terms of preparedness in the event of an acute and large-scale problem. A business impact analysis then brings clarity regarding what the impact of this would be on the applications and different parts of the organisation. Ranking these on the basis of how critical they are for business continuity creates a set of priorities for recovery following a disaster; a disaster recovery plan allows the minimum recovery time (RTO) and the volume of data loss that is acceptable per application (RPO) to be determined for each application. This analytical phase is what truly differentiates Orange Cyberdefense Belgium, according to De Meyer and Caluwaerts. ‘We can carry out this analysis in a fraction of the time the competition needs. That’s crucial, too, because if you spend too long compiling a lengthy report, it will be out-of-date by the time you’ve finished it.’
Ignore gut feeling
With the analysis in mind, it is time to talk to the representatives of the organisation: although every company would prefer to have zero data loss and no recovery time in the event of a disruption, from a cost perspective this is seldom profitable. By making a breakdown per application, a reasonable balance can be found, although an objective view from the outside remains valuable here: a customer who has invested a lot in a mail system may initially see this as a top priority, but for business continuity it is probably a tier-3 rather than a tier-0 application. As Caluwaerts puts it, ‘we need to ignore gut feeling.’
Orange Cyberdefense plays an advisory role in this. ‘We try to simplify it and make it transparent,’ says De Meyer. ‘We want to get the discussion started, provide tools and a roadmap, but it is ultimately up to the customer to choose the solution that suits him best.’ Orange Cyberdefense provides support here, brings the right people together and ‘helps the IT department to present the most responsible picture for the business,’ but at the end of the day, the company itself knows best which applications are critical.
Orange Cyberdefense’s aim is therefore not to fill the order book to the maximum following the consultation process: ‘If we put 12 projects in a roadmap, there’s every chance we won’t do 7 of them ourselves,’ says De Meyer. Instead, the company focuses on the areas it specialises in, such as establishing failover data centres. For this it works with Nutanix which delivers clear benefits in terms of replication to a second location. That might be a second data centre, but also in the cloud with help of DRaaS: disaster recovery as a service.
Replication – essential to have a second location that can take over when the primary site is down – is a challenge in a traditional infrastructure where applications, servers and storage form separate layers, possibly also with virtualisation in-between. Certainly for relatively small teams, it is very cumbersome to duplicate and synchronise such a structure, which is logical considering that all these elements need to be updated and can all change independently of each other. It is more transparent within the Nutanix infrastructure: all you have to think about is synchronising applications that run on a hypervisor of your choice. The underlying technology is hidden from view, but seamlessly linked – synchronising applications and their data is therefore no problem whatsoever, something that is quite a headache with a traditional infrastructure.
In terms of security, too, De Meyer and Caluwaerts value Nutanix approach, with end-to-end encryption and embedded network segmentation (Nutanix Flow), and standard multi-factor authentication and role-based access management.
How synchronised does it have to be?
A further strong point of Nutanix replication is that several forms of synchronisation are supported that can be deployed per application. Asynchronous, nearsync and sync can be used according to the importance of the application. As the Orange Cyberdefense guys put it: ‘the final architecture is a patchwork of synchronisations aligned to cost price, geographical and technical limitations in line with the business needs.’
As well as the possibility of replication between data centres, Nutanix also supplies the aforementioned DRaaS with Xi Leap. For the time being, this is only asynchronous, but in many cases, with the right set-up, this can be quite sufficient. De Meyer cites a large Belgian client as an example, who has been using Nutanix infrastructure satisfactorily for some time, but thanks to a switch to Xi Leap, Nutanix’s DRaaS solution, has been able to close its second data centre. With this new Xi Leap implementation, the client achieves the targeted SLAs and at the same time saves costs and resources. In addition, this solution enables test recovery plans to be carried out in an isolated bubble.
Simple and speedy
Nutanix offers a further benefit in terms of speed. Once everything is set up properly, a failover to the second site in the event of downtime on the primary site simply means a click in the interface This single click disaster recovery is ‘far simpler than Site Recovery Manager, for example, for which you virtually need a degree,’ says Caluwaerts. In addition to simplicity, single click recovery also makes testing achievable, adds De Meyer: ‘Disaster recovery without testing is pointless, but generally no one wants to do it, certainly not where critical services are concerned – people prefer to give it a wide berth.’ Related to this: planned failover is easy to set up thanks to the Nutanix platform. And following recovery of the primary location, reversing the synchronisation is just as easy, as is restoring the initial parameters when everything is back in sync.
The simplicity of the Nutanix solutions – Caluwaerts and De Meyer are also enthusiastic about other Nutanix applications such as Frame, a SaaS-based VDI solution – is sure to be valued by clients. IT departments are increasingly expected to provide solutions and knowledge; complex applications thus often require external expertise to be brought in, whereas the Nutanix vision allows this to be simply managed in-house.
Important for all
When asked from which size a company should start to think about disaster recovery with multiple locations, De Meyer and Caluwaerts are unanimous in their response: ‘It’s not really about size. If the data are no longer available, a company’s chance of survival decreases dramatically. BCP and disaster recovery should be top-of-mind for everyone. It’s just as critical for a construction company as it is for a bank.’
Share the post