Mark Eggleston, CISSP, GSEC, CHPS, Vice President, Chief Information Security and Privacy Officer, Health Partners Plans
Throughout my career, I’ve seen business continuity planning and disaster recovery approaches becoming more agile, engaging and cloud-focused. Gone are the days of static, cumbersome continuity manuals exceeding a hundred pages and supported with cold/warm-site technology. Customers and customer-centric organizations are no longer willing to tolerate application downtime. After all, an outage rarely lasts long before customers take to social-media platforms to vocalize their disdain. Progressive-minded business continuity professionals are now more likely to align themselves with this new reality and ensure their skillsets are better aligned to cloud technology.
When we implement new technology or applications, we first explore SaaS (Software as a Service) options or systems we can install into an IaaS (Infrastructure as a Service). Doing so helps us ensure high availability while minimizing investments we would make if the application were hosted locally. This shift to cloud has downstream implications important to business continuity professionals. Instead of building detailed plans for in-house recovery efforts, we now focus on due diligence with the cloud vendor.
As part of this effort, a continuity professional should focus on contractual provisions to ensure resiliency. Also important: items, such as code escrow, that will ensure the software can still be used if the SaaS vendor becomes insolvent. Although highly unlikely, vendor insolvency would be devastating. Contracts should also include the capping of renewal costs at CPI (Consumer Price Index); with this provision in place, your company will not be price-gouged in future renewals. Continuity professionals should also ensure seamless SaaS authentication via federation. You want to avoid resetting passwords in a downtime scenario; negotiating this up front helps ensure you get this important feature. Professionals should also prioritize contractual provisions that will ensure that their companies retain ownership of data, including prompt and full access if migration to another platform becomes necessary. Perhaps most important: securing contractual Service Level Agreements (SLAs) for uptime that do not exceed your company’s tolerances for recovery timeframe objectives. Business continuity professionals should jump in here to add value!
The vast array of remote working solutions has also impacted continuity planning. Ensuring workforce enablement is paramount for continuity professionals. We did intense rapid planning several years ago, as our business was impacted by the Pope’s visit to Philadelphia (“Popenado” in our vernacular). We had to plan for public transportation issues and street closures, so we ran impact assessments to ensure we had appropriate bandwidth for several hundred concurrent connections. We also had to account for VPN (Virtual Private Network) licenses for each user, supporting critical and necessary work functions. Nowadays, most employers offer some level of work-from-home enablement beyond VPN, including remote productivity tools. These tools can double as continuity communication tools. In fact, technology advancements in virtualization have shifted continuity professionals’ planning efforts for workspace recovery. Gartner predicts that by 2019, 50% of new Virtual Desktop Infrastructure (VDI) users will be deployed on DaaS (Desktop as a Service) platforms. DaaS allows a third party to host desktop applications, operating system and system upkeep, all with predetermined SLAs. This can help defray or even replace workspace recovery space, so the time and costs of conducting workspace recovery capacity planning are, in many cases, becoming obsolete.
The above tactics will help business continuity professionals work in the evolving digital world, bringing both resiliency and efficiency to their planning efforts.