Prepared By: Charles F. Curran Al Khobar, Kingdom of Saudi Arabia

Transcription

1 Prepared By: Charles F. Curran Al Khobar, Kingdom of Saudi Arabia

2 Table of Contents 1.0 Introduction Phase I Create a Baseline for Analysis Inventory the applications Identify the data bases or feeds they access Identify the business objectives for which the applications access the data Phase II Establish Priorities for Recovery Time Objectives Appraise (or valuate ) each objective s process by performing a risk assessment on it Standard Risk Assessment Methodology Confidentiality, Integrity, and Availability (CIA) Analysis Prioritize the business objectives and their processes based on their value Brainstorm possible mitigation alternatives Phase III Identify Design Objectives and Boundaries Cost-Benefit Analysis of Mitigation Alternatives Relevant Engineering Design Variables Execution... 5 List of Tables Table 1: Qualitative Data Classifications... 3 ii

3 1.0 INTRODUCTION The purpose of this paper is to recount the steps involved in classifying or characterizing data for the purpose of disaster planning, specifically in support of determining system requirements for system back ups and back up data storage in particular. The paper shows how data classification naturally transitions to the identification of performance specifications to support engineering design. Corrective measures in the event a disaster impacts computer data important to business continuity include creating back up storage for the enterprise s data. The first step in determining data storage requirements for disaster recovery is to classify and prioritize the data. 1 This is a function of the business processes for which the data is used. The process to characterize data for design and business decisions concerning disaster recovery logically breaks down into a three phase process: creation of a baseline for analysis, data prioritization, and establishment of design parameters for implementation. The first phase describes what is. The second establishes the priorities for later engineering and business decisions, and the third prepares the organization to proceed into formal design of disaster preparedness engineering. 2.0 PHASE I CREATE A BASELINE FOR ANALYSIS This first phase describes what is. It defines the body of data targeted in data recovery efforts. It consists of three discrete steps: 2.1 INVENTORY THE APPLICATIONS. First, all the applications owned by the enterprise or organization within the enterprise must be inventoried. Applications have uses and use data. The relationship of the uses ( business purposes ) to the data will define the importance of the data and drive the decisions on how to back it up to support disaster recovery preparation. 2.2 IDENTIFY THE DATA BASES OR FEEDS THEY ACCESS Once the applications are identified, it is important to link the applications to the data they process to arrive at their output in support of business objectives. Given the business silos in which processes can operate, this step ensures that all are aware of the uses to which particular data bases are put. Real time data feeds drawn into processing should be associated the same as static data bases. This ensures that both data at rest and data in motion are associated with their respective applications, such as for enterprise service bus operations. While the focus for disaster recovery traditionally is on recovering data bases to support business processes, one finds that including data in motion this calculus supports Recovery Point Objectives in Phase II and identification of special recovery software that might need to be developed in Phase III. 1 Whitewater Cloud Storage Gateway Disaster Recovery Best Practices Guide. October Riverbed Marketing, Riverbed Technology, Inc., San Francisco. Accessed 19 April 2014 at YAxWRhSnd595RZFoY769z- 34iMW9JTyJaecQTcOcWVfzpAumv5IZokgdMtg!ac6ceodo1W0JDzc3NKvJ79L7M5!wvscXXb9bzYmmwTyTuR 5M=&answerid= &searchid=

4 2.3 IDENTIFY THE BUSINESS OBJECTIVES FOR WHICH THE APPLICATIONS ACCESS THE DATA Association of business objectives to applications need not wait for completion of the above steps, but it logically follows and is likely a more mature determination if it is performed after association of data automation processes to data bases and data feeds. In complex cases involving hundreds of discrete applications, it often proves beneficial to group applications that support the same or similar business processes. Indeed, it is not unusual for a single business process to require several applications working in concert to bring about the desired result. 3.0 PHASE II ESTABLISH PRIORITIES FOR RECOVERY TIME OBJECTIVES 3.1 APPRAISE (OR VALUATE ) EACH OBJECTIVE S PROCESS BY PERFORMING A RISK ASSESSMENT ON IT With the baseline inventory in place, priorities of processes can be addressed. Two mechanisms for prioritization are widely practiced: STANDARD RISK ASSESSMENT METHODOLOGY Risk is normally computed using the following equation or a variation of it: Risk Value = Consequences X Threat X Vulnerability. In order to avoid highly subjective results, this approach requires the construction of threat tables and vulnerability tables to evaluate threat and vulnerability based on agreed to criteria. The value of this approach is that it can provide a financial valuation of the data and process on which to base financial investment alternatives in cost-benefit analysis. For purposeful human threats (as opposed to natural disaster or safety related threats), threat and vulnerability can also be expressed as Likelihood of Attempt and Likelihood of Success by a given adversary. 2 This latter would be applied, for example, to address recovery from a disaster induced by a successful cyber attack. Once the valuation is complete, a rank order of business processes can be listed and Recovery Time Objectives (RTOs) can be established for each one. Again, it might be beneficial for the organization to group Recovery Time Objectives, but this risk-based analysis does support the identification of discrete RTOs for data particularly critical to business operations CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY (CIA) ANALYSIS A simpler format used by many is to assess each item based on the typical data evaluation criteria of confidentiality, integrity, and availability. Again, it helps if tables are constructed with evaluation criteria assigned for relative levels of importance of confidentiality, integrity, and availability. Availability will be the primary driver of disaster recovery solutions as it relates strongly to currency of the data and how quickly the enterprise needs it reconstituted. Availability values might be set based on specific Recovery Time Objectives. Integrity will play in that it influences how data is backed up and how readily that form of back up data can be reused in the event of a disaster. Integrity will be an item worth focusing on later in disaster preparedness exercises and drills after a disaster recovery plan becomes operational. Finally, 2 This approach to risk valuation for disaster recovery is based on the American Petroleum Institute Security Risk Assessment standard, adapted to disaster recovery analysis and recognizing that disasters can be natural as well as manmade. See Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries (API 780) Ed. 1. May American Petroleum Institute, Washington, DC. 2

5 confidentiality influences where data is backed up and the security of the technical means utilized for doing so as well as the mechanisms used for reconstitution of operations. In conclusion, the most important element for this stage of the process is Availability, but this is a convenient point at which to also assess Confidentiality and Integrity as those determinations will guide later activities in the disaster preparedness process. Finally, peer review of the decisions is important as stakeholders will naturally fight for their data, but objective criteria for prioritization will need to be agreed upon. One approach for establishing objective criteria for prioritization is to use both the Risk Based approach and the CIA approach to determine availability requirements. This requires more labor, but it does establish an objective basis for deciding availability priorities. For example, there might be a data operation that cannot be reconstituted without a very short Recovery Point Objective (RPO) that is, the data needs to be very recent in order to avoid a business loss. However, that business loss might be miniscule in comparison to the cost of adding this data to the group of data elements with very short RPOs. Likewise, there might be a piece of data that can support post-disaster reconstitution of very valuable business process despite a relatively long RPO. Performing a Risk Based analysis of the data helps prioritize within Availability classes. If computing risk is too resource intensive, another way to dive more deeply into availability classes is to build qualitative tables for assessing the value of the data. A sample set of qualitative descriptions for classifying data follows: 3 Data Classification Description Critical Important Semi-Important Non-important Application data critical for business processes that provide minimum acceptable levels of service in the event of a disaster, or data which must be available for regulatory audits (Example: Customer orders and financial data). Application data for standard business processes, which is impossible or extremely expensive to recreate, or data that has significant operating value (Example: Classified data). Application data for normal operational procedures, but can be cost effective in recreating from original data sources at minimal to moderate costs (Example: Support documentation). General data which can easily be recreated from original source data (Example: Reports). Table 1: Qualitative Data Classifications PRIORITIZE THE BUSINESS OBJECTIVES AND THEIR PROCESSES BASED ON THEIR VALUE Whether a Risk Based or CIA approach is used, the previous step produces a rank ordering of data based on business importance. In the Risk Based approach this list reflects financial value of 3 Whitewater Cloud Storage Gateway Disaster Recovery Best Practices Guide. 3

6 reconstituting the data operation. In the CIA approach, data are identified with broad ranges of availability requirements and importance equates directly to availability requirements for data operations. The CIA approach can be further analyzed for relative value of availability if necessary. As noted, incorporating Risk Based analysis is one way to analyze classes of availability more deeply, but broad qualitative assessments can also do the job BRAINSTORM POSSIBLE MITIGATION ALTERNATIVES Exploring possible mitigation alternatives transitions the process from data classification to implementation of disaster recovery strategies and particular mitigation techniques. In the absence of alternative approaches, the Seven Tiers of Disaster Recovery described in Phase III below could be used as a guide to brainstorm implementation alternatives. 4.0 PHASE III IDENTIFY DESIGN OBJECTIVES AND BOUNDARIES Deciding how to recover from potential disasters involves a number of business and, by extension, engineering decisions. Paring down the universe of possible mitigation alternatives to an actionable set of alternatives supports execution of formal cost-benefit analyses. 4.1 COST-BENEFIT ANALYSIS OF MITIGATION ALTERNATIVES Perform a cost-benefit analysis of the mitigation alternatives. A useful framework and best practice for cost-benefit analysis is to apply the Seven Tiers of Disaster Recovery as formulated by SHARE and IBM in the 1990s. The Seven Tiers of Disaster Recovery are methods of keeping duplicate copies of business data as a means of providing for business continuity when disaster strikes. Assessment in the above phase enables all data items to gravitate to one of the tiers based on whether it is critical to the business, operationally important, or of an archival or historical nature. 4 The Seven Tiers of Disaster Recovery are: a. Tier 0 - Do Nothing The data item does not need to be backed up. b. Tier 1 - Offsite Vaulting Back up data is periodically moved to off site storage for safekeeping. c. Tier 2 - Offsite Vaulting with a Hotsite The off site location includes facilities with which to resume processing. d. Tier 3 - Electronic Vaulting Some data is automatically backed up into an electronic vault so that processing can resume without the need to wait for backups to be prepared. e. Tier 4 - Electronic Vaulting to Disaster Recovery Hotsite The facilities at the Hotsite are continually running to receive the Electronically Vaulted data. f. Tier 5 - Two-site Two-phase Commit - Data consistency is proactively maintained between production and Disaster Recovery sites. g. Tier 6 - Zero Data Loss Practices such as disk mirroring that produce high levels of data currency without dependence on applications or applications staff for confirmation. As noted in Phase II, critical data is that without which an important business function ceases it has the highest referential value and requires the highest level of access. Operationally important data is of moderate referential value and is used daily. It supports decision making, but loss of such data is viewed as only an inconvenience, not a showstopper. Archive data is likely 70% of a 4 A useful summary of cost-benefit analysis for disaster recovery alternatives is: Omar H. Alhazmi and Yashwant K. Malaiya, Assessing Disaster Recovery Alternatives: On-site, Colocation or Cloud. Colorado State University website, accessed 23 April 2014 at 4

7 business s storage. This is data that can be useful, but waiting for it to be recovered does not cause the business function to stop. 5 Critical, operational, and archive data types can bin most data elements, thus simplifying the process of selecting a disaster recovery strategy. 4.2 RELEVANT ENGINEERING DESIGN VARIABLES Additional aspects to consider when addressing the engineering design variables of data backup are: a. How often is the information accessed and modified? b. How quickly does the information need to be recovered? This is the determination of the Recovery Time Objective (RTO), a fundamental consideration in allocating disaster recovery resources. c. What are the capabilities of the inventory of existing backup tier(s)? d. Who is responsible for recovering the information? e. When s the right time to back up the information? This is the determination of the Recovery Point Objective (RPO) for each data item, a function of the Recovery Time Objective (RTO), above. f. Will the backup tier require an offsite component? 6 g. Will electronic vaults be required? h. Will hot backup be required? Once the financial cost-benefit is concluded, an enterprise might also consider an appropriate qualitative assessment in parallel with the financial rankings, such as Indirect Marketing Benefit or Training Value. When the candidate alternatives are arrived at, the enterprise is in a position to author a Design Basis Scoping Paper for the universe of acceptable mitigation alternatives. This step is the point at which the essential design parameters, boundaries, and budget limits are complete and the formal design process can proceed. 5.0 EXECUTION The above outlines the steps for ascertaining the importance of data so that resource allocation decisions can be made. Once complete and project execution is underway, the qualifiers to ensure a technically acceptable outcome exceed the usual past performance factors of a solicitation of interest. The ability of candidate suppliers to succeed comes down to the skills of individuals involved and their current ability to execute. One can make the case that trusted partnership would be a preferable alternative to competitive award. The technical differentiators and qualifiers are so detailed that they do not lend themselves to the high level qualification information normally elicited in solicitations of interest. Solicitations of interest simply do not delve into details like transaction logging, transaction backout and file reload with applied journaled transactions, and the intimate understanding of the relationships between applications 5 Scott Baker, Data Characterization Part 3 of 3. VM Maverick, the Lone Dissenter, 5 February Accessed 19 April 2014 at 6 Variables a-f come from: Scott Baker, Data Characterization Part 1 of 3. VM Maverick, the Lone Dissenter, 1 February Accessed 19 April 2014 at 5

8 and their data necessary to implement methods that support Recovery Point Objectives (RPO) reliably. Indeed, a necessary part of all business continuity management is the feedback loop of key performance indicators that comes out of regular drills or exercises of recovery procedures using data files retrieved from disaster recovery storage. The appropriate contract model for such activities is level of effort support from recognized subject matter experts to guide design, execution, and analysis of the results of the exercises and drills. 6