Business Continuity 2010: How Cloud Computing and Virtualization Change Business Continuity and Disaster Recovery - A collaboration between the Disaster Recovery Journal (DRJ) and the Wikibon Project.
The March 2, 2010 Peer Incite meeting brought together the DRJ and Wikibon communities and featured two practitioners who are active as DRJ advisors.
- Randall Till, MBCP, Executive Council Member on DRJ's advisory board; currently vice president, global business continuity management for MasterCard International; who has been implementing BC programs within several organizations during his 18-year career.
- Michele Turner, MBCP, FBCI, CISA, ITIL, Editorial Advisory Board DRJ Editorial Advisory Board Member and Sr. Mgr of IT Risk Management and IT Governance at Microsoft Corporation. Mrs. Turner has managing editor 16 years' experience in Business Continuity and Risk Management efforts.
The purpose of the call was to explore how virtualization and cloud computing are impacting disaster recovery (DR) and business continuity (BC).
The key premise put forth to the DRJ and Wikibon communities was the following:
Virtualization is driving efficiencies and increased utilization. While delivering substantial savings to organizations, ironically, from a recovery perspective, virtualization consumes spare resources that often can be applied to business continuance; and hence organizations that aggressively pursue virtualization risk constricting agility from a BC standpoint. Cloud computing provides an opportunity to improve business flexibility and remove constraints by delivering elastic capacity for DR and business continuance.
Further, while bringing potential advantages, cloud computing carries risks that need to be understood and managed, including security, compliance, privacy and other operational risks related to business alignment. Examples include the ability to provide adequate recovery speeds due to the potential increased latencies of cloud computing and transparency of operations related to gaining visibility on key metrics (e.g. backup failures, system performance, RPO, RTO etc).
Several key points emerged from the call, including:
- As organizations increasingly pursue virtualization and cloud computing, demand for traditional business continuity expertise is on the rise. This is directly a function of the fact that BC and risk-management practitioners have visibility across an organization’s entire business technology portfolio and can provide a comprehensive view that is invaluable to cloud initiatives.
- Organizations aggressively pursuing virtualization and cloud computing need to exploit this expertise and cohere cloud initiatives with key BC metrics and disciplines, including risk management and, importantly, governance.
- It was the opinion of the DRJ and Wikibon communities that CIO’s need to set the overall strategy for virtualization and cloud computing, and from a DR and BC standpoint set the goal to build resiliency in as a fundamental part of business operations, as opposed to a “bolt-on” afterthought. A key component of this responsibility is the creation of an awareness of both opportunities and risks (see The CIO's Risk Management Role in the Adoption of Virtualization and Cloud Services).
- A key finding from the call was that organizations that want to drive virtualization and cloud computing deeper into their operations should start with governance to put in place a process to assess risks and identify/track metrics that are important to the organization.
- Scorecarding or other rating and ranking mechanisms were cited as preferred techniques to help identify high-visibility opportunities and risks and drive alignment. Keeping such approaches simple- and easy-to-understand is more important than developing sophisticated quantification methodologies that won’t be widely accepted.
- Facilities are an often-overlooked aspect of cloud computing, but as organizations increasingly outsource activities they should be mindful to choose suppliers that follow Best Practices in 21st Century Business Continuity Services.
- Vendors that desire to sell DR and BC services to organizations aggressively pursuing virtualization and cloud computing should understand that a one-size-fits-all offering is not advisable. Variances in size of company, industry, and key priorities can be best addressed (either directly or with partners) with robust assessment and implementation services that can help align BC initiatives to organizational objectives.
On balance, the consensus of the communities is that while there is plenty of uncertainty with regard to how to best leverage cloud computing, the potential for improved DR and BC is tremendous and organizations should begin to plan now.
Action Item: Virtualization and cloud technologies, in the context of disaster recovery and business continuity, are outpacing organizations’ ability to absorb the new model of computing. Nonetheless, opportunities to add business value are substantial. Specifically, organizations aggressively pursuing virtualization should task governance and risk management functions to develop plans and protocols designed to leverage cloud computing and enable DR and BC to become a fundamental component of business operations versus a one-off application-by-application afterthought.