Security Blog

Your source for information security news and views.
Tags >> disaster recovery

The recent 5.9 magnitude earthquake in Mineral, VA was a complete surprise to those within its reach. Although damages were minimal this still reminds us of the importance of disaster recovery and business continuity planning. So far reports only show minimal injuries, a safety shutdown of local nuclear plants, and some cell network disruption. These effects are minor as compared to other major disasters that would results damages and minimal disruption has been reported among data centers within range of the quake, however, the most important thing we must take from this event is that these things can happen anywhere and everyone must be prepared.

Your office may not be near a fault line, in tornado alley, or along hurricane path, but these natural events do deviate from their means from time to time. In a way there is no 100% safe place to be. It is always a good practice to plan for every disaster possible and not just those that are common for your area.

This also raises some questions regarding the placement of our disaster recovery providers. Chances are your disaster recovery provider has chosen a backup location that on a normal day is exposed to minimal risk of disaster. They probably claim this location has been chosen due to its low risk factor and generally safe environment. But as I just stated there is no end all be all safe haven for data and IT centers to set up shop. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

In another side of the story, the Tuesday quake may not have thrown any industries into disaster recovery mode but it did shed light on the aging infrastructure throughout cities along the East coast. Disaster recovery plans can help to rebuild and enable business continuity after a damaging event however, they do not generally take into account the fragility of the infrastructure currently in place. Many disaster recovery plans would be much less likely to be activated if the infrastructures they are set up for are solid and secure from the start.

With hurricane Irene bearing down on the East coast within the next week we can only hope the minor damage already done by the quake is not magnified by the hurricane. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.

It's 2a.m on a Monday, the workweek starts in 6 hours, and your cloud service provider just notified you that their services are down. What do you do?

This is the same question European consumers were asking themselves when Amazon's EC2 cloud services and Microsofts BPOS cloud services were taken out by a lightening strike in Dublin early this week.

Despite a proper disaster recovery and business continuity plan developed by these cloud providers, things do not always go as smoothly as they look on paper. Amazon has backup generators that should have powered up in perfect synchronization to cover the power loss however, the lightening strike was so substantial it knocked out the phase control system which synchronizes the power loads. Thus the backup generators had to be powered up and load managed manually resulting in a noticeable outage for customers.

This is something for cloud services consumers to keep in mind. You have been reminded time and time again during security training that proper cloud integration involves strict audits of your cloud service provider. These audits are sure to include disaster recovery and business continuity planning procedures. Having all this on paper is only one half of the equation for effective system resilience and reliability, the implementation of those procedures under pressure is the true test of recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning, having a backup. This can include file backups, virtual image backups, and even fully operational system backups (what many of us recognize as "hot sites").  Most cloud service providers will offer you extensive features to include many of these protection services. Although bundling them all into the same provider may be more convenient it can also lead to further disaster in times of peril.

As we have seen by the abundance of cloud outages so far this year, bad things do happen to cloud services. The cloud will go down. This brings an increased importance to third party services to keep you running while your main cloud service provider gets back on their feet again. Just as it isn't smart to "put all of your eggs in one basket," it probably isn't a good idea to place all of your computing power and resources in the hands of one provider.