Business continuity planning (BCP) helps maintain one of the three pillars of security: availability. Traditional planning assumes use of a second data center or a disaster recovery service to restore business processes following business continuity events. However, the business information landscape is changing rapidly. Mobile devices, both employee- and organization-owned, are becoming the standard platforms for accessing business applications. In addition, cloud services inserted into or replacing business process infrastructure add an additional dimension to BCP. These shifts in design, operation, and delivery of information resources require a corresponding shift in business continuity events (BCEs).
I won't spend much time on the positive general business results related to BYOD and cloud; this information is available in many articles, including "Leveraging the cloud for IT Innovation" and "Research: What Leaders Say about Cloud Capabilities and Limitations." Instead, this article examines BYOD and cloud challenges as well as their contributions to BCP. In a follow-up article, I will explore ways to counter the related gradual weakening of business continuity (including disaster recovery) plans.
BYOD and cloud services create a set of three new challenges for security, business, and IT managers:
- Wider distribution of data onto devices not completely controlled by the data owner
- Liability confusion as cloud service providers take on a larger role in business process delivery
- Shift in what contributes to a business process' maximum tolerable period of disruption (MTPOD)
- Expanded incident response
#1 Wider data distribution
Laptops introduce easy movement of data beyond the organization's trusted internal network. New tools have emerged to help protect the data, including centrally managed encryption solutions. While many organizations took laptop data protection to the next level with mobile device backup, the increasing use of smartphones and tablets creates a gap between valuable distributed data and the contents of organization-managed backups. Closing the gap is critical to protect spreadsheets, documents, etc., containing information created and maintained only on a mobile device.
#2 Liability
Moving business processes to the cloud means relying on the cloud service provider (the provider) to ensure availability of infrastructure (IaaS), platforms (PaaS), or software (SaaS). As shown in Figure A, this reliance results in an external supply chain relationship with your provider. Any external provider of products or services critical to business operation is a link in your supply chain. Ensuring continuous supply chain support for your business requires close attention to supply chain design and management.
Manufacturing managers have dealt with supply chain issues from the first days of relying on third parties for portions of the finished product or service. This is a more efficient means of providing customers with what they expect. Carrying this one more step, your organization might serve as a tier one and tier two supplier for one or more organizations. When a provider BCE disrupts the flow of critical products and services to your customers, who is liable for customer costs associated with production stoppages? How do you make up lost revenue due to provider failure?
#3 MTPOD
Each business process possesses a specific MTPOD, as shown in Figure B. The MTPOD includes both the time needed to recover failed information resources (RTO) and the time required to start producing output (cycle time). Failing to recover a process within the MTPOD typically results in irreparable damage to the organization.
In the past, all resources resided in the internal data center. IT was responsible for managing all disruptions: from software failure, to a bad cable, to a catastrophic event. This is rapidly changing. With the introduction of cloud services into business processes, providers are now an important component in BCP. Infrastructure, platforms, and software in the cloud increasingly create links between the start of a business process and its output. In some cases, a cloud service might be the key element in process recovery.
Incident response
Incident response is integrated into an organization's ability to recover within the MTPOD. However, it is so crucial to recovery that it deserves a separate look.
Incident response has four primary goals (CSOonline, n.d.):
- Minimizing BCE business impact
- Addressing human safety
- Mitigating organizational liability via practicing due diligence
- Maintaining compliance during detection, containment, and recovery operations
The accuracy of the recovery documentation for each component of a critical business process has a direct impact on MTPOD. Organizations must support recovery documentation with monitoring that leads to quick identification of a disruption.
Response teams, for both malware infections and hardware/software failure, must practice the steps in the recovery documentation. Practice activities include, among other targets unique to your organization, restoring connectivity, repairing a failed server, recovering a damaged database, recovering a failed switch, recovering from a catastrophic event, etc. Practice results in faster response and adjustments to recovery processes BEFORE an actual BCE.
BYOD and cloud services extend incident response from internal teams to BYOD and cloud service providers. For example, if a home health employee uses a personal laptop to access health care information from a patient's home, what happens if cellular connectivity (3G/4G) is lost? Who do you call? Have you discussed this potential BCE with relevant carriers? More importantly, has management evaluated the risk associated with this and similar BCEs?
Cloud service disruptions can be a little easier to control, if you address incident response during contract negotiations.
- Does the provider maintain up-to-date incident response plans for all information resources for which it is responsible?
- How do you ensure incident response documents are maintained and practiced by provider response teams?
- Have you clearly defined recovery time objectives (RTOs) for each of your cloud-based information resources? Do you include provider personnel in practice BCE response activities to ensure RTOs are met? What sanctions are in place if providers consistently fail to meet RTOs during practice or actual BCEs?
The final word
Even the best-prepared response teams will fail if BYOD and cloud service ramifications are missing from recovery documentation. Further, internal response teams must work with provider teams to ensure seamless recovery of failed hardware and software before an actual BCE occurs.
Provider agreements failing to address incident response fail to meet the standards of due diligence required for BCP. Both BYOD and cloud services have become critical components of many organizations' business processes. Extending BCP to include these additions to an organization's information resources is not an option.
In the next part of this series, I address how to meet each of the challenges above.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.