Michael Miora, CISSP-ISSMP, FBCI continues with the second part of his thoughts on business continuity planning (BCP) and cloud computing. Everything that follows is entirely Michael's work with minor edits.
Your data, not your head in the clouds
Despite the widespread rejection of practical implementation of All is not lost. The secret to success in this endeavor is to make backups and disaster recovery protections a natural consequence of something else that makes computing better and more convenience. That has been the Holy Grail of the business continuity and disaster recovery planning (BC/DR) world. Unlike that mythical and unsuccessful, however, we have found the magic, we just have not fully yet realized that we found it.
Cloud computing, in the form of virtual machines with expandable computing capacity, together with cloud storage have the potential for lowering the cost of business computing by removing or lowering the cost of resizing computing needs or migrating platforms. Cloud storage, for example, empowers the small business to keep its most current data in the cloud (with appropriate security precautions, of course) so that all employees have instant and accurate information anywhere, any time and on any computer or device they are carrying.
Gone is the need to synchronize copies of price lists, availability or specifications. Gone is the necessity to boot up, sign in and access central files. Sales people, technicians and professionals of all stripes can access data that is stored safely and securely in the cloud.
Cloud storage providers are generally professionally managed. They cannot afford outages and data losses. That means that if a business stores its data in the cloud, the business will have little more to do to achieve de facto resiliency and protection.
There are many companies that offer cloud-based data storage and computing. Some are very well known and some are not. Interestingly, few of them call out business continuity and disaster recovery as a benefit of cloud computing; and, those who do cite BC/DR do so in very limited ways. Why don't they scream out that their solution includes a viable, inexpensive and effective solution for BC/DR?
Here are a few examples.
• The biggest player in the field is, according to TechTarget, (Free Registration Required) Amazon Web Services. Amazon Web Services is a full service and robust offering that includes dedicated and virtual computing as well as storage. They offer many pages of explanations and guidance for how to sign up and use their services. They even provide an online calculator that yields pricing results that are as good as your estimate of your own needs.
They do not, however, appear to consider BC/DR as a significant benefit. They do not delve into the strong benefits their offering could provide to SMB and larger enterprises for BC/DR. They do ask on one Web page the question, "How can I implement reliable, cost-effective back-up and disaster recovery plans?" The answer, however, is not so easy to find.
• RackspaceCloud is another major provider of cloud services. They are, according to TechTarget (Free Registration Required), the second largest cloud provider. Like Amazon, they also have many Web pages describing their services and how they can help lower costs. Also like Amazon, they give short shrift to BC/DR. RackspaceCloud dedicates a page to BC/DR, but the page has very little content.
• There is even a player that offers a streamlined capability that includes storage, calendaring, communications and some utilities, but they do not even present themselves as a cloud services provider and certainly not as a BC/DR solution. Apple has its MobileMe services that supply e-mail, calendaring, storage and sharing. Although they have not yet tweaked their offering for the business marketplace and do not yet offer the computing element, any small business would do well to consider MobileMe for their enterprise e-mail and calendaring solutions as well as for central storage of critical files and databases. For the individual or a family, MobileMe already offers a well packaged disaster recovery option. One only hopes Apple invents a business version of MobileMe. That would change everything for SMB BC/DR.
What is missing?
There are key missing elements in each of these providers as well as in the many other providers not listed in this article. One missing element is the acknowledgement of BC/DR as a problem they solve. One wonders why these providers, fighting for market share and looking very much alike (except Apple's MobileMe), do not seize the opportunity to distinguish themselves by offering a formalized BC/DR track to their customers.
There is another missing element: None of these providers offer a simple way for their customers to build a BC/DR plan. I'm biased, because my company makes such a software-based product to simplify and streamline BC/DR planning, but nevertheless I do wonder why none of these giants has brought on board a product to build a plan and then implement it.
A problem and a solution waiting for combination
We have a problem: Small and midsized businesses do not protect themselves adequately against failures and disasters.
We have a solution: Today's cloud services and storage capabilities can solve the BC/DR problem as an ancillary benefit to solving other problems. It is almost a fringe benefit.
When this problem and this solution come together, we will see a quantum leap in the security and resiliency of our businesses and information. I look forward to that day.
* * *
Michael Miora has designed and assessed secure, survivable, highly robust systems for industry and government over the past 30 years, and has become an internationally recognized expert in InfoSec, Business Continuity and Incident Response. Miora, one of the original professionals granted the CISSP in the 1990s and the ISSMP in 2004 was accepted as a Fellow of the Business Continuity Institute (FBCI) in 2005. Miora founded and currently serves as president of ContingenZ, a specialty consulting firm and the developers of ContinuityCommander, a BC/DR planning software package. He can be reached via e-mail. He frequently serves as a course developer and an instructor in the Master of Science in Information Assurance (MSIA) and Master of Science in Business Continuity Management (MSBC) programs at Norwich University.