CDC Cyber Defence Center Recovery Security Disaster Recovery
Home Securiy Playbooks Security Disaster Recovery Security Root Cause Analysis
Disaster Recovery involves a set of policies, tools and procedures to enable the
recovery or continuation of vital technology infrastructure and systems
following a natural or human-induced disaster. Disaster recovery focuses on the
IT or technology systems supporting critical business functions, as opposed to
business continuity, which involves keeping all essential aspects of a business
functioning despite significant disruptive events. Disaster recovery can
therefore be considered as a subset of business continuity.
IT Service
Continuity
IT Service Continuity (ITSC) is a subset of Business Continuity
Planning (BCP)[6] and encompasses IT disaster recovery planning and wider IT
resilience planning. It also incorporates those elements of IT infrastructure
and services which relate to communications such as (voice) telephony and data
communications.
The ITSC Plan reflects Recovery Point Objective (RPO - recent transactions) and Recovery Time Objective (RTO - time intervals).
Principles of Backup sites
Main
article: Backup site
Planning includes arranging for backup sites, be they
hot, warm, cold or standby sites with hardware as needed for continuity.
In 2008 the British Standards Institution launched a specific standard connected and supporting the Business Continuity Standard BS 25999 titled BS25777 specifically to align computer continuity with business continuity. This was withdrawn following the publication in March 2011 of ISO/IEC 27031 - Security techniques — Guidelines for information and communication technology readiness for business continuity.
ITIL has defined some of these terms.
Recovery Time Objective
The Recovery
Time Objective (RTO) is the targeted duration of time and a service level within
which a business process must be restored after a disaster (or disruption) in
order to avoid unacceptable consequences associated with a break in business
continuity.
Schematic representation of the
terms RPO and RTO. In this example, the agreed values of RPO and RTO are not
fulfilled.
In accepted business continuity planning methodology, the RTO is
established during the Business Impact Analysis (BIA) by the owner of a process,
including identifying options time frames for alternate or manual workarounds.
In a good deal of the literature on this subject, RTO is spoken of as a complement of Recovery Point Objective (RPO), with the two metrics describing the limits of acceptable or "tolerable" ITSC performance in terms of time lost (RTO) from normal business process functioning, and in terms of data lost or not backed up during that period of time (RPO) respectively.
Recovery Time Actual
A Forbes overview noted that it is Recovery Time Actual
(RTA) which is "the critical metric for business continuity and disaster
recovery."
RTA is established during exercises or actual events. The business continuity group times rehearsals (or actuals) and makes needed refinements.
Recovery Point Objective
A Recovery Point Objective (RPO) is defined by business continuity planning. It
is the maximum targeted period in which data (transactions) might be lost from
an IT service due to a major incident.
If RPO is measured in minutes (or even a few hours), then in practice, off-site mirrored backups must be continuously maintained; a daily off-site backup on tape will not suffice.
Relationship to Recovery Time Objective
Recovery that is not instantaneous will restore data/transactions over a period
of time; the goal is to do so without incurring significant risks or significant
losses.
RPO measures the maximum time period in which recent data might have been permanently lost in the event of a major incident; it is not a direct measure of the quantity of such loss. For instance if the BC plan is "restore up to last available backup", the RPO is the maximum interval between such backup that has been safely vaulted offsite.
Business impact analysis is used to determine RPO for each service; RPO is not determined by the existent backup regime. When any level of preparation of off-site data is required, the period during which data might be lost often starts near the time of the beginning of the work to prepare backups, not the time the backups are taken off-site.
Data
synchronization points
Although a data synchronization point is a point in
time, the timing for performing the physical backup must be included. One
approach used is to halt processing of an update queue, while a disk-to-disk
copy is made. The backup reflects the earlier time of that copy operation, not
when the data is copied to tape or transmitted elsewhere.
How RTO and RPO values affect computer system design
RTO and the RPO must be
balanced, taking business risk into account, along with all the other major
system design criteria.
RPO is tied to the times backups are sent offsite. Offsiting via synchronous copies to an offsite mirror allows for most unforeseen difficulty. Use of physical transportation for tapes (or other transportable media) comfortably covers some backup needs at a relatively low cost. Recovery can be enacted at a predetermined site. Shared offsite space and hardware completes the package needed.
For high volumes of high value transaction data, the hardware can be split across two or more sites; splitting across geographic areas adds resiliency.
History
Planning for disaster recovery and information technology (IT)
developed in the mid- to late 1970s as computer center managers began to
recognize the dependence of their organizations on their computer systems.
At that time, most systems were batch-oriented mainframes. Another offsite mainframe could be loaded from backup tapes pending recovery of the primary site; downtime was relatively less critical.
The disaster recovery industry developed to provide backup computer centers. One of the earliest such centers was located in Sri Lanka (Sungard Availability Services, 1978).
During the 1980s and 90s, as internal corporate timesharing, online data entry and real-time processing grew, more availability of IT systems was needed.
Regulatory agencies became involved even before the rapid growth of the Internet during the 2000s; objectives of 2, 3, 4 or 5 nines (99.999%) were often mandated, and high-availability solutions for hot-site facilities were sought.
IT Service Continuity is essential for many organizations in the implementation of Business Continuity Management (BCM) and Information Security Management (ICM) and as part of the implementation and operation information security management as well as business continuity management as specified in ISO/IEC 27001 and ISO 22301 respectively.
The rise of cloud computing since 2010 continues that trend: nowadays, it matters even less where computing services are physically served, just so long as the network itself is sufficiently reliable (a separate issue, and less of a concern since modern networks are highly resilient by design). 'Recovery as a Service' (RaaS) is one of the security features or benefits of cloud computing being promoted by the Cloud Security Alliance.
Classification of disasters
Disasters can be the result of three broad categories of threats and hazards.
The first category is natural hazards that include acts of nature such as
floods, hurricanes, tornadoes, earthquakes, and epidemics. The second category
is technological hazards that include accidents or the failures of systems and
structures such as pipeline explosions, transportation accidents, utility
disruptions, dam failures, and accidental hazardous material releases. The third
category is human-caused threats that include intentional acts such as active
assailant attacks, chemical or biological attacks, cyber attacks against data or
infrastructure, and sabotage. Preparedness measures for all categories and types
of disasters fall into the five mission areas of prevention, protection,
mitigation, response, and recovery.
Importance of
disaster recovery planning
Recent research supports the idea that
implementing a more holistic pre-disaster planning approach is more
cost-effective in the long run. Every $1 spent on hazard mitigation(such as a
disaster recovery plan) saves society $4 in response and recovery costs.
2015 disaster recovery statistics suggest that downtime lasting for one hour can cost
small companies as much as $8,000,
mid-size
organizations $74,000, and
large enterprises $700,000.
As IT systems have
become increasingly critical to the smooth operation of a company, and arguably
the economy as a whole, the importance of ensuring the continued operation of
those systems, and their rapid recovery, has increased. For example, of
companies that had a major loss of business data, 43% never reopen and 29% close
within two years. As a result, preparation for continuation or recovery of
systems needs to be taken very seriously. This involves a significant investment
of time and money with the aim of ensuring minimal losses in the event of a
disruptive event.
Control measures
Control
measures are steps or mechanisms that can reduce or eliminate various threats
for organizations. Different types of measures can be included in disaster
recovery plan (DRP).
Disaster recovery planning is a subset of a larger process known as business continuity planning and includes planning for resumption of applications, data, hardware, electronic communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT related infrastructure recovery / continuity.
IT disaster recovery control measures can be classified into the following three types:
Preventive measures – Controls aimed at preventing an event from occurring.
Detective measures – Controls aimed at detecting or discovering unwanted events.
Corrective measures – Controls aimed at correcting or restoring the system after
a disaster or an event.
Good disaster recovery plan measures dictate that
these three types of controls be documented and exercised regularly using
so-called "DR tests".
Strategies
Prior to
selecting a disaster recovery strategy, a disaster recovery planner first refers
to their organization's business continuity plan which should indicate the key
metrics of Recovery Point Objective and Recovery Time Objective. Metrics for
business processes are then mapped to their systems and infrastructure.
Failure to properly plan can extend the disaster's impact. Once metrics have been mapped, the organization reviews the IT budget; RTO and RPO metrics must fit with the available budget. A cost-benefit analysis often dictates which disaster recovery measures are implemented.
Adding cloud-based backup to the benefits of local and offsite tape archiving, the New York Times wrote, "adds a layer of data protection."
Common strategies for data protection include:
backups made to tape and sent off-site at regular intervals
backups made to
disk on-site and automatically copied to off-site disk, or made directly to
off-site disk
replication of data to an off-site location, which overcomes
the need to restore the data (only the systems then need to be restored or
synchronized), often making use of storage area network (SAN) technology
Private Cloud solutions which replicate the management data (VMs, Templates and
disks) into the storage domains which are part of the private cloud setup. These
management data are configured as an xml representation called OVF (Open
Virtualization Format), and can be restored once a disaster occurs.
Hybrid
Cloud solutions that replicate both on-site and to off-site data centers. These
solutions provide the ability to instantly fail-over to local on-site hardware,
but in the event of a physical disaster, servers can be brought up in the cloud
data centers as well.
the use of high availability systems which keep both
the data and system replicated off-site, enabling continuous access to systems
and data, even after a disaster (often associated with cloud storage)
In many
cases, an organization may elect to use an outsourced disaster recovery provider
to provide a stand-by site and systems rather than using their own remote
facilities, increasingly via cloud computing.
In addition to preparing for the need to recover systems, organizations also implement precautionary measures with the objective of preventing a disaster in the first place. These may include:
local mirrors
of systems and/or data and use of disk protection technology such as RAID
surge protectors — to minimize the effect of power surges on delicate electronic
equipment
use of an uninterruptible power supply (UPS) and/or backup
generator to keep systems going in the event of a power failure
fire
prevention/mitigation systems such as alarms and fire extinguishers
anti-virus software and other security measures