Guest Blogger: Chris Seib, Co-Founder & CTO, InstaMed
Last week, I highlighted some common oversights by businesses when leveraging a private cloud that increase the risk of long-term data outages, and detailed the best practices and tips to use in discussions with current or potential vendor partners in order to protect your business. Below is Part 2 of this post, focusing on disaster recovery, business continuity and security.
Even with a high degree of local redundancy in a private cloud data center, you still need to be prepared for a large-scale disaster with a comprehensive disaster recovery plan. The disaster recovery site should be in a geographically separate region, far enough away that a single event (storm, flood, regional power or network failure) cannot take out both sites. A disaster recovery site in close proximity to the primary site is basically pointless (but still surprisingly common!).
Many vendors take a very low-cost approach to disaster recovery: they back up their data offsite and contract an IT company to rent equipment in the event of an emergency. Receiving and building out that equipment takes days or weeks, with no guarantee that the restored environment will actually work. The best practice is a fully built secondary site, equivalent to the primary, that is “ready to go” at any time. The difference between these approaches shows up directly in the recovery time objective (RTO) and recovery point objective (RPO).
- RTO: how long it takes to restore service, measured from the moment a disaster is declared
- RPO: how much data can be lost, measured as the age of the most recent usable copy of the data relative to the moment of the disaster
As a best practice, look for an RTO and RPO of a few hours or less. Meeting that requires a significant investment (a low RPO in particular needs near-continuous replication to the secondary site, not nightly backups), so many vendors skimp.
Many vendors have a plan, but it is tested only once per year, or not at all. When a test is run it often uncovers multiple flaws, yet commonly little or no action is taken to fix them (and the vendor can still claim that the plan was tested!).
It’s important to consider the human factor as well. Many vendors have a disaster recovery plan that involves putting people on a plane or bus to an offsite location. In the event of a disaster, what are the chances that planes and buses will be operating in the affected area? As a best practice, the alternate location should already have adequate staff to operate critical functions.
- Tip: Ask your vendors about their disaster recovery plans. How often are they tested? What were the test results, and were the flaws found actually fixed? What are the RTO and RPO? Were those objectives met in the most recent test?
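The last question in that tip is the one that separates a real DR plan from a claimed one, so it helps to know exactly how a test result maps onto RTO and RPO. The script below is an added example, not code from the original post or from InstaMed: it scores a DR test from its event timestamps. Achieved RPO is the age of the newest usable copy at the moment the primary site stopped taking writes (so a failed replication run stretches it back to the previous good copy), and achieved RTO is the time from declaration to restored service. The event log, the vendor's quoted objectives and all names in it are constructed for illustration.

```python
"""Score a disaster-recovery test against a vendor's quoted RTO and RPO.

Added example, not from the original post.  All timestamps and objectives
below are constructed; in practice they come from the vendor's backup
system logs and the DR test report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class BackupRun:
    completed_at: datetime  # when the copy finished landing at the DR site
    succeeded: bool         # a failed run leaves no usable copy and is ignored


@dataclass(frozen=True)
class DrTestScore:
    achieved_rpo: timedelta
    achieved_rto: timedelta
    rpo_met: bool
    rto_met: bool


def last_good_copy_before(backups: Iterable[BackupRun], moment: datetime) -> Optional[datetime]:
    """Completion time of the most recent successful backup at or before `moment`."""
    good = [b.completed_at for b in backups if b.succeeded and b.completed_at <= moment]
    return max(good) if good else None


def score_dr_test(
    backups: Iterable[BackupRun],
    disaster_at: datetime,    # when the primary site stopped taking writes
    declared_at: datetime,    # when the vendor formally invoked the DR plan
    restored_at: datetime,    # when service was usable again from the DR site
    rpo_objective: timedelta,
    rto_objective: timedelta,
) -> DrTestScore:
    """Compare what a DR test actually achieved with the objectives the vendor quotes.

    Achieved RPO is the age of the newest usable copy relative to the disaster,
    i.e. how much data was lost.  Achieved RTO is the time from declaration
    until service was back.
    """
    if not disaster_at <= declared_at <= restored_at:
        raise ValueError("events must be ordered: disaster <= declaration <= restore")
    last_good = last_good_copy_before(backups, disaster_at)
    if last_good is None:
        raise ValueError("no usable backup before the disaster; RPO is unbounded")
    achieved_rpo = disaster_at - last_good
    achieved_rto = restored_at - declared_at
    return DrTestScore(
        achieved_rpo=achieved_rpo,
        achieved_rto=achieved_rto,
        rpo_met=achieved_rpo <= rpo_objective,
        rto_met=achieved_rto <= rto_objective,
    )


# Constructed test log (hypothetical values, not from any real vendor):
# hourly replication to the DR site, but the run at hour 8 failed.
T0 = datetime(2012, 6, 1, 0, 0)
SAMPLE_BACKUPS = [BackupRun(T0 + timedelta(hours=h), succeeded=(h != 8)) for h in range(10)]
SAMPLE_DISASTER_AT = T0 + timedelta(hours=8, minutes=30)
SAMPLE_DECLARED_AT = T0 + timedelta(hours=9)   # 30 minutes to notice and declare
SAMPLE_RESTORED_AT = T0 + timedelta(hours=12)  # service back 3 hours after declaration


def sample_score() -> DrTestScore:
    """Score the constructed test against a quoted RPO of 1 hour and RTO of 4 hours."""
    return score_dr_test(
        SAMPLE_BACKUPS, SAMPLE_DISASTER_AT, SAMPLE_DECLARED_AT, SAMPLE_RESTORED_AT,
        rpo_objective=timedelta(hours=1), rto_objective=timedelta(hours=4),
    )


if __name__ == "__main__":
    s = sample_score()
    print(f"achieved RPO {s.achieved_rpo} (objective met: {s.rpo_met}); "
          f"achieved RTO {s.achieved_rto} (objective met: {s.rto_met})")
```

In the constructed log the vendor's hourly replication would normally give a 30 minute RPO, but because the hour-8 run failed the newest usable copy is from hour 7, so the achieved RPO is 1 hour 30 minutes and the 1 hour objective is missed even though the RTO objective is met. That is the kind of result a vendor may gloss over as “plan tested successfully”; ask for the timestamps behind the claim.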
Business continuity extends the concept of disaster recovery by ensuring that all business functions, not just IT systems, can remain operational with minimal disruption in the event of disaster.
For the vendors you use, what are these critical business functions? Often it is more than just a website or file transmission; it involves customer service and other human interaction. As a best practice, vendors should have multiple business locations with adequate, trained staff capable of handling non-IT business functions such as customer service. Don’t rely on busing or flying staff to an alternate location.
- Tip: Ask your vendors about their business continuity plans, specifically if they account for customer service and other critical functions.
Security breaches can cause significant disruption to your business, either through data leakage, which may have significant HIPAA and HITECH Act implications, or through downtime and disruption of services. It’s important that your vendors take a robust and comprehensive approach to security threat management: multiple layers of security, a written security policy, proactive monitoring and alerting, and independent auditor verification.
Multiple Layers of Security
Best practices include both host-based and network-based anti-virus and anti-malware, intrusion detection and prevention, file integrity monitoring, network firewalls and application firewalls, with the blocking components deployed in an active, inline state. Inline means the device sits in the traffic path and can drop or block an attack as it happens, rather than only raising an alert for someone to act on later. Ask which components are inline and which are passive (monitor-only); a vendor may run an IPS in detection mode and still describe it as intrusion prevention.
Your vendors (and you) should have a written security policy outlining all aspects of the security program. It needs to be reviewed and updated at least once a year by trained security personnel, and it should include a regular security risk assessment.
Companies should also have a designated security officer. Often there is none, and security is an afterthought handled by the IT department.
Independent Auditor Verification
Don’t take your vendor’s word for it. Ask how they prove their security with independent audits. Electronic Healthcare Network Accreditation Commission (EHNAC) accreditation is a good start, but it doesn’t cover security in a detailed manner. In addition to EHNAC, look for a Payment Card Industry Data Security Standard (PCI DSS) Level 1 assessment performed by a Qualified Security Assessor (QSA), an SSAE 16 Type II audit report, and regular external and internal vulnerability scanning by third parties. Ask for the actual reports rather than the logos, and check their scope and date: an audit that covered only one data center or one application, or that is several years old, says little about the service you are buying.
Get It in Writing
If your vendors are down for days, or even weeks, the costs to your business are serious. It is crucial to ensure that your vendors are able to offer “True Availability” for the services they provide. Many vendors claim to have availability and disaster recovery, but they take shortcuts to save money, resulting in single points of failure and poor disaster recovery. Vendors should commit to specific availability, RTO and RPO figures in their contracts and publish that commitment on their website.
As businesses in all industries transition to the cloud, it’s crucial to ensure that your data will be safe when disaster strikes. I encourage all types of businesses to use these best practices and tips as a checklist when discussing disaster recovery and security with current or potential vendor partners. Leveraging the cloud can significantly enhance the way you conduct business, but you must first take these precautions to protect yourself and your business.
Click here to read True Availability: Best Practices on the Cloud (Part 1).