Topics
Availability

Availability

Availability relates to ensuring that information is accessible to the intended users when needed. There are three interrelated concepts in this topic. While each topic is a separate entity, each relies on processes implemented by the other. Current conventional IT concepts apply but are differently implemented in a cloud environment.

The first and most basic concept is backup of data that resides in the cloud. This concept should not be confused with uploading data such as photos, contact information, documents, etc. to the cloud and using it as a backup mechanism. It is about customer data that is already in the cloud and is actively used or updated by applications. The customer must ask the cloud service provider many questions about their data backup implementation specific processes and procedures. From a conventional IT viewpoint this will look familiar, but the cloud provider will eliminate much of the cost of skills, effort, planning, and IT purchase. However, the user remains responsible for all the critical data as if it was locally available.

The second concept is Disaster Recovery (DR). DR is essentially focused on IT technology - hardware, networks and software. Most cloud service providers will provide a DR service but again the customer is responsible for how this is implemented.

The third concept is Continuity of Operations (COOP). A COOP plan is broadly focused on all aspects of business operations, especially on people, process and functions. In other words, COOP is how the business operates during a major disruption, while DR is how you reconstitute an IT system after a major disruption. Both DR and COOP incorporate the basic concept of backup. Essentially COOP is a plan which relies heavily on a smoothly operated and all-inclusive backup and disaster recovery implementation. However, the COOP plan, that should already be an essential component in a conventional IT environment, is different than a cloud environment COOP plan in many ways.

Backup and Retore

As in a conventional IT environment, data backup is a critical process. Most cloud providers will include this as a service within the cloud, but it is the users responsibility to ensure, and continuously monitor, that it is done according to customer requirements, which should be well documented. This should include encryption of data while at rest and in transit, how often it is done, which data is backed up (and the schedule may be different for specific data types), and where it is stored (employing multiple geolocations to avoid potential disasters happening at adjacent locations this is another benefit of a cloud environment).

Disaster Recovery (DR)

Disaster recovery is also often included as a service in the cloud and in some ways is more robust and probably less expensive overall than in a conventional IT environment. In simple terms DR (conventional IT or cloud computing) is an infrastructure service that backs up designated system data to an offsite location. For a short time use of cloud base DR system (e.g. a power outage) the restoration process to return to normal operations is most likely much shorter (probably measured in minutes) than in a conventional IT environment. In a long term disaster recovery (e.g. an earthquake) it may take some time to fully return to normal operations. While this is ongoing, the customer is relying on the information stored in the cloud providers DR systems remote site. It is the customers responsibility to ensure that, for both short and long operations, the DR will work by: a) ensuring that the DR cloud service will produce backups that might be stored (which for geolocation reasons of diversity may reside in a different cloud environment) can operate against strongly customized business applications; b) is not subject to unacceptable latency or low response time issues for normal operations; c) connectivity to the DR site is operational and as robust as needed.

And finally - TEST the DR system at least once a year.

Continuity of Operations (COOP)

As previously stated, a COOP plan is not just a technology issue. It describes business practices and the people and processes that perform them and places where they are (and particularly will be) performed. The question then is how could a cloud service provider possibly determine how the customers people and process will recover and continue to work. The answer is - they cannot and it is the customers responsibility. Given this situation, the questions to ask to create a COOP plan for a cloud environment would include (many would also apply to DR) but would certainly not be limited to: a) identify the stakeholders, b) how and from where will the organization operate; c) how do these answers impact the level of risk, particularly all aspects of security including the necessary network connections; d) how will the COOP plan be communicated throughout the business. With answers to these question: a) create a COOP plan based on a business impact analysis and put it in place; b) TEST the COOP plan at least once a year.

Continue to Compliance.