Cloud computing is not always helpful in data recovery
Post-disaster data recovery is easier now, but it still can be difficult to get managers to buy in, says a former CISO for DOJ.
Newer technologies such as cloud computing can be a boon for post-disaster recovery of data, but they don't always help much, Dennis Heretick, former chief information security officer for the Justice Department, said at a FOSE trade show session today.
“Cloud computing can provide more reliability, but that should not be assumed,” Heretick said. How a specific cloud application fits within an agency’s or company’s disaster recovery strategy should be assessed by each organization individually, he added.
Overall, in the last five years, disaster recovery and business continuity planning have become easier and less costly because of the availability of automated electronic storage processes for critical data, Heretick said.
Even so, there are hurdles to overcome in developing and implementing a disaster recovery plan and process. Some of the main obstacles include the difficulty of obtaining management support for disaster recovery goals and identifying and obtaining support for roles for individuals to perform in executing the plan, Heretick said.
For the typical manager, “disaster recovery planning is important, but not as important as the day-to-day operations,” Heretick said. He suggests gaining support for continuity plans by linking them to specific high-priority missions of the company or agency. For example, assessing the business impact of the loss of specific types of data can show the effect on the agency mission if the data were to be lost or unavailable.
Heretick and Bill Nichols, senior systems engineer for Mitre Corp., outlined seven tiers of disaster recovery. In the lowest tiers, there is a loss of data, little or no backup, and limited recovery. In the middle tiers, there is manual or automated backup of data. In the upper tiers, there is fully automated backup of data and of applications.
One of the most important first steps in planning is accurately classifying the data by its importance. The next step is drawing up a plan and identify roles. Too often, people may be identified for a role without being knowledgeable or committed to performing the role. Those are issues that will be worked out through discussion and exercises, Heretick said.
A simple strategy that can be executed effectively is more worthwhile than a complicated strategy for which managers and IT employees are not fully on board, Heretick said.
“The pitfalls of a disaster recovery plan are too much detail, too much information, and people don’t ‘own’ their roles,” Heretick said.