By Joe Starzyk, Kyndryl Business Resiliency Services:
The increased concern over protecting against cyber-attacks has produced a major focus as to how to best secure your business or organization. Business Continuity and Disaster Recovery have served this purpose over the years; however, the nuances of a cyber event have generated the need for a more robust design for not only risk prevention and mitigation, but likewise to enhance the capability to recover more quickly and effectively from a malicious attack.
This is not to say that the fundamentals for Business Continuity and Disaster Recovery are going away any time soon as they continue to serve their designed purpose for recovering from a catastrophic event. The idiosyncrasies associated with Cyber – targeted attacks, specific in nature that interrupt single or multiple components of the business – require that the basic resiliency principles be revisited and ultimately repurposed to address the varying degrees of identification, mitigation, and recovery from a cyber event.
The convergence of the Security and Disaster Recovery disciplines is critical in elevating the overall Resiliency efforts as we look to meet these ever-changing business requirements. When considering what is required to take the next step in the Resiliency cycle, it is key that we first study the current functionality associated with both production operations and disaster recovery design. This would include completely understanding the ability to:
- Fully operate both critical and non-critical workloads
- Provide continuous, uninterruptible processing in accordance with Business and User expectations
- Communicate internally and well as externally with partners and clients (B2B, B2C)
- Manage and secure data in all forms – what data needs to be recovered versus recreated, how it will be protected in the form of replicated copies, backups, archives, etc.
Once the fundamentals for sustained Resiliency are defined and documented they can be used to develop the various enhancements that need to be put in place for cyber design, implementation, validation, testing, and recovery. It should be noted here that the most effective strategy for cyber protection should not be limited to one aspect – data or networks for example – as we move to more of a Zero trust paradigm that focuses more holistically on users, assets, and resources.
A complete and thorough cyber design should include protecting the end-to-end infrastructure comprised of:
- Hardware and infrastructure to support the workload to include microcode, firmware, configuration data, etc.
- Software, applications, and data bases that include application binaries and source code
- Network design and infrastructure for both online production and isolated DR testing
- Data in all forms – disk mirroring, point in time copies, electronic backups, and physical archive
The actual Cyber design begins with a focus on the business requirements that will serve as the basis in establishing the level of implementation that will be architected. These parameters will be based upon the cyber risk profile that will be developed to protect against all current and future cyber threats. Variables such are regulatory requirements, industry mandates, past cyber-attacks, and overall risk tolerance will all play heavily in the level of deployment that will be undertaken.
General guidance as to what needs to be addressed include:
- What will be protected – hardware, software, network, infrastructure, data?
- What critical business functions will be considered? Will this also include other ancillary support functions such as archive, analytics, test and development?
- What form of testing and frequency will be required? Daily verification of air-gapped, isolated, and immutable copies with quarterly system and application testing for instance
- What expectations for effectively responding to an attack and recovering are to be put in place? Recovery of a specific, critical workload versus entire site recovery as an example
- What budget has been set aside for the design, implementation, and on-going steady state for the Cyber effort? And is this budget in addition to on-going Resiliency support?
The design of a robust Cyber strategy should be an extension of the existing Resiliency deployment whereby current process and procedures for Disaster Recovery must be leveraged and ultimately transformed to address newly evolving cyber needs. While there are varying degrees of urgency, and differing approaches to how systems and data are managed and protected, it should be quite clear that while both serve their own unique purpose, each is critical in keeping the business viable and always available. As such, it is evident that the combined efforts and collective gain of merging Disaster Recovery and Cyber protection will lead to the highest levels of Resiliency within the organization.
About the Author: Joe Starzyk is a Senior Consultant and Business Development Executive with the Kyndryl Security and Resiliency Practice and an Emeritus Member of the IBM Academy of Technology, with over 40 years of experience in the IT and Resiliency industry.