Expectations in DRAAS from CSP

Continuity and Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by speakers at the 4th India Business & IT Resilience Summit
7th October, 2016 | Hotel Hilton, Mumbai, India

Our Contact Details:

INDIA
Continuity and Resilience
Level 15, Eros Corporate Tower
Nehru Place, New Delhi-110019
Tel: +91 11 41055534 / +91 11 41613033
Fax: +91 11 41055535
Email: [email protected]

UAE
Continuity and Resilience
P. O. Box 127557
Abu Dhabi, United Arab Emirates
Mobile: +971 50 8460530
Tel: +971 2 8152831
Fax: +971 2 8152888
Email: [email protected]

Upload: continuity-and-resilience

Post on 17-Jan-2017


TRANSCRIPT


Page 2: Expectations in DRAAS from CSP

Prof. Venugopal Iyengar
Visiting Faculty, JBIMS (University of Mumbai)
Director – International Organization for Trust Management (IOTM)
Independent Director - Allied Digital Services Ltd, AAA Technologies PL

M.Sc; DIRM; DTT; DCS; DCM;
Certified Information System Auditor [CISA - ISACA]
Certified Information Security Manager [CISM – ISACA]
Certified in Governance of Enterprise IT [CGEIT – ISACA]
Certified in Risk in Information System and Control (CRISC - ISACA)
COBIT5 Foundation, Implementation and Certified Assessor (ISACA)
Certified Information System Security Professional [CISSP - (ISC)2]
Attended Certified Business Continuity Advanced Course leading to CBLE2000 by DRI Asia
Certified Data Protection Specialist - DMI
Certified Auditor - Quality Management System (QMS) ISO 9001:2008
Certified Auditor - Information Security Management System (ISMS) BS ISO 27001:2013
Certified Auditor – Business Continuity Management (BCMS) ISO 22301:2012
Certified for Information Technology Service Management (ITSMS) ISO 20000-1:2011
Criteria for ‘Certification of Inspection Lab’ ISO/IEC 17020
Associate Member, Association of Certified Fraud Examiners (USA) [ACFE]
Member of QAT, TEC, JPA and CSE for Education Board of ISACA, Illinois, USA
Member, Govt. and Regulatory Authorities Board Task Force - ASIA ISACA
Member of the Expert Committee for eSecurity Program, Dept. of IT, MC&IT, GoI
President Emeritus, ISACA Mumbai Chapter (2005-06)
Recipient of Microsoft MVP award in 2006 for contribution to global security community
Recipient of “Pillar of Hindustani Society” award in 2008 for contribution to IS Audit and InfoSec Global Professional Community from TACCI & IMCC
Ex-Test Supervisor, (ISC)2 Asia Pacific, India Operations
Life Member - Computer Society of India
Life Member - Quality Forum-Netherlands
Life Member - Cine Technician Association of South India
Life Member - National Library
International Member – ISACA, ISC2, CFE, IEEE, ISA (Internet Security Alliance)
Associated with BCAS, BCC&I, BSI, CII, EU Council, IBA, ICAI, ICSI, IRQS, MAIT, NASSCOM, TLF, UL

Page 3: Expectations in DRAAS from CSP

Expectations in DRAAS from CSP

4th INDIA Business & IT Resilience Summit : October 7, 2016, Hilton - Mumbai

Prof. Venugopal Iyengar
Director, IOTM

Page 4: Expectations in DRAAS from CSP

Can we eradicate downtime & data loss in cloud environment?

Problem of Traditional DR

Most businesses are ill-equipped to quickly respond to outages
Ref: Infrascale

If the above statement is true, then can we expect a newer approach to recovery?

1. When an outage occurs
2. Can we expect a technology to recover and virtualize
3. Users continue to work as if nothing has happened

Reality: In a cloud environment, they continue to work for some time until they realize that there is some problem.

The problem gets linked to the ISP, a local disk issue, etc., and not the CSP.

Page 5: Expectations in DRAAS from CSP

Failover In Action - SLA

GOOD
• Backup to disk or tape onsite and store offsite
• Software snapshots
• Instant VM recovery and quarterly DR testing

BETTER
• Full backup, with multiple daily incremental backups to disk & tape
• Software snapshots
• Invocation of DR site, local/remote virtual standby for key systems

BEST
• Multi-site replication, with global backup to disk and tape
• Hourly software snapshot
• Functional mission critical systems
• Automated DR testing with reporting

Page 6: Expectations in DRAAS from CSP

Can we move DR to Cloud? Classic expectations:

Enterprise
o Low RTO/RPO
o Data Consistency
o Fallback

One touch deployment & maintenance
Automated testability
Easy scalability

Page 7: Expectations in DRAAS from CSP

What does Endure Say?

Page 8: Expectations in DRAAS from CSP

Most CSPs, including Azure, say something similar:

Moving to the cloud can drastically reduce the amount of effort and maintenance costs associated with IT infrastructures. But as an enterprise, how easy is it to get there? Find out why having a well-managed, on-premises deployment will save you headaches and resources in the future.

Weapon of Math Destruction is on the anvil…

Does that mean you get into Cloud without headache and worry about it in future?

Page 9: Expectations in DRAAS from CSP

About DR from virtualization & Cloud vendors

• Some server virtualization vendors argue that high availability (HA) architecture trumps the need for DR planning…

• Echoed by vendors of software-defined storage and cloud-based infrastructure services…

• Even the value of data being called into question…

IT

• Application Developers – Agile on cloud: Development system of engagement, interaction, prototyping

• Operations – focus on systems of record, resiliency and reliability of platform

Data is GROWING … and will continue growing!

Page 10: Expectations in DRAAS from CSP

How do we protect it all? 3-2-1 is the mantra

Replicating data is still the first step
• Make 3 copies
• On at least 2 different media types
• Store 1 copy off site

But the modality for copy is varied
• Continuous Data Protection
• Block snapshots
• Volume Cloning
• Bare metal backup
• Synchronous Mirroring
• Asynchronous Replication

Page 11: Expectations in DRAAS from CSP

All DATA is not the same…
• Is App an important element
• Is version an important element
• Is time an important element

Besides these, cross-referencing data to application to business process – own or third party

All these are also, in a way, DATA for the CSP
Can’t leave stating not in SLA

New technology is a two-edged sword…
• In a virtualized, software-defined, cloud-enabled world, the application and infrastructure are data…

Page 12: Expectations in DRAAS from CSP

In short, you are still going to need DR / BC Planning…

• Aligned to business processes, not hypervisor workloads or HW/SW stacks…

• Built on a clear-headed assessment of risks/costs, relative criticality, and recovery requirements…

• Leveraging common sense and dogged testing and validation…

• And constructed in a business-savvy way: respectful of the sensibilities of senior management,

Page 13: Expectations in DRAAS from CSP

In short, you are still going to need DR / BC Planning…

• Can we have a Disaster Avoidance Strategy?

Look at the structure of a business continuity planning project
• Beginning with Specification and Design
• Then Implementation and Validation

Specification and Design, which are ultimately the determinants of plan success

Do customers understand their DR/BC requirements? Or are they suggested by the vendor?

Just deploy our offering and all business continuity needs will be met

Only 5% of downtime may be due to big D… disaster


Page 15: Expectations in DRAAS from CSP

The methodology is called business process deconstruction…

• The business process is the proper focus of DR/BCP…
  – Not the application
  – Not a server or storage array
  – Not some data

• Business processes contain tasks and workflows that must be “deconstructed” and examined separately

• You may have thousands of business processes: ask management to point you toward those that they see as “mission critical” to establish a starting point…

Page 16: Expectations in DRAAS from CSP

Lead to bogus quantitative risk analysis .. Understand your Risk

Source: DMI

Page 17: Expectations in DRAAS from CSP

This is true for …
• The Internet of Things
• Mobile Commerce
• The Hybrid Data Center
• The Digital Democracy

• And Many

Page 18: Expectations in DRAAS from CSP

This is true for …

Page 19: Expectations in DRAAS from CSP

Cloud backup needs to be considered carefully…

Page 20: Expectations in DRAAS from CSP

Role of SOC and NOC

[Diagram: Security Event Manager Core Architecture. Components shown: Input and Output Modules; Technology Specific Modules; Inference Engine Modules; Master Correlation Engine; Secure Transmission Protocol; Storage Technology Modules; Functional Specific Modules; EVM Processor Core]

Page 21: Expectations in DRAAS from CSP

N-Tier SIEM: 3rd Party SIEM Correlated Integration

Page 22: Expectations in DRAAS from CSP

Expectations in DRAAS from CSP

Synopsis: DRaaS providers
Architecture, RPO and RTO, Role of SOC and NOC, Health Check indicators.

Can we measure the extent of compliance with ISO 22301, ISO 31000, and ISO 27001?

Page 23: Expectations in DRAAS from CSP

Thank you

to all participants here

Venugopal [email protected]