vTrack Business Continuity and Disaster Recovery

Andr van der Werff, Sr. Systems Engineer, VMware Netherlands

2011 VMware Inc. All rights reserved

Welkom!

Confidential

Agenda
09.30 - 10.15 - Disaster Recovery , bent u er al klaar voor?
Andre van der Werff - VMware Systems Engineer

10.15 - 10.45 - Site Recovery Manager 5 Technical deep dive

Lee Dillworth - VMware Principal Engineer

10.45 - 11.00 - Koffie 11.00 12.30 - Site Recovery Manager en vSphere replication Deep dive
Lee Dillworth - VMware Principal Engineer

12.30 - 13.30 Lunch

Confidential

Introduction

Confidential

Disaster Recovery, but what about the plan?

Confidential

Disaster Recovery, but what about the plan?

Confidential

And what about

Confidential

High Availability vs. Disaster Recovery

Preventing vs. Recovering Minor problems vs. True Disaster Minutes vs. Hours* Single Point of Failure vs. Site Failure

Confidential

High Availability vs. Disaster Recovery

Can Disaster Recovery include High Availability?

Stretched datacenter

Geo Clustering

Campus Clustering Continental Clustering Active/Active datacenter

Confidential

High Availability vs. Disaster Recovery

HA is focused on uptime (99.999%) rather then recovery time HA protects SPOF HA=Minutes vs DR=Hours HA focuses more on making compute resources available and
accounting for both planned and unplanned outages.

HA solutions tend to be more of a single-site solution, with primary

and standby being relatively close to one another.

HA can DR is Recovering from problems DR helps you to rec DR is often used between sites that are separated by geographic
distances spanning time zones.

DR focuses more on major outages and maximizing recovery of

data
10 Confidential

Disaster Recovery, but what about the plan?

Difference between disaster recovery and business continuity

planning?

How do you get started? Business Continuity in 7 steps. Where do we start as a company? The Analyses What are the top mistakes that companies make in disaster
recovery?

11

Confidential

Difference between Business Continuity and Disaster Recovery?

Business Continuity
Business Continuity or BC aims to safeguard the interests of an organization and its key stakeholders by protecting its critical business functions (CBFs) against predetermined disruptions.

12

Confidential

Difference between Business Continuity and Disaster Recovery?

Disaster Recovery
Disaster Recovery or DR is the ability of an organization to provide critical Information Technology (IT) and Communications capabilities and services, after it is disrupted by an incident, emergency or disaster.

13

Confidential

No separate entities, but married together!

Business Continuity Plan

Business Continuity Disaster Recovery

14

Confidential

What is Business Continuity Plan (BCP)

Iterative process that is designed to identify mission critical business functions (CBF) and determine policies, processes, procedures to ensure the continuation of these functions in the event of a disaster

15

Confidential

Business Continuity Planning BCP

16

Confidential

Business Continuity in 7 steps

1. Initiate Program Program Management Risk Analyses & Review

Testing & Exercising

Business Impact Analyse

Plan Development

Recovery Strategy

17

Confidential

Business Continuity in 7 steps

1. Initiate Program Program Management Risk Analyses & Review

Securing the plan in the organization Commitment of the management

Testing & Exercising

Formalization

Business Impact Analyse

Plan Development

Recovery Strategy

18

Confidential

Business Continuity in 7 steps

1. Initiate Program Program Management Risk Analyses & Review

Scope of Critical Business Functions (CBF) Indentify Key Risk Areas

Testing & People, Exercising

Process & Products

Business Impact Analyse

Plan Development

Recovery Strategy

19

Confidential

Business Continuity in 7 steps

For each CBF:
Program Assess the (financial & business) impact for the Key Risk Areas 1. Initiate

Define Goals, RPO, RTO and MTPOD Identify

Program Managerestoration ment

sequence

Risk Analyses & Review

Which parts of the business needs to be restored first?

Testing & Exercising

Business Impact Analyse

Present BIA findings to management for comment and acceptance!

Plan Development Recovery Strategy

20

Confidential

Business Continuity in 7 steps

1. Initiate Program Program Management Risk Analyses & Review

Define recovery scope and requirements Identify available recovery alternatives and options
Testing & Assess cost benefits of available recovery options Impact Exercising Business Analyse

Plan Development

Recovery Strategy

21

Confidential

Business Continuity in 7 steps

1. Initiate Program Program Management Risk Analyses & Review

Capture recovery activities in a DR plan

Testing Clearly define & Roles and Responsibilities Exercising Business Impact Analyse

Define the ECO system

Plan Development

Recovery Strategy

22

Confidential

Business Continuity in 7 steps

Define the methodology to test the BC/DR plan
Program How, what, when and where questions 1. Initiate

Test and exercising the BC/DR Plan so that: All

Program Manageunderstand ment

the plan, her/his

Risk Analyses responsibility and & Review

role

All procedures, including those with suppliers and customers agreed to be tested

Testing & Exercising

Business Impact Analyse

Plan Development

Recovery Strategy

23

Confidential

Business Continuity in 7 steps

1. Initiate Program Program Management Risk Analyses & Review

DynamicTesting & Organization => Higher Change Rate Organization change == BC/DR Change
Exercising

Business Impact Analyse

Regularly evaluated and update the BC/DR Plan

Plan Development Recovery Strategy

24

Confidential

Where do we start as a company?

25

Confidential

Where do we start as a company? The Analysis

Business Impact Analysis

Indentify business most critical functions (systems and processes) Restoration Sequence : Which part of the Business needs to be restored first! For each critical function define:
Recovery Point Objective (RPO) Recovery Time Objective (RTO) Maximum Tolerable Period of Downtime

Threath Analyses
Disease, Earthquake, Fire, Flood, Cyber attack, Sabotage (insider or external threat) Hurricane or other major storm, Utility outage, Terrorism, Theft (insider or external
threat, vital information or material)

Random failure of mission-critical systems, etc, etc

Often used as basis for the BCP

26

Confidential

Definition of RPO, RTO and MTPOD

100% Product / Service 100%

Disaster

Product / Service Resumption Business Resumption

Minimum level

RPO
Maximum acceptable data loss following an unplanned event (hours)

RTO
Length of time that a CBF could be unavailable (hours)

Protection Technologies

Recovery Process and Technologies

MTPOD: Maximum Tolerable Period of Down Time

Duration after which an organizations viability will be irrevocability threatened if product or service delivery cannot be resumed.

27

Confidential

MTPOD: Maximum Tolerable Period of Disruption

Published end 2007, british standard 25999-2 Forces DR/BC professionals to first look at products and services
Customer expectations Regulatory requirements Reputational issues Financial and operational impairment Strategic consequences

Defined within the scope of BCP

28

Confidential

BCP, the basics

29

Confidential

9 Absolute basics a BCP should cover

1. Develop and practice a contingency plan that includes a succession plan for the
management

2. Train backup employees to perform emergency tasks. The employees you count
on to lead in an emergency will not always be available

3. Determine offsite crisis meeting places and crisis communication plans for top
management. Practice crisis communication with employees, partners, suppliers and customers

4. Invest in an alternate means of communication and access to crucial information

in case the local networks go down

5. Make sure that all employees-as well as management-are involved in the

exercises so that they get practice in responding to an emergency

30

Confidential

9 Absolute basics a BCP should cover (cont.)

6. Make business continuity exercises realistic enough see how people involved
react when the situation gets stressful

7. Form partnerships with partners and/or suppliers to establish a good working

relationship

8. Evaluate your company's performance during each test, and work toward
constant improvement. Continuity exercises should reveal weaknesses.

9. Test your continuity plan regularly to reveal and accommodate changes.

Technology, people and processes are in a constant change at any company.

31

Confidential

Pitfalls of BCP

32

Confidential

Pitfalls of Business Continuity Planning

Failure to gain support from senior-level managers. The largest

problems here are: Not demonstrating the level of effort required for full recovery. Not conducting a business impact analysis and addressing all gaps in the
recovery model.

Not building adequate recovery plans that outline your recovery time objective,
critical systems and applications, vital documents needed by the business, and business functions by building plans for operational activities to be continued after a disaster.

Not having proper funding that will allow for a minimum of semi-annual testing.

Lack of Ownership, hot potato bounce between IT, Operations,

Finance, etc.

33

Confidential

Pitfalls of Business Continuity Planning (cont.)

Considered an IT-only issue Over-reliance on Outsourced Vendors Inadequate planning, undefined priorities Wrong identification of all critical systems (ie forgot external
systems or suppliers)

Unclear RPO/RTO/MTPOD Wrong information in asset management tooling. Failure to bring the business into the planning and testing of your
recovery efforts.

Untested Backup and Restore

34

Confidential

Q&A

35

Confidential

Thanks!
Andr van der Werff avanderwerff@vmware.com

2011 VMware Inc. All rights reserved