In IT, failure is not an option. Not surprisingly, organizations have made it a high priority to develop and implement reliable business continuity plans to ensure that IT services are always available to internal users and outside customers.
But recent technology developments and trends, most notably server and desktop virtualization, cloud computing, the emergence of mobile devices in the workforce and social networks, are having an impact on how enterprises handle IT business continuity planning and testing. Much of the impact is for the better, experts say, but these trends can also create new challenges for IT, information security and risk management executives.
Here's a look at how these tech megatrends are affecting IT business continuity specifically. (For a holistic perspective on business continuity planning including more about people and assets, read Business Continuity and Disaster Recovery Planning: The Basics.)
Use these quicklinks to navigate to a specific technology:
Virtualization is making business continuity planning easier for IT executives and their organizations, if for no other reason than it's helping to reduce the number of IT assets, says George Muller, vice president, sales planning, supply chain & IT at Imperial Sugar Co, Sugar Land, Texas, one of the nation's largest processors and marketers of refined sugar.
"For those of us who have been in the IT world for a few years, we've seen the transition from the old large mainframes to client server to Web-based applications to cloud based computing," Muller says. "During that time the proliferation of PCs and servers has been wild."
[Also read 3 key issues for secure virtualization by Bernard Golden]
With so many devices to maintain and keep running, particularly physical servers in the data center, ensuring systems uptime had become a much greater challenge, Muller says. "With virtualization, we've now been able to reduce that footprint [of servers], which means when we are planning for business continuity now we've got fewer devices to worry about."
Server virtualization has allowed communications and compliance technology services provider Walz Group in Temecula Calif., to greatly reduce its planned outages, and largely eliminate unplanned downtime, says Bart Falzarano, CISO.
Using server virtualization, the company can manage, support and secure its applications more effectively, Falzarano says. Walz has been able to achieve higher virtualization efficiencies (a higher number of virtual machines to hypervisor host) using newer infrastructure technology.
The company is then able to leverage workload mobility capabilities locally that allow it to quickly switch virtual machines and applications between different physical resource pools of compute, memory and storage.
"For maintenances, upgrades, firmware updates, critical patches, etc., Walz simply moves the applications away from the area being impacted by the maintenance activity," Falzarano says. "Once the maintenance activity, testing and quality control checks are complete, [we] may move the application back to that region or area."
Virtualization has actually had a bigger impact on disaster recovery than on business continuity, says John Morency, research vice president at research firm Gartner Inc. in Stamford, Conn., although one area where there's been an effect on continuity is work area recovery.
Many companies have relied on providers of work area recovery sites for business continuity, which can cost from $15 to $25 per seat, Morency says.
"But what more organizations are doing now is having people work at home or at Starbucks or the library or wherever," he says. "The use of Citrix, DVI and other desktop virtualization technologies, in conjunction with secure tunneling, is enabling organizations to implement broader and more distributed work area recovery."
Some businesses and functions, such a branch banks and customer service call centers, continue to use work area recovery services, Morency says. But a growing number of Gartner clients are leveraging virtualization to enable people to work offsite when needed, as an alternative to work area recovery.
[Also see CSO's ultimate guide to business continuity and disaster recovery—11-page PDF report, FREE CSO insider registration required]
Rachel Dines, senior analyst, Infrastructure & Operations, at Forrester Research in Cambridge Mass., says desktop, or client, virtualization is having a bigger impact on business continuity than server virtualization.
"Client virtualization is making workforce recovery [possible] for many companies that cannot rely on employees working from home with laptops," Dines says.
For example, at companies with highly sensitive information—such as financial services and insurance firms or government agencies—where employees are not issued laptops to prevent data leaks, client virtualization enables the rapid deployment of client images to disparate hardware at workforce recovery sites, Dines says.
In addition, organizations can deploy client virtual machines over the Internet and allow employees to access them via personal computers at home. "Either way, users are able to use the same environment that they are accustomed to on a daily basis, which means they will be more productive during the outage," Dines says.
Many of Gartner's clients increasingly are using software-as-a-service (SaaS) to support business processes, Morency says.
"With the use of SaaS for client-facing applications and even internal customer support applications there's a much improved means of continued availability, even in the presence of minor or major disruptions," Morency says. "You have a set of applications delivered from the cloud."
But this also imposes additional responsibilities on IT as far as being able to broker those services or provide additional problem management triage when necessary, Morency adds.
Walz Group operates a private cloud and uses cloud management tools that Falzarano says are a key to the company's business continuity initiatives. One such product the company is using is FlexPod, a data center management platform from Cisco Systems and NetApp that provides a design architecture with combined networking, computing and storage infrastructure.
[Also see A security checklist for cloud models]
Every Walz application that's running on FlexPod has a template associated with it, Falzarano says. These templates are checked into an "environments catalog", and are centrally managed by cloud management software. Using the software and the templates within an environment catalog, the IT team at Walz can maintain business continuity effectively, Falzarano says.
The consumption of resources (for example, CPU, memory, storage, bandwidth) for these environments are displayed via dashboard, alerting and reporting metrics, and detailed trending such as daily, weekly, monthly and quarterly consumption helps with planning, determining and provisioning the capacity needed for business continuity and disaster recovery purposes.
Using the cloud management tool Walz can set up defined policies for scaling out additional applications, and this allows it to maintain business continuity through a more automated, on-demand type of provisioning, Falzarano says.
The software also allows Walz to provision to its private cloud or to a service provider's private cloud. For example, if Walz is using 80% of the internal private cloud and suddenly sees a demand for a new application and wants to rapidly spin up development systems, it might choose to provision these development systems to a service provider's private cloud instead of provisioning systems to the remaining 20% on its private cloud, so that it can maintain some growth reservation. The same type of model can also be used for business continuity, Falzarano says.
Imperial Sugar operates a hybrid cloud environment, with about 95% of its applications running on a private cloud in its data center and the remainder accessed via a software-as-a-service (SaaS) model. The private cloud is provided by a network service provider and the SaaS software is delivered by software vendors on a hosted basis, Muller says.
Because the cloud environment is maintained by service providers and software vendors, the onus falls on them to ensure continuity, and that can be a benefit as well as a risk, Muller says.
"When I have a third party hosting the environment for me I look to them as part of the service-level agreement to have the resources—the people and hardware and infrastructure in place—so that they can guarantee me if the hardware has a problem at one location they've got another location that will bring up my apps in a manner that is seamless to our internal users," Muller says. "That's sort of their problem, as long as I've got a strong service-level agreement in place with them."
On the other hand, even with a service-level agreement holding the service provider responsible there are no guarantees that service will not at some point be interrupted, Muller says.
Not everyone sees cloud computing as influencing business continuity. "As of today, I don't see a huge impact," Dines says. "However, I do expect this to become a significant complicating factor in the future. As more organizations outsource more services to the cloud, it will become the job of the business continuity manager to audit the recovery plans of many different suppliers."
In addition, Dines says, during a failure or testing, recovery will need to be coordinated across many different sites run by different vendors. "Longer-term, cloud will make business continuity much more complicated," she says.
Mobile Devices in the Workforce
The proliferation of mobile devices in the workforce is a benefit for business continuity strategies because it gives more flexibility for workforce recovery options, Dines says.
"As compared to the days when employees only had desktops and laptops, the ability to remain productive without access to a computer via tablets and smartphones is a significant advantage," she says. "Additionally, it means that employees should be easier to communicate with during a disaster."
Business continuity planning software vendors are putting more emphasis on ensuring that the software and information needed for business continuity can be accessible via mobile devices, Morency says. This includes information such as the current status of recovery, the locations to which employees should be going, what applications and services they can access and where they connect to get the latest emergency updates.
"This is not only for telecommuters but for the workforce in general and the mobile sales folks who need ways to access the information that is most relevant to them, and be able to access this through the device of their choice," Morency says.
Enterprises "cannot depend on corporate headquarters or the data center always being available following a disruptive event," Morency says. "They have to ensure that critical plan content is always available [including to mobile users] regardless of what happened."
Many Imperial Sugar employees use smartphones, tablets and other devices for work, Muller says, and these devices would likely prove useful from a business continuity perspective because workers would be able to use them to conduct business transactions and communicate with co-workers and customers from multiple remote locations.
The key issue is ensuring that these devices continue to have access to the software and services that allow them to function optimally for applications such as messaging and collaboration. "If I've got a Blackberry Enterprise Server I just need to make sure that it's something I can bring up at a remote business continuity or disaster recovery site" if needed, Muller says.
The proliferation of mobile devices makes it easier for people to stay connected, "and certainly makes it easier to connect in a business recovery situation," Muller says. "A wireless PC can do the same thing, but a mobile device is smaller and easier to carry around and it costs less. You can do just about anything on a mobile device that you can do on a PC."
A Forrester report published in July 2011, entitled "It's Time to Include Social Technology in Your Crisis Communication Strategy," notes that while many risk professionals subscribe to automated communication services for reliable mass notification, "the widespread adoption of mobile devices and easy Internet access support the case for using social technologies like Twitter, Facebook, and Skype as critical components of your response plan."
As companies look for rapid, effective communication approaches with key stakeholders in crisis communications, they should strongly consider leveraging social technologies, the report says.
Another report, "The Do's and Don'ts of Using Social Media in Business Continuity Management," released by Gartner in January 2012, notes that social media "holds the promise of transforming enterprise business continuity management, especially crisis/incident management and communications practices."
Social media is used by more than 80% of the world's population, Gartner says, and enterprises can't afford to ignore it as a crisis communications tool. But effective use of a new communications channel requires planning and practice, and attempting to leverage social media for the first time during a crisis can cause more harm than good, the firm says.
Among the key recommended steps are to determine which social platforms are already used by employees, customers and other stakeholders and use those platforms in crisis/incident management efforts; and use social media not only to communicate during a disaster, but to gather information and gain the support of outside resources that can help ensure ongoing business resilience. Business continuity management professionals should immediately begin assessing social media's opportunities—and risks, the Gartner reports says.
"Social networks are both a blessing and a curse" for business continuity, Dines says. "They have the benefit of being an additional communication channel to get in touch with employees during a [business disruption]. However, they can be a headache for crisis communications and PR as they try to control potential damages to reputation and the propagation of rumors."