The past couple of weeks must have been an anxious time for the customers of the outsourcing service run by 2e2 which went into administration on January 29th.  This impacted on a range of organizations including hospitals. The good news today is that the Daisy Group plc. has been appointed to manage the 2e2 Data Centre business.  Organizations are now almost totally dependent on their IT services to operate. It is tempting to think that outsourcing the service absolves you of any responsibility.  This is not the case; an organization using a cloud service is still responsible for the continuity of its business.  The lesson to be learned from this is that while organizations may hope for the best they need to plan for the worst!

A previous example of the need for business continuity planning occurred some years ago.  On the 29th of March of 2004 a fire in tunnels under the city of Manchester had a major impact on telecommunications in the North of England.  Emergency services were hit and mobile phone services disrupted; it was estimated that 130,000 ‘phone lines were affected.  It was not until April 5th of that year that services were back to normal. 

Most organizations depend heavily upon the public telephone network and this network is normally one of the most reliable services so how did they cope with this disruption?  The organizations that had an up to date and tested disaster recovery plan (mostly the large ones) were able to continue their operations.  The small organizations without a plan were badly hit.

Smaller organizations, ones that are not able to afford their own highly resilient data centres, should benefit the most from the resilience offered by the larger cloud service providers.  However, as the example above illustrates, small organizations tend not to have a business continuity plan. In addition not all large organizations have included cloud services in their plan.

Organizations need to determine the business needs for the continuity of any services and data moved to the cloud. They should have policies, processes and procedures in place to ensure that the business requirements for business continuity are met. These policies and procedures involve not only the CSP, but also the customer as well as intermediate infrastructure such as telecommunications and power supplies. They should form part of a complete business continuity plan. Such a plan is part of the operations of what KuppingerCole defines as the “IT Management and Security” layer within IT organization, which is described in the KuppingerCole Scenario: Understanding IT Service and Security Management – 70173.

Here are some points that need to be considered.  For a more detailed view see KuppingerCole Advisory Note: Avoiding Lock-in and Availability Risks in the Cloud - 70171

End to End Infrastructure: Use of the Cloud depends upon the infrastructure to be available from end to end. Not only does the equipment and services at the CSP have to be operational but also the network and the customer equipment need to be available and working. Therefore the Cloud customer, as well as the CSP, needs to ensure the availability of components under their control as well as having appropriate contingency plans.

Service and Data Availability: the data or the service may become unavailable for many reasons.  These include misconfigurations and bugs as well as hardware failures; in addition it may be corrupted or be erased. The CSP may offer several approaches to minimize the risk of data becoming unavailable. However - if timely access to the data is important – ensure that you understand the promised time to recovery. In some circumstances the Cloud customer may need to perform a backup themselves to ensure the required level of business continuity.

Theft or Seizure: The equipment that is used to provide the Cloud service may be stolen or seized by law enforcement because of the activities of co-tenants. These can both lead to a loss of availability of the Cloud service.

Supplier Failure: The cloud service may become unavailable due to the failure of the CSP or of one of their providers. The CSP may go out of business for many reasons ranging from withdrawal from the market through to financial bankruptcy. The CSP may also outsource some of the services that it depends upon and its own supply chain could fail with the failure of one of these providers. Whatever the reasons the impact of this failure on for the cloud customer could be very high.

Power Loss and Natural Disasters: The cloud service provided depends upon the availability of power for systems as well as air-conditioning and other ancillary services for the data centre. An example of this was the lightning strike in Dublin that caused the Amazon and Microsoft Cloud to go offline in 2011.

For more details on best practices for cloud computing attend European Identity & Cloud Conference held in Munich during May 2013.  This will feature a one day workshop on Cloud Provider Assurance.  This workshop uses real life scenarios to lead the participants through the steps necessary to assure that cloud services meet their organization’s business requirements.