Pros and cons
An entire business continuity program, with all its supporting files and databases, should be easily virtualized. A unique VM could be created that has all the necessary applications and databases.
This means that BC/DR resources can be located on-site as well as off-site. For example, virtualization makes it possible to replicate BC/DR VMs to another server or possibly to an external managed service company. This becomes a key disaster recovery strategy in which off-site VMs are changed to production VMs by failing over the primary VM (which has been disrupted) to the off-site VM (which should mirror the production VM). This activity is, of course, separate from the practice of backing up applications and data.
Concerns about security (e.g., unauthorized access) and data protection (e.g., data integrity) need to be addressed in such a proposed implementation, but there should be no major differences in how systems and data are accessed. Fortunately, most of these can be addressed through data encryption and the use of strong access and authentication procedures. Successful virtualization can be achieved using a variety of field-proven solutions.
Tips for virtualizing data recovery activities
The following tips -- not in a specific sequence -- can help you virtualize your BC/DR plans, documents and activities:
1. Determine what will be virtualized and not virtualized.
2. Consider setting up a pilot arrangement, virtualizing only certain BC/DR activities, seeing if that arrangement works and is acceptable to your team, then moving more items to the VM.
3. Investigate external services, such as cloud-based BC/DR service providers, who may be a viable alternative to your own internal VMs.
4. If your organization is already using cloud-based services, see if you can leverage one or more of those existing services, e.g., a backup data storage vendor, to support BC/DR activities.
5. If your IT organization has a second data center that supports replicated VMs, see if you can arrange for regular replication of your BC/DR VM(s) to the alternate site; do this before investigating the costs of replicating BC/DR VMs to a cloud.
6. Ensure that your security requirements are defined.
More on disaster recovery activities
7. Ensure there are sufficient storage resources available to handle all aspects of your BC/DR activities.
8. Determine if your BC/DR activities will impact network resources linking your primary and alternate data centers; and verify the same if using managed services.
9. Schedule and conduct tests of your virtualized BC/DR plans to ensure they can be recovered and launched at an alternate data center or with a managed service company.
10. Make sure your business continuity management system team is trained in how to use VM services.
11. Schedule reviews and audits of your virtualized BC/DR activities.
Virtualization can be effectively used for individual business continuity/disaster recovery activities as well as an overall BC/DR program. Decide which elements of your program can/should be virtualized, define and document how you will use your VM(s), and regularly test all your resources -- especially security -- to make sure they work correctly.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.
This was first published in January 2014