To minimize the loss of financial services due to natural or man-made disasters, disaster recovery systems have been established and operated in the financial industry. The current disaster recovery system is mostly built and operated with the same computer architecture as the main data center. However, change management of the disaster recovery system does not keep pace smoothly with changes in the computing environment. To compensate for this, there is growing interest in building disaster recovery systems in the cloud environment, and the number of such deployments has been gradually increasing. However, there are limitations in constructing a disaster recovery system for the cloud environment. In this paper, the cloud deployment environment is defined based on a classification of financial business in order to build a disaster recovery system in a cloud environment, and a disaster recovery system operation scheme is proposed.

This paper is organized as follows. First, previous cloud disaster recovery techniques and vendors are analyzed. Then, financial task classification metrics for cloud adoption and the operation of a cloud disaster recovery system are proposed. Finally, the research conclusion is presented in chapter 4.
The cloud market has not reached the maturity stage, and public cloud service is mainly provided by the telecom companies. However, these cloud services do not include a disaster recovery service. In terms of hardware, the main components of a disaster recovery system are divided into server, storage, and network. Servers and networks can be configured as virtual environments provided by the cloud service, maintaining a fail-over or active-active state during a data center disaster. Storage is different: since data is continuously generated and changed through the server providing the main service, remote data replication must be performed through the data replication function provided by the cloud service.
- Building Disaster Recovery System for Cloud
3.1. Core / Context Analysis Framework for Disaster Recovery System

‘Core/Context Analysis’ is an analysis framework proposed by Geoffrey A. Moore[3,4]. Core means the core business of a corporation. Core business is an important part of enhancing a company’s competitive advantage. Context is defined as all activities other than the core. A context task does not pursue differentiation, but rather aims to be ‘as efficient as possible in the standard way as possible’.

[Core / Context Analysis] is used as a framework for building a disaster recovery system in this research. The conditions that specify Core are defined by ‘The Guide to Using the Cloud Services in the Financial Services’ published by the Financial Security Institute. In addition, what counts as mission-critical is selected through Business Impact Analysis (BIA). Business impact analysis is a series of analysis activities that define the tier matrix by analyzing the RTO / RPO for each business function, and define the mission-critical (core or important) tasks according to the tier level connected to each business function. The results of business impact analysis can be defined a little differently depending on the consulting method, but the basic concept is applied equally[7,8].

A Core task is an IT system for processing, transmitting, receiving and delivering unique identification information or personal credit information. A Context task is any other IT system. A Mission-Critical task is a process whose shortfall creates serious and immediate risk. Non-Mission-Critical means all other processes. Combining the two axes gives four categories:

· Core-Mission-Critical: a system that maintains direct relationships with customers in financial services and maintains competitiveness against competitors.
· Context-Mission-Critical: a system that has no direct relationship with financial services, but causes a business crisis when it does not work properly.
· Core-Non-Mission-Critical: a system that indirectly supports financial services and needs to maintain differentiation from competitors, but may fail to deliver.
· Context-Non-Mission-Critical: a system with low importance for corporate management.
In table 1, the mission-critical and non-mission-critical tasks are compared and classified according to the importance of the task. For mission-critical operations, contracts must be made with cloud providers to enable continuous business services through redundancy or SLA recovery activities. Non-mission-critical tasks are less affected by failures, so failure recovery activities can be provided additionally through contracts that take economic considerations into account. Although the mission-critical and non-mission-critical tasks that meet the Core conditions are classified according to the importance of the work, they do not use the public cloud environment, so they are kept in the legacy system environment and the private cloud environment. However, for mission-critical tasks, the transition to the cloud environment should be considered depending on the utilization of the business.

3.2. Core / context model based disaster recovery system

The disaster recovery system is constructed differently according to the system configuration type derived through the core / context analysis. Generally, the scope of building a disaster recovery system differs depending on the construction time and the operation time of the disaster recovery system. However, since the mission-critical service has a great impact on the management of the financial company, its disaster recovery system should be built in advance.

· Definition of locations for providing disaster recovery services
From the view of the ‘Core’ system, ‘mission-critical’ services and ‘non-mission-critical’ services are in the same space. ‘Mission-critical’ services and ‘non-mission-critical’ services that are associated with the ‘Context’ system are also in the same space. However, the ‘Core’ system and the ‘Context’ system do not exist in the same space. In the public cloud environment, the space of the ‘mission-critical’ service may be different from the space of the ‘non-mission-critical’ service.

· Define when to provide disaster recovery services
A disaster affecting ‘mission-critical’ services can affect the whole financial business even in a temporary disruption, so disaster recovery systems should be configured and prepared in advance. The ‘Core’ and ‘Context’ systems that provide ‘non-mission-critical’ services can be preconfigured and operated in accordance with the financial company’s management policies and service priorities. Alternatively, according to the RTO (recovery time objective), the system may be newly configured and operated after a disaster occurs.

· Classification of services under the public cloud environment
‘Context’ systems on public cloud services have different ‘mission-critical’ and ‘non-mission-critical’ services. ‘Mission-critical’ services should be protected against failure or disaster in terms of temporary interruption, while ‘non-mission-critical’ services can be assigned the lower service levels in table 2.
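The placement and timing rules of sections 3.1 and 3.2 can be checked mechanically against a system inventory. The Python check below is an added example, not part of the original paper; the field names, site labels and sample inventory are constructed, and the mission-critical flag is assumed to be the outcome of the BIA.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    handles_id_or_credit_info: bool  # Core condition from section 3.1
    mission_critical: bool           # assumed to come from the BIA (RTO/RPO tier)
    environment: str                 # "legacy", "private" or "public"
    site: str                        # hypothetical label for the hosting space
    dr_prebuilt: bool                # DR system configured before any disaster

def quadrant(s):
    """Return the Core/Context x Mission-Critical category of a system."""
    kind = "Core" if s.handles_id_or_credit_info else "Context"
    crit = "Mission-Critical" if s.mission_critical else "Non-Mission-Critical"
    return f"{kind}-{crit}"

def violations(inventory):
    """List (system name, reason) pairs that break the section 3.1/3.2 rules."""
    found = []
    for s in inventory:
        # Core tasks stay on legacy systems or private cloud, never public cloud.
        if s.handles_id_or_credit_info and s.environment == "public":
            found.append((s.name, "Core system placed in public cloud"))
        # Mission-critical services need their DR system built in advance.
        if s.mission_critical and not s.dr_prebuilt:
            found.append((s.name, "mission-critical without DR built in advance"))
    # Core and Context systems must not exist in the same space.
    core_sites = {s.site for s in inventory if s.handles_id_or_credit_info}
    for s in inventory:
        if not s.handles_id_or_credit_info and s.site in core_sites:
            found.append((s.name, "Context system shares a space with Core"))
    return found

# Constructed sample inventory (not taken from the paper).
INVENTORY = [
    System("account-ledger", True, True, "legacy", "dc-main", True),
    System("credit-scoring-batch", True, False, "public", "csp-region-a", False),
    System("market-data-portal", False, True, "public", "csp-region-a", False),
    System("intranet-wiki", False, False, "public", "dc-main", False),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(f"{quadrant(s):32} {s.name}")
    for name, reason in violations(INVENTORY):
        print(f"VIOLATION {name}: {reason}")
```

Non-mission-critical systems without a pre-built DR system are not flagged, since the paper allows them to be configured after a disaster according to the RTO.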
3.3. Operate Disaster Recovery System with Core/Context Model

A disaster affecting ‘mission-critical’ services on either the ‘Core’ system or the ‘Context’ system can affect the whole financial business even in a disruption situation, so disaster recovery systems should be configured and prepared in advance. However, since the services are provided from different locations, the ‘Core’ and ‘Context’ systems do not experience the same disaster situation. ‘Mission-critical’ services and ‘non-mission-critical’ services that are classified as ‘Core’ systems are directly affected when a disaster occurs, and service continuity is maintained as shown in figure 2. The system also connects with ‘mission-critical’ services using public cloud to provide continuous services.
In the event of a disaster at a cloud service provider, as shown in figure 3, business services resume within the RTO and RPO through a disaster recovery service contracted with the cloud service provider. A disaster recovery center operated by the cloud service provider provides business continuity for business services covered by a disaster recovery service contract.
- Conclusion

Personally identifiable financial information dealt with in the financial industry requires the highest level of information security. Therefore, adoption of the cloud environment in the financial industry has many limitations. However, it is possible to derive the information or financial services that can be handled in the cloud environment through business analysis of the financial industry. In this paper, the criteria for classifying the business and financial information services of the financial industry are defined based on the [Core / Context Analysis] theory. In addition, the services that can be deployed in the cloud environment and those that should be provided as legacy systems are distinguished according to the newly defined [core / context classification criteria]. A disaster recovery system for the supported financial services and financial business is designed and proposed in the cloud environment. In particular, an operational frame for the normal operation of financial information services for disaster recovery is proposed. Through this design, it will be possible to establish a financial cloud system that can manage personal information and financial information efficiently, and to establish a disaster recovery system.
BRCCI – Business Resilience Certification Consortium International (www.brcci.org)
We are thankful to the author for allowing us to post this insightful article on our website.