This final post in our 5-part series looks at the critical capabilities required of your chosen BC/DR vendor, in the crucial realms of security and compliance.
- TCO – True Cost of Ownership
- Investment Protection
- Vendor Ecosystem
- Security & Compliance
So, security and compliance. Let’s get to it:
With the rising threat of data loss from security breaches, natural disasters, and human error, now more than ever you have to continually “ante up” your cyber defense arsenal against constantly escalating vulnerabilities. Keeping pace with risk is a major business challenge, especially for regulated industries.
Two Steps Forward
As quickly as ways to remove and block vulnerabilities are discovered, attackers create new strains of previously discovered malware and build more advanced capabilities on top of the original code.
Security is a common concern as it relates to any cloud service, but less so with those brands protected by a private cloud. What’s important? That the Business Recovery product under consideration provide complete end-to-end encryption, where data is encrypted not only while in transit, but also while at rest in the provider’s facility. A good question to ask is whether encryption of data at rest in the data center is a standard offering, or whether it requires additional services and fees (you’d be surprised by the number of vendors who position encryption of data at rest as an “add-on” feature). Another important element is whether the encryption of your data is part of the base solution and is seamless, without the need for the user to install software or spend time setting it up (again, some vendors may surprise you, so it is always good to confirm).
Regulated industries need compliance. It’s a significant factor influencing the selection of your Business Recovery vendor. While Business Continuity or Disaster Recovery regulations may not apply in every business situation, a general understanding of the standards and legislation governing data integrity, availability and compliance is helpful for any organization developing a Business Continuity strategy. Credit unions, for example, must comply with the National Credit Union Administration (NCUA) guidelines for data backup and availability, while healthcare organizations have specific HIPAA requirements.
Looking at Vulnerabilities Before They Happen
Another important point is the need to understand a solution’s potential vulnerability areas before an interruption occurs. This starts with requesting from the vendor a description of the technology powering the solution. In many cases, vendors will cobble together disparate software products as part of an OEM agreement, hiding the patchwork configuration under a nice user interface. Knowing the core technology that handles your data will give you a good idea of potential areas for concern. Examples: being aware that your backup appliance is running a version of Linux that is known to contain a vulnerability, and that the vulnerability has been corrected in later versions; or knowing how many different layers of software handle your sensitive data, so you can assess the various ways someone might improperly gain access to that data.
Speaking of vulnerabilities, it should be standard procedure to check whether the provider’s data center has at minimum SSAE-16 certification or, even better, SOC 2 certification. This ensures that security controls are in place and that the data center can comply with industry regulations such as SOX, HIPAA, FINRA and GLBA, among others.
Part of ensuring that security and compliance are correctly implemented involves looking at how the user interface helps or hinders the tracking of potentially harmful events in the system. Are audit logs easily accessible and presented in a coherent fashion? Can alerts be customized and triggered based on specific SLAs to comply with your organization’s data protection policies? Will you be able to easily pinpoint potential issues before they become serious events? While the user experience is normally looked at from a productivity standpoint, it should also be considered when evaluating the vendor’s overall security and compliance characteristics.
Thanks for staying with us for the length of this blog series. As a result, you are likely now ready to develop a comprehensive Business Recovery plan. Get to it: Download our essential Business Recovery guide.