April 12-14, 2010, Sheraton New Orleans
Staying Ahead of the Curve: The Latest Stressors, Methodologies,
Trends and Directions in Business Resilience
Richard Cocchiara, IBM Distinguished Engineer
Chief Technology Officer for IBM BCRS
[email protected] or 1-845-759-2043
There are several factors driving company resilience service architectures & solutions over the next few years
• Shift in focus from IT Continuity to Service Continuity
• Global economic crisis forces cost re-examination
• Increased virtualization of technology
• Movement towards a Cloud Computing Model
• Increased Regulatory Compliance needs
• Need for longer term storage
• Realization of human capital components
• Green - power and water considerations
• Improved integration of business continuity tools
Focus is shifting from disaster recovery to service resilience
Past
Companies are more focused on disaster recovery.
Reactive response to catastrophic events
Investments in IT recovery and workforce recovery were seen as expensive insurance policies.
Downtime is measured in hours to days.
Lack of focus on day-to-day events that cause the majority of downtime
Poor planning, reporting, and metrics
Today
Companies are more focused on services continuity.
Limit downtime (unplanned and planned) as much as possible.
Achieving continuous availability is seen as competitive advantage.
Downtime is measured in minutes to hours.
Focus on all causes of downtime, not just catastrophic events.
Emphasis on planning, preparedness, and adoption of standards
Overall Goldman’s IT spending index suggests modest growth; Capital spending implies a stronger recovery due to pent-up demand
Source: IBM GTS Market Insights Analysis based on Goldman Sachs, “Mapping 2010: Key Tech Trends to Watch”, January 10, 2010
[Charts: Goldman Sachs IT Spending Indices, 2002-Present; Goldman Sachs IT Spending Growth Estimates, 1990-2010E]
As an IT spending priority, BC/DR fared well in 2009 behind growing concerns of downtime and stakeholder expectations
“How much of a priority is purchasing or upgrading your BC/DR capabilities over the next 12 months?”
Goldman Sachs survey of top IT spending priorities
Source: Goldman Sachs IT Spending Survey, March 2009
Source: Enterprise and SMB Hardware Survey, NA and Europe, Q3 2009
Top reasons why BC/DR has been a priority during the downturn
Increasing sensitivity to downtime and data loss
Expanded focus of DR to include all sources of downtime (i.e., not just catastrophic events)
Increasing pressure from internal and external stakeholders
Source: “How the Cloud Will Transform DR Services”, Forrester, July 2009 and “Predicts 2010
Virtualization technology will be the single biggest disruptor in the data center over the next few years
Source: Goldman Sachs Investment Research – October 2007
Goldman Sachs estimates that:
60% of servers can be virtualized, but only 10% already are.
The Virtualization market is enormous: 50% of servers
Production Servers | % of Total Servers | Potential for Consolidation
1. High-end compute servers | 10-15% | Not likely
2. Large Application servers (DB, ERP, SAP, Oracle, SAS, DB2, SQL, …) | 25-30% | Could be slowly virtualized
3. Non-critical servers (including Mail, Web, Java, File and Print servers) | 50-65% | Quickest candidate workload
Development & Test Servers 100% Virtualized
Rise of social networking and social computing
Globalization and Globally Available Resources
Real-time data streams and information sharing
Billions of mobile devices accessing the World Wide Web
Cloud Computing
Evolving technologies will help businesses continue to innovate and change how we service clients
Cloud Computing will change business models and deliver services to clients faster and at lower costs than before
Cloud Computing Management Services
Workload Management, Provisioning, Monitoring
Virtualized Physical Servers (Ensembles)
System z, System x, System p, BladeCenter
Software Development
Deploys development tools for immediate use
Resilience
Provides dynamic storage and servers
Innovation Enablement
Expands sources of innovation, increases competitiveness
Large Scale Information Processing
Optimizes emerging Internet scale workloads
Self-service Admin Portal
Workload Pattern Templates
SLA and Capacity Planning
Administration Workflows
Workload Solution Patterns
Any cloud implementation must have some key resilience characteristics
• Device and location independence enables users to access systems regardless of their location or what device they are using, e.g., PC, mobile.
• Multi-tenancy enables sharing of resources, and costs, among a large pool of users, allowing for:
  – Centralization of infrastructure in areas with lower costs, e.g., real estate, electricity, etc.
  – Peak-load capacity increases (users need not engineer for highest possible load levels)
  – Utilization and efficiency improvements for systems that are often only 10-20% utilized.
• On-demand allocation and de-allocation of CPU, storage and network bandwidth
• Performance is monitored and consistent, but can be affected by insufficient bandwidth or high network load.
• Reliability is enhanced by way of multiple redundant sites, which makes it suitable for business continuity and disaster recovery, however IT and business managers are able to do little when an outage hits them.
• Scalability meets changing user demands, e.g., Flash crowds, quickly without users having to engineer for peak loads. Massive scalability and large user bases are common, but not an absolute requirement.
• Security typically improves due to centralization of data, increased security-focused resources, etc., but raises concerns about loss of control over certain sensitive data. Accesses are typically logged but accessing the audit logs themselves can be difficult or impossible.
• Sustainability is achieved through improved resource utilization, more efficient systems, and carbon neutrality. Nonetheless, computers and associated infrastructure are major consumers of energy.
Expect more Complex International Legislation and Accords
Basel I
Basel IA
Basel II
Solvency II
European Privacy Acts
Statute of the European System of Central Banks
Commission of European Communities OECD Principles
Markets in Financial Instruments Directive (MiFID)
UCITS (EU)
Council of European Banking Supervisors (C-EBS)
United States Sarbanes-Oxley Act (SOX), Sections 302, 401, 403, 404, 406, 408, 409,…….(US)
United States Federal Reserve Regulations
UK’s Financial Services Authority Combined Code, includes Turnbull Guidance and COSO
Australia’s Stock Exchange (ASX) Principles
Japan’s J-SOX
India’s Clause 49, Right of Information Act 2002
Germany’s KonTraG 1999
Public Company Accounting Oversight Board (PCAOB)
France’s LSF
Canada’s 52-109 and 52-111
Islamic Banking Law
Australian Prudential Regulatory Authority (APRA)
Multiple and Diverse Best Practice Frameworks
International Risk Governance Council (IRGC)
Federation of European Risk Management Associations (FERMA)
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• 1992, Internal Control Framework
• 2004, Enterprise Risk Management Framework (ERM)
Information Systems Audit and Control Association (ISACA)
• Control Objectives for Information and related Technology (COBIT)
Business Continuity Institute
IT Governance Institute (ITGI)
International Organization for Standardization (ISO)
• ISO/IEC 17799, ISO/IEC 27002:2005 expected to be renamed ISO/IEC 27002:2007
• ISO 31000 (new risk management standards under development)
• AS/NZS 4360:2004: Australia and New Zealand Risk management standard
British Standards Institute (BSI), BS 7799-1:1999, BS 7799-2:2002, BS 7799:2005, BS 25999
BITS
Generally Accepted Accounting Principles (GAAP) – Financial Reporting Standards (FRS)
• International Accounting Standards (IAS) – International GAAP
• Financial Accounting Standards Board (FASB) - US GAAP
• Local Reporting Standards – Local GAAP
Extensible Business Reporting Language (XBRL)
Information will need to be retained and organized to meet compliance requirements
No Control – High Operational Costs – High Information Risk – No Visibility
Information Explosion
Increasingly Punitive Legal & Regulatory Environment
Increasing Criticality of Producing Information
Rising Compliance & Litigation Costs
Information is out of control and piling up everywhere … paper too
Manual policies and processes that no one follows
No confidence our electronic information is accurate, trustworthy and admissible
Existing storage silos are costly and prevent efficiency
Required information can’t be found or analyzed
No visibility into key operational or legal risk areas
Backup is not the same as archive and companies will need to have an archive strategy that links the two
Backup
• For recovery
• Copies information
• Improves availability
• Short term in nature
• Data typically overwritten
• Not for regulatory compliance
Archive
• For retrieval
• Moves information
• Adds operational efficiencies
• Long-term in nature
• Data typically maintained
• Useful for compliance
An archive must ensure ALL types of information are properly stored and indexed in offsite locations
Content Management
Storage Management
• Offline and offsite archival
• Disk, tape
Collaboration Archiving
Application & Database Archiving
Classification Search & Discovery
Taxonomy Analytics
Index (Metadata & Text)
File Archiving
Intelligence
Online Repository
Key Drivers
Archiving Infrastructure
Storage Policy Management
File System Extensions
Policy Management
• Compliance
• Storage Efficiency
• Application/DB Performance
• Information Security
Content Archiving
Index (Metadata & Text)
GPFS Scalable file system
Archiving Infrastructure & Storage Hierarchy
As business models change, the human capital portion of a business becomes more important and at risk.
Critical assumptions:
• A new flu pandemic could break out soon.
• It is expected to have global impact and all countries need to be prepared.
• The flu virus could become highly transmissible and cause widespread sickness and death.
• There may be significant shortages of vaccines and antiviral medications.
• Significant disruption to economies, international and national infrastructures, and society in general, may occur.
An influenza pandemic is caused by the global outbreak of a new virus that causes illness and spreads easily from person to person, and for which people have no immunity and there are no vaccines immediately available.
So what is IBM doing about all this?
IBM’s approach to meeting these challenges includes a combination of methods, tools, reporting and services
• Resilience Maturity Assessment Framework (RMAF)
  – Used by business resilience teams for assessing customer resiliency
  – Developed jointly by IBM Research and IBM Business Continuity & Resiliency Services teams
• Resiliency Assessment Methodology (RAM)
  – Used by BCRS consultants for assessing overall client business resilience
  – Used by IBM service delivery teams and IBM Research for assessing Global Service Delivery Centers
• Resilience Maturity Index (RMI)
  – Computational index of specific components to help identify potential areas of concern
• Business Continuity & Resiliency Services
  – Consulting Services
  – Managed Services
  – Recovery Services
Over time, IBM has developed a Resilience Maturity Assessment Framework (RMAF) to comprehensively analyze a company’s resilience
Six layers of client’s enterprise
STRATEGY
PROCESS
PEOPLE
APPLICATIONS & DATA
TECHNOLOGY
FACILITIES
• A holistic approach to evaluate all aspects of business resilience
– Object oriented framework for risk assessment and supporting method for use in initial phase of business resilience engagements
• The layers are broken down into IT and Business objects; objects are refined by attributes
– 250+ objects and over 4000 attributes
– Linked across layers to provide different resilience views like continuity, compliance, security etc.
– Evaluated for their current and target levels of business resiliency maturity
The IBM Resilience Maturity Assessment Framework (RMAF) uses a 5 level maturity rating model to assess client resilience
• Basic: These attributes or features are ad-hoc in nature and constitute the most basic levels of capability. Little planning for redundancy, failover capability or security are evident and rely heavily on staff expertise.
• Managed: These attributes or features have the fundamental automation tools necessary to manage a disruption or opportunity when it occurs.
• Predictive: These attributes or features are centered on establishing thresholds and advanced warning systems that allow the company to take preemptive actions to prevent disruption.
• Adaptive: These attributes or features focus on the organization's ability to sense and respond to unforeseen circumstances by using contingency plans and adaptive technologies or processes found in On Demand Business resources to maintain operations.
• Resilient: These capabilities focus on the business model itself and leverage the innovation, optimization and capacity management characteristics of an On Demand Operating Environment.
Example:
Layer: Process
Object Group: IT Processes
Object: Change Management
Attribute Group: Activities
Attribute: Monitor & Report
1 = Basic, 2 = Managed, 3 = Predictive, 4 = Adaptive, 5 = Resilient
• Some or all of this activity is slow, manual and/or problematic.
• Major changes usually have the outcomes documented,
• Change process is monitored and is effective for major changes.
• Change process is monitored and is effective for all changes.
• Change results are always documented, follow consistent codes to indicate the results, and are continually used to improve the process.
[Diagram labels: Manage, Set, Design, Deploy, Plan, Implement, Control, Monitor, Evaluate, Analyze, Assess]
The framework is used as part of an overall continuous improvement Resilience Assessment Methodology (RAM) to help manage risk, improve governance and enable compliance.
Information Risk Management
Regulatory Compliance
Corporate Governance
Business Imperatives
Inputs: Business objectives, goals, priorities, policies & current capabilities
Outputs: Reduced Risk, Improved governance and enabled compliance
Objectives
Risk Supervision and Control
Monitoring and Surveillance
Reliable and Resilient Infrastructure
Efficient Flexibly Integrated Processes
Protection and Contingency
STRATEGY
PROCESS
PEOPLE
APPLICATIONS & DATA
TECHNOLOGY
FACILITIES
Integrated Planning
Knowledge Sharing
When IBM attempted to apply our framework and method to our Global Service Delivery Centers, there were several goals
• Goal: Validate and extend the RMAF based on our own experience
  – Identify new objects/attributes and modifications (can be generic for use elsewhere)
  – Define resiliency maturity levels for relevant attributes
• Goal: Derive a specialized view of RMAF for infrastructure service delivery
  – Identify objects/attributes relevant for service delivery operations of IBM
  – Develop a composite metric – Resiliency Maturity Index for infrastructure service delivery
• Benefits
  – Robust framework for assessing the resiliency of Global Service Delivery Centers
    • A tool to understand how varying the resiliency of specific objects in the model affects the overall resiliency of the Global Service Delivery Centers
  – IBM differentiator – metric for comparison with competitors
  – Common framework for BCRS customers and internal use
Specialized view of RMAF for GDC Resiliency Assessment
Service availability view for remote delivery of IT infrastructure services
“Features concerned with maintaining uninterrupted services to remote customer (internal or external) as per agreement”
Feature relevance indicated by 1s and 0s in the ‘Service Availability’ column
The features are marked with a maturity level from 1 to 5
The maturity values are aggregated into a resiliency maturity index
Model for computing Resiliency Maturity Index (RMI)
Facilities
Technology
Applications & Data
People (Organization)
Organizational resilience is an orthogonal entity that cuts across all layers.
Process
Business
IT
People - Facilities
People – IT & Bus. Processes
People - Technology
People – Applications & Data
Substitution Relation
Main facility, backup facility
Home Office
Voice network
Utilities
Network
Computing Systems
Degree of substitution = 80%
…
…
Operational Process
…
Remote Connectivity
Degree of substitution = 30%
Overall GDC Resiliency
Business Processes
Dependence Relation
Sample: Application of model to one Global Service Delivery Center
Facilities Layer
Object | Raw | Net | Reason
Main facility, backup facility | 3.7 | 4.1 | Dependence on People-Facilities; 80% substitution of home office by main facility; 20% substitution of voice by email
Home office | 3 | 4.1 |
Utilities | 4.5 | 4.5 |
Network | 2.7 | 2.7 |
Voice network | 3 | 3 |
Total Score | 3.3 | 3.5 |

Technology Layer
Object | Raw | Net | Reason
Network | 5 | 4 | Dependence on main facility, utilities and network, People-Technology
Computing sys. | 5 | 4 |
Mgmt sys. | 5 | 4 |
Security sys. | 5 | 4 |
Total Score | 5 | 4 |

Applications and Data Layer
Object | Raw | Net | Reason
Remote connectivity | 4 | 4 | Dependency on n/w, computing – mgmt – security systems, People-App & Data; 30% substitution of Email by voice; 40% substitution of Collaboration by voice
Remote Infra Mgmt | 2.2 | 3.6 |
Email | 2 | 3.9 |
Collaboration Tools | 5 | 4.4 |
Skills DB | 2 | 3.6 |
Total Score | 4.1 | 4 |

Process Layer
Object | Raw | Net | Reason
Operational Processes | 5 | 4 | Dependency on Applications and Data layer objects, People-Process
Business Processes | 3.4 | 3.5 |
Total Score: 3.9
Overall GDSC Score = 80% IT-process score + 20% Business-process score = 3.9
We help globally deliver resilience solutions through resiliency centers and delivery and consulting experts around the globe.
A unique infrastructure and skill set designed for flexibility and responsiveness in a resilience situation, from simple to complex environments
Support for over 12,000 clients with over 15,000 contracts
Our depth and breadth of resources include:
A business model based on risk and syndication of resource at a machine level
Options for dedicated or limited shared resource
Successful support for over 750 client recoveries.
Thank You!
Richard Cocchiara – CTO & Distinguished Engineer
845.759.2043 - [email protected]
IBM Business Continuity & Resiliency Services
For more information visit: www.ibm.com/services/continuity
Copyright information
© Copyright IBM Corporation 2010
IBM Global Services
Route 100
Somers, NY 10589 U.S.A.
Produced in the United States of America
02-08
All Rights Reserved
BUP03005-USEN-00