Considering the Threats

Keeping in Compliance

In some cases, regulatory compliance and government mandates dictate that companies have secure, auditable access to key information, even during unanticipated events. Requirements like Sarbanes-Oxley, HIPAA and others still apply, even if an organization is working under less than ideal conditions. Consider a health insurance provider that suffers a business disruption that forces key employees to work from home. Should any of those employees access sensitive data that falls under HIPAA regulations, the company must be able to prove those employees were authorized to do so.

While such safeguards and audit trails may be in place at the headquarters office, companies also need to ensure they apply to employees who access the data remotely. Indeed, compliance is one reason some government agencies are now mandating that the private sector organizations they do business with be able to demonstrate they have a credible business continuity planning implementation.

Competitive Imperative

From a competitive standpoint, most companies can�t aff ord to let an event such as a snowstorm inhibit its ability to respond to customers, supplies and other partners. If the storm should rage on for two days or three, competitors may well pick the slack for any company that can�t keep getting business done.

Finally, without a business continuity plan that includes secure remote access, companies may leave themselves exposed to hackers and other security threats during an unanticipated event. If an employee accesses company resources from a home PC that contains a virus, and winds up unleashing the virus on the corporate network, it may cause as much damage as the business disruption that kept the employee at home in the first place.

Case Study: Humana Finds Safe Harbor

The health insurance provider Humana, Inc. had a direct confrontation with Hurricanes Katrina and Rita in September and October of 2005. The company has employees in New Orleans and Texas, says Chuck Deaton, manager of information security architecture and design for Humana in Louisville, Kent.

�We were able to tell those folks to pack up, take their laptops and go to some safe harbor,� Deaton said. Once safely in an alternate location, the workers could log in to the Array gateway via any type of connection, be it dialup or broadband. �They could immediately connect to the network using any available PC and continue to be productive.�

Deaton, who uses a combination of Array devices including the SPX5000, SPX3000 and SPX2000, says the performance, end user experience and capacity they off er can�t be matched by any competitor. �It�s gaudy what Array can do compared to the closest competitor,� he said.

Remote Access for BCP: Critical Deployment Criteria

Secure Anytime, Anywhere Access

Fundamental to a business continuity plan is the ability for workers to be able to get at the applications and resources they need, even when they can�t make it to their normal place of work. It does no good to keep servers, applications and databases up and running if the workers who need them cannot get access to them. Access should also be available when the offi ce is no longer functional and the server infrastructure has been moved elsewhere. Similarly, should workers lose their primary access device � such as when a laptop is lost, stolen or broken � they should be able to access resources from any alternate device with a functioning Web browser.

All the while, however, the business has to be mindful that during an emergency, it is especially susceptible to a security breach, whether from internal users or unauthorized intruders attempting to take advantage of the relative chaos. In such a situation, strong encryption, access controls and end-point security are a must.

Zero Service Interruption

Service interruptions often occur after events that are either completely unforeseen, such as an earthquake, or for which there is little time to plan, such as a snowstorm. Just as you can�t be sure workers will be able to make it into the offi ce during such events, you can�t assume that your IT staff or outsourced solution vendor will either. Given that, your business continuity plan must be able to be implemented without IT help of any kind.

That means the plan can�t rely on being able to reach the IT department by phone, e-mail or Web. And it can�t assume that workers or IT will be able to add any additional hardware that may be required, such as additional remote access devices to support new users. To be truly effective, the business continuity plan must provide the capacity and performance you require with no IT intervention � and no downtime.

Seamless Capacity

Maximum Performance

While scaling to increase capacity, a successful business continuity plan also demands a remote access solution that doesn�t sacrifice performance in the process. Metrics to consider include the amount of bandwidth available for each user, latency and per-user response time. With many remote access systems, performance in each of these areas degrades as the number of active users increases.

Automated VPN Provisioning

Workers who don�t normally have cause to use their organization�s remote access solution pose a special problem for business continuity planning. During a business disruption, these workers will be using laptops or workstations that may not be outfitted with required virtual private network (VPN) software or other critical components. They are also likely to be unfamiliar with the remote access solution and how to use it.

That makes it imperative that the business continuity plan include a remote access solution that can deliver any necessary software components �on the fly,� as they are required. It must also provide interactive �smart� training that makes it intuitive for even new users to successfully set up.

Cost-Effective Implementation

Outfitting a remote access solution with the licenses required to support all those workers who should be included in a business continuity plan can be cost-prohibitive. Most vendors require users to purchase additional hardware that goes unused day-to-day. Similarly, most don�t have licensing plans that enable customers to add additional licenses in case of an emergency, then revert back to their normal level once the business disruption has ended. What customers need is hardware that is priced at an appropriate level for their day-to-day needs, but that can scale to support the entire workforce if needed, along with a contingency license that covers such a scenario at a reasonable cost.

Global Redundancy

Of course a remote access solution that meets all of these requirements won�t do any good if the applications and resources normally present in the company data center are no longer functioning. A business continuity plan, then, must ensure that applications and other resources are available from multiple sites, in case the primary site fails. And that backup data center plan must work in conjunction with the remote access plan, such that workers can get at the servers they need no matter where they happen to be.

As you assess the remote access landscape, you are likely to fi nd that most vendors don�t effectively address these seven essential requirements, if indeed they�ve considered them at all.

Meeting BCP Challenges with Array Networks

Secure Access On Demand

With the Array Networks SPX Series SSL VPN Access Gateway, there is no need for IT to pre-install software on each client. Rather, users can merely click on a URL and all the software they need will be automatically pushed to their machine and ready to use � with no IT involvement. That�s an important consideration in an emergency situation, where many workers who are normally in an offi ce location are instead relying on remote access. IT personnel are likely to be busy getting their own house in order; they won�t have time to field support request from all the new remote users. It�s also a productivity issue, in that the SPX Series allows the workers to quickly get at the resources they need, instead of wasting time trying to get their machines properly configured.

The SPX Series also allows for the same level of security, if not better, as if all workers were in the head office. That�s because IT can predefine which workers are allowed to access what resources, with a granular level of control over access to resources including e-mail, fi les, applications and the corporate intranet. Indeed, the SPX Series even allows IT to consolidate a plethora of such access control lists (ACLs) from their firewalls, LAN switches, wireless LAN devices and application security proxies � thus improving overall security for the organization by ensuring all the ACLs are synchronized with up-to-date information.

Capacity for All

The SPX Series also has sufficient capacity such that most customers will be able to support all of their additional users on their existing hardware. At the high end, with the ability to support 64,000 concurrent users and 100,000 concurrent SSL sessions, the Array Networks SPX5000 offers the highest capacity on the market, and is roughly 20 times more scalable than competing solutions.

Performance to Spare

Of course, the ability to support vast numbers of users doesn�t do much good if performance degrades as the user count goes up. The Array SPX Series suffers from no such problems. It maintains an average latency of less than 2 milliseconds, even as throughput scales from 100 Mbps to 850 Mbps, according to tests conducted on the high-end SPX5000 model by The Tolly Group.

VPNs on the Fly

The customizable SPX user interface and Web portal make it simple for even first-time VPN users to log in. Interactive instructions guide users through the process, which typically involves no more than clicking a few tabs to select the desired applications. Any required software is pushed to the end user machine transparently and disappears once the session is over; no software installation is required.

IT can also be assured that any machines that log in to the Array system are secure because the SPX supports client-side integrity checking, to ensure client machines adhere to company security policies. The Array Intelligent Delivery feature provides the ability to push any required patches or components to end-users before they log in.

Flexible Purchase Options

The Array Networks ABC Flex License Plan means customers don�t have to scramble to procure licenses for new users in the event of an emergency. The plan enables additional users beyond those covered under the day-to-day concurrent user license to log in as needed, in some cases without any phone calls or other actions on the part of IT.

A number of plans are available, including:

� A 30-day certificate that covers the number of additional users you�ll have in the event of an emergency. The plan goes into effect as soon as IT calls, faxes or emails Array with an activation code.

� An insurance plan that allows customers to pay a monthly premium for the right to add additional users up to a predefined number in an emergency. Burst licenses are loaded on the system at purchase or via license key, and remain available for a period of one year. Users can log on seamlessly without IT intervention in the event of emergency. Customers can select the option to own the licenses outright if they purchase an additional 12-month insurance plan.

� A peak usage plan is available for customers with 500 or more concurrent users. Customers determine the number of additional licenses required in an emergency and pay a small fee annually to cover that number of users. In the event of an emergency, users can log on seamlessly without IT intervention. Customers pay only for users activated. Focus on Availability

The Array SPX Series ensures remote users can access IT resources, but IT must also ensure that those resources are available even during a time of disruption. That�s where the Array TMX Series of application availability solutions comes in. The TMX Series offers high-performance server load balancing, including on a global basis, such that servers in one data center can back up their counterparts in another data center in an N+1 redundant configuration.

The TMX Series helps IT weather the predictable Web application usage spikes that occur during emergency situations, and helps organizations with multiple data centers to remain operable when one goes down.

Case Study: ITG Wethers NY City Transit Strike

Investment Technology Group found out fi rst-hand how valuable the SPX Series can be in the event of an emergency. ITG is a specialized brokerage and technology firm with headquarters in New York and offices in North America, Europe and the Asia Pacific region. The company provides financial solutions to the most demanding of institutional investors, helping them get optimal prices for securities, route orders to desired markets, and manage the cost of trading � all in real time. For ITG, the ability to provide uninterrupted services is imperative, so its employees must be able to access critical business applications and resources at all times � even if they can�t get into the offi ce or if the offi ce is no longer functioning.

The company opted for the Array SPX to support its remote access requirements because it off ered a number of benefi ts that other SSL VPN solutions couldn�t match, including superior capacity and performance. The fact that the SPX enabled even users who don�t normally employ the VPN to quickly connect in the event of an emergency, without IT intervention, was another factor, along with the cost-effective ABC Flex License Plan.

All those factors came into play during the New York City transit strike of 2005. On December 20, the fi rst day of the strike, ITG took advantage of the ABC Flex plan to temporarily increase the number of user licenses it owned. Those employees who were not able to travel to the office responded as they had been trained; they stayed at home and logged in to the corporate SSL VPN portal, where they were able to access appropriate resources and continue to conduct business.

The Array Networks SSL VPN functioned as intended, such that:

� Every user that needed to log on was able to log on, each receiving a premium user experience

� No action was required on the part of ITG�s IT department in providing secure remote access over the course of the event

� ITG was billed only for excess SSL VPN usage over the duration of the event

� ITG did not experience business disruption as a result of the transit strike

Conclusion

Visit the Authors Web Site

Home    Calendar    The Business Forum Journal     Features    Concept    History
Library    Formats     Guest Testimonials    Client Testimonials    Experts    Search
News Wire      Join Why Sponsor      Tell-A-Friend      Contact The Business Forum