Business Continuity for Web Sites (Archived Report)
by James G. Barr

Docid: 00017833

Publication Date: 1707

Report Type: TUTORIAL

Preview

Web sites are vulnerable and hackers are relentless. The discipline of business continuity is
designed to proactively protect enterprise assets, including Web
sites, against intrusion and to provide for strategic recovery plans in
the case of a disaster or breach. Potential intrusions are varied and require
effective preventive tools, including robust physical security as well as essential Web site protections such as firewalls, anti-virus software, and
intrusion prevention systems. Effective business
continuity for Web sites also requires redundant systems and software and recovery
plans that are regularly reviewed, updated, and tested.

Executive Summary


Business continuity plans for Web sites are designed to protect
sites from a variety of threats and disruptions – as well as to restore key
business functions in case of a breach.


Although effective business continuity is critical for Web sites,
plans should not stand alone; instead Web site continuity should be a part of an
organization’s overall business continuity planning strategy. Threats to Web sites are
real, with malware reportedly found on some of the largest and most trusted
sites. Business continuity plans for Web sites attempt to prevent deliberate
attacks, provide redundancy against accidental failures, and limit the impact of
any problems that do occur. Plans should also consider vulnerabilities posed by
application code, especially custom code. Application code weaknesses are so
significant that they’ve become one of the hackers’ two favorite targets. The
other favorite? Careless habits of insiders. In addition to protecting against
intrusions, recovery plans must be written to support applicable public and
private compliance requirements. To be comprehensive, strategies must address
security issues, procedures, equipment and software problems, telecommunications
issues, and data loss. Security and intrusion prevention have become the keys to
successful and uneventful Web site management.

There are many techniques available for providing Web site continuity, including the use of a separately located hot site and the use of
multiple sites configured for load balancing. Regardless of the techniques
employed, a significant amount of communications, hardware, and software
redundancy is needed to provide seamless continuity in the face of any type of
situation that could arise. In order to contain costs, some organizations will
identify the greatest vulnerabilities and craft policies that address them,
while tolerating some risk of a short-term performance lag or outage. However,
organizations whose businesses depend heavily on their Web sites may not be able
to make such compromises.

Description


Effective business continuity plans are designed to ensure the
continued operation of critical business functions in the event of a disaster. Unfortunately, for a business-critical Web site, almost any situation resulting
in "downtime" could constitute a disaster. For this reason, continuity
planning must cover a number of scenarios ranging from short-term outages to
full-scale disasters. Such scenarios include:

  • Physical disasters such as fires and hurricanes.

  • Major thunderstorm activity that can down power and telecommunications
    lines.

  • Malicious attacks such as internal/external sabotage and theft.

  • Non-malicious events such as LAN/WAN failures, problems with
    hardware/software maintenance or migration, and disruptions caused by a
    partner or supplier such as cloud-host failures.

  • Sudden loss of key Web site support personnel through illness, injury,
    resignation, or termination.1

Maximizing continuity entails implementing measures to prevent
Web site outages and ensuring redundancy in case of an outage. Prevention
focuses on using security measures to eliminate or reduce Web site threats.
Security measures include the use of anti-virus software and intrusion
prevention systems; routine maintenance, including testing and installing
patches; and physical security, from fire suppression systems to
industrial-grade room locks. Redundancy focuses on providing a secondary switchover system
in the event that the primary system experiences an outage – whether it is scheduled or
unexpected. In the past, such systems were used primarily in the event of a
disaster, but today they are also commonly used during brief, scheduled outages,
such as those needed for upgrades and other site maintenance.

True continuity is possible only with redundant systems that can be
activated quickly if primary systems fail. One approach to redundancy is to
spread Web sites across multiple Web servers and, where possible, multiple
Web-serving sites. This distribution philosophy can provide fault tolerance for Web
server failure, as well as permit load balancing to enable consistent
performance for the customer. In addition to prevention and redundancy, business
continuity plans should detail the recovery processes and list action steps to
take in response to an emergency. Recovery plans must also address
compliance requirements for mandates such as the Sarbanes-Oxley Act (SOX) and
the Health Insurance Portability and Accountability Act (HIPAA).

Other considerations include recovering from malicious acts such
as distributed denial of service attacks (DDoS). These attacks have been known
to compromise enterprise sites regularly. A DDoS attack involves flooding
one or more target computers with false or spurious requests, thereby
overloading the machines and denying service to legitimate customers.
Additionally, Web site administrators and business continuity planners must
concern themselves with software- and data-corrupting viruses and worms that can
damage or destroy site content or backend database information.

Non-malicious disruptions can also wreak havoc.
In one instance, a data center migration disrupted more than 100,000 Web sites. At that time, a managed
hosting organization alerted its customers to a planned data center migration
that would require customer sites to be offline for one day; however, due to
unexpected problems, some were down for over four days. Having an effective
business continuity plan was critical for those Web sites.

Current View


In terms of Web site continuity, today’s business continuity planners are
focused on a variety of issues, notably cybersecurity, capacity planning, and
recovery tolerances. 

Cybersecurity. The concepts of business continuity and security are closely
intertwined. Whether an attack comes through hacking, viruses, or a
denial of service, sabotage is a constant threat to business Web
sites. In establishing a business continuity plan, administrators need to ensure
that Web site security receives adequate attention:

  • Access rights should be granted on a need-to-know basis.

  • Security patches should be tested and applied as soon as
    possible.

  • Sensitive or confidential data should be encrypted.

  • Web servers, network equipment, and other infrastructure
    components should be physically protected.

  • Security/disaster recovery best practices should be implemented as recommended
    by organizations such as the SANS Institute, the International Organization for
    Standardization (ISO), and the BSI Group.

  • Network security should be audited on a regular basis by
    someone who specializes in intrusion prevention.

Capacity Planning. Any Web site can be susceptible to sudden, and
often unpredictable, spikes in activity. A better-than-expected marketing
campaign can potentially turn a site servicing hundreds of customers into a site
servicing thousands. Unless Web site capacity keeps pace with customer
load, performance can suffer. Just as with security concerns, business
continuity planners should try to ensure that system capacity is monitored,
bringing sufficient resources online before they are necessary.

Recovery Tolerances. Although informational Web sites can usually
endure longer downtimes than commercial sites, either type of site needs to
implement a backup and recovery strategy in case of an incident. Depending on
recovery time objectives, tape backup, electronic vaulting, and hot backup are
some options.

Retail Resiliency. Owing to their contributions to enterprise "bottom
lines," retail-oriented Web sites demand special attention. Analysts Gary Hinson and
Dejan Kosutic assert that "A
well-engineered, high-volume retail [Web site] … will be configured to maintain
24×7 service even though the individual systems and network components may be
overloaded, attacked, fail, or be taken out of service for backups, maintenance,
and upgrades. Distributing the web traffic across physically diverse data
centers that share the front-end load and synchronize the back-end database
reduces the reliance on the component parts and increases resilience."2

Outlook


Among the factors influencing the future of Web site continuity planning will be
"hacktivism," social networking, and continuity funding.

Hacktivism. Traditionally, Web site hackers have been motivated by:

  • Monetary gain, stealing and reselling customer information and other
    proprietary data.
  • Vandalism, as a demonstration of their ability to disrupt, however
    temporarily, the business interests of a major corporation.

In recent years, however, a new form of hacking has emerged. Dubbed "hacktivism,"
the hacker targets specific Web sites in furtherance of a
political agenda. With the revelations about US and Israeli
involvement in the development and deployment of the Flame and Stuxnet cyber
weapons, it becomes easier for "hacktivists" to claim that what is good for
government is good for them. By applying this perverse logic, many more
hacktivists may decide to wage cyber war against Web sites belonging to
enterprises – and governments – with which they have some grievance.

Within certain industrial sectors, continuity planners will be forced to "ramp
up" their Web site recovery capabilities. These sectors include:

  • Finance
  • Healthcare
  • Energy
  • Government (Public Sector)

Social Networking. In an effort to increase their exposure to customers – and prospective
customers – many enterprises have established a presence on social
networking sites such as Facebook, LinkedIn, and Twitter. In the
event of a Web site outage, enterprise officials can leverage these sites to
maintain contact with critical customers and business partners. A Web Site
Business Continuity Plan should include a list of customers and business
partners addressable through Facebook, etc. It should also contain sample
statements designed to address the following:

  • What happened (to the enterprise Web site)?
  • When will the site be restored?
  • How should customers and business partners communicate with the enterprise
    while the Web site is down? (This element should be part of the
    organization’s Service Disruption Policy.)

Social networking outreach should be coordinated with other alert
mechanisms, such as e-mails and instant messages (IMs). The goal is to assure everyone that while the enterprise Web site may be down,
the enterprise itself is up and running.


Funding Web Site Continuity.

Finding funds is always a
challenge, but during tight economic times, budgets for business continuity and
disaster recovery may be cut back. Management and planners should be aware that
cutbacks for backup systems and sites could result in differences between the
current production system and the recovery site. A mismatch would be a
problem for all organizations, but especially for those with mandated compliance
requirements.

Recommendations


Business Continuity Standards

Whether for Web sites or any other business continuity application, business
continuity planners should function according to the provisions of recognized
and respected business continuity standards, such as ISO 22301:2012: Societal security — Business continuity
management systems — Requirements and ISO 22313:2012: Societal security
— Business continuity management systems — Guidance.

ISO 22301:2012 specifies requirements to plan,
establish, implement, operate, monitor, review, maintain and continually improve
a documented management system to protect against, reduce the likelihood of
occurrence, prepare for, respond to, and recover from disruptive incidents when
they arise.

The requirements specified in ISO 22301:2012 are
generic and are intended to be applicable to all organizations, or parts thereof,
regardless of type, size and nature of the organization. The extent of
application of these requirements depends on the organization’s operating
environment and complexity.

ISO 22313:2012 for business
continuity management systems (BCMS) provides guidance based on good
international practice for planning, establishing, implementing,
operating, monitoring, reviewing, maintaining and continually
improving a documented management system that enables
organizations to prepare for, respond to and recover from
disruptive incidents when they arise.

ISO 22313 is generic and applicable
to all sizes and types of organizations, including large, medium
and small organizations operating in industrial, commercial,
public and not-for-profit sectors that wish to:

  • Establish, implement,
    maintain and improve a BCMS.
  • Ensure conformance with the
    organization’s business continuity policy.
  • Make a self-determination
    and self-declaration of compliance with this International
    Standard.3

Guidelines for Web Site Business Continuity Plans

Integrate Business Continuity Plans.

A Web site continuity plan should be part of – and consistent with – the
organization’s overall continuity planning strategy. A Web site problem could be
part of a disaster affecting the entire organization, an isolated Web site
incident, or a Web site intrusion affecting all or part of the entire
organization. The integrated Web site/enterprise plans should address IT-related
issues, potential physical damage to the facility, compliance requirements, and
employees’ continuity issues.

Review and Revise Plans.

As with any business continuity plan, a Web site plan should be reviewed and revised on a regular basis. Importantly,
any significant changes in an organization’s management, policies, or technology
should trigger reviews of business continuity plans and appropriate revisions. Frequent updates keep plans current to
"today’s" organization.

Conduct Regular Web Site Recovery Exercises.

Test plans regularly
with routine recovery exercises; the recovery process should include test
restores from backups. The focus of the recovery exercises should also include
help desk and other customer support staff; these individuals can help to keep a
temporary Web site outage from becoming a long-term crisis.

Review Partners’/Suppliers’ Plans.

Since partners and suppliers are
part of an organization’s extended business, it is important to know their
business continuity plans. Are their plans at the same level of preparedness as
the organization’s? How will partners/suppliers communicate with the
organization in case of a disruptive event? It is important to work with partners
and suppliers to ensure that they meet the organization’s business continuity
requirements.

Create a Service Disruption Policy.

A
service disruption policy is aimed at retaining customer confidence in the event
of a Web site outage. This policy should indicate how customers may communicate
with the company if Internet service is interrupted. The policy should also seek
to reassure customers that personal or confidential data is safe despite the
disruption. 

Options for Redundancy

Consider Multiple Servers, Multiple Sites.

Establishing multiple Web servers on multiple sites can be a useful tool in maintaining
Web site
continuity. Single points of failure can be eliminated by using a failover
mechanism that enables one Web infrastructure component to take over for a
failed one. It is important to remember that telecommunications lines are
another potential cause of Web site outages. Organizations may elect to have
multiple Internet connections for their Web sites, possibly even using
connections from separate providers.

Consider Outsourcing. Third-party Web hosts offer the advantage
of pre-built data centers with environmental controls, physical and virtual
security, redundant hardware and network connections, and round-the-clock
staffing. These organizations will handle all the updating and maintenance of
the redundant environment, taking this burden off customers’ shoulders. With the
complexity of today’s Web hosting environments, using a third-party service can be the best – and often most affordable – option for a large number of customers.

Consider Co-Location.

Organizations that do not wish to fully
outsource their Web site hosting operations may be interested in co-location, an
increasingly popular approach in which a customer stores its servers and other
equipment at a third-party data center but is responsible for managing that
equipment. This provides the direct control that is not available with
conventional hosting services while offering the benefits of a
professional-grade data center that is located separately from the customer’s
primary equipment, and that is therefore protected from fires, power outages,
and other disasters that affect only a limited geographic area.

When evaluating a hosting or co-location service, prospective
buyers should consider the following:

  • The hosting center’s physical location

  • The monitoring and troubleshooting services available

  • Environmental controls

  • Physical security measures

  • Virtual security measures

  • Bandwidth available

  • The time it will take to activate a redundant system

  • Service level agreements


Consider a Hot Site.

A hot site is a fully-functional, but
dormant, Web site that resides on a separate Web server or server farm. Hot
sites have no connection to the production Web site and therefore will remain
unaffected by production site problems; in many cases, hot sites are located in
different geographic areas in case the primary site’s problem is caused by a
power outage, storm, or other regional event. Hot sites can then be activated if
the production Web site is ever compromised or if the main site must be taken
down for maintenance. Hot sites are designed to be ready for near instant
activation as soon as they are needed. Consequently, they require regular
updating to ensure that they have all current data and site configurations. In
addition, they require completely redundant hardware and networking capacity.
The cost of such redundancy and of regularly updating the hot site makes this
option cost prohibitive for certain purposes. Hot sites are most appropriate for
large organizations that can afford the cost and for e-commerce operations that
rely on their Web sites for the bulk of their business activities.

Return on Investment

While business continuity planning has some inherent value, the
level of planning as well as the resources applied to it are subject to the same
cost/benefit analysis as any other corporate venture. Business continuity
planners, therefore, should determine the return on investment (ROI) as part of
their strategy. Critical considerations include the following:

  • Who are the customers? Does the Web site serve internal
    employees or external customers such as corporate clients and business
    partners?

  • How much revenue, if any, does the Web site generate?

  • How long can the Web site be down? How long before
    customers begin to lose confidence? How long before they defect to other
    companies and other sites?

  • If the company Web site is down or disabled, do customers
    have any recourse for conducting time-sensitive business, such as access to
    an 800-number or a service center?

  • What data is accessible through the Web site? Proprietary
    product data? Customer personal data? Business partner data?

  • What would be the impact if that data were changed or
    stolen? What are the financial, legal, and regulatory implications of such
    an attack?

Application Code Protection

Application security begins
with secure design and code; penetration testing and code reviews should take
place during the development process. To strengthen existing applications,
conduct code reviews and fix vulnerabilities identified in the reviews. Using
application firewalls is another preventive method with several lines of
defense; application firewalls can protect against injection attacks, block
DDoS attacks, and monitor access control. Firewalls should also support
integration with identity and access management systems, be compatible with an
organization’s network, and log traffic.

Web Security Checklist

A secure Web site requires a layered approach to
security, with multiple
barriers to intruders attempting unauthorized access. Taking these basic steps
will help ensure that a Web site is more difficult to breach.

  • Test and apply all general application patches when they become available.
    See that patches are installed properly so that poor installation does not
    cause other problems.
  • Delete hidden directories from the Web root of the Web server. If hidden
    directories are needed, protect them through authentication mechanisms.
  • Store only publicly viewable content on the Web server.
  • Frustrate dynamic vulnerability attacks by analyzing the site’s link
    structure and removing from public access any links that are not
    needed.
  • Install a firewall and see that the rule set within the firewall provides
    needed protection.
  • Provide security awareness training to users, monitor and retrain
    individuals, if necessary.
  • Protect existing Web applications against their known vulnerabilities
    with Web application firewalls, application source code testing tools,
    Web application scanners, and application penetration testing tools.
  • See that all new Web applications are written by
    developers who have proven skills in writing secure code.
  • Scrub the Web site of all references to data center locations, or the
    location of data center infrastructure. Why make it easier for
    individuals to compromise data center – and Web site – operations?

Site Monitoring

According to the Aberdeen Group, "A delay of just six seconds
versus five to download a page can impact visitor conversions to sales by seven
percent, page views by 11 percent, and customer satisfaction by 16 percent."

To receive early warning of Web site problems, employ a site monitoring
service like AlertBot. AlertBot is a Web site and Web application monitoring service that allows clients to track the availability and
performance of their public Internet services from around the country, and
around the world.

Status Code 503

Enterprise Web site users – not least of them Google – need to
know when a Web site has been taken down; site operators can signal this by
configuring the site to return a Status Code 503 page. As analyst Taylor Vowell explains: "When your site goes
down due to any reason, and your pages aren’t accessible any longer, you need to
inform your visitors what is going on, but more importantly you need to let
Google know what is going on. The 503 Code tells Google that your ‘Service is
Unavailable.’ This is Google’s recommended solution for planned site downtime."4
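One way to put this recommendation into practice, added here as an example and not code from the report: a small WSGI wrapper that answers every request with 503 Service Unavailable (plus a Retry-After header) while a maintenance flag is set, while still letting a monitoring health-check path through. The application, paths, and flag file name are assumptions made for the illustration.

```python
"""Planned-downtime handling for a WSGI site: while a maintenance flag is
set, answer with HTTP 503 Service Unavailable and Retry-After rather than
a 200 "we'll be back" page (which search engines would index) or a hard
connection error. Added example; app, paths and flag file are constructed.
"""
import os
from typing import Callable, Dict, Tuple

# Hypothetical flag file an operator creates before a maintenance window.
MAINTENANCE_FLAG = "/tmp/site-maintenance.flag"

MAINTENANCE_BODY = (
    b"<!doctype html><title>Service Unavailable</title>"
    b"<h1>Planned maintenance</h1>"
    b"<p>The site is temporarily unavailable. Please try again later.</p>"
)


def flag_file_is_set(path: str = MAINTENANCE_FLAG) -> bool:
    """Maintenance is on while the flag file exists (no restart needed)."""
    return os.path.exists(path)


def maintenance_middleware(app, is_down: Callable[[], bool],
                           retry_after_seconds: int = 3600,
                           exempt_prefixes: Tuple[str, ...] = ("/healthz",)):
    """Wrap a WSGI app so that, while is_down() is true, it returns 503.

    - Retry-After (standard for 503) tells crawlers and clients when to
      come back, so the site stays indexed instead of looking gone.
    - Cache-Control: no-store keeps proxies from caching the outage page.
    - Exempt prefixes (e.g. the monitoring health check) still reach the
      app, so a monitoring service can tell planned downtime from failure.
    """
    def wrapper(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if not is_down() or path.startswith(exempt_prefixes):
            return app(environ, start_response)
        headers = [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(MAINTENANCE_BODY))),
            ("Retry-After", str(retry_after_seconds)),
            ("Cache-Control", "no-store"),
        ]
        start_response("503 Service Unavailable", headers)
        return [MAINTENANCE_BODY]
    return wrapper


def production_app(environ, start_response):
    """Stand-in for the real site (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"welcome"]


def call(app, path: str, method: str = "GET") -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app with a minimal constructed environ; return the reply."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_NAME": "example.test", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    down = {"flag": True}   # in-memory stand-in for flag_file_is_set()
    site = maintenance_middleware(production_app, lambda: down["flag"], 600)
    print(call(site, "/")[0])          # 503 Service Unavailable
    print(call(site, "/healthz")[0])   # 200 OK
    down["flag"] = False
    print(call(site, "/")[0])          # 200 OK
```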

"Dark Sites"

While business continuity planners concentrate on protecting enterprise Web
sites from infrastructure disasters and other threats, they also recognize the
Web site as a vehicle for enabling recovery operations, which, one could argue,
renders Web site continuity doubly important. Specifically, some business
continuity planners elect to establish an enterprise "dark site," a shadow Web
site that may be activated on the occasion of a disaster, and function as a
disaster information center for enterprise employees, customers, and business
partners. Equipped with collaboration tools like Microsoft SharePoint, the
dark site can operate like a virtual headquarters, not only facilitating
recovery efforts, but allowing enterprise employees to stay in touch with key
customers and other stakeholders.

To ensure availability after an enterprise disaster, a dark site may be
hosted in one – or more – public clouds.

Content Curation

In the interest of enterprise promotion or
transparency, Web sites are often overbuilt, becoming indiscriminate dumping
grounds for all – or nearly all – enterprise information. This practice
has the effect of:

  • Diminishing Web site navigability, rendering essential information hard
    to find.
  • Decreasing security, exposing more information to theft or manipulation.
  • Complicating continuity, as large, loosely-integrated Web sites are more
    error prone.

In the interest of Web site security and continuity, in particular, the
process of populating Web sites should be carefully scrutinized. As analyst Kari
Kraus observes about enterprise information in general, "tough decisions need to
be made, early on, regarding what needs to be saved." Borrowing a term employed
by the arts community, "We must replace digital preservation
with digital curation."5

Mobile Apps

Mobile apps (m-commerce) are starting to supplement – if not displace –
mobile websites (e-commerce), especially in the retail sector.

According to analyst Tyler Moore, a mobile app "can improve [an enterprise’s] marketing reach, and provide a
unique channel for attracting new customers or engaging with existing customers.

  • "An app can attract new customers through the app stores.
  • "An app can take advantage of phone and tablet hardware.
  • "An app can provide a unique experience to your customers.

"A mobile website is a great way to start a relationship with a customer, and
an app can deepen existing relationships."6

Recognizing this phenomenon, business continuity planners should extend their
Web site plans to protect mission-critical mobile apps.

About the Author


James G. Barr is a leading business continuity analyst and business
writer with more than 30 years’ IT experience. A member of "Who’s
Who in Finance and Industry," Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business BY
Really Trying, a member of Faulkner’s Advisory Panel, and a senior editor
for Faulkner’s Security Management Practices. Mr. Barr can be
reached via email at jgbarr@faulkner.com.
