What's the difference between a managed and an unmanaged server?
Managed and unmanaged servers have a variety of features and benefits depending on the needs of each client.
In a managed environment, OGO takes on the primary responsibility of managing the OS level, patching (upon request), anti-virus, user management and security through Active Directory, and basic technical support for client issues. OGO’s managed server products work best for clients who have limited IT expertise, lack the redundant infrastructure internally, or who do not have the desire to manage and support some, or all, components of their service infrastructure. Most commonly, our clients use our managed environment to host online banking applications, public facing websites, and other critical applications.
In the unmanaged environment, the VM runs on the redundant OGO infrastructure, but OGO has no role in managing the server at all. The client is responsible for user configuration and management (for instance setting up their own Active Directory to control access), patching, and security. This level of service is comparable to what’s available through Amazon, Rackspace, and other providers by default. Unmanaged servers work best for technically advanced clients who understand the security ramifications of their application configurations, OS configuration, and access but want a fully redundant infrastructure by a trusted provider. Our most common uses of our unmanaged environment is by service providers hosting their sensitive applications in cloud and partners of OGO who have the technical expertise to mange their environment but don’t want the responsibility or costs of maintaining fully redundant compute, storage, and network environments in multiple data centers.
Why does my Cloudworks Virtual Desktop, VDI, session time out? Can it be changed?
Hosted Virtual Desktop sessions shouldn’t be extended. Users always want the desktops to be left unlocked forever, but that violates security practices as recommended by the NCUA, FDIC, DOD, and every security vendor in the market. One method of addressing this in the past was to explain the risks associated with an unlocked and unmanned workstation. Most employees state that they trust their coworkers and they don’t have access to anything that would be a problem…I give them the example of a coworker who is having a tough time or gets into trouble at the office and wanting to let off steam (without getting themselves into trouble), decides to use someone else’s email to send an unpleasant email to the CEO or the BOD. I have never found anyone who wants that email to come from their email address.
What does base image mean?
If you are currently using or plan to use some sort of electronic offsite data copy strategy than knowing what base image means is key. If you aren’t using or planning to use electronic storage then this probably doesn’t apply.
Every disk to disk or data vaulting solution requires you to establish a base line or your data. This occurs generally in the installation phase and is the process of taking a full copy of the systems you are trying to protect. Taking a clean base image and sending it to the offsite location, or hotsite, is a key part of the process. The base image is the crux of any offsite backup solution. Once this full copy of the data is created and sent offsite your backup location now has a full copy of the data you want to protect. At this point, your data vaulting or disk backup solution can take incremental backups. This occurs when at some interval, 15 minutes with the Replicator, the software takes a new picture or snap shot of the data and compares it to the base. Then it figures out what is different between the two images and sends a log of the changes to the backup solution. By identifying and sending just the differences you are able to have a much more efficient backup process. Essentially, many servers have operating systems and software that once installed never changes. Sending copies of that non-changing data is not needed.
Generally, when you need your data in a Disaster event usually the software will take the base image and then apply the differentials or incrementals. The combination of the base plus the incrementals is what gets your replacement server to be at the right place and time. It is the frequency of these base images and the ability to get them and retrieve them offsite that establishes the basis of your Recovery Point and Recovery Time objectives.
What is the difference between Disaster Recovery and Business Continuity?
Often times Disaster Recovery and Business Continuity are used interchangibly. In fact they mean very different things. However, if you are a smaller business or Credit Union and don’t have a lot of budget for creating redundant systems, having bench depth or where some interuption in your business would be impossible to work around (say a surgeon for instance) than the terms are mostly interchangible. If however, you have multiple business processes and lots of complexity in your business than the terms (and this blog) tend to mean a lot more.
Disaster Recovery is really about the process of recovering your production or normal environment once something bad happens. For example, say you have an event that knocks out power to your head quarters – Disaster Recovery would be the process of getting all of the things from the head quarters to work out of another location. It could mean relocating staff, rerouting phones, recovering servers or many other things. Ultimately though it is what happens following the catastrophic failure and the steps and processes that are followed to get back to normal.
Business Continuity on the other hand is really much more about what you do during the event. So, if you have redundancy built into your business processes and infrastructure than you can reroute website traffic or phones or other critical business process through your secondary solution. It can also be the manual processes that are employeed while the event is occuring. Say for example that a power outage knocks out your head quarters but Credit Union branches are still powered up. Business Continuity would apply to the manual processes that the branch staff might use to continue to take deposits and make loans while the either power is restored or another solution is found.
Ultimately – for complex organizations both plans are needed and important to keeping a business running. I also like to think of them as no different than having different marketing strategies to deal with new entrants vs. existing providers. Ultimately, we often need many routes and plans to ensure that we are able to meet the expectations of our members/customers.
What is a BIA, Business Impact Analysis?
As you look at your Business Continuity and Disaster Recovery Planning efforts, start at the core. Include all departments and functional areas in the Business Impact Analysis. Each of them outlines processes and functions within the area and ranks them according to criticality. The report describes potential risks, financial impact and outlines criticality of business processes helping determine needs/requirements to sustain the business even in a disastrous timeframe. Based on the outcome of this analysis, departments are able to focus on those areas in which documentation, cross training and additional planning are needed. Single Points of Failure can be identified and plans for resolution created. Data for the analysis is collected in a Workshop Environment with participants providing the following information:
Key Information to Gather
- Can the process be performed manually?
- Timeframe for severe impact to the Credit Union
- At what point will the member be impacted by the disruption?
- At what point will the member begin to lose confidence in the Credit Union?
- At what point with the Credit Union be at risk for increased fraud?
- Recovery Time Objective (RTO) – the period of time within which systems, applications or functions must be recovered after an outage.
- Recovery Point Objective (RPO) – the maximum amount of data loss an organization can sustain during an event (0 hours means that only the transaction in progress at time of the disaster could be lost)
- Systems and equipment needed to support the process
Processes are then ranked
A) Critical – Processes that MUST be online within a single day
B) Vital – Processes that can be restored tomorrow
C) Important – Processes that can take up to 3 days
D) Non-essential – Processes that can be a week or more
**Something to keep in mind – your business is constantly changing. Updating these changes in your BIA data is important. We help focus those efforts and update your reports on at least a bi-annual basis. This ensures you are meeting FFIEC requirements for the report.
Credit Union Pointers
Credit Unions generally have between 75 and 150 different business processes and should include at a minimum the following:
- ACH (Payroll)
- Online Banking
- Consumer Lending
- Mortgage Lending
- ATM Processing
- Debit Processing
- Credit Card Processing
Do you wonder about the next step to take after creating your business impact analysis? Does your management team or board not believe the financial impact based on your data? If you are looking to the answers to these or other questions related to Business Impact Analysis please contact us at firstname.lastname@example.org or by filling out this form on our contact us page.
What is a document imaging system? How do I back it up or move it to the cloud?
If you still think all legal documents should be in originals on paper than this isn’t for you. If your Credit Union has moved to electronic document delivery and are continuing to try and become paperless – than cloud and disaster recovery for your document imaging system are key issues.
What is a Document Imaging System?
A document imaging system takes documents, letters, notices, or plain text and stores the data & documents in a way that preserves the original integrity of the document/data and allows for easy searching and retrieval. These system can allow institutions to replaces large paper warehouses with electronic documents that are still kept secure and that meet legal requirements as original documents while taking up very little physical space and allowing quick remote access.
The challenge that is posed to both cloud and disaster recovery for document imaging systems come from the fact that these systems behave differently than many other applications in Credit Unions. First, in many cases, document imaging systems become they end point or electronic vault for all legal contracts and documents in the Credit Union. This essentially means that the data has to be kept very secure but also it means there is a lot of data. Often times this system alone can account for 40 to 50% of the Credit Unions data. Second, unlike most of the other Credit Union systems – the data doesn’t change minute by minute. Instead, documents get checked in and they sit forever. The loan document that you request three years from now should be the same as it was orginally. Finally, because the system has the features it tends to have proprietary hardware that is used to provide low cost storage, optical systems and other functions. In many cases, these systems can be complete stand alone networks, storage and servers from the normal operating environment.
If it is critical to have access to the document imaging system, as identified by a Business Impact Analysis, then there are several key considerations for recovering the entire system. First, you need a way to copy and replicate large amounts of data offsite affordably. Second, you need the ability to recover that data quickly should it be needed. The replicator can handle both of these problems. However, the replicator cannot handle the custom optical systems, worm drives, or scanning tools that may be needed. Almost all of our clients worry about recovering the data and are not concerned with getting new data into the system in a disaster.
If you are interested in moving your existing Document Imaging System to the cloud you will most likely need to find a hosting provider that can provide three or four components. First, a database hosting platform such as SQL, MYSQL, Sybase or something else. Second, you will need the application component which is probably made up of a Windows Server. Third you will need lot of inexpensive storage (something most cloud providers are very good at). Finally, you will need to make sure you have the bandwidth to upload documents and retrieve them efficiently. If you are loan officers are used to bringing up a 5 mb loan document image in seconds, you will need a lot of bandwidth to maintain the performance of LAN. Ultimately though the additional security features, disaster recovery capabilities and scale of a cloud platform should out weight the performance trade offs and enable you to move away from proprietary hardware and work arounds to have a fully electronic work place.
What is a loan decision system?
Loan decision system or Automated Underwriting System is a rule or criteria based logic system that can standardize the underwriting and approval of loans. Using decision trees and other logic rules these systems can completely automate the approval process or assist loan officers with underwriting loan applications. When combined with self service application systems a loan decision engine can approve and disperse a loan if all criteria is met. The loan decision system can help meet compliance needs by ensuring that risk based increases or discounts are being applied consistently as setup in the system. This allows for complex and competitive pricing while allowing loan offers to still focus on member service and sales.
What is a consumer lending system? How do I back it up or move it to the cloud?
If you are interested in learning about the what components make up a Consumer Lending System and how a Credit Union can plan to recover it in a disaster or how they can move it to the cloud – this blog is for you.
A consumer lending system provides all the components needed to process various consumer loans for financial institutions. The loans types vary by system but often include Auto, Home Equity, Credit Cards, Specialty/Personal, and possibly 1st or 2nd mortgages.
Newer system often try to automate the process for Members or Customers with self service web interfaces as well as workflows for internal loan officers. A complete lending system can automate the process from initial opportunity all the way to funding the loan with some systems even handling loan services which is usually an add on module. In additional to standard loan processing these system often include cross-selling and upselling related loan products like GAP, Credit Life & Disability, and various insurance products. All lending systems have some ability to reach out to 3rd party resources or receive data from 3rd party resources to complete parts of the work flow (like credit reports or identify/address verification systems) or pass on information (like in-direct lending interfaces or sending final loan information to document systems or servicing systems).
If lending is a key business process, as identified by a Business Impact Analysis, then there are several key considerations for recovering the entire process. Each business process will require some combination of people + process + equipment + data. Most likely you will need a location or
to send your staff to during an event. The hot site should have PCs, Phones and printers etc. ready and waiting for your staff. Your Business Continuity Plan should answer the process question of who does what during an event. Finally, you will need data and equipment piece answered. We recommend using the Replicator to take backups and get them offsite. In a disaster this will work well to recover the key IT systems needed to process consumer lending. In addition, you may need connectivity to things like the credit bureau or a document imaging system.
If you are interested in moving your existing Consumer Lending System to the cloud you will most likely need to find a hosting provider that can provide three or four components. First, a database hosting platform such as SQL, MYSQL, Sybase or something else. Second, you will need the application component which is probably made up of a Windows Server. Third, you will need connectivity to the credit bureau, credit card provider other third party and finally you may need either a permanent VPN to enable your local loan officers to connect to the cloud solution or a Virtual Desktop Environment should do the trick. All of these together should enable you to move the entire Consumer Lending System to the cloud.
How do I do a table top exercise?
Many times we get asked what the purpose of a tabletop exercise is and why a Credit Union should conduct one. To begin – if you aren’t interested in meeting your members expectations in an actual crisis event – than you shouldn’t bother doing one. If however, you believe as I do that it is often more important how you perform in the bad situations – than tabletops are essential to performing well when something bad happens.
The tabletop exercise is designed to exercise and practice a group’s response in a certain situation. We do these annually as a team event (for our clients) with participation from all departments and functional areas. They help create muscle memory and locate areas of improvement in planning and training. Think of these as something similar to a fire drill. You did them as a child, you continue to do as an adult and we’re all better prepared and familiar with what needs to be done.
The most important things to do are:
A) Have someone create a scenario and have them be the facilitator/observer throughout the event
B) Have all department heads and critical personnel present and participating for the entire event
C) Take notes of key decisions, problems that arise and missing steps
D) Remember to look at your business continuity plan during the event
E) Learn from the exercise by making a list of action items and plan changes and making sure you complete them.
F) Repeat with a new scenario
In addition – what we most regularly find that clients forget to do during an event or table top include:
A) Forgetting to communicate status on a regular basis to the whole group
B) Not making a decision
C) Not communicating clearly and consistently with members
D) Following their plan (strangely people regularly forget they have written down most of this before)
Are there applications that don't work in the cloud?
Every business has a variety of applications they use on a daily basis. These can range from time card systems to account platforms to in-house custom solutions. Generally speaking, any client-server application works great in a virtualized environment. This includes most web-based applications utilizing a database backend. Common examples would include most web CMS’s (such as WordPress, Drupal, DotNetNuke, etc), networking tools such as SolarWinds, Splunk, and other business tools like SugarCRM and SharePoint.
The applications that struggle in a virtual environment tend to be the applications that were not meant for true client-server use or mutli-users. A common example of this is QuickBooks. Other programs that use proprietary database and flat file structures. especially older ones. also suffer this same fate. Some applications that use external devices such as bar code readers. thermal printers. etc struggle on a virtual environemtn but these issues can commonly be overcome by working with a strong support team. Overall, most up-to-date software applications perform without issue in a virtual environment.
The most popular applications Ongoing Operations has seen in the cloud include Jwalla, CheckAlt, SQL, Exchange, Lync, Dynamics, Quickbooks, Great Plains, and many standard client server configurations.