Bologna (Italy), October 3, 2019

Disaster Recovery: the approach and Solution as a Service developed by CRIF

For more than 30 years, CRIF has been among the most important players on a global level for credit risk assessment services and solutions for the banking and financial sector, managing large volumes of information coming from clients and authorities. The ability to guarantee a Business Critical service with high levels of reliability and minimal risk of unplanned interruptions is an absolute must. Furthermore, the type of data being processed exposes CRIF to the risk of cyber attacks.

CRIF Global Technologies has more than 1,200 employees, with skills in various IT sectors, including Technology, Security, Applications and Governance, training and developing talent in Italy and around the world. Within the context of its continuous investment in innovation and in line with the company’s mission and DNA, eighteen months ago, CRIF Global Technologies chose to design and implement an in-house Disaster Recovery as a Service solution for all the group companies.

We asked Carlo Romagnoli, Senior Director of IT Infrastructure & Operations at CRIF, to tell us about this project and how it has now become a solution for SMEs. Let’s start with how important it is in your sector to have a Data Recovery system.

Credit information is in itself a critical area for data management and for CRIF in particular, since we manage information which comes partly from public sources, but above all confidential information coming from the banking and financial sector. Any interruption to our services could partially or completely block lending by our bank and financial institution clients, for whom we are a “critical supplier”.

Well aware of this responsibility, CRIF Global Technologies has always paid close attention to service continuity in all its forms: creation of architectures which are redundant in every part and highly reliable, and specifically the utmost attention to data management. Indeed, CRIF has developed processes and procedures with the aim of comprehensively managing the data lifecycle: from security backups to duplicate copies stored in a certified off-site security vault.

Structured into hubs which are geographically spread across different continents, the CRIF Global Technologies division is able to offer a Disaster Recovery as a Service solution, which brings together and capitalizes on important investments and expertise in the sector. The service provides regular testing for the information systems of the individual countries that CRIF operates in, which provide an essential guarantee of reliability and solidity of the overall CRIF “ecosystem”."

What would the effects of data loss be for the business? What is the likelihood of such a serious event happening?

Nowadays, it is unimaginable to have a business without an information system: data on customers, employees, payments and internal data make up a fundamental part of any economic activity. The total loss of a company’s data could seriously compromise business operations, result in the immediate block of all functions, and generate a crisis leading to the total loss of turnover, regardless of the sector the affected company belongs to. In the case of partial data loss, the resulting impact may be reputational and, even if there is no immediate direct effect on turnover, it could have a devastating effect by undermining the trust of customers. Unfortunately, there are cases of companies without a Disaster Recovery system that are hit by disastrous events and are then unable to recover the business.

The chances of an event occurring that forces the activation of a Disaster Recovery service are relatively low, above all if the systems have been designed and implemented with the correct levels of redundancy and reliability. However, it is in any case necessary to develop a service of this type, precisely with the aim of protecting the business against a catastrophic event and preventing potential overwhelming negative effects.

It should be said that a Disaster Recovery service cannot prevent attacks by hackers, since the security of the information system is a very different matter. However, it is true that a Disaster Recovery service can be essential in the case of attacks that compromise data availability as it keeps an up-to-date replicate of the information, which is difficult to damage when faced with an attack on the primary system.

Based on your experience, do companies have effective data recovery systems available? How much would it cost for a small or medium-sized enterprise to develop a similar solution?

It would be difficult for an SME to develop such a complex project and service due to the limited available budget and financial investments, and to the IT skills required. It’s true that small and medium-sized enterprises have backup systems that are generally efficient, but not able to maintain business services in light of catastrophic situations. The cost of developing such a service in-house is closely related to the size of the company and the complexity of the information system: as a purely indicative estimate, the potential investment for a company could be around one million euros, added to which are the costs of maintenance and updating, regular testing, and above all the necessary in-house specialist skills. Taking these aspects into consideration, and in order to respond to the needs of companies, CRIF decided to offer its own Disaster Recovery as a Service solution to the Italian market, incorporating the skills acquired over the years and its solid infrastructure. In the present-day scenario, where data management has become central for almost every type of business, we believe we can make a contribution to data protection issues and to an efficient and reliable recovery process.

Is your Disaster Recovery as a Service solution now sufficiently developed to be offered to small and medium-sized enterprises? What makes it stand out?

The advanced Disaster Recovery as a Service solution developed by CRIF is based on the availability of a highly reliable data center, and on the appropriate technological and above all procedural and managerial skills that are essential to being able to tackle rare but devastating events.

Specifically, the service is provided through our Uptime Institute Tier IV certified data center, based in Italy. Every year, functionality testing is performed for each individual client, during which, CRIF makes the data center available, as well as the basic infrastructure: network, firewall, balancers, connectivity, servers and storage, while the client retains responsibility for the functionality testing of its applications. The activation methods for each Disaster Recovery environment is regulated by specific contracts.

The CRIF solution is based on several characteristic elements: hyperconvergence, software-defined networking, advanced data alignment technologies, and suitable bandwidth quality and quantity. Each Disaster Recovery environment is isolated in order to guarantee the necessary segregation; CRIF does not access any data as part of the management of these environments.

The effectiveness of a comprehensive Disaster Recovery system also requires a Disaster Recovery Plan, i.e. a manual with all the procedures necessary to activate and manage any crisis, based on the following scenarios: no-building (damage to physical structures), no-people (lack of personnel), and no-technology (when the information system is inactive or unavailable). For a company, it is not only fundamental to have the technological infrastructure necessary to deal with a major crisis, but it is also advisable to define the governance and procedures for activating Disaster Recovery. Normally the Disaster Recovery Plan does not include a procedure for the recovery of the service at the primary site, since the disaster scenario is not predictable. Therefore, the time frame and methods for any recovery must be studied according to the specific scenario. For this reason, once again, technological and managerial skills are even more essential and imperative.

For more information