Don’t Be Fooled About Cloud Disaster Recovery

If I ever had any question that confusion still exists about the benefits and drivers for cloud disaster recovery as a service (DRaaS), the results of a recent survey commissioned by Sungard Availability Services* have settled that. There is clearly confusion – a lot of confusion. The results of the survey are interesting in that there is little consensus among the responders:

• 40% said that a faster recovery time objective (RTO) was a great benefit of cloud disaster recovery. BUT 27% said a major downfall was slower recovery times. Well, is DRaaS faster or slower?
• 13% of respondents said that a key benefit was increased security. BUT, almost 39% complained that one of the downfalls was decreased security. Which is it … is cloud disaster recovery more or less secure than more traditional on-premise recovery methods?
• 26% indicated that higher performance at a lower cost was a definite benefit. BUT, 14% said cloud disaster recovery was less cost effective. So, is cloud disaster recovery cheaper or more expensive?

Now, these results would be understandable if they were from the “unnamed masses.” However, the survey was very targeted and specific. These responses are from 276 IT professionals: men and women who are technology experts and who live and breathe IT every day. If there is this much ambiguity among IT personnel about cloud disaster recovery, I can only assume that this confusion is even greater among business stakeholders and, in many cases, decision makers.

Here are some thoughts that can bring clarity to the confusion about each of the above points.

Get specific about required recovery times Praising cloud disaster recovery as “fast” or complaining that it is “slow” is not meaningful. What does “fast” look like? What is “slow” in comparison to? The truth is, Recovery Time Objectives (RTOs) for recovery to the cloud can vary significantly depending on the underlying data protection methodology, recovery technology, application complexity, and amount of data.

Given these variables, you need to make cloud recovery choices based on what you need:

• What are your business tiers?
• Which applications are business critical so that you need to bring them up as quickly as possible?
• Which applications are less critical and can therefore take a longer time to restore?

Once you have established your desired RTOs by application, you are equipped to discuss with prospective cloud providers whether they can meet your requirements and provide the appropriate solution for your recovery needs. With a cloud provider who can deliver what you want, questions of “fast” or “slow” disappear: recovery happens right on time. Understand the shared nature of security responsibilities Security is another aspect to DRaaS that is not all-or-nothing. The key question to address is how much of the security function will be managed by your provider and how much you are retaining responsibility for. For example, say that you have a failover. Once your recovered environment is handed over to you, do you have the responsibility to recovery your antivirus software and data loss prevention systems, or is application and data security handled by your cloud recovery provider?

When you evaluate your cloud DR service provider, some of the criteria to consider include:

• Security and compliance controls at the infrastructure and network access level
• Controls to ensure that one customer cannot access information from other customers in shared, multi-tenant environments
• Encryption of both data in motion and data at rest
• Authenticated access and auditing of access
• Compliance with regulations such as PCI and HIPAA

Clearly delineating responsibilities and ownership of security functions is critical; otherwise, you may be exposed and not even realize it.

Recognize that there is an inverse relationship between cost and risk Last, but not least, how do costs factor into your decisions? From a recovery perspective, ideally, there would be no variance in what you want, what you need, and what you can afford. The reality, though, is that you are often faced with shrinking budgets and increasing demands from your business stakeholders. That’s why it is crucial to understand your business application recovery tiers based on the impact of downtime to your business. You can then work with a cloud recovery provider to determine the optimum solution with the right technologies and products for your various tiers.

For example, for mission-critical tiers such as online transactional systems that support your customers, you will need near-zero recovery times – and the associated high price point will be justified by the cost of downtime. However, for less critical applications, your recovery solution might include leveraging a shared infrastructure and recovery times measured in terms of days, not hours … all of which come in at a lower price point.

There is a trade-off between the level of risk you want to take and the investment you want to make in the various parts of your recovery program. Ideally, you want a DRaaS provider who can offer a comprehensive solution with multiple recovery options that can be tailored to fit your budget.

Clarity in the cloud At the end of the day, the most important aspect of disaster recovery is whether your business applications are functional and your end user and consumer needs can be met. If you are considering cloud disaster recovery but have felt unsure about whether or how to proceed, I encourage you to spend time identifying the specific questions for which you need answers. Once you have those answers, you will find light cutting through the fog … and achieve clarity in the cloud.

*The survey, commissioned by Sungard Availability Services, was conducted by SurveyMonkey Audience. The survey reached 276 IT professionals and was completed in December 2014.