Why cloud should be part of your disaster recovery strategy


With cyber attacks frequently making headlines, and the General Data Protection Regulation (GDPR) coming into force last year leading organisations to look closer at how they securely store data, it's understandable that businesses are making disaster recovery and business continuity a high priority.

At one end of the scale, unplanned downtime can lead to a drop in productivity and a heavy cost - it's estimated that, depending on the size of the organisation, a one-hour outage could cost a business as much as 100,000. At the other end, there's the potential for data loss or theft, opening up the business to legal and financial ramifications and reputational damage.

There's also the pressure of keeping an 'always on' service. Analyst firm Gartner notes that with the rise in digital business initiatives and online interactions, IT availability requirements are being driven towards 100%. To minimise the impact of failures, business recovery time objectives (RTOs) are dropping from days to hours.

In a worst-case scenario, IDC research director Phil Goodwin says that somewhere in the neighbourhood of 80% of organisations without a disaster recovery plan in place will fail entirely in the face of a disaster.

Disasters can take a wide variety of forms. Often natural disasters such as floods or storms come to mind, but more often than not, the ones businesses face are man-made, taking the form of human errors or cyber attacks. But even small disasters can lead to long outages.

Organisations should prepare for all contingencies, and a solid disaster recovery plan aims to determine how a business responds to and mitigates against unplanned downtime in myriad ways, including data protection and backup.

Is cloud-based backup becoming the norm?

For many years, larger enterprises have recognised and responded to the potential impact an IT failure could have, investing heavily in solutions - including those based on cloud technology - to protect against disasters. This has led to a dramatic drop in the price of reduced storage and backups, making cloud-based solutions more accessible, especially to the SMB market.

"Until recently, disaster recovery didn't get the attention it deserved from businesses because of the cost and complexity of doing it right. Moreover, business units didn't see a direct benefit from disaster recovery - until a disaster occurred," says Wayne Horkan, an executive on the Institute of Engineering and Technology's (IET's) information and communications sector.

"With the emergence of cloud computing, there are now full-blown disaster recovery solutions available to small, medium-sized, and large businesses alike that help companies reduce costs without sacrificing service. Businesses today are more comfortable with replicating their data to the cloud. They understand its usefulness and ease of access."

Disaster Recovery-as-a-Service (DRaaS)

Cloud-based services are making businesses rethink their traditional data protection and disaster recovery plans because, given strong connectivity, they can help reduce data centre infrastructure costs and complexity. It's in this area that vendors are seeing a growing interest in cloud-based solutions such as Disaster Recovery-as-a-Service (DRaaS), where applications and data are copied to and stored on the provider's infrastructure in the cloud. If a catastrophic failure occurs, the backup can simply be activated and pressed into action within minutes.

"A natural progression in business continuity would be to extend beyond cloud-based backups into cloud-facilitated DRaaS options," says David Bird, editorial contributor for BCS, the Chartered Institute for IT. "Financially, it certainly might appear to be a more viable option compared to using traditional mirroring/replication models to a failover hot site."

Big names like Amazon and Microsoft are already in the game and Gartner is seeing the DRaaS market becoming increasingly commoditised, with 25% year-on-year growth expected for the coming years.

It can be a minefield for businesses though, as hundreds of vendors are offering a wide range of DRaaS options from fully managed through to self-service models.

"There's a tremendous amount of competition and variability," notes Goodwin, whose focus at IDC is on cloud data management and protection. "There are organisations at one end of the spectrum that do little more than provide on-demand services and from there it's entirely 'build your own'. Then there are what we call 'white glove' suppliers who come in and do threat analysis, [and will] be there for every step. Of course, there are many variations in-between."

How to decide if a cloud-based option is right for you

Whatever the size of your business, it's important to do your research before implementing a cloud solution; as with any technology, it has its pros and cons. Not all cloud-based DR solutions are the same or work the same way. In many circumstances, the best disaster recovery solution is a hybrid of cloud and on-site technologies.

On the plus side, cloud-based data protection and backup offers reduced cost and improved agility and frees up the time of IT staff - instead of taking care of backup infrastructure they're free to focus on other aspects of the business.

It also enables organisations to recover their data quickly, negating the need to wait for on-premise servers to be recovered.

"It offers resilience, and if you spread it across multiple providers you're even more resilient," notes Stuart Mackintosh, chair of OpenUK, the free and open source technology industry association. However, he adds that if you do use multiple providers, there needs to be a degree of separation between them as many use the same back-end service.

Another advantage over older, hardware-based forms of DR is cost. With cloud, there's no need to set up failover systems and network infrastructure at a secondary site, or have the added cost of maintaining those systems. Instead, the DR partner manages the infrastructure - with the added benefit that businesses only pay for the storage capacity they need at the time, when they need to use it.

On the downside, cloud solutions aren't impervious to disasters of their own and you have to consider how your business will access the cloud if the disaster involves a lack of connectivity. Horkan also highlights issues around vendor lock-in and a lack of control.

"It can be difficult to migrate data to another cloud provider at a later date," he points out. "[Plus,] since data is held off site by a company you do not control, you lack the ability to control and customise your data storage set-up, an issue for larger businesses that have complex needs."

Do your due diligence

There are many issues to consider, but one of the main associated challenges is ensuring the requirements of the business are understood and the costs are accurately estimated. To get this right you have to do due diligence.

Mackintosh recommends businesses ask themselves the following questions.

"Ask yourself what you're trying to do, what you want the outcome to be. This is never 'having disaster recovery' - that's just a tool. You need to understand your RTOs and recovery point objectives (RPOs) and map these to your business objectives. Are you looking at restoring all services? How much data can you lose?

"Also ensure vendor transparency. It's easy to buy something off the shelf and tick a compliance box. Take responsibility and ensure you understand what's on offer. Finally, it's important to test your disaster recovery plan - it's only as good as your last restoration," he adds. "That's when you might find out you're not able to recover all the data you expected to. Or, in the case of big data, you might discover that it takes a week to restore all your data!"

Much depends on the cloud provider and on the SLAs involved. Can they guarantee high availability? What recourse do you have if they fall short? Will there be contention, or will your applications get the resources they need to run effectively? If businesses can get satisfactory answers to these questions, a more resilient infrastructure is within reach.

This article was originally published in February 2018, and has since been updated to include additional information.

Keri Allan

Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.