Out of site: Risk preparedness
Out of site: Risk preparedness
Services abound for business continuity and disaster recovery in the cloud, but what's the right choice for your firm? Alan Earls investigates.
While high-profile outages from major providers within the past year have put everyone on notice that storing data offsite has not yet been perfected, the fact is that vast amounts of day-to-day business is now conducted using cloud-based resources. And despite some glitches, analysts say cloud-based DR is making inroads – particularly for the small and midsize business (SMB) market, but also, increasingly, for the enterprise.
Overall, the jury is still out on whether cloud computing models will help or hinder BC and DR efforts. “But, from what we know so far, there are a number of benefits,” says Patrick Potter, governance, risk and compliance strategist at Bedford, Mass.-based RSA, the security division of EMC. For example, Potter says distributed, diversified cloud support models can reduce the impact of regional disruptions from natural disasters, especially since it's likely that not all participants in the support chain are located in proximity to each other. “Thereby, they can continue supporting the IT infrastructure and business processes,” Potter says.
Also, because of the varied access methods available, such as via PCs and mobile devices, and facilitated by cloud structures, it is easier for users to access their BC/DR plans and applications they need to use. “These access methods are flexible, allowing users to get the information they need wherever they are – or are moving to – in response to a natural disaster,” says Potter.
From an industry perspective, cloud-based backup and disaster recovery (BDR) is a “good play for the SMB space because those companies are generally challenged to provide DR and backup using on-premises resources,” says Steve Brasen (left), managing research director of systems management at Enterprise Management Associates, a Boulder, Colo.-based consulting services firm.
In fact, he says, BDR is a subset of business continuity, which focuses not just on IT, but on all the things a business will need to operate. “A core precept of BDR is that you need your data in two places,” says Brasen. “The source data will be on-premises, and if the duplicate is in the cloud, it is remote, and you are covered.”
However, he says, SMBs have traditionally found it is costly and difficult to do actual archiving – with all the checks and balances – so these firms usually end up doing rudimentary backup rather than true DR. So, the advent of cloud BDR has opened the doors for these size organizations to extend their internal capability to the cloud. Now, they can have off-site backup at a reasonable price – typically provided on a subscription basis.
“That is the big step for smaller companies,” Brasen says. “If you only need your backup stored for immediate recovery, maybe a cloud-based service is the cheapest and easiest route.”
People are thinking much more about BC, rather than just DR, says Jason Buffington (right), senior analyst of data protection at Enterprise Strategy Group, a global advisory firm based in Milford, Mass. “Think of DR as data resilience, but not always with an immediate expectation of resumption of service,” he says. On the other hand, BC is where there is the assumption that – via automation or orchestration – a continuity of operations is available.
Buffington sees a large increase in organizations with BC initiatives – roughly twice as many currently as just pure DR initiatives. “This is a maturation point in the industry,” he says. “However, accomplishing BC with a mixed infrastructure – still based mainly on physical assets – will be more challenging.”
He says full virtualization is the best long-term approach because virtualized assets are easier to stand up again somewhere else, whether it is a do-it-yourself second site, a co-location facility or somewhere in the cloud. Buffington's reasoning also extends to what he says is the biggest reason for failures: lack of testing. “The average BCR plan gets tested once a year, if that, because it requires physical infrastructure,” he says. And, most companies don't want to invest in that much additional hardware. By contrast, virtualized and cloud-based BCR just requires more virtual machines. “That means you can test it more often and it helps you get the kinks out of the system so it will really work when you need it,” he says.
An even better option, in his view, is disaster-recovery-as-a-service (DRaaS). With this option, one can largely dispense with hiring expertise – it all comes with the package. “With DRaaS, we see people testing monthly or even weekly,” he says. And the cost is much lower than other choices.
Brasen says the bottom line in making decisions about whether – and how – to leverage the cloud comes down to assessing the reliability of one's existing infrastructure and determining whether a move to such a platform could improve reliability or provide similar reliability at reduced cost.
While he sees more providers moving to provide DR and BC services, the business model may be unsustainable. “Their costs are increasing in proportion to the amount of data,” Brasen says. He recommends companies implement “dedupe” – deleting duplicate entries from a list or database – and tiering strategies to ensure that the use of cloud resources remains cost-effective.
Companies that need to archive – for example, under HIPAA regulations – may want to implement tiering and then implement a cost-conscious, long-term solution, such as tape. “But even with tape, it is crucial to test periodically,” Brasen says. “That's the only way to make sure your investment will pay off.”