More attention has been paid to the cloud and its potential than any single technology since the advent of the Internet, and it’s tempting to dismiss yet another article on cloud benefits as another artifact of the enormous hype that has surrounded cloud-based technologies. But cloud-based disaster recovery (DR) is an approach to creating a disaster recovery plan that provides real benefits in cost, simplicity, flexibility, and effectiveness.
The cloud offers an entirely new level of effectiveness for DR because cloud-based recovery does not rely on an already-compromised data center to execute the recovery process. On the contrary, cloud DR plans, like much of cloud computing, is based on virtualization, so that the entire system, from the server – along with its operating systems, patches, data, and applications – is loaded onto a virtual server, which itself might be a distributed, redundant cluster. The system components once virtualized and bundled, can be copied onto a virtual host in mere minutes, significantly reducing recovery times when compared with disaster recovery that takes place in traditional, physical data centers.
In addition, cloud service providers ensure your data is SSL-encrypted in transit or at rest, provide state-of-the-art firewalls, access control, intrusion detection, auditing and monitoring, and on-site patrols to prevent physical site intrusion.
Types of cloud solutions
The cloud solutions types can vary but they usually follow one of the following models.
- Public: In a public cloud solution, the infrastructure is owned by the cloud service provider (CSP) and the system is accessible via the Internet. One prominent and well-known example of public cloud solutions is Amazon AWS. A public solution, where infrastructure is provided by the CSP, provides effective data services and disaster recovery in an affordable environment.
- Private: A private cloud solution is a system operated by or for a single organization. It is maintained within the organization’s firewall and must be accessed by a direct connection. A private cloud will be more expensive to set up but will be highly flexible and tuned to an organization’s needs. However, because of the private nature of this type of cloud solution, lack of in-house cloud expertise can result in the solution having some of the same vulnerabilities as an in-house data center, such as inadequate planning or unavailability of key personnel when disaster strikes.
- Community: A community cloud is basically a private cloud shared among multiple organizations. This is a compromise solution that can somewhat ameliorate the risks and costs of strictly private or strictly-public solutions.
- Hybrid: A hybrid cloud solution is when an organization combines more than one of these solutions, assigning different types of cloud solutions to different functions within the company or organization, basing the decision on the sensitivity and hierarchy of the data, and the resulting variable needs for recovery in case of disaster.
Reasons for cloud-based disaster recovery
All IT pros know that whether it comes in the form of natural disasters, fires, power outages, or malicious attacks, disasters will happen. And when they do, systems need to be restored as quickly as possible. Not only can downtime have an effect on business, many organizations have legal or regulatory requirements to meet that require fast recovery and data protection.
While organizations are getting more aware of security threats, all too many organizations have insufficient DR plans in place or no plans at all. Businesses and agencies often cite reasons for this lack that include the perceived likelihood of a system failure being too low to justify the costs and time commitment inherent in setting up the infrastructure and accompanying data recovery plan. But either it is through human error, human malice, or natural disaster, system failures happens. With some up-front research and preparation, an organization can implement a DR plan without incurring great costs or dedicate an unreasonable amount of time to it – especially if they leverage existing knowledge and infrastructure by hiring a CSP.
DR plans are meant to protect a company’s data integrity and confidentiality, as well as ensuring the availability of systems and applications. A cloud-based disaster recovery plan, by providing anytime-anywhere access to crucial data, can reduce downtime and ensure an organization has 24/7 access to its business-critical data and applications. As such, a DR plan is a necessary part of any security risk management. In addition, organizations that have legal and regulatory compliance concerns can hire a CSP with expertise in that area, and which already have security controls built into their architecture that can help meet regulatory demands. Specialty CSPs may also be able to assist with audits and to supply necessary documentation.
Benefits of Cloud-based disaster recovery
Infrastructure, including updates: A data center is costly, and keeping it up to date with changing technology and maintaining resistance to ever-changing threats requires additional expenditures which contracting with a CSP can significantly mitigate including continuing maintenance and upgrade costs in the contract.
Remote access: By using cloud-based solutions, including cloud-based DR, even in the case of disasters, the data remains accessible. Even if personnel cannot be on site due to fire, flood, or any other cause, remote access means that critical functions can be accessed from any location, guaranteeing continuity of critical business functions for your organization.
- IT Expertise: Cloud solutions give your organization access to the IT expertise of the CSP, allowing internal IT personnel to concentrate on business-driven data issues and development, rather than having to develop internal expertise in storage and security technologies.
- Round-the-clock support every day of the year: Your Service Level Agreement (SLA) with your CSP should include anytime response, 24-7, 365 days a year. If your system fails, whatever the cause, your CSP should have a support team ready to implement your disaster recovery plan immediately, without your organization having to set up and maintain full-time coverage.
- Minimal downtime: The cost of even an hour’s downtime is costly to any organization in our fully-connected world. Staffing expenses, lost business, regulatory risks, and customer goodwill all suffer when internal and/or external systems fail, leaving you – and possibly your customers – without access to data and applications. Cloud-based systems, by using virtualized systems and cluster computing, are well-positioned to have almost no downtime when executing a failover, and because of the distributed nature of the computing, it is almost impossible to have the backup systems affected by the same disaster that affected the primary system.
- Ease of Deployment: Compared with setting up your own disaster recovery plan and dedicating time, money, and people, using the existing expertise and infrastructure of a CSP is quick and easy. Experts can smooth the way, relying on their experience in helping organizations like yours get a cloud solution in place with a minimum of trouble for your organization.
- Cost-effectiveness: Leveraging the expertise of your CSP for disaster recovery means that implementing a DR plan is not only simple but will cost less. No secondary data centers need to be set up, and replication, failover, and failback routines are already in place for much less than you would spend to implement these safety measures on your own. CSPs offer scalable plans, so organizations only pay for what they need, and can change their service terms by changing their subscription as business needs change – not by making another significant investment.
- Flexible: DR plans are complicated and time-consuming to develop on your own, but your CSP already has the essentials in place, waiting to be customized to your organization’s unique needs, which the CSP can quickly identify, relying on expertise and experience.
- Additional Security: While on-site data centers might seem to offer the fastest recovery times, those centers are often affected by the same factors that caused the initial failure. Cloud-based solutions mean that the recovery center is operational, and not similarly unable to function.
Steps in cloud disaster recovery
As clear as the reasons may be, determining where to start building your DR plan can be challenging. The following steps can help you navigate this process.
- Assess threats: Every organization has a different set of needs, and a good place to start planning your cloud disaster recovery plan is by assessing the needs of your organization. It helps to understand your risks, and what areas of your company are affected by each risk. Threats to consider usually come under the following categories:
- Acts of nature such as a hurricane, tornadoes, earthquakes, ice storm, fire or flood, or other natural disasters. These often incur physical damage as well as threatening data storage and transmission.
- Human error is possibly the single greatest cause of system failure: poor configurations, careless coding, failure to test existing systems and recovery plans, accidental activity, lost passwords, and other unintentional human failures put your organization at risk for large-scale system failure.
- Malicious activity can include disgruntled employees sabotaging a system or causing physical damage employees damaging or sabotaging data, as well as external hackers, malware, or acts of terrorism or espionage.
- Triage Systems for Recovery: Different aspects of your organization use different systems for different purposes, which may each have different recovery requirements. Stakeholder input can help you determine a hierarchy for recovery, based on the urgency of a business function and/or the sensitivity of data at risk. Assign tiers or levels of hierarchy to each business-critical application or type of data, to make it easier in moving your data recovery components to the cloud, and to ensure that each app or data tier is triaged appropriately.Once you’ve identified the different areas and their risks, you can assign recovery time objectives to each system and type of data, taking into account the factors that can affect recovery times. Based on this assessment, you can more accurately select the most appropriate recovery procedure for each. Business-critical applications and data can cost thousands of dollars per minute of downtime, so those should be high on your recovery list, as should data and systems involved in regulatory compliance. On the other hand, you may have archived data that won’t be missed for some days or even longer. Knowing what you have and how it’s used can help you and your CSP formulates an effective DR plan scaled and customized to your organization’s needs.
- Assign Roles: Ensure that you’re CSP and your IT department has defined their roles and understand what they need to do in case of a failure. Using the services of a CSP does not remove all responsibility from your in-house information teams. IT management should be a major stakeholder when it comes to planning, implementing, and testing the DR plan with your CSP.Ensure all roles are understood by all participants, so people can swing into action immediately in case of a failure.
- Determine CSP Capabilities: Make sure your CSP is able to meet your needs by asking some key questions. While your needs will determine the extent of questions you should ask, the following questions will apply to almost all situations:
- What security measures are in place? Data security requires protection on many fronts to protect against hackers, malware, social engineering attacks, physical invasion of the premises, and natural disasters. Find out what security measures your CSP is using against all kinds of threats. The CSP’s response should include:
- state-of-the-art perimeter protection;
- Physical location surveillance and security.
- What redundancies are in use? Your CSP should have redundancy in the following areas:
- Protected data should exist in at least two separate physical locations to protect against localized disasters.
- All equipment should have uninterrupted power supplies, and in the case of major outages, CSPs should have generators at all physical locations.
- You should be able to quickly access your data and applications on a network that does not rely on the connection that might have been interrupted in the original failure.
- What is the CSP’s Service Level Agreement? Does SLA provide support and recovery options twenty-four hours a day, seven days a week, and 365 days a year? What is the intended recovery time? Note that recovery time can be affected by many conditions, so potentially the range can be from a couple of hours to several days. Some factors that have to be taken into account are:
- The complexity of the main server setup. Cloud-based virtual machines can be reloaded as is from a single data bundle if properly planned for, while reconfiguration of physical servers can take 24 hours, plus one more hour per additional server. This includes the reconfiguration of the servers as well as the upload of data.
- Availability of key recovery personnel. Will the appropriate personnel be on site? Is there an absence/vacation/emergency backup?
- State of the disaster recovery plan. Is your organization’s DR plan complete and fully tested? Untested plans may contain surprises, errors, and gaps that are only apparent when they are put into use for the first time, causing delays that could have been avoided with a little additional preparation.
- Equipment replacement needs. If the failure extends to equipment, time to replace the hardware must be factored in.
- Sufficient budget. Did your organization fully account for its needs in case of failure, and did you budget accordingly, so the CSP has the appropriate measures in place?
- Set-up: Once you have identified your organization’s vulnerabilities, requirements, and resources, you can start setting yourself up for disaster recovery in the cloud. It’s a good idea to start by moving one component at a time to the cloud: one application, or tier of data storage.This will allow you to monitor one component at a time and test the effectiveness methodically.
- Evaluate your plan: Work with your CSP to test your DR plan to see if it is effective so that you don’t find out that it has glitches when you are implementing it. Set up test scenarios and evaluate the outcome. Fill in gaps, including those of education and individual preparedness.
- Maintain and Evolve: Developing your initial plan is only the first step.Frequent testing and staying current with security patches is essential, and reevaluating the plan in the context of newer technology is mandatory because threats – especially malicious threats – are constantly evolving their technology as well.
Cloud-based backup is a safer, more reliable, and more cost-efficient way to ensure you have a robust disaster recovery plan. By outsourcing your organization’s data backup to a hosted provider, the technology can do the work of monitoring, maintaining, and supporting the disaster recovery of the business.
Using cloud-based backup-as-a-service is the first step in establishing a fully cloud-based disaster recovery solution. Cloud-based solutions are capable of delivering the fastest recovery after a failure, as well as optimizing protection by making it easier, more cost-efficient and lowering risk.
Benefits are realized by outsourcing the process, including responsibility for system upgrades, patches, and staying on the leading edge as new technologies emerge, and are a technology worth considering for your organization, whether you have to upgrade or initiate your DR plan.