Disaster recovery (DR) was traditionally seen as beyond the reach of most small and medium-sized organisations in terms of cost. But advancements, in public cloud technologies in particular, have changed the DR landscape forever.
“We’re seeing a huge uptake in disaster recovery by the SME market simply because it’s more accessible, more user friendly, easier to set up and most importantly more affordable,” said Darragh Canavan, sales operations manager with online backup and disaster recovery provider, KeepItSafe.
“Traditionally, DR involved a big capex cost with upfront spend required for hardware but now DR has become a service and a lot more attractive,” he said.
Canavan believes that organisations are moving beyond traditional backup solutions such as tape and hard drives to full-blown online DR, recognising that they can’t afford to be without mission-critical business applications and services for an extended period of time.
Hardware rebuilds are estimated to take anything from two to five working days, but with DR as a service, clients can be back up and running in a fraction of that time, eliminating the risk of lost business, reduced staff productivity and reputational damage.
“A lot of organisations will say an acceptable recovery point objective (RPO) for us should be on an hourly basis. But for more critical databases they may have a 15 minute RPO,” said Canavan.
“If you have an onsite failover, you can be back up and running within 5 minutes. If you have a full site disaster, you can be back up within two hours. It really depends on how many servers you have and the nature of the business. We sell our solutions based on the recovery time objective (RTO) or how quickly we can get you back operational,” he said.
With KeepItSafe’s DR as a service – incorporating onsite and offsite replication and failover – starting at €250 (RRP) per month for one server and economies of scale kicking in as servers are added, it’s not difficult to see why smaller organisations look to the cloud as a realistic and affordable option.
Pat Larkin, chief executive with Ward Solutions, also acknowledges the role that the cloud has played in bringing DR to the masses but strikes a note of caution.
“Cloud has made DR solutions much richer and more accessible. But the danger is, people look at it as a panacea. One thing we could caution them to do is to look at the security challenges. It’s got to be fit for purpose,” he said.
Larkin has come across scenarios where organisations believe that by putting a few virtual servers into the cloud and replicating the data, their corporate obligations in relation to DR are fulfilled. But many fail to consider even the most basic security questions.
“While the cloud provides a very neat solution, you still need to apply an appropriate level of diligence and a systemic approach,” he said.
“Is the data securely transferred, both on transfer and at rest in the cloud? Is it a public or private cloud? How are users authenticated? Is the cloud provider meeting regulatory requirements? Where is the data resident and where is it replicated to? Are you coming under safe harbour obligations?
“If these systems are on premise right now and you put them into the public cloud, there might be a greater level of exposure than your own security infrastructure. So as you spin it up, it’s almost like spinning up your information systems in a shop window,” he said.
Angela Madden, managing director with Rits Information Security Specialists, also points to the risks of including cloud services as part of any business continuity or DR strategy.
“If an organisation includes cloud services as part of their BCM and the cloud provider is affected, i.e. is the target of a denial of service attack or goes out of business, then the organisation will be significantly affected in terms of its ability to continue business operations as normal or to initialise business continuity management,” she said.
“The other element to be aware of is where an organisation attempts to recover data from the cloud to an alternate location. Bandwidth availability, encryption of data and access to keys (potentially held by the cloud provider), jurisdiction and compliance with data protection requirements – if you move your data out of Ireland or the EU – have to be carefully considered,” she said.
Larkin believes that best DR practice is an ongoing process, which requires continuous review, assessment and learning.
“You need to verify, trust and verify. Verify that it is what it says it is and delivers the service as promised. You trust for a while and re-verify. The acid test is whether you can live run off your DR solution. If you can’t, it begs major questions of your DR strategy,” he said.