Top of Page

November 2016

Using the Cloud for Disaster Recovery Requires Different Skills

By Crystal Bedell

It wasn't long ago that business continuity/disaster recovery (BC/DR) was reserved for the privileged few. Only the largest enterprises had the resources to build and maintain a secondary site, so only the largest enterprises had the peace of mind that comes with BC/DR capability. Today, however, that has changed. Cloud computing has democratized BC/DR, making it available to virtually any organization. The concern now is how to use cloud-based BC/DR securely.

According to analyst firm Enterprise Strategy Group (ESG), the number one planned use case for cloud computing is improving data backup and archive. BC/DR comes in second, and has for two years in a row, says Jason Buffington, a senior analyst for ESG.

"Cloud is overwhelmingly compelling when it comes to data protection scenarios," Buffington explains. "From a practicality standpoint of BC/DR, cloud becomes interesting because it gives so many organizations, that typically wouldn't have one, a second site."

Mid-sized organizations have wanted BC/DR capabilities as long as enterprises have, but didn't have access to a second site, the expertise, or the budget, which basically meant that BC/DR was unattainable to them. "Cloud, when packaged with managed services, gives them what they've been looking for," Buffington says.

That said, security concerns continue to loom large. It is the number one reason IT organizations choose not to use the cloud for their data protection strategy, Buffington says.

Greg Schulz, senior advisor analyst for StorageIO, acknowledges that there are a number of threat risks to putting data in the cloud. For example, it can become lost, stolen or compromised. But, he warns, "The same things can happen in your own non-cloud environment. You have to ask yourself: are those threats larger in the cloud or just perceived to be?"

Interestingly, IT professionals whose organizations use the cloud as part of their data protection strategy cite security as one of the top benefits of going to the cloud. "When you switch from any on-premises data protection solution to any other on-premises data protection solution, most of the same security holes still apply," Buffington explains. For example, on-premises solutions don't encrypt data in flight or at rest, and they provide physical access to secondary copies, which typically aren't as secure as primary copies.

"There is a whole set of problems that cloud solutions have had to address, such as encryption and key handling. Inherently, you get better security in some scenarios, depending on what you're trying to solve for. We hear this consistently," Buffington says.

Understanding your objective is key to securely using the cloud for BC/DR. "It gets back to understanding what it is you're doing with BC/DR, understanding the different cloud options, how to use cloud to enhance what you're doing, and how to define and use the cloud to accomplish what you need done," Schulz says.

There's a difference between dumping data in the cloud for backup and using the cloud for BC/DR. "You need to figure out how to use the cloud as a site to park data, but also as a place to effectively build a virtual copy of your environment so that you can practice recovering," Schulz says.

Thus, BC/DR requires a different skillset than backup, which primarily entails learning how to use a tool. "BC/DR takes a significantly different skillset and mindset that's not easily learned," Buffington says. "The regimen for testing the business process - executive sponsorship, cultural shifts - are well outside the domain of what an IT person will know much less what they can learn on their own in short order. It's more than just data."

For that reason, not just any cloud service provider should be used for BC/DR. "The key differentiation between BC/DR solutions is expertise," Buffington says. Some of that expertise is embedded in the technology itself. For example, does the technology auto discover servers? Does it auto discover dependencies between servers? Automation and orchestration are critical, he says, as is sandboxing, which allows you to turn on a second copy without breaking the first.

However, Buffington advises IT organizations not to mistake replication capabilities for BC/DR. It's not uncommon for engineers to build replication capabilities into a vendor's solution, and for those capabilities to be marketed as a disaster recovery solution. "Your replication feature is not my DR plan," Buffington says, referring to vendors' features. "That's not DR - it's data survivability. Period. Until you can turn it on and test, it's not DR. It becomes DR when you have a way to turn it on and test it - two features that vary quite a bit."

The writing, testing and maintenance of the BC/DR plan is another area in which the service provider should have expertise. And, in fact, the service provider should play a role in the testing. However, Buffington warns that if the service provider is out of state, they may never get onsite and therefore may never have empathy for your needs and specific environment. On the other hand, local service providers don't necessarily have the competence to run infrastructure at scale. They can still help, however.

"Have them be part of the solution as a part of you from an empathy perspective, coupling that with the service provider for expertise in BC/DR delivery," Buffington says.

While the cloud makes BC/DR attractive from an economic standpoint, Schulz warns against choosing the lowest bidder. "What kind of cloud are you going through? Is it a low-cost, low-budget environment where you get what you pay for, or is it a premium service that has government-grade security with security capabilities like identity rights and multi-level authentication?"

The one thing you should not be charged for is testing, according to Buffington. "Any time you are charged to test, which is something you should be routinely doing, that's poor ethics. You should not have to break the bank to stay healthy. If testing becomes cost prohibitive, you won't test, and you won't be ready and all the money you spent or didn't spend will be wasted."

Crystal Bedell of Bedell Communications in Spokane, Wash., is a regular contributor to InfoSecurity Professional magazine. This is her first article for Cloud Security Insights.