Hurricane Sandy was an awful, albeit salutary, reminder of the importance of effective IT disaster recovery and business-continuity planning. Whether or not you think the climate scientists are right, Mother Earth is indisputably volatile and unpredictable. Exceptional events do and will continue to occur. As a CFO accountable for enterprise risk, how do you make the best use of cloud computing for risk mitigation?
To date, much of the focus on cloud computing has emphasized the rigors of managing the shift of your systems and infrastructure from the (seemingly) safe harbor of on-premise servers to the (presumably) choppy waters of the hosted cloud. There are a wide range of factors that make this “lift and shift” no trivial task, even without disasters.
But when disasters do come, you’d better be prepared.
Could the Cloud Be Your Next Disaster?
If you’re counting on your cloud provider to be fully responsible for disaster recovery, its disaster-recovery capabilities need to be carefully assessed.
That disaster needn’t be a natural, Sandy-like catastrophe. If your provider drops the ball for whatever reason, its disaster may rapidly become your disaster and indistinguishable (from the perspective of your business) from anything nature can dish out. These misfortunes could range from data loss or corruption to persistent and major infrastructure failures to a significant security breach. And there’s always the possibility that your provider simply goes out of business.
But if your provider’s services are affected by what insurers call acts of God — wind, earthquake, or flood — and it’s unable to recover quickly or adequately, you may have no choice but to watch and wait, unless you’ve made prior arrangements. Not all providers offer explicit warranties regarding disaster recovery. And the way you define disaster may not be the way your provider defines it. At what point does an extended outage become a disaster? Understanding this is even more relevant given all the new entrants into the cloud market, each with varying levels of maturity and capability.
However, instead of dwelling on what could happen in a disaster, why not focus on using the cloud itself for your disaster recovery?
Could Cloud Be Your Disaster-Recovery Strategy?
According to research firm Ovum, disaster recovery and storage backup top the list of what customers are looking for in infrastructure-as-a-service. Gartner predicts that 30% of midsize companies will use disaster-recovery-as-a-service (DRaaS) by 2014.
Analyst predictions are interesting and can help you understand the context of discussions, but when it comes to your organization, with its specific requirements, knowing what other organizations are doing only helps so much. A deeper dive can illustrate how a cloud service, if chosen and implemented wisely, may have certain advantages over more traditional disaster-recovery options.
- Solving the oversubscription problem
One of the fundamental design considerations in legacy off-site disaster-recovery models is the ratio of subscribers to servers. If you declare a disaster at the same time a number of your provider’s other customers do, you (and the provider) may have a real problem. Standing in line with a box of backup tapes under your arm is not the place to be as the winds howl and the flood waters rise. However, due to the inherent scalability of cloud infrastructure, the oversubscription problem is largely eliminated with DRaaS. The assumption, of course, is that your cloud provider has the capacity to handle major concurrent disasters. This should be verified as part of your due-diligence process.
- Improving recovery speed
The conventional model of restoring systems from backup tapes or other off-site media is impractical for organizations with zero outage tolerance. Depending on your specific requirements and design, utilizing cloud resources can reduce the time it takes to recover your data and get back to business to hours, or even minutes. The delay would depend on the nature of your IT infrastructure and business environment, and to what extent you need to recover in order to conduct businesses satisfactorily, also called your recovery point objective (RPO).
- Increased frequency of testing
In a DRaaS environment, you should be able to test your disaster-recovery plans as you see fit. This has a distinct advantage over conventional disaster-recovery testing, as it allows you to test incrementally when, for example, upgrades or configuration changes are made to your production IT environment. In other words, you don’t have to do the whole test each time from A to Z. Plus, the ability to keep the disasterrecovery environment in lock-step with your production environment is an important factor in reducing the RPO time.
DRaaS: Still Not a Settled Issue
There are a number of reasons why the cloud, even given its advantages, may still not be the best choice for your disaster-recovery solution. For instance, not all on-premise legacy or custom systems will work in a cloud environment, so you may have no alternative other than to continue to work with a conventional, noncloud disaster-recovery service, or a collocated data center where you rent space for backup servers and bandwidth. (Bandwidth may be a limitation in a full-blown disaster. Your systems may be up and running but, as everyone tries to access the same network at the same time, due to network congestion they may be inaccessible to your customers.)
There are raft of compelling disaster-recovery solutions in the cloud. In order to make the right decision for their organization, CFOs need to be able to ask the right questions and perform the due diligence commensurate with the decision’s importance. Like most things in life, if the solution seems too good to be true, it probably is — especially if you have an IT ecosystem of significant scale and complexity.
Rob Livingstone, a former CIO, is the author of Navigating Through the Cloud. He runs an IT advisory practice and is also a Fellow at the University of Technology Sydney (UTS), Australia, where he teaches strategy and innovation in UTS’s flagship MBITM program. Visit Rob at www.rob-livingstone.com or e-mail him at firstname.lastname@example.org.