The words ‘cloud’ and ‘security’ are most often found in the same sentence when concerns about the latter are holding back adoption of the former. However, developments in disaster recovery are making cloud a friend to business continuity.
By having disaster recovery delivered as a service by a cloud provider, organisations are offered faster recovery of critical IT systems and data with centralised, scalable management – and without the hefty costs of another physical backup site.
But like most new solutions pitched to the market, both IT and business stakeholders are finding themselves confused by a degree of ambiguity and conflicting information.
For example, in a recent survey of IT professionals by Sungard Availability Services, 27% of respondents reported slower recovery times in the cloud, rather than the speedier action that vendors claim.
One of the main issues that businesses face when implementing a disaster recovery solution is that they haven’t been configured properly. When this is the case, it can lead to a significant slowdown in the system and slower recovery times.
‘It’s essential that businesses spend the necessary time testing their recovery solutions so that they can operate an always-on business that doesn’t suffer downtime as a result of slow recovery times,’ says Doug Hazelman, VP of product strategy at Veeam.
The recovery time for any customer is determined primarily by the performance of the network between the disaster-recovery-as-a-service (DRaaS) provider and the location into which the systems are being recovered.
With that in mind, the fact that 27% of IT professionals reported slower recovery times in the cloud is not necessarily that surprising.
‘It could be that, previously, these respondents had a local or well-connected backup and recovery solution and were able to recover systems at high network speeds with low latency,’ says David Steven, head of global infrastructure offering management at Fujitsu UK. ‘In which case, recovery over the internet from a remote DRaaS provider would undoubtedly be slower.’
But speed isn’t the only benefit of DRaaS – scalability is also a major advantage in a world where data is exploding at a rapid rate.
With traditional disaster recovery solutions, organisations require an entire reproduction of their live environment to provide effective failover. For large environments, the cost of this can easily reach hundreds of thousands of pounds each year, pricing a lot of organisations out of the market.
With DRaaS, organisations align the price they pay with the resources they consume by only scaling them up when they need them – usually during testing or an invocation.
‘The costs are dramatically reduced, and because you’re outsourcing the function to a third party, you don’t require further investment into in-house training,’ says Oscar Arean, technical operations manager at Databarracks.
That’s not to say that drawbacks don’t exist, however. While DRaaS can undoubtedly boost an organisation’s recovery credentials by allowing them to respond faster, many IT professionals are still not comfortable letting critical information leave their premises.
The perception that cloud can lead to decreased security is an extension of the more general concern regarding data storage in the cloud, such as where the data is held, under what conditions, and under what legal jurisdiction.
When considering a DRaaS or general cloud service provider, these general considerations should be taken into account. However, when it comes to a specific disaster recovery solution, this is unlikely to be true.
Most solutions will have implemented significant access and audit controls that can meet compliance requirements, and these will often be additional to what organisations will have implemented internally.
‘Options will generally exist to encrypt data being secured into a backup vault, both at rest and in transmission,’ says Steven. ‘That would mean, if enabled, the data would be no less secure than online transmission between virtual tape libraries, and arguably more secure than movement of physical media.’
The security element in cloud recovery is important to businesses, as it is with any cloud-based offering. Any IT solution that involves moving a wealth of data into the cloud can prompt security concerns.
Nearly half (49%) of the 1,600 IT professionals quizzed in a survey by Unitrends in March listed security as their greatest concern with respect to the cloud. This is a figure that appears to be falling.
Organisations that often overlooked the fact that many cloud solutions offer government-grade security are growing more aware of the cloud, its benefits and its security protocols. As a result, IT professionals are increasingly accepting of the security credentials of cloud infrastructure.
‘Security in the cloud doesn’t seem to be as big a concern for businesses as it was five years ago,’ says David LeClair, VP of product marketing at Unitrends. ‘In fact, real-world analysis of actual negative events in the cloud shows that security issues where data is compromised are in fact extremely rare. More likely negative events that could lead to data loss are events surrounding cloud outages and downtime.’
Ultimately, companies shouldn’t fear the cloud as long as they take the right precautions when choosing their services. The cloud can offer huge advantages to businesses, so any IT professionals who disregard it as an insecure option could find themselves in very foolish territory.
According to Hazelman, the best way of staying safe is to choose providers that conform to international and national certifications to ensure the highest standards are being adhered to by service providers. ‘In many cases, a cloud service provider may be more secure than the customer’s own on-premises infrastructure,’ he says.
Aside from security concerns, one of the biggest downfalls of DRaaS is the risk that the DRaaS vendor could go out of business or have to file for bankruptcy, which could in turn put the company’s data at risk.
Nirvanix, a US-based cloud storage provider, only gave its customers two weeks’ notice before it was to shut down, as it filed for bankruptcy protection. This was caused by financial constraints as the provider does not receive a lump sum at the start of their contracts with customers.
‘With such short notice, many companies had limited support to get their data back from the service provider,’ says Josua Braun, senior product marketing manager storage, EMEA at Netgear.
Weighing up the costs
While DRaaS – like all cloud solutions – is pitched as cheaper than on-premise, 14% of respondents in the Sungard survey reported it being less cost effective.
So in terms of total cost of ownership, how can CIOs convince CFOs that this will save the organisation money?
This really depends on what the service is being compared with. Businesses that do a thorough cost analysis of running a second data centre – including replication licensing, bandwidth, power and the staff time to manage it – often find DRaaS to be a lower cost.
But, sometimes those costs aren’t factored in because the organisation is already running a multi-site operation and staff costs aren’t separated from other activities.
‘Disaster recovery won’t make you any money – that much is true,’ says Arean. ‘But it’s never been cheaper for businesses of all sizes to ensure that they can avoid the enormous costs of disruption, should a disaster happen.’
This isn’t to say that costs have become negligible, or even that DR is something CFOs will willingly divert budget to.
Falling storage and bandwidth prices have certainly made cloud infrastructures more affordable for businesses today, but many still regard DR as a ‘tax’ that will never be capable of generating revenue.
But a good DR provider will add value to an organisation through its expertise, and help create a robust business continuity plan, Arean adds.
The primary cost saving comes with disowning a dedicated environment required for building the disaster recovery landscape, in terms of property, power, air and ventilation.
Besides, replicating a primary environment could work out to be less cost-effective, as it may require building a custom disaster recovery environment on the cloud.
‘Consolidating and porting of workloads to the cloud, and passive or offline disaster recovery, are ways to achieve cost-effective disaster recovery solutions,’ says Venkatesh KB Shankar, infrastructure services expert at Mindtree.
It is down to CIOs to decide whether DRaaS is right for their goals and business environment. This discussion is far closer to understanding the value of an insurance policy than it is to making a technology acquisition.
The decision-makers need to understand how important protection of individual applications or workloads is to their business. How long could they live without access to that application or data? And what is the financial cost of not having access to data or of staff not being able to do their job? What are the realistic alternatives that will provide the protection they need, or is no protection a viable option? Can they afford to ‘self-insure’?
‘When these kinds of questions are understood, DRaaS can be seriously evaluated,’ says Gordon Davey, cloud strategy leader at Dell UK, ‘and if the business genuinely needs quick recovery in the event of a disaster then it’s hard to imagine a cloud-based option not being the best solution.’