Disaster recovery (DR) and business continuity plan (BCP) services are critical considerations for any organization. However, they don't come cheap. That is, until
Proper evaluations are critical when any CSP is being considered for cloud-based backup and DR/BC use cases.
Before committing to a cloud-based DR service or BC provider though, companies should thoroughly evaluate any potential cloud service provider (CSP) to ensure a good fit. Let's discuss what should be considered.
Cloud-based disaster recovery service processes
First, before doing business with any CSP, it's important to understand its backup and continuity processes and technology. For instance, in the case of Security as a Service (SaaS) CSPs, only data is stored. As a result, SaaS provider DR/BC plans should be analyzed with a focus on storage and backups because consumers have little to no control over continuity of the data once it's there. In addition, some continuity planning that accommodates for the internal operations of the provider should be included as well, such as redundancy of network devices, backups of system and application configurations that are essential to business operations.
For Platform as a Service (PaaS) providers, code repositories and maintenance can be shared, as can data. Infrastructure is still the provider's concern, however, and should be included in its own internal planning. For Infrastructure as a Service (IaaS) providers, consumers can manage entire virtual machines (VMs), but the provider still manages the infrastructure. Thus, DR and BCP strategy and responsibility is shared in these cases.
When businesses want to leverage cloud service providers specifically for cloud-based DR and BCP services, there are several recognized use cases that can serve as guidance. The first is online data storage, which is a simple backup scenario for some organizations. SMBs usually employ this idea, but it is also gaining traction in larger enterprises. The second use case is a backup of VMs or specific types of data, even if an enterprise-class DR/BCP program is in place. Another option is to backup and run whole application farms or certain critical services from a cloud service provider environment.
Cloud-based disaster recovery service considerations
Once the processes and use cases for cloud-based DR services have been taken into account, companies must assess potential CSPs to ensure they meet certain standards. Proper evaluations are critical when any CSP is being considered for cloud-based backup and DR/BCP use cases. Some of the concerns that should arise in an assessment include:
- Maturity of the CSP: How long has it been in business? What is its track record?
- ISO 27001, SSAE 16, and the like, for DR/BCP: Has the CSP adopted any sort of standards for implementation?
- CSP operational resources for DR/BCP: Does the CSP have enough staff and technology to adequately handle DR/BCP responsibilities for your organization?
- Contract language for service-level agreements and recovery capabilities: Do the contracts provide an appropriate level of coverage?
The next step for evaluating DR and BCP possibilities in the cloud involves matching up the concepts of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO looks to answer the question "How long can our organization function without certain key services?" RPO defines a "trigger point," which is the moment when too much data has been lost to continue business. In a mature DR/BC plan, these concepts should already be defined internally. Both of these metrics should be understood and fleshed out prior to beginning the evaluation of a CSP.
The Cloud Security Alliance also offers some recommendations on choosing cloud-based DR/BCP services:
- Customers should perform on-site inspections of CSPs when possible.
- Customers should inspect CSP DR/BC plans, and these should be a standard part of both consumer-initiated audits and standard SSAE 16 reports.
- Customers should identify physical interdependencies in CSP infrastructure. This is only logical, as the resilience of the CSP is fundamental to the consumer DR/BCP program being implemented.
- Contracts should clearly state obligations for security, recovery and access to data.
- The CSP should understand customer RTOs and include them in contracts.
- A CSP BCP policy should exist and be blessed by the CSP board of directors. This is really as much of an internal CSP governance evaluation as anything else.
- CSP BCP programs should be active and (ideally) adhere to standards like ISO 25999 (now ISO 22301), which describes a standard set of business continuity requirements.
There are numerous CSPs that offer cloud-based DR and BCP services. One is Nirvanix, a company that offers storage and general backup capabilities in a distributed data center model. Another CSP that offers DR/BCP services is iLand. It is a full-featured DR service organization, with testing and replication services. SunGard is a more traditional backup and DR organization, offering extensive data center services. SunGard has now enabled virtualization-specific backup and recovery options for both new and existing customers.
From the editors: More on cloud security regulations
Is the SSAE 16 a better tool for evaluating CSP security than the SAS 70?
Take three steps to ensure PCI compliance in the cloud.
An organization looking to implement cloud-based DR/BCP, or ensure existing CSPs have adequate disaster recovery services, should confirm that its internal DR/BCP metrics and those of the potential CSP are compatible. Then, the CSP must be assessed to ensure it is sufficiently robust and maintains internal controls on which it is willing to share information, whether via SSAE 16 or ISO certification.
Prepare for disaster
Though moving disaster recovery and business continuity to the cloud may seem like a daunting prospect, the benefits of cloud-based DR and BCP could make for a compelling option, and cloud providers are offering new capabilities and services in this area all the time. Choosing the right cloud-based DR service option is simply a matter of asking the right questions about potential CSPs and finding the right fit for an organization.
In addition to the steps mentioned above, one other key consideration is cost. While a cloud-based DR/BC cost model is often favorable, especially to smaller organizations, there may be significant benefits to maintaining separate data centers and facilities that larger organizations can't ignore, depending on bandwidth requirements, computing needs and flexibility. Explore all the options, and don't discount a cloud-based DR/BC alternative when planning for the long term.
About the author:
Dave Shackleford is senior vice president of research and chief technology officer (CTO) at IANS, and a SANS analyst, instructor and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. Dave is the author of the Sybex book Virtualization Security: Protecting Virtualized Environments, and he recently co-authored the first published course on virtualization security for the SANS Institute. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
This was first published in December 2012