Preparing for a disaster

06 September 2019

In case you were overseas or just hadn’t seen the news, a failure across large sections of National Grid’s network blacked out large swathes of the country in early August. Winds of 60mph left businesses, homes and train lines with no power. Can you imagine the impact if it was a serious natural disaster?

A timely reminder then that it doesn’t matter what line of business you work in or where it is based, if disaster strikes and you lose valuable data as a result of lack of preparedness, the chances are you’ll be in serious trouble. 

Granted, some sectors face harsher consequences than others should data escape or be completely erased from existence, but no business with any designs on success and longevity – no matter how large or small – can risk losing the very thing that keeps it going.

Of course, most enterprises don’t need to be told the obvious or even be patronised, but one thing they do need to know is whether they should take care of data recovery themselves or farm it out to a specialist. In other words, we’re talking about data recovery as a service (DRaaS).

It will come as no surprise that there are a number of specialists out there whose job, quite understandably, is to extol the virtues of outsourcing. That said, does that mean enterprises generally lack the requisite nous to get themselves up and running again should the worst happen, or is it just scare tactics?

“If disaster recovery is driven and pushed by the IT department, organisations can fall into the common mistake of assuming they’re ‘good to go’ when disaster hits,” says Sascha Giese, head geek at IT monitoring and management company SolarWinds. “While IT departments can certainly handle the technical side of things, ensuring services are up and running if production goes down, they’re not necessarily the key stakeholder in ensuring business processes and services can also be maintained. These business processes and activities can really be summed up in one key term that goes hand-in-hand with disaster recovery: business continuity.”

So, is outsourcing really a good idea and – if so – why? 

In Giese’s opinion, the primary benefit of outsourcing a DRaaS solution, particularly one that’s hybrid-cloud-based, is that companies needn’t build their own infrastructure to support the disaster recovery process. 

“Instead, they can rely on a remote cloud infrastructure that may include multiple sites of its own,” he adds. “Fundamentally, it means shrinking business resources are focused exclusively on ongoing and core operations rather than using previous in-house bandwidth for the worst-case scenario—which can happen but is the exception rather than the rule. By handling DRaaS in-house, an organisation must have the time and capital to invest in and maintain its own DR environment. That’s why outsourcing DRaaS can be especially useful for small- and medium-sized businesses without the necessary expertise to provision, configure, and test an effective disaster recovery plan.” 

For others, the primary benefit is more black and white. “The number one reason to outsource disaster recovery (DR) is cost,” says George Crump, founder and president at Storage Switzerland, an IT analyst firm focused on the storage and virtualisation segments. “(Otherwise) you’re paying for a second location that in most cases sits idle and isn’t used at all. As a result of that there’s a whole set of different things that could go wrong.”

He also offers up numerous analogies as to how enterprises can burn money by preparing for a disaster in the wrong way. “Let’s say I buy a second car in case I need it one day,” Crump says. “It sits in the garage for years and then when I finally need to use it, the engine doesn’t even turn on.”

Crump adds that there are alternatives to outsourcing, but again they are not necessarily economically viable.

“In theory you could rent a space like a managed service provider (MSP) but again you’re paying rent for something you’re not going to use,” he continues. “So, the value of the cloud is you’re going to get data protection anyway and now you’re going to store it in the cloud. And then when you need to you can push a button and start your disaster recovery process. It’s a significant cost saving and it really encourages more frequent testing. As a disaster recovery planner, I can tell you that the number one thing that breaks a disaster recovery plan is nobody has actually ever executed the plan. This way you could start a test every month if you want to with no issues.”

Steve Blow, tech evangelist at IT resilience, disaster recovery and backup provider Zerto, agrees and says outsourcing can enable scalability without driving costs way up. “With DRaaS, you pay for what you need, when you need it,” he adds. “Any DRaaS provider will offer enterprise class infrastructure from storage, compute and network, as well as being able to offer additional services around security etc.” Blow adds that “having all of these capabilities” in house can get very pricey as a sole tenant, which is why many businesses look to DRaaS providers to utilise OpEx based cloud billing. “Paying on usage or reservations, rather than having the costs of keeping your DR environment’s lights on at all times, just in case, ensures optimum cost-effectiveness and flexibility. This also frees up IT teams to work on innovations that can have an impact on the business,” he says.

Chris Huggett, senior vice president, sales, EMEA & India at critical production and recovery services specialist SunGard AS, says although economics is “quite rightly” an important factor, enterprises need to ask themselves why they would prefer to do it in house when there are specialists around who can also do the job with greater reliability. “So, for many businesses it’s the classic core versus context discussion,” he says. “Is recovering your applications core to your business or even your IT activity? For a lot of people, it’s not, but we certainly believe it’s one of those areas where you’re better off in terms of reliability and economics going to a specialist.”

If DRaaS is all it’s cracked up to be, just how close is it to overtaking traditional means of recovery?

“That shift has already happened,” says Huggett. “Because if you look at traditional recovery, that meant standing up dedicated infrastructure, networking, storage and compute resources dedicated to a client, which therefore are not available for anyone else, which makes it more expensive. Everything else in terms of the way people produce their production IT architectures, involved them going out and buying platforms and running their applications on them so they focus therefore on the application. After all that’s what CIOs lie awake worrying about – applications and workloads. 

“People are perfectly satisfied that providing recovery capabilities on top of a cloud platform is as reliable as having a dedicated infrastructure built for them, if not more so.”

Blow agrees. “DR has traditionally been very complex and, even when outsourced, the infrastructure remains the same,” he says. “With advancements in the market and the ability to use a software only approach to DR, providers gain more flexibility as to how they are able to deliver this capability, without having to give up traditional DR requirements and actually enhancing them. In my view, DRaaS has already started overtaking traditional recovery services, particularly as it has lowered the entry cost. This has increased the scope to include less critical applications that otherwise wouldn’t have been included in DR, as well as reaching out to the SME market that may have been previously priced-out.”

However, Crump is more cautious and says “it’s not as close as the headlines would lead you to believe”, because most small to medium sized organisations don’t take disaster recovery seriously enough. “It’s very much a ‘it won’t happen to me’ condition going on,” he adds. “That’s not any fault of DRaaS, it’s just humans. I would say that most organisations are still in investigative mode. The technology is established but it’s still early days in terms of adoption.”

Of course, DRaaS does not mitigate all the work involved in DR, especially upfront planning. So how does a vendor, taking the lead, address the environment and select what is a priority?

Ron Blair, senior director analyst at Gartner, says it’s an important point and highlights the cost benefit. “DRaaS prices are 50%+ less than just a few years ago,” he says. “As DRaaS providers try to avoid a ‘race to the bottom’, top providers have baked in onboarding service elements that were once considered ‘white glove’. Some examples include assessments to right-size environment needs, application dependency mapping, and runbook creation. But when it comes to gaining interlock with business units and creating a business impact analysis (BIA), these would typically require professional services.”

What about the location of the DRaaS vendor’s data? After all, if it is situated perilously close to the client’s and both are taken out by the same “disaster”, does that mean there are unexpected costs and incompatibilities? Or worse?

“If they were both taken out at the same time then that would be an example of bad planning,” warns Huggett. “If it’s the same disaster taking out both instances then the risk profiling would have gone awry there. We take the view that, for example, you’re pushing data into a public cloud instance, that public cloud should be in an entirely different domain – quite likely a different country to where the originating target servers are actually located.”

David Davies, business and IT service continuity consultant at Daisy Corporate Services, concurs.

“DRaaS is a ‘cloud’ service and as with any other cloud service it’s important for a client to understand the physical aspects of the service when selecting a provider,” he says. “This includes the location and security of the backups and the recovery data centre (and if there are multiple backup locations and recovery data centres or only one), and where the IT support people are based who will manage the recovery.” 

Crump says that regardless of sovereignty laws, the European market has strict regulations regarding where data can sit. “Europeans are sensitive about data sitting in the Americas and with good reason,” he adds. “What I would suggest is that if there is a limit on where you can store data, just have it as far away as you can. If you’re in Germany but the data can’t leave the country, just make sure it’s at the opposite end of the nation.”

It would appear the evidence for outsourcing is overwhelming. However, are there any particular user groups that need it more than others and does it suit every company? 

Giese says while it can work for every company, it might not be the best scenario for all of them, if only due to their size and scale. “Smaller IT infrastructures will do just fine with traditional DR methods,” he adds. “But the larger and more distributed the organisation, the more complex it is to adjust traditional DR to fit in and tick the boxes.”

Davies is in agreement and says there might be a serious rationale for a company not only wanting to keep it in-house, but having to. “There may be regulatory or security reasons for the organisation to want to keep its ITDR in-house,” he says. “There may also be technology or skill set limitations of the DRaaS provider (particularly if legacy systems are involved) which mean they can’t take on all of the DRaaS requirement. It also depends on the client’s culture – the extent to which an organisation embraces and feels comfortable with outsourcing and cloud services. A good DRaaS provider should ensure multiple tiers of service and cost level are available, to be able to meet everything from small business to enterprise requirements.”

Huggett says that “most obviously” there are certain regulated markets, financial services being the most obvious example, where loss of data can lead to legal issues “and ditto” in the public sector. “In the healthcare space and in central and local government, there are very severe implications if data has been compromised, lost or even stolen. Disasters have different effects in different sectors, but we certainly see based on our customer make up financial services and healthcare very much to the fore. But that doesn’t mean others aren’t equally affected – possibly just a bit less public.”

Reading this, enterprises not already outsourcing disaster recovery might be tempted to explore it further. Yet, what if their old-fashioned in-house set up is not easily compatible with what the vendor is offering – will they face complications moving from one to the other?

“It’s important for teams to focus on the fact the overall objective isn’t to merely restore data or an application,” adds Blair. “It is to restore business processes. Business-oriented intimacy is important toward ensuring key items are not neglected - from recovery of virtual desktops to call centres.”

Blow says no solution works exactly the same as the next, just as no provider has the same engagement.

“There are always challenges when moving,” he adds. “Processes will change, some flexibility may be lost, plus there’s always the requirement to ensure the business is protected during the move process. The key to staying on top of these complications is to ensure the chosen solution is as simple as possible, enabling the provider you’ve chosen to be able to guide you through the move with minimal fuss and mitigated risk.”

Huggett says “it shouldn’t be a complex issue”, because enterprises don’t have to turn off their production environment to move their disaster architecture to a cloud environment. 

“You might parallel run for a while with your cloud recovery architecture proving itself before you switch off your legacy DR environment,” he adds. “If you were unfortunate enough to have to suffer a disaster during that period, then actually you’ve got two rather than one possibilities of recovery. Usually when you migrate IT systems it is the moment of change that causes the greatest difficulties.” 

One would be forgiven for thinking DRaaS is an IT issue, but Huggett warns that it goes much deeper than that. He says it is now a topic of conversation in boardrooms because of the psychological impact it can have on staff. What’s more, this is only compounded by the advances of another form of technology.

“Let’s face it, the ‘as a service element’ is just a new way of delivering disaster recovery, as the need for an interest in disaster recovery has never really gone away,” he adds. “What has changed is because of the rather public nature of some of the disasters that have befallen some, people are very conscious that if there is a disaster then social media will see to it that people will get to hear about your disaster perhaps in a way that a few years ago you might have been less exposed. There’s a reputational impact and the human beings involved in recovering from disasters end up being offered crisis coaching and counselling.” 

And on that cheery note, it’s important to remember whether or not you decide to outsource DR, it pays to be prepared.