Disaster Recovery as a Service: Planning for Worst Case Scenarios

Posted by Mark Greisiger

A Q&A with Jack Bailey, Director of Product Management at iland Internet Solutions
Disaster recovery as a service (DRaaS) can be a good solution for many organizations as a security measure in the case of a cyber-security event. I asked Jack Bailey, Director of Product Management at iland Internet Solutions to explain the value of DRaaS.

What is DRaaS?
DRaaS is a cloud-based service to which you can outsource a secondary site that is ready for operation, avoiding business interruption in the case of a data breach situation.

Business continuity is a requirement these days. Customers expect it, and so do executives.

Why might a customer be interested in this approach for disaster recovery or business continuity loss mitigation?
Business continuity is a requirement these days. Customers expect it, and so do executives. You want your data to be safe and you want easy access to it. If you don’t have a solution for business continuity, your competitors will. As with all cloud-based services, the appeal of DRaaS is that you don’t need to own the technology or buy any hardware or train any personnel. In most cases, our customers aren’t storing data as their first line of business—it’s not a revenue-generating item and they don’t have the technical capacity or expertise in-house—but they want the safety and security of knowing that in an emergency situation they have a second site ready to go.

What types of businesses are best served by DRaaS?
At iland we service organizations of all sizes and shapes. Typically, a risk assessment and a realistic understanding of just what could happen if operations were compromised is what will drive a company to us. Now, some businesses might be fine if their customers can’t access data for five minutes or even a few weeks, and we can tailor our services accordingly. On the other hand, you have the insurance industry. When something catastrophic happens, insurance companies actually have an increased amount of business so they have to be ready for high levels of functioning during that time of need.

Also, from a regulatory perspective, you must have a disaster recovery plan in place if you’re bound by HIPAA or other federal laws, so we find that companies in those industries also tend to gravitate toward us.

How might a client deploy their DRaaS solution in the event of a cyber attack?
As I mentioned, we provide many different DRaaS options, including real-time replication, which makes a secondary site ready at the push of a button. That kind of speed is usually important for people with public-facing sites or e-commerce businesses. We also have less immediate plans for people that don’t need instant results. We can manage the secondary site or we can provide tools for them to self-manage it. Either way, they will have a plan ahead of time that will tell them how to access the site and deploy the solution in the case of a failover.

Are there any risks or downside to DRaaS?
It can be a challenge for companies that are used to doing everything themselves to suddenly shift these services to an outside vendor because it obviously takes a lot of trust. Another challenge is that people tend to be skeptical about cloud providers. We believe that cloud providers are held to a higher standard and we maintain our own internal data sets and compliance-driven testing policies. At the end of the day, we are in the business of keeping data safe. It’s absolutely normal for someone to be skeptical but we always encourage organizations to look closely at the background and certifications of any potential vendor. You want a provider that’s not just a fly-by-night operation with a couple of servers in a closet. Some companies see the cost of DR as a downside, but if you carefully consider the value of business continuity, retaining customers and saving transactions, it’s a small price to pay. In fact, many companies see it as another, equally necessary form of insurance.

What else needs to be considered in the decision to pursue DRaaS?
Keep in mind that backup and disaster recovery are two very different services. Some customers come to us saying that a backup vendor told them that all they needed was to get the backed-up data to a secondary site. It’s not that simple. Unless you have a plan you can test, and a means to validate that everything works, you won’t have the confidence for a failover situation. Another thing is that one size does not fit all when it comes to DRaaS. There’s no silver bullet for everyone, so we have to identify the approach that makes the most sense for the business and addresses its real needs.

In Summary…
Thanks to Jack for his insights into DRaaS. As part of an overall DR/BC plan, DRaaS could be considered a baseline safeguard control for any company that relies on computer and information assets for daily operations. DRaaS is also a prudent risk management option for an organization that has 24/7 system availability requirements, particularly if a prolonged outage due to a cyber-attack (DDoS) or network corruption would significantly impact production or business revenue.