3 things to consider before buying into Disaster Recovery as a Service

Disaster Recovery as a Service (DRaaS) backs up the whole environment, not just the data.

"Most of the providers I spoke with also offer a cloud-based environment to spin up the applications and data to when you declare a disaster," says Karyn Price, Industry Analyst, Cloud Computing Services, Frost & Sullivan. This enables enterprises to keep applications available.

Vendors offer DRaaS to increase their market share and revenues. Enterprises, especially small businesses, are interested in the inexpensive yet comprehensive DR solution DRaaS offers. There are also cautionary notes and considerations that demand the smart business's attention before and after buying into DRaaS.

DRaaS market drivers, vendors and differentiation

DRaaS is a wise move for cloud vendors hungry for a bigger slice of the infrastructure market.

"DRaaS is the first cloud service to offer value for an entire production infrastructure, all the servers and all the storage," says John P. Morency, Research Vice President, Gartner. This opens up more of the market, providing much higher revenues for vendors.

DRaaS creates new revenue streams and opportunities for vendors, too.

"They want to bring comprehensive recovery to a wider variety of business customers," Price says. Where only an enterprise could afford a full-blown BC/DR solution before, now the cloud offers a more affordable option for BC/DR to the small business.

Vendors leveraging DRaaS include Verizon Terremark, Microsoft and Symantec (a joint offering), IBM, Sungard and NTT Data, Earthlink, Windstream, Bluelock, Virtustream, Verastream, EVault, Hosting.com and a trove of smaller contenders seeking to differentiate themselves in the marketplace, according to Price and Morency.

"While most of the DRaaS vendors are relatively similar in their cost structures and recovery time objectives, the recovery point objective is a differentiator between vendor offerings," says Price. Whereas Dell and Virtustream each report RPOs of 5 minutes, according to Frost's Karyn Price, Windstream reports RPOs of 15 minutes to 1 hour, depending on the DRaaS service the customer chooses.

DRaaS: No drab solution

With so much to offer, DRaaS has a bright future in the BC/DR realm. Companies with no tolerance for downtime, those looking to enter the cloud for the first time, those seeking a complete DR solution and those that have infrastructure in severe weather risk locations are interested in DRaaS. DRaaS is particularly interesting to enterprises with minimal tolerance for downtime.

"Most of the DRaaS vendors I speak with offer recovery times of four hours or fewer," says Price.

DRaaS is an option for enterprises that want to test the cloud for the first time.

"If you are in the middle of a disaster and suddenly you have no infrastructure to restore to, would you rather have a cloud-based solution that maybe you would have been wary of as your primary option or would you rather have nothing?" asks Price.

Small businesses see DRaaS as a way to finally afford a broader BC/DR solution.

"DRaaS can minimize or even completely eliminate the requirement for company capital in order to implement a DR solution," says Jerry Irvine, CIO, Prescient Solutions and member of the National Cyber Security Task Force. Since DRaaS is a cloud solution, businesses can order it at almost any capacity, making it a more cost-effective fit for smaller production environments. Of the 8,000 DRaaS production instances that Gartner estimates exist today, 85 to 90 percent are smaller instances of three to six production applications, Morency says. The VM scope of these companies is between five and sixty VMs, and the associated production storage is no more than two to five TB, Morency adds.

Businesses hit with increasingly severe weather catastrophes are very interested in DRaaS.

"When you look at the aftermath of events like the Tsunami in Japan, there is a lot more awareness and a lot more pressure from the board level to do disaster recovery," says Morency. This pressure and the affordability of DRaaS can tip the scales for many a small business.

Proceed with caution

Enterprises and small businesses considering DRaaS face a lot of due diligence before choosing a solution and a lot of work afterwards.

"It's not like you just upload all the work to the service provider," says Richard P. Tracy, CSO, Telos Corporation. If the enterprise requires replication to a cloud environment supported exclusively by SAS 70 data centers, then the DRaaS provider had better be able to demonstrate that it has SAS 70 data centers and agree to keep data in the cloud only in those facilities.

Depending on the industry, the customer must confirm that the DRaaS provider meets operational standards for HIPAA, GLBA, PCI-DSS, or some of the ISO standards as needed.

"You don't want to trust that they do just because it says so on their website," says Tracy.

Due to the nature of the cloud, DRaaS can offer innate data replication and redundancy for reliable backup and recovery. But unless specified otherwise, DRaaS could include only replication to fail over core systems, and backup may not be included.

"Many organizations define their backup systems or data repositories as critical solutions for the DR facilities to replicate," says Irvine. This provides for replication of core systems and data backup to DRaaS.

And once the enterprise's data successfully fails over to the DRaaS service, at some point the enterprise and the service have to roll it back to the enterprise infrastructure.

"You have to make sure that the DRaaS service will support you in that process," says Tracy. There are processes, procedures, and metrics related to exit strategies for outsourcing that the customer must define during the disaster recovery planning process. These will depend on the organization. These procedures set the timing for how soon data restoration to the primary location takes place and how soon the company switches the systems back on.

"The SLA should define the DRaaS provider's role in that," says Tracy. "It's not just failover, it's recovery."

DRaaS: Worth consideration

DRaaS can replicate infrastructure, applications and data to the cloud to enable full environmental recovery. The price is right and the solution is comprehensive. Still in its early stages, DRaaS is by all signs worth consideration, especially with the number and types of offerings available, and the obvious market need.
