Disaster Recovery Is Different for the Cloud

Disaster Recovery Plans (DRPs) have received increased attention due to disruptions from cyberattacks, natural disasters, and the pandemic. A well-developed DRPs can mitigate those risks, but DRPs for the cloud are somewhat different than those for traditional on-premises assets.

Richard Marcus

Richard Marcus leads the Information Security Team at AuditBoard where he is focused on product, infrastructure, and corporate IT security. He is also responsible for leading the charge on AuditBoard's own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases.

A disaster recovery plan is a focused, detailed strategy that addresses all types of operational disruptions. The disruptions include both natural disasters and human-made disruptions. Natural disasters would include earthquakes, fires, tornados, hurricanes, floods — and pandemics. Human-made disruptions might be power grid outages, active shooters, cyberattacks, bomb threats, protests, and military action. While it is impossible to predict every type of disruption, good disaster planning attempts to cover all the most likely scenarios. The actual plans are organized by the disaster type with specific instructions for the organization to follow if and when the disaster occurs.

When drafting disaster recovery plans, a significant consideration is the deployment method of the services you are attempting to recover. On-premise and cloud installations have distinct recovery advantages and challenges, and disaster recovery plans absolutely must account for the differences.

Traditional Disaster Recovery

Despite the hype around the cloud, there are still many good reasons for on-premises deployments.

Traditional on-premises deployments are delivered from your organization’s local, physical environment on its own infrastructure. The main advantages of on-premises deployments are transparency and control. Some organizations house extremely sensitive or regulated data, and have decided they must keep the data in-house to be certain it is properly secured and available when they need it. This additional assurance comes at a high cost. Your infrastructure team is responsible for all hardware needed to support your deployments at scale, including sufficient resources to ensure capacity needs are met and that resources are available to perform regular backups of critical data.

To ensure your services can recover from disaster, redundancies are required for each technology resource, and may even need to be deployed across redundant data centers and geographic regions. This can be difficult if your organization lacks the footprint to support such redundancy. Before building the infrastructure, management likely will require estimates, proposals, and budget requests, all of which take time. Afterward, the support and maintenance of the infrastructure as well as data backup processes are entirely dependent on internal staff.

In a disaster, the time it takes to rebuild the infrastructure, restore the data, and recovery services for end-users will be very significant, if possible at all. Data recovery will depend on the most recent off-site backup, likely a day old or more. After a disaster, downtime means everything.

Cloud Disaster Recovery

The move to cloud solutions has increased over the last decade, but the trend is likely to speed up during the post-pandemic recovery period. Organizations that have moved to cloud solutions for technical needs have shifted the risk and responsibility for disaster recovery onto third-party providers. Moving to hosted infrastructure allows organizations to implement services that are dynamically scalable, resilient, and redundant by default. Many cloud service providers even allow customers to choose their recovery times based on the criticality of the service or risk level.

Two factors come into play: recovery point objective (RPO) and recovery time objective (RTO). RPO is a measure of how much data you are willing to risk losing, and RTO measures how long it will take to have your data operational after a disaster. If the data is mission-critical and the organizational risk tolerance is low, some providers offer near real-time recovery for both RPO and RTO. If the risk tolerance is higher, a less expensive option is available to those who are willing and able to work from a day-old backup.

Disaster recovery planning for cloud-hosted solutions should involve a review of the supplier contracts to ensure the recovery SLAs meet your needs. If there are any customer responsibilities related to configuring data backup frequency or testing, those activities should be confirmed and tested. Some providers will even agree to coordinate with you during periodic testing of recovery capabilities. “Trust but Verify” applies here for vendors that are responsible for your most critical services or data.

Does a Disaster Recovery Plan Really Matter?

Over 200,000 businesses closed during the first year of the COVID pandemic. Too many organizations were unprepared for the pandemic disaster. In the article “Top Risks in 2021: A Global Perspective”, Protiviti pointed out that “there was nothing unpredictable about 2020. Pandemic risk has loomed on the horizon for a long time… yet, only digitally invested companies were ‘future-ready’ when COVID-19 hit”. Disasters will happen, and solid disaster recovery planning can mean the difference between operational resilience and failure. As you update your DRP and try to anticipate the unexpected, consider the possibility of moving legacy on-premise solutions to cloud environments.