While the stakes of recovering from a data disaster are higher than ever before, the resources needed to ensure business continuity are more readily accessible, too.
Disaster recovery (aka business continuity, business continuance, service resilience et al.) is a topic that weighs heavily on many IT organizations and has since the birth of IT. Time has only made ensuring business continuity and disaster recovery (BC/DR) a more complex challenge for all businesses.
When IT was primarily a mainframe, and most or all of its work was not mission critical, DR was off-site storage of magnetic tape backups and a contract to run jobs on someone else’s mainframe.
Now? IT is integral to every aspect of operations for most organizations, whether making things, selling things, or providing services. Recovery time objectives (RTOs) and recovery point objectives (RPOs) are trending from hours to minutes. Compliance requirements regarding operational processes and retention of data are becoming more demanding and increasingly complex.
Businesses are now challenged with retaining more information than they used to, and for longer. Additionally, they now also need to know every repository where they may have information about a particular person—should that person exercise their GDPR (General Data Protection Regulation) right “to be forgotten.”
The use of many resource types in delivering services makes the problem even harder: more than 97% of organizations use SaaS solutions, and 61% use IaaS in production, and 52% use PaaS. Nemertes predicts that in 2019 less than half (on average) of the overall workload of IT will run in organizations’ data centers. BC and DR plans have to take into account recovery for cloud-based services and cloud-housed data, as well as ongoing due diligence of service providers’ operational maturity and BC measures.
You can probably rely on a major provider having solid continuity planning and audited SSAE (Statement on Standards for Attestation Engagements) SOC (Service and Organization Controls) 2 certification of BC/DR controls in all operations and data centers—but can you say the same for all your SaaS and PaaS providers?
Now, add in the problem of corporate data on users’ personal devices—not simple to manage even when only some staff had these devices, and the vast majority were stationary desktops under full company control. Now the average employee has multiple devices, with only a minority of devices being under full IT control. Identifying corporate information that must be protected is operationally essential, and it has serious compliance implications.
DRaaS: A Better Option Than Going It Alone
Creating a BC/DR plan sufficient to the day is of course possible, with enough dedication of resources. Well-resourced IT operations can fold it all into their processes and beef up backups while layering on discovery tools and other relevant systems to meet the expanded needs. Perpetually under-resourced IT operations, though, will not be able to keep up, and will have to travel further down the road of cost versus risk arbitrage: deciding whether to pay what it takes to retain everything they should, or to accept the operational, legal and financial risk associated with letting some data go unprotected.
And even those who can afford to protect everything may see it as requiring a level of investment they don’t want to make. Nothing does less to advance strategic initiatives than spending money on insurance. Unless disaster strikes, of course, in which case all subsequent progress on strategic plans depends on the quality of the continuity effort.
Thankfully, inherent in the source of the problem is a possible solution. In the cloud age, outsourcing DR—using managed BC/DR or DR as a Service (DRaaS)—is a more viable option than ever before. Increased resources are available to serve as cloud-based DR facilities and cloud-based backup systems.
More companies are in the business of providing BC/DR services for cloud systems as well as on-premises tools, having tools and staff focused on this problem space. And IT has become more accustomed than ever before to consuming critical processes as outsourced services rather than handling them internally, and to allowing cloud management of on-premises software.
The bottom line is that, just as cloud and outsourcing are a consideration for every other IT service decision, so too should they be for managing BC/DR protection.
John Burke is a Principal Research Analyst with Nemertes Research, where he advises key enterprise and vendor clients, conducts and analyzes primary research, and writes thought-leadership pieces across a wide variety of topics. John leads research on private and public cloud; private cloud infrastructure; private and hybrid cloud management and security; network, server and storage virtualization; and software-defined networking (SDN), SDWAN, and network functions virtualization (NFV). He also leads coverage of IT service management and ITIL, big data (especially with application to IT operations management and security), data management and information lifecycle management, analytics and visualization.