Enterprise options for disaster recovery (DR) have changed significantly over the past decade.
Cloud computing and low-cost cloud storage has allowed organisations to keep copies of their data offsite, without the need for expensive secondary or tertiary datacentres, and the growth of web applications and software as a service (SaaS) means much enterprise data is already in the cloud.
Meanwhile, the market for disaster recovery as a service (DRaaS) has grown rapidly. Analyst estimates vary, but the DRaaS market is estimated to be worth around $14bn today, and could be $80bn by the end of this decade.
However, there are still cases where organisations prefer to keep disaster recovery in-house.
In this article, we look at what’s driving the increased use of DRaaS, and why some organisations still find it better to keep DR in-house.
Critical protection
The growth in cyber attacks, especially ransomware, has pushed DR higher up the business agenda. So, too, has compliance, with regulators keen to reduce the impact of cyber attacks and technical outages.
This is the basis of regulations, such as the European Union’s Digital Operational Resilience Act and the UK’s Cyber Security and Resilience Bill. But organisations also need DR to ensure businesses can survive natural outages such as extreme weather events, physical disruption such as power failures, IT misconfiguration, and even supplier failure.
“Disaster recovery must be viewed as more than a compliance checkbox; it’s a business viability issue,” says Darrel Kent, field CTO for storage and recovery at GigaOm. “Cloud-based DR brings automation, geo-resilience and faster RTOs, but only works if businesses define their critical systems based on business impact, not system ownership.”
This reflects the need for CIOs and business owners to work together to categorise systems, in terms of criticality. Recovery time objectives and recovery point objectives will differ from system to system, as well as by the data they hold.
Some infrastructure needs to be protected from almost any failure, and requires deployment on high-availability systems with active-active failover to minimise downtime. Others can be recovered more slowly.
Some systems might still be able to operate with a minimum of data – a few hours or a day’s worth, maybe – while allowing slower recovery of historic files. Others will contain data that’s not needed for immediate operations, but still needs to be protected against long-term loss.
Protecting all systems to the highest levels with the fastest possible recovery times is simply not affordable. Organisations will therefore tailor their disaster recovery metrics to meet their business needs, regulatory requirements, technical maturity and budgets.
Cloud options
The growth of cloud-based storage gives organisations more options to tailor DR provision to differing tiers of applications and data. It also lowers barriers to entry, for off-site backup in particular.
Firms can pay for backup and archiving as they need it to remove up-front IT capital costs, such as redundant datacentres. Meanwhile, provision of backup and recovery with cloud storage in an as-a-service model does away with the need for specialist in-house DR teams.
However, it could be argued that cost has been replaced by complexity, as IT teams now have to support cloud-based applications alongside their own infrastructure. And there are new threats to business operations from cyber attacks and especially ransomware.
“Organisations need to play to their strengths,” says Jon Collins, vice-president of engagement and field CTO at GigaOm. “A large organisation may have the teams and skills needed to do DR properly, but if they don’t, they are leaving a gaping hole in their risk management posture. The advantages of DraaS are immediacy and expertise, but it still needs effort by the organisation to decide what needs to be covered, and how.”
Another consideration, though, is how to provide disaster recovery for cloud-based applications and SaaS.
SaaS providers will go to great lengths to ensure high availability for their services, but they typically do not protect individual customer data unless the customer buys an add-on service.
“If you don’t pay for backup, it’s not backed up,” warns Terry Storrar, managing director at Leaseweb. “It’s a common misperception that you put things in the cloud and suddenly, there’s three copies of it. That isn’t the case.”
Vendors have spotted this gap in the market, with enterprise recovery suppliers increasingly able to backup data from cloud applications and SaaS, as well as on-premise storage.
According to Patrick Smith, field CTO at Pure Storage, this is leading DR suppliers to support hybrid and multi-cloud environments, as well as some SaaS providers to buy up backup suppliers. “What we are seeing is enterprise backup vendors, or as they now brand themselves, cyber recovery vendors, support the public cloud,” he says.
Better integration between on-premise and cloud storage is also making DRaaS more practical and affordable. Pure, which does sell its own DRaaS product, uses the deduplication and compression in its storage technology to make cloud backup and recovery more efficient and cut customer data egress charges.
“We shrink the data as much as possible, and that is also true of replication data going across the wire, so you minimise the amount of data the cloud provider sees leaving their perimeter, which reduces costs,” he says.
Staying local
Despite the growth in DRaaS, however, there are still situations where organisations will want to keep disaster recovery in-house. Some might go as far as keeping a local copy of cloud data, and there are cases where businesses have recovered from what would otherwise have been a catastrophic failure because of a local backup.
“With on-premise implementations, enterprises maintain full control of their disaster recovery capability,” says Grant Caley, UK and Ireland solutions director at NetApp. “The capability meets exactly their requirements, rather than having to bend to meet the limitations of an as-a-service template. As such, the costs are potentially lower if the IT and data infrastructure already exists. That way, any bespoke requirements are more easily met.”
Local DR, though, is increasingly the preserve of highly regulated industries such as banking and finance, or government, or where data sovereignty is critical. It is also really only an option for firms that have the size and scale to run and test complex recovery plans, or where the regulatory environment leaves them no choice.
In-house DR can also be quicker, even if it costs more, and there is the reassurance that an in-house team is focused on your organisation’s recovery, not another customer’s. “In a disaster, no-one else feels the importance as much as you do,” says Storrar.
