Disaster Recovery in Times of Crisis – What Role Can the Cloud Play?

Mounir Elmously cloud, Disaster Recovery

While humanity has always hoped to not have to deal with disasters the last few months have shown that we live in uncertain times and the impact of global warming and pandemics can reach all corners of the globe.

In learning to deal with assessing the risks and how we build resilience in the future could be as simple as finding an alternative way to perform vital tasks or having additional resources to perform those same tasks.

Following the advancement in networking, processor and storage technologies and as the IT industry adopts more standardized components (e.g. Ethernet, x86, Linux, etc.,) the information technology industry has become dependent on the Cloud. The Cloud has its advantages in flexibility and cost especially where IT resources are externally hosted, eliminating the need to build and sustain in-house IT infrastructure and the associated lead time to build it.

The Evolution of IT Disaster Recovery

Since the inception of the computer in the middle of last century data protection has always been an obsession for IT organizations, and we now find ourselves with data sensitive applications where access to the data in a timely manner is a business imperative. Traditional data protection (backup) has many issues and constraints that in many situations cannot meet most organizations recoverability requirements in terms of speed of IT service resumption and potential loss of data in-flight at the time of disaster. Additionally, in many disaster scenarios, the IT infrastructure might become unavailable or inaccessible. Hence, recovering the backup requires a new set of hardware.

Investing in disaster recovery was always an unjustifiable expense considering the potentially prohibitive cost to stand an alternative IT infrastructure that in most cases will sit idle in the expectation of a disaster.

Over time many technologies emerged with innovative approaches for creating recovery tiers and prioritize those tiers based on the critical nature of the business application, however regardless of the efforts, disaster recovery has always been a high cost item that was first to be dropped from the budget.

However, with the introduction of the internet followed by eCommerce, almost all organizations changed their business model to provide non-stop services to their clients. This has put additional pressure to ensure undisrupted business even following a major disaster.

While the term “disaster recovery as a service” is relatively new, the concept has been broadly accepted since it was a low-cost option for organizations to have some level of guarantee to resume business. While this concept was acceptable to some extent, there was a challenge due to the fact that when a major event occurs, multiple organizations could be impacted and if they are subscribed to the same providers, they end up competing for the same infrastructure resources.

Since the Infrastructure as a Service (Cloud) has evolved and matured, it is now readily available in “utility-like” models that eliminate the scalability limitations, and organizations can look into extending their IT disaster recovery capabilities with their preferred cloud provider.

There are a number of factors that have accelerated this change:

  • Social media and its impact of high visibility for organizations, a simple glitch in any organization’s ability to conduct business becomes a public media incident that can severely impact the organization’s reputation.
  • Dramatic enhancement in WAN and LAN technology along with consistent reduction of the WAN services costs provided organizations with a lower point of entry cost into off-site disaster recovery.
  • The commoditization of server and storage hardware coupled with virtualization, have resulted in much lower costs to build an alternate infrastructure which has led to a proliferation of service organizations with major household brands.

So, in most situations, even if an organization has an active disaster recovery site, chances are that keeping it current as the IT infrastructure undergoes a technology refresh is extremely difficult and potentially cost prohibitive to manage, support and keep operational.

In 2002, the first infrastructure as a service (the cloud as we now know it) provider was introduced and the market has expanded rapidly to provide scalable, secure infrastructure services at an extremely low-cost entry point.

The cloud concept has introduced two major values that are pivotal for disaster recovery

  1. Infinite scalability: which eliminated the contention for infrastructure resources between subscribers under a large-scale disaster incident, hence organizations can always have access to infrastructure when needed.
  2. On-demand:  organizations are charged on hourly or daily basis only during the use of the cloud infrastructure, upon completing the recovery back to the original data center, with no further billing and no need for operational support beyond the use case.

Those values have provided small and medium organizations with a smooth entry into disaster recovery with virtually zero Capital Expenditure costs.

It all sounds great, however there are still issues that are holding back adoption:

  1. Security: with on-demand cloud services comes the concept of multi-tenancy, where DR as a service client will share the same hardware with other clients, this creates a level of concern that in many cases CIO’s decide to keep the DR under their control. The alternative would be to use dedicated cloud hardware which defeats the purpose of “on-demand” and brings back the DR TCO to traditional cost of ownership.
  2. Data locality, privacy legislation and safe harbor of data: many organizations will require a level of assurance that their data should remain within a certain geography. Under the cloud concept, data locality can become uncertain depending on the cloud provider.
  3. Legacy infrastructure: despite the ongoing transformation of IT, most organizations are still running many business applications on legacy infrastructure (e.g. z/OS, AIX, Solaris, HP-UX, etc.,).
  4. Storage based replication: Since its introduction in the late nineties, storage array-based replication has become the de-facto standard for data replication and the foundation for most in-house disaster recovery. This storage-based replication is tightly coupled with underlying infrastructure that creates vendor lock and constitutes a major obstacle in any cloud based DR since cloud vendors do not support proprietary hardware.

The above obstacles have kept many regulated industries (e.g. financial services, healthcare, utilities, etc.) away from DR as a service for now and for the foreseeable future.

So, what will happen in the future?  As we have discussed above, disaster recovery to the cloud is an eye opener for an efficient disaster recovery plan that is the ultimate goal for every organization regardless of industry sector.

As all industry sectors undergo technology transformation, they will need to have their eyes set on the Cloud as the path of least financial resistance especially for disaster recovery. However, as the technology matures, every organization should also consider the following:

  1. Consider migrating workloads from legacy infrastructure to hypervisor-based technology. In some situations, this transformation might be extremely challenging and may extend for a few years.
  2. Consider minimizing the dependency on hardware replication and evaluate the option to use software-based replication (e.g. hypervisor-based replication, database replication, etc.,). This will free the organization from hardware vendor lock in and will pave the way to cloud-based disaster recovery.
  3. Carefully consider the regulatory compliance and security aspects of placing sensitive data in the cloud and deploy encryption techniques for data-in-flight and data-at-rest.


About the SNIA Data Protection & Privacy Committee

The SNIA Data Protection & Privacy Committee (DPPC) exists to further the awareness and adoption of data protection technology, and to provide education, best practices and technology guidance on all matters related to the protection and privacy of data.

Within SNIA, Data Protection is defined as the assurance that data is usable and accessible for authorized purposes only, with acceptable performance and in compliance with applicable requirements. The technology behind data protection will remain a primary focus for the DPPC. However, there is now also a wider context which is being driven by increasing legislation to keep personal data private. The term data protection also extends into areas of resilience to cyber attacks and to threat management. To join the DPPC, login to SNIA and request to join the DPPC Governing Committee.

Written by Mounir Elmously, Governing Committee Member, SNIA Data Protection & Privacy Committee and Executive, Advisory Services, Ernst & Young, LLP

Why did I join SNIA DPPC?

With my long history with storage and data protection technologies, along with my current job roles and responsibilities, I can bring my expertise to influence the storage industry technology education and drive industry awareness. During my days with storage vendors, I did not have the freedom to critique specific storage technologies or products. With SNIA I enjoy the freedom of independence to critique and use my knowledge and expertise to help others improve their understanding.

Leave a Reply

Your email address will not be published. Required fields are marked *