Data Centers

Recovery-as-a-service: Should you move DR to the cloud?

Patrick Sweeney looks at the reasons you might consider moving your disaster recovery solution to a cloud service. How feasible would it be for your organization?

Now that early adopters have proven the deployment feasibility and the management and cost reduction advantages of the cloud, businesses are increasingly adopting it for core business applications and IT services. In fact, after successfully piloting cloud usage with SaaS applications such as CRM and ERP, many businesses are now looking to replace their traditional onsite backup and disaster recovery (DR) solutions with cloud-based DR. Gartner states that by 2014, over 30% of midsize companies will have adopted DR in the cloud or recovery-as-a-service. This begs the question: is your business ready to take the leap?

Drivers behind the change

Implementing traditional DR solutions typically involves overcoming a number of hurdles. First, they can be difficult for already overburdened IT staff to deploy, configure, and administer. Moreover, some require the complex integration, coordination and scheduling of disparate systems at multiple backup sites.

Traditional solutions can also be difficult to budget. They often require significant upfront capital expenditures for hardware, software. and networking infrastructure, duplicated across multiple sites. And, once established, they can be costly to scale incrementally. Additionally, these multiple infrastructures must be managed and maintained, adding to administrative overhead costs.

Yet another traditional concern with DR is uncertainty. Many DR administrators simply do not know if they can rely on being able to recover the data they back up.

All else considered, the worst DR is no DR. Yet the awful truth is that most companies have found it difficult to get any DR plan or solution off the ground.

Can taking it to the cloud help?

Cloud-based DR services have the potential to address many of these concerns with traditional approaches. First of all, they are inherently easy to use and manage, as they are typically deployed as turnkey solutions, with the backend all hosted and managed by the provider. Because they operate in virtualized environments, they are generally easier to scale as needed, providing more deployment flexibility, and future-proofing against unanticipated growth. This scalability also provides broader DR options (such as supplementing or enhancing VMware, NAS, or bare metal recovery solutions), thus enabling a best-fit deployment. Perhaps most importantly, by making the process easier, they can enable many overburdened IT organizations to actually get a DR solution deployed in the first place.

Using cloud services can also be more budget-friendly. By eliminating significant hardware costs, they cut out large upfront capital expenses. Instead, DR becomes a flexible, pay-as-you-go operating expense, where companies only pay for the capacity they consume, and can fine-tune or terminate services altogether on demand.

Recovery-as-a-service can also help assure reliability. With no upfront investment, it is easier to test a solution before adoption. Moreover, cloud-based DR technology has matured to the point of providing reliable quality of service and uptime levels, as well as cloud-based validation of backed-up data.

Not all silver linings

Still, there are many challenges that businesses must consider that are unique to cloud-based DR. For example, placing your backups on the cloud may create greater dependency on network availability and, subsequently, in the service levels of your providers.

Likewise, with cloud-based DR, companies can have less control over throughput, and any degraded performance can potentially generate transactional lag time. While this might not significantly affect recovery of static files or email, it can make cloud-based DR inappropriate in other scenarios, such as in recovering dynamically replicated databases. Increased demand for additional bandwidth might also result in unanticipated cost overruns.

Compliance can be another serious concern for many businesses looking at cloud-based DR. While cloud-based security and encryption technology has matured, there may still be gray areas when it comes to meeting regulatory standards, such as with healthcare or financial data.

Ready-or not

Ultimately, DR is about shifting the uncertain to the certain. We cannot be certain when a disaster event may occur, but we should-and must-be certain of the systems and procedures we put in place to recover when they do. To determine whether your business is ready to bring DR to the cloud, you need to consider factors pertaining both to your own organization and to your service provider. The viability of implementing recovery-as-a-service in your organization hinges on both business and technology criteria.

On the business side, you should calculate return on investment by contrasting the projected costs of cloud-based DR against the costs of traditional onsite DR (including equipment and staffing)-as well as against the projected business costs of enduring a catastrophic system failure while having no DR solution in place at all.

As with any DR planning, you should determine your recovery time objective (RTO) within which your core systems must be restored so as not to create a revenue-impacting break in business continuity. You should also identify any system elements which would be negatively affected by potential transactional lag times. Specify what is required to meet compliance with your particular industry's regulatory mandates (such as end-to-end encryption of data in-flight and at-rest, or granular recovery of transactional data).

You will also want to consider what options you need to meet the specific recovery needs of your business. Potential data recovery capabilities your organization might require include file-based backup, multi-platform device and OS support, and archiving. Potential system recovery capabilities might include block-based backups, and being able to rapidly restart applications in the cloud with a subsequent phased recovery on-premise.

On the cloud service provider side, you need to verify that their service level agreement (SLA) meets your defined business requirements, particularly in the areas of reliability, performance and compliance. Closely examine the fine print on costs associated with scaling up capacity or bandwidth.

Be sure you are willing to house your data on your provider's cloud. Confirm your provider's cloud data center security and availability features, such as AES 256-bit encryption for data-in-flight, uninterruptible power (UPS), and seismic rating, as well as physical security measures such as biometric identification and motion-sensitive CCTV monitoring.

The underlying technology used by your service provider can also provide insight into the viability of your solution. Look to providers with a comprehensive, full-featured offering on a mature, established platform, with central management of data and policy, as well as granular reporting.

By closely evaluating all of these criteria, you can determine with certainty whether cloud-based DR will work for your organization.


Implementing a DR solution is never simple. But for some companies, the emergence of cloud-based DR services can make it much easier, affordable and reliable. Whether your business can take advantage of these benefits will depend on taking a hard look at your unique DR needs and matching them to a service that fits. An uninformed decision will only add more uncertainty, rather than alleviate it.

Patrick Sweeney is Vice President, Product Management, for Dell SonicWALL.


We're about to move to a hybrid backup/DR service comprising an onsite backup appliance (that can also act as a DR system for one or more failed servers), plus online backup, with the option of running complete VMs remotely via VPN in the event of a complete site disaster. I wouldn't want to have backup completely online because of the speed and convenience when restores are required. But the online part creates essential extra DR protection. This seems to be the best of both worlds. (Strictly our online backup isn't "cloud" as we know exactly which data centre it'll be in, but the principle's the same.)


Are we talking about using cloud services to give us DR for our land-based enterprise systems? Or are we accepting that the organization already runs their IT in the cloud, and therefore the recovery plan would basically involve having a SECOND cloud provider?? (Thus impacting the overall cost savings gained when going to the cloud to begin with :) .) And of course, what management was told-and-sold about the cloud is that it's so triple-fault-tolerant and distributed, that it's unsinkable, too big to fail, and simply a magical land where unicorns dance joyfully in the data center and disasters don't happen. In even the most simple and uncomplicated IT shop, doing DR that actually works as intended the old-fashioned way is more of an art than a science. Life would be easy if DR only meant deciding where your backups exist and knowing how to restore your mission critical apps. In order for DR to actually work when it's needed, the level of precision and detail goes light-years beyond the level of cooperation and coordination typically found in even the best third-party relationship. If there is even a moderate degree of complexity, DR only works if the recovery site remains in perfect harmony and sync with critical production systems, and it's been tested, and tested, and tested. But all that is a monumental challenge, and is much more difficult if you involve a third party and the cloud. In a true DR scenario, you cannot predict what will fail and how it will fail. This the flexibility to adapt to real DR scenarios is where Cloud-based DR could fall short. And the 10,000 lb elephant in the middle of the room is the fact that the cloud adds a multitude of different risks that people have not even thought of yet, and thus adding a cloud-based DR into the mix may bring up even more inherent risks of it's own. 'DR in the cloud' puts the customers of such a service in the same boat. So, a severed regional weather event, for example could cause a shift of an epic amount of data and processing power over to one or more cloud-based DR providers. If there are, lets say, 1,000 companies all having to declare a disaster at the same time, this DR provider may not be able to handle the load, nor could their network, or perhaps even parts of the Internet where their sites are based. The grand irony here is, theoretically, when an organization goes '100% cloud and they have an empty and dark data center with no IT staff', the best DR site for the cloud is at the organization itself......thus the best plan would be to buy back all the infrastructure they sold on eBay and hire some IT people to manage it :)


Can you actually rely on the one you're handing the recovery service to, or are your lawyers better than theirs?

Editor's Picks