Disaster Recovery as a Service: A Necessity, Not a “Nice-To-Have”

It’s interesting how ancient stories can remain relevant across millennia: despite having made huge strides as a species, humanity continues to wrestle with many of the same shortcomings as it always has. The fable about the optimistic grasshopper who failed to prepare properly for the winter months is a good analogy for an all-too-common error made by organizations who either take shortcuts when implementing disaster recovery strategies or, worst of all, forgo this essential service altogether.

The technological landscape is more complex than ever before. While this brings with it innumerable benefits, it also means that the potential for disaster is at an unprecedented level. You don’t need to dig too deep to find news about companies being rocked by operational disruptions. A recent example is the power outage that made Facebook and its sibling sites, WhatsApp and Instagram, unreachable to users for about six hours. Post-mortem reports named configuration changes on backbone routers as the source of the outage. The downtime is estimated to have cost the company nearly $100 million in revenue.

While constant preparation can feel daunting, companies can’t afford to be anything less than hyper-vigilant at this point in our technological evolution. Fortunately, there are measures that can be taken to protect valuable data and prevent damage to sensitive systems. Disaster recovery as a service (DraaS) is crucial in automating and strengthening preventative testing measures.

What counts as a data disaster?

There are three major categories that are widely recognized as sources of data disasters.

• Natural disasters impacting on-prem sources. Natural events such as hurricanes, floods, wildfires, and earthquakes could adversely impact the physical data centers of an organization. Damage to infrastructure, power outages, and mechanical failures can all lead to data being compromised.

• Cyberattack activity. Organizations can fall prey to ransomware, malware, and even inside threats, which can go undetected for extended periods of time if proper measures aren’t in place. A recent study reveals that employee action is involved in around 25% of electronic crime events.

• Human error. Verizon's 2022 Data Breaches Investigations Report revealed that 82% of data breaches involved a human element. This can show up as lapses in judgment (or lack of knowledge) regarding the sensitivity of certain files, skill-based errors, and inadvertent admittance of phishing software.

How DRaaS has evolved over time

We’re living in an era of rapidly evolving technology. Disasters have always been part of the human experience – some of our own making, some naturally occurring – and computer center managers have been working to protect digital assets since the 1970s when organizations began to rely on physical data centers to maintain business continuity. Initially, the process was very costly and complex, with data centers being designed as “safe places” where backup tapes of data could be stored in locations that weren’t in the path of natural disasters.

When widespread use of computers began to pick up in the 1980s, replacing paper as the main source of data logging. Productivity increased exponentially, but so did the need for data protection. During this time, the first “hot site” location was built. A hot site is a copy of a data center where the entirety of a company’s software and hardware are run concurrently with the primary location so that operations can be maintained at the secondary location in the event of a disaster. Most recently, the transition to Cloud storage has increased efficiency and the need for highly sophisticated disaster recovery planning.

What are the different kinds of DRaaS operating models?

Managed DRaaS. Managed disaster recovery as a service is when a third party handles all elements of a disaster recovery plan and system. This option works best when there is regular communication with the DRaaS provider to ensure they are always up to speed on an organization’s infrastructure and able to implement or adjust anticipatory testing measures. If a company doesn’t have the resources necessary to oversee its disaster recovery plan, it is essential to have a provider who can do so.

Assisted DRaaS. This model requires some expertise on the part of the customer. In cases where an organization’s applications are particularly unique and difficult to pass over, a provider can extend expertise regarding overarching disaster recovery plans while the customer will have to implement those measures using internal talent.

Self-service DRaaS. Self-service DRaaS is best when a company is staffed with seasoned professionals who can plan, test, and manage a specialized disaster recovery program. The company will need to also have its own infrastructure backup, hosted virtually on off-site premises.

What To Consider When Choosing Your DRaaS

When choosing which DRaaS operating model is best for you, you must first define your disaster recovery strategy. This requires determining the impact of hypothetical losses and defining how you’ll balance risk mitigation within your budget.

Recovery time objectives (RTO) and recovery point objectives (RPO) are two significant points of consideration. RTO refers to the targeted amount of time between the event of a disaster and when operations resume. RPO is the time interval that can elapse during a disruption before irreparable data loss is triggered. Determining these intervals is a crucial part of developing a business continuity plan and requires thorough assessment and prioritization of data — in the event of a disaster, which pieces should be given higher criticality? Triaging these metrics will improve the likelihood of less severe repercussions in a data disaster.

Above all, it’s important to find the right partner to support your disaster recovery needs. A good provider will be flexible and help you determine what’s mission-critical in your organization, bringing industry-specific insights and expertise. They will also be able to provide comprehensive and attainable RPO on a per-application basis, with guaranteed deliverables around system reactivation post-outage. Finally, a good provider will have a backup plan for the backup plan and should be able to demonstrate their disaster recovery plan within their organization.

As the saying goes, “if you fail to prepare, you prepare to fail.” No business or organization is without its vulnerabilities. A robust disaster recovery plan is one of the most effective means of preventing irreparable loss and ensuring operations can resume quickly and safely.