The public cloud provides the resources for disaster recovery, but companies still need to put in the work of evaluating risks and potential losses, and ensuring their solution addresses those risks. In this cloud-agnostic post, we explain what companies need to do so they can know their SAP landscapes and data are secure.
The public cloud has revolutionized disaster recovery. A decade ago, DR rarely meant anything beyond running a weekly backup, shipping the tapes to a remote facility and hoping for the best. Now, companies have the ability to replicate data in near real time and prepare for almost any contingency.
And yet, even now, most companies don’t know how to prepare. The problems seem too daunting, the risks, too abstract and unpredictable. They put together a plan, throw some money at it, and hope they never have to test it out. Here’s how public cloud disaster recovery can help you move beyond hoping for the best.
Moving to the Public Cloud Helps Disaster Recovery
To understand the benefits of cloud DR, it helps to look at the risks. Here are some of the disaster scenarios that can impact data centers:
- Outages: If the networking between you, your clients and partners goes down, or the data center itself suffers a power outage, it can bring your business to a standstill, resulting in lost productivity and sales, and frustrated customers.
- Data loss: Modern IT hardware is very resilient, but it’s not invincible. If a hardware fault, fire, natural disaster or some other incident harms the hardware holding your data, you can suffer data loss. Even with redundant hardware, a major event such as an earthquake or data center fire could cause data loss without proper planning.
- Intrusion: Outside hackers, disgruntled employees and unscrupulous competitors continue to threaten organizations. This risk is compounded by poor password practices and other unintentional insider threats posed by ordinary workers. Overstretched IT departments compound the risk with lax security practices, unpatched vulnerabilities and lack of visibility.
- Compliance: A wide range of industries face stringent compliance regulations, which can dramatically increase the consequences of a disaster. A major breach, data loss or even excessive downtime could pose severe legal liabilities on top of the damage caused by the disaster scenario.
However, the public cloud has a degree of built-in resilience against these disaster scenarios that very few private cloud and on-premise databases can match. Public clouds like AWS and Azure have vast networks of data centers with built-in redundancy. If a particular hard drive fails, there are other copies of the data that the provider can draw on — often, without any disruption on the user’s end. If a data center has connectivity issues or a catastrophe, traffic can be routed to other data centers.
Even issues that affect entire regions generally pose little threat to data, and downtime is typically very brief. It’s simply not possible for most companies to create that sort of redundancy internally.
From a security standpoint, the public cloud is also far more robust. Public cloud providers implement network hardening and stringent internal security that would be impractical for all but the largest enterprises to perform internally. In a cloud managed services context, you’ll have quicker patching of security vulnerabilities, better oversight and stronger intrusion protection and detection.
This resilience doesn’t just give public cloud disaster recovery an edge — it also makes it easier to meet a broad range of compliance goals. From PCI-DSS, to regional compliance regimes like EU GDPR to industry-specific rules like HIPAA, it’s simply easier to mitigate compliance risk in the public cloud.
Public Cloud Migration Alone Isn’t Enough
There’s a big difference between safer and safe enough. Although the public cloud makes disaster recovery easier and provides a baseline level of protection, you can’t afford to assume you’re safe. Organizations still face a broad range of risks in the public cloud.
Outages and Performance Degradation
Complete cloud outages are rare, although they do happen. However, it doesn’t take a complete outage to disrupt business. Depending on your use case, a moderate to severe performance degradation can be just as bad, and it may not even violate your cloud SLAs. You need to calculate what is an acceptable level of downtime, and adjust your cloud strategy to achieve it.
Data Loss and Recovery
Public cloud reduces the risk of data loss, but it doesn’t eliminate it. Outages, hardware faults, operator error and other scenarios could still threaten your data, or even imperil business continuity. You need to carefully evaluate what level of risk your business can tolerate and take measures to protect your organization — for example, by creating a backup landscape in a second cloud hosting landscape.
Internal Security
A public cloud host will take care of their own internal security, but they won’t be able to do much about yours. If an executive loses control of their account, a cybercriminal exploits a weakness in your network or a disgruntled ex-employee decides to sabotage your landscape, how much damage will they do before you spot it? Will you be able to respond quickly and mitigate the damage, or will it be too late? And if they do sabotage or steal your data, what will that mean for your clients, partners, employees and compliance responsibilities?
Disaster Mode Operation
Your IT infrastructure is only one aspect of your disaster recovery. If a disaster interrupts the functioning of your business, you need to be ready to get your organization up and running, and to communicate with workers, customers and other stakeholders. Will your team be prepared to work together under extremely adverse and stressful conditions?
Compliance
Hosting is only one small part of compliance. The procedures and safeguards you put in place to protect data security, privacy and integrity are essential. These safeguards overlap with your public cloud disaster recovery efforts in complex ways that go beyond hosting and infrastructure.
Creating an Effective Public Cloud Disaster Recovery Program
You Need a Coherent Disaster Recovery Plan
To be fully prepared, you need a comprehensive plan that can take you from the moment the incident takes place through resumption of business as usual. And each scenario will need its own plan. A data center outage, a hacker attack and a natural disaster are all very different types of events, and they require different skills and procedures to resolve.
Your business will have to weigh the relative risk and potential damage of various disaster scenarios, and decide how to respond to each scenario. Some scenarios may be too costly or unlikely to mitigate; others will require a strong response from the organization. For those DR risks you decide to address, you’ll need to set goals, including:
- Recovery Point Objective (RPO): How much data you can afford to lose
- Recovery Time Objective (RTO): How long your systems can remain offline
- Maximum Tolerable Downtime (MTD): How long it can take from the disaster declaration to the resumption of business as usual
Your goals will need to be backed with a comprehensive plan. Your organization will need to lay out each step of the DR process, assign responsibilities and document contact information, procedures and contingencies in detail.
You’ll Need to Test and Prepare
Having a plan on paper isn’t enough. In a major disaster, your team will be operating under stressful conditions. They may even be missing key members or resources. Additionally, your plan may have flaws, such as dependencies that haven’t been accounted for. And even if everything works as designed, the process may take longer than expected and fail to meet objectives.
You’ll need to test, refine and retest your disaster recovery plan under conditions that are as realistic as possible. To ensure your team remains prepared, you should also continue to periodically test your DR response, and make tweaks as needed to address organizational changes and new risks. If and when disaster strikes, it’s crucial that your team is ready, and your plan is up to date.
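One way to score a DR test against the RPO, RTO and MTD goals defined above, as an added example that is not part of the original post. The objective values, event names and drill timeline are constructed for illustration, and measuring RTO from the start of the outage is an assumption.

```python
from datetime import datetime, timedelta

# Constructed objectives for one scenario (illustrative values, not from the post).
OBJECTIVES = {"RPO": timedelta(minutes=15), "RTO": timedelta(hours=4),
              "MTD": timedelta(hours=8)}

# Constructed drill timeline, "<ISO timestamp> <event>"; event names are hypothetical.
DRILL_LOG = """\
2024-03-02T08:50:00 replica_sync
2024-03-02T09:00:00 replica_sync
2024-03-02T09:12:00 outage_start
2024-03-02T09:15:00 replica_sync
2024-03-02T09:40:00 disaster_declared
2024-03-02T14:05:00 systems_online
2024-03-02T16:30:00 business_as_usual
"""

def parse(log):
    """Turn the timeline into a time-ordered list of (datetime, event)."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, name = line.split(maxsplit=1)
            events.append((datetime.fromisoformat(ts), name.strip()))
    return sorted(events)

def first(events, name):
    """Timestamp of the first occurrence of an event, or None if never reached."""
    return next((t for t, n in events if n == name), None)

def evaluate(log, objectives=OBJECTIVES):
    """Return {metric: (achieved, met)}; a milestone never reached counts as a miss."""
    events = parse(log)
    outage = first(events, "outage_start")
    declared = first(events, "disaster_declared")
    online = first(events, "systems_online")
    resumed = first(events, "business_as_usual")
    # Assumption: a sync logged after the outage began is not a usable recovery point.
    syncs = [t for t, n in events if n == "replica_sync" and outage and t <= outage]
    achieved = {
        "RPO": outage - max(syncs) if syncs else None,           # data lost
        "RTO": online - outage if outage and online else None,   # systems offline
        "MTD": resumed - declared if declared and resumed else None,
    }
    return {k: (v, v is not None and v <= objectives[k]) for k, v in achieved.items()}

if __name__ == "__main__":
    for metric, (value, met) in evaluate(DRILL_LOG).items():
        print(f"{metric}: achieved={value} objective={OBJECTIVES[metric]} met={met}")
```

In this constructed drill the RPO and MTD goals are met but the RTO is missed by 53 minutes, the kind of gap that only shows up when the plan is actually exercised.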
You Need the Right Public Cloud Disaster Recovery Partner
Very few companies have the internal competencies to get DR right. Effective public cloud disaster recovery requires a wide range of skills in IT, compliance, security, risk assessment and other areas, along with hands-on experience and a keen eye for detail.
Fortunately, you don’t need to do it alone. A managed cloud services partner with disaster recovery expertise can help you harness the resilience and security of the public cloud to prepare a truly resilient DR solution. You may never need to put your disaster recovery plan into action, but you’ll sleep better, knowing you’re prepared.
To learn more, check out our webinars on SAP disaster recovery in AWS and Microsoft Azure, or contact us.