What is a hot site? Think of a hot site for disaster recovery as a secure, hardened building that's equipped to support your current IT production activities right now. The building has equipment (e.g., servers) that's comparable to your existing infrastructure; it has your principal business applications in place (these were determined by a business impact analysis); and will also have access to your most current data (usually by some form of data backup activity). The hot site will also have conference rooms for your disaster recovery staff to meet, areas to change clothes if needed, food and beverages available, and possibly even a store to buy clothing, and an exercise area.
What is a cold site?
By contrast, a cold site disaster recovery site is a secure facility that is mostly empty space -- awaiting the arrival of equipment and personnel in the aftermath of a disaster declaration -- and has power, access to communications services, lighting, and possibly preconfigured work areas with furniture, phones, fax machines and copiers. But most often, it is an empty area that is ready for occupancy by customers who have declared a disaster and will be setting up their recovery site in that building.
This is in contrast to a hot site, where the customer who declares a disaster arrives at a fully operational replica of their data center (or subset of same) with live systems and applications as well as access to voice and data communications. For cold site customers, the activation process is more involved, with the need to ship emergency equipment, furniture, applications, data and other items to the designated facility. Given these conditions, it will take longer to set up operations at a cold site, but the assumption here is that the recovery time objectives (RTO) and recovery point objectives (RPOs) are less time-critical than for a hot site.
Cost of a hot site vs. a cold site
The cost for these two options varies greatly, are based on issues like 1) number and type of devices needed; 2) amount of data storage needed; 3) processing speeds needed; 4) recovery time frame; 5) number of staff needed (e.g., furniture, office equipment and supplies, meeting areas); 6) method of activation of the facility; 7) access to shared space or dedicated space at the site; and 8) any other special requirements (e.g., handicapped staff, special dietary needs).
In both hot and cold sites, customers typically contract for access via a monthly contract that spells out what space is to be available, whether it's shared or dedicated space, equipment and services required, and the process for activating the site. For cold sites, the monthly fee could be as little as $300, but when the site is needed, the cost could jump to several thousand dollarsa month while in use. Additional fees could be incurred to have dedicated space and special technology requirements (e.g., video feeds). For hot sites, basic monthly fees usually start at $1,000 to $1,500 for a minimum footprint of space, maybe room for three to four equipment racks with nine to 12 servers and a minimum number of critical applications. For larger installations, the charge can get into the tens of thousands of dollars per month. Data backup and recovery fees, as well as testing fees, may be added. Ideally, find a package arrangement that is all-inclusive; that way there are no surprises later.
For hot and cold sites, the contract is all-important. Have an attorney or experienced consultant review any hot/cold site contract before you sign, so that you have all the facts. Be sure to address all the issues we have been discussing in writing, and also consider costs for insurance at the hot/cold site (does the vendor offer it, or is it your responsibility?), warranties and guarantees, declaration fees, early termination fees, automatic renewal fees, move-in fees, move-out fees, and payment terms.
A word on declaration fees is in order. Some vendors require an immediate up-front payment before you can enter the facility. Other vendors may waive the fee or not require one at all. Shop around. You're suddenly dealing with a disaster and the last thing you want is a large up-front fee.
You should also check to see how the vendor deals with a disaster declaration. Can you contact the site and declare an "alert"? On the chance that you may be able to mitigate the incident and eliminate the need to relocate to a hot/cold site, you may be able -- with such an arrangement -- to minimize your costs for the disaster.
When considering a hot or cold site solution, be sure to make it a business decision, and utilize the results from a BIA, as it will help you pinpoint the most appropriate solution.
Conducting tests at a hot site is very important, as you can see first-hand what you'll need to do in a disaster, and get to know what kind of support you'll be getting from the vendor. Most leading vendors will require at least one test annually as part of their fee structure. Take advantage of it.
Testing is a bit different with a cold site, as the site will probably be empty, and you'll be contacting the cold site firm, various equipment suppliers, transportation firms, office furniture and equipment suppliers, and others following the disaster. You'll have a bit of work to do, coordinating your staff, backing up your data and applications, arranging the moving services, and many other activities. Testing and validating the many steps needed for a cold site recovery is very important -- perhaps even more so that with a hot site.
When considering a hot or cold site solution, be sure to make it a business decision, and utilize the results from a business impact analysis, as it will help you pinpoint the most appropriate solution for your business needs. Negotiate contracts carefully, visit the prospective facilities, and be sure to speak to other customers for their experiences before signing contracts.
A sampling of hot site and cold site disaster recovery services
The following is a sampling of hot and cold site vendors.
- Disaster Recovery Services
- E.V. Bushoff Company
- Hewlett-Packard Co.
- IBM Corp.
- Offsite LLC
- Recovery Point Systems
- Rentsys Recovery Services
- SunGard Availability Services
- Sentinel Data Centers
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at firstname.lastname@example.org.
This was first published in November 2010