By Andrew Burton
Many vendors are positioning cloud backup as an ideal disaster recovery solution, allowing users to replicate data offsite and outside of their company's
CLOUD DISASTER RECOVERY TUTORIAL TABLE OF CONTENTS
According to technical encyclopedia Whatis.com, cloud computing "has three distinct characteristics ... It is sold on demand, typically by the minute or the hour; it is elastic -- a user can have as much or as little of a service as they want at any given time; and the service is fully managed by the provider."
Independent disaster recovery and business continuity expert Paul F. Kirvan, FBCI, CBCP, CISSP, defines cloud computing as "the provisioning of dynamically scalable and virtualized resources as a service, usually provided over the Internet. Users typically don't have knowledge about, expertise in, or control over the technology infrastructure."
So where does that leave cloud disaster recovery? "I don't see people using cloud services, properly defined, for disaster recovery at all," according to Jon Toigo, CEO of Toigo Partners International. "Cloud services are supposed to be a location where you can collaborate, where you can share data or you can share applications across a geographically distributed group. That model, for disaster recovery, hasn't been fully rolled out anywhere yet."
He went on to say that the cloud disaster recovery market today consists of existing online backup services rebranded using the cloud moniker. "They are the services that they always have been, electronic vaulting, data replication, whatever. A lot of software-as-a service offerings are being re-contextualized as 'cloud' whether that name applies to them or not."
As Toigo noted, cloud disaster recovery today centers on online data backup and recovery services. In this model, the online backup provider supplies the hardware infrastructure, and the user accesses the hardware over the Internet or across a private connection. These types of services are often touted as an inexpensive, easy-to-use solution for companies that lack IT resources. However, this cost savings is often overstated. A company may save money initially because there is no need to invest in hardware but, many of these services do require an investment in backup software.
"Don't assume that the 'cloud' will make things simpler," said Kevin Beaver, information security consultant with Principle Logic LLC. "You're almost always going to need someone to manage things locally -- especially where client-side backup components are required."
"If you have a very low recovery point objective, say under an hour, the amount of bandwidth you have to restore data is a very important consideration," said Kirvan.
Toigo agreed, and pointed to the potential costs associated with ensuring sufficient bandwidth. "The gating factor on all cloud services is the size of the pipe," he said. "Obviously the cost of the pipe increases, the larger the pipe is." There also can be fees associated with transferring data to and from a provider. It is important to consider any additional fees when comparing an online backup service to an in-house solution. Toigo said these fees can be "crushing," and that if a small- to medium-sized business (SMB) did the math, they could likely invest in an in-house solution at a lower total cost.
One way the market is responding to the recovery concerns associated with cloud backup is to take a hybrid approach with an in-house appliance synchronized with cloud storage. Simply Continuous, for example, offers a service that requires the deployment of a Data Domain data deduplication array at the customer site, which can then send deduplicated data from the customer's site to the Simply Continuous cloud.
Also, Symantec Corp. recently announced the integration of its Veritas Storage Foundation Basic management software's with Amazon.com Inc.'s Elastic Compute Cloud (EC2) technology. Once associated with an EC2 host, Storage Foundation can perform a variety of sophisticated management functions. Currently, the product requires users to manage Storage Foundation for EC2 separately from in-house deployments. However, analysts have noted that this could be a step toward a hybrid model in which resources could be moved from a private data center to a cloud storage provider easily and managed under a single platform.
Another emerging aspect of cloud disaster recovery today could be referred to as a "data center on demand." "Look at what CA has done with XOSoft, their high-availability solution, working with partners to allow users to failover to a cloud after a disaster and work off that until the production environment is back up and running," said Toigo. "I don't know if they've had a lot of success with this product, but the concept is certainly workable. It's like SunGard without the high cost of a rental facility."
He went on to say that testing is of the utmost importance with this type of setup. "You need to be able to test these things on an ongoing basis, but in many cases you can't do ad hoc testing because the resources could be used for something else until you declare a disaster. So, that can be a big stumbling block."
For a small business with inadequate (or no) backup, online backup can be a huge step in the right direction from a data protection standpoint. However, users should consider some of the security concerns associated with putting your data in someone else's hands.
"How do you know your backups are going to be secure? It's more than just 'we encrypt' and 'you'll have a login,'" said Beaver. "Online backup environments are just like any other Web application. There are literally tons of security flaws that can be exploited to put your backups at risk. Don't fall for the common 'we're SAS 70 certified' response. Ask for an independent penetration test/security assessment of Web-based environment and ensure the vendor's assessing for new security flaws on a regular basis."
Toigo echoed this sentiment. "A lot of cloud vendors will tell you everything you want to hear in order to get your business, but it would take a lot of time and energy for you to go and investigate whether they can deliver what they are saying they can. Interview other customers and make sure there are ironclad security policies in place before choosing a vendor."
This was first published in January 2010