Top three tips for selecting a disaster recovery as a service provider

Considering DRaaS to support your mission-critical systems? Expert Paul Kirvan shows you the pitfalls to avoid.

If your organization is looking for a way to deal with its disaster recovery process without the expense of staff and technology resources, it may be time to consider disaster recovery as a service (DRaaS).

Today, with advances in technology, IT can choose from a broad range of managed/hosted services that provide virtually all the disaster recovery capabilities that may be needed. Of course, if your current DR arrangement is satisfactory (supports mission-critical systems, provides ample data storage) and you consider the investment reasonable, no further action is needed.

However, if you view your current DR capabilities as nominal or perhaps insufficient for your peace of mind, a DRaaS arrangement may make sense. Assuming we agree that DRaaS is a viable option, let's examine how to get the best deal and the best results.

Tip 1: Look to your BIA for guidance

Validate your business requirements for DR by reviewing results of a business impact analysis (BIA). The BIA should identify those IT assets and data that are the most mission-critical.

Results of a BIA should also specify recovery time objectives (RTO) and recovery point objectives (RPO) for your mission-critical IT assets. Make sure the vendor can accommodate your RTO and RPO requirements.

Tip 2: Ensure the DRaaS provider's technology is up to snuff

Once you have analyzed the above data, determine what you want in the cloud and then verify that the vendor can support your requirements. Find out what the vendor does if your data is lost or corrupted by asking such questions as:

  • How many backup copies of your data are available and where are they located?
  • Can the vendor reconstruct an image of your data (as well as virtual machines in use) at a given point in the past from available backups?
  • How far back are backups available in calendar terms?
  • What will the vendor do when you perform a failover to DRaaS and are subsequently ready to return to your normal environment?

You should also determine whether the servers and other devices that will be used for your infrastructure are dedicated to your organization. Be wary if the vendor typically houses data from other users on the same individual servers. Also, be sure to get details on how any DRaaS provider plans to handle the security of your infrastructure (firewalls, anti-virus, intrusion prevention systems and the use of encryption). Understand the vendor's overall philosophy and capabilities for security.

Once you are certain the vendor can provide what you need, consider organizing a phased migration to a DRaaS arrangement -- migrate certain applications, databases and data to the service for six months, using that time to examine how the vendor supports your requirements. If all goes well, you can phase in additional infrastructure elements over time.

Most vendors offer support for DR plan development and testing. Take advantage of all available development and testing resources, as they will help to ensure that your DRaaS plan is appropriate for your needs and will work when needed.

Finally, in addition to establishing service-level agreements (SLAs), consider establishing an emergency remediation process in case the service provider does not fulfill its SLA obligations. Things can go wrong, so be sure you have a "back door" if the integrity of the SLA is compromised. Investigate the process for switching DRaaS providers if you are unsatisfied with the service; however, this can be a painful process.

Tip 3: Check references

Get references from disaster recovery as a service candidates and ask those references for their opinions about the service, lessons learned and so on. Ask to see confirmation -- via audit reports and attestations -- that vendor data centers used for your requirements are compliant with various standards and regulations, such as the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, PCI-DSS, ISO 27001, ISO 22301, NIST SP 800-34 and others. Additionally, ask the vendor to provide copies of warranties and guarantees, and review them carefully.

You should also ask for details on vendor staff, especially the people who will be managing your infrastructure. Be sure to get bios and any other relevant information on all technicians on all shifts. Examine credentials and references as needed. In other words, make sure you know who will be keeping an eye on your infrastructure.

While the benefits of managed service offerings -- especially for disaster recovery -- are many, the risks must also be investigated.

About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council.