Key questions to ask a cloud disaster recovery provider

Cloud disaster recovery offers data protection without the need to invest in in-house infrastructure. This podcast sets out the vital questions you need to ask a cloud DR provider.

A cloud disaster recovery service brings peace of mind to businesses that can't necessarily afford the hardware and capital costs involved with in-house disaster recovery provision. But while cloud disaster recovery can do away with the need for in-house infrastructure and provides a service that scales as the business does,...

it's vital to ask the right questions of a prospective cloud provider to ensure stability, security, compliance and recovery service levels that meet your needs.

In this interview, Bureau Chief Antony Adshead speaks with Tom Brand, service director for cloud computing with GlassHouse Technologies (UK), about the benefits of cloud disaster recovery and the key questions to ask a cloud disaster recovery provider.

Play now:

Download for later:

Download the podcast with Tom Brand
• Internet Explorer: Right Click > Save Target As
• Firefox: Right Click > Save Link As What is cloud disaster recovery, and what are the benefits?

Brand: Like cloud computing in general, cloud disaster recovery can mean different things to different people. However, the fundamental principle is that it removes the need for dedicated infrastructure to facilitate a failover.

There's no doubt that server and storage virtualisation have certainly helped reduce the cost of providing and maintaining a disaster recovery solution. However, right-sized and dedicated infrastructure, such as servers, storage, racks and data centre space, are still required.

The cloud changes everything, because thanks to the technical and commercial flexibility cloud solutions are able to offer, organisations can dynamically scale their disaster recovery infrastructure in real time, paying only for the services they actually consume.

In my opinion, the combination of virtual servers, low-cost storage and the overall agility offered by the cloud providers creates a very compelling proposition which is helping IT organisations to further drive down the traditionally high cost of implementing and maintaining a disaster recovery solution.

In terms of how it all works, at the moment, there are two types of disaster recovery offered out of the cloud.

Organisations actually running their production systems in the cloud typically have availability SLAs built into those cloud service offerings, where it is the responsibility of the service provider to restore systems and data. I think it's very important to point out that in the current market, these SLAs are often relatively basic, with the recovery process having little or no intelligence at the application layer, and because of this one could question whether it is really disaster recovery.

For me, cloud disaster recovery is more about using external cloud solutions to provide warm standby systems for your internal applications, where only the application data is continuously replicated into the cloud.

Let's look at an example of a classic three-tier Web application that has seven servers in the primary site. When the disaster recovery infrastructure and systems are provided out of the cloud, the level of resources allocated depends on whether the application is in Replication mode or failover mode. During normal operation, the system stays in replication mode and requires only a single low-cost virtual machine whose role is to facilitate the synchronisation of application and configuration data. However, when a disaster occurs the system enters failover mode, and at this point the resources required to support the full application are brought online, i.e., seven servers, all of which can be automated.

Moving forward, as more organisations adopt virtualisation and build private clouds underpinned by the same technologies as the external providers, who in turn release standard APIs, cloud disaster recovery will become much more viable and more and more integrated. The cloud will essentially become an extension to the live environment so we could see DR become a concept of the past. What are the key questions to ask a cloud disaster recovery provider?

Brand: You need to ask the same questions one would ask a cloud provider when adopting any cloud solution, with a few questions focussing on their specific disaster recovery service capabilities. These questions should definitely include topics such as financial stability, security controls, regulatory compliance, data handling, SLA management -- and only then should you look at disaster recovery service functionality.

So, first of all, you should always establish the cloud provider's financial stability. Ask how long they have been trading, how … they [are] funded and what … their annual revenue is, etc. Research the likelihood of a takeover or buyout. If your data is now handled by a third-party organisation, can you be certain you are still compliant? And even worse, trying to recover data from an organisation under investigation can be a nightmare.

Does the provider adhere to your specific regulatory requirements, such as Basel II, SOX, PCI DSS, SAS 70? If not, why not? In most cases, if they don't, you should swiftly move on.

ID management and access controls are also critical -- i.e., who is authorised to do what and when? Who can see my information? Data loss is a reality, and third-party providers can be held accountable for a sizeable chunk of all data loss incidents. As a result, you need to know whether the administrator of your system -- the cloud service provider -- can see your data. Most admins have this ability. Therefore, does the provider have the controls in place to avoid accidental or planned breaches in security with regards to your data and systems?

Ask them about data handling. "Where will our data be located, and how will it be managed? What are the implications of you losing some of my data?" You need to ask your cloud service provider what its data protection policy is and what its audit procedures are. Due diligence should then be performed on those procedures. What happens in the event of data corruption? How many copies of your data does the third party have and over what time period are they retained? Can they reconstruct an image of your data at a given point from partial backups? Just because this is a disaster recovery solution, in the event of a failover, you still need to ensure the cloud provider can offer backup and recovery of what is now a live system.

Once you have established the suitability of the provider, you can then drill down into the technical requirements, such as their ability to provide database replication and file system synchronisation.

Can they provide dynamic DNS failover and global load balancing across multiple sites? Do their systems offer 24-hour alert notification to IT teams in event of a disaster? Primary site monitoring from two separate locations should be offered as a minimum, so how do they monitor for failures? And finally, for providers who offer managed disaster recovery solutions, how often do they undertake verification tests, and do they offer verification reporting?

Quite simply, you can never ask too many questions.

Read more on Disaster recovery