Building a DR site vs. outsourcing disaster recovery

Paul Kirvan explains some of the pros and cons of using a third-party vendor to provide a backup DR site versus building your own site.

Depending on your business’ continuity needs, it may be necessary to set up a secondary DR site. And with a remote DR site, your organization will have to decide whether to use a third-party vendor to provide DR service, or to build your own site. In our latest podcast, Paul Kirvan, an expert in the DR industry and board member with the Business Continuity Institute’s USA chapter, explains some of the pros and cons of each option.

Play now:
Download for later:

Building a DR site vs. outsourcing disaster recovery.

  • Internet Explorer: Right Click > Save Target As
  • Firefox: Right Click > Save Link As





What are the pros and cons of building your own disaster recovery site versus contracting out the service?

One of the major challenges in disaster recovery planning is how to recover business operations to the point where business can be returned to as close to normal as possible following a disruptive incident. One of the popular strategies is to have an external site that can support business systems, applications and customer data until the primary data center can be returned to normal operation. Two approaches to this challenge are to build your own backup data center or similar facility and contract out for these services with suitably qualified third-party organizations. Key points in favor of building your own backup facility are management control of these specialized resources, utilization of them as alternate processing centers to handle heavy usage periods, security controls managed by your organization, and reduced likelihood of your data being intermingled with other organizations’ data. Negative factors include start-up costs associated with building the facility, increased real estate costs and general overhead for the backup space, and costs for staffing the backup site. Points in favor of outsourcing disaster recovery include minimal or no start-up costs, shared costs of staffing and technology resources, managed security at the site and on-site expertise available 24-7. Downsides of a third-party solution include potential hidden costs or fees associated with declaring a disaster and potential unavailability of facilities if too many subscribers are already using the backup center. Among the key issues to address are costs (both upfront and ongoing), availability of resources (both human and technology) when needed, additional unplanned costs following a disaster, and contractual issues.

Define hot site, a cold site and warm site for the purposes of disaster recovery.

According to international standard ISO 24762, “Information technology - Guidelines for information and communications technology disaster recovery services” we can define these three important options as follows:

A cold site is a type of data center which has its own associated infrastructure that includes power, telecommunications and environmental controls designed to support IT systems, applications and data which are installed only when disaster recovery plans are activated.

A warm site is largely a data center equipped with some or all of the equipment found in a working data center, including hardware and software, network services and supporting personnel, but without customer applications and data; these are introduced at the time when DR plans are activated.

Finally, a hot site is a fully equipped data center with the required equipment, computing hardware and software, and supporting personnel, has customer data and applications, and is fully functional and ready for organizations to operate their IT systems when DR plans are activated.

When designing the physical plant, is it enough that it is remote?

The proximity of a backup data center to the primary data center is an important initial design consideration. However, while a sufficient distance between primary and backup centers is key, it is also important to consider the impact of the distance between facilities on your staff. For example, members of your emergency recovery team may be reluctant to go to work at a significant distance for possibly an extended period of time. They may be concerned about their families or other issues.

One of the critical design issues in building or selecting a backup facility is the source of commercial electric power. Often we are advised to find a location that is in a different power grid than the primary data center. While that is certainly desirable, it is not the only deciding factor.

Do you need to design it so it can resist natural or man-made disasters?

The first thing to do in this situation is to conduct a risk assessment of the areas in which a backup facility may be located. Carefully examine the surrounding region, its utilities, transportation, environment, weather and even crime rates. Review risk assessment findings to pinpoint areas with the least likelihood of disruptive events, knowing that it’s still possible for the unexpected to occur. Any facility selected should be reasonably secure and have good physical and information security provisions to prevent unauthorized access. If you use an architect, be sure he or she has experience designing data centers and similar facilities.

How far away should it be?

A distance of 10 to 50 miles from the primary data center ought to be minimally acceptable, provided risk assessments of the prospective backup site locations are conducted. Always consider the impact of a remotely located data center on your staff, especially if it may be necessary for staff to relocate their place of work to a remote location for an extended period of time.

Particularly when contracting for a DR site, should there be provisions in your agreement to practice a DR scenario with the site? Do vendors typically allow this?

Most third-party recovery site vendors encourage regular testing of the facility in accordance with a scheduled DR plan test. Ensure that your vendor will support at least one annual test of the facility. It’s good if you can schedule more than one annual test, but this impact your DR budget.

What about mobile DR sites? We hear about some vendors parking a tractor-trailer with a portable data center in the back and using that. Is that a realistic option, or is a physical plant a better call, no matter what?

Mobile recovery solutions present an excellent alternative to fixed hot, warm or cold sites as well as building your own backup data center. Evaluate the costs for a mobile recovery solution based on what you think you will need in a disaster, remembering that the mobile trailer will probably need to travel some distance to your site after you have declared a disaster. Once the trailer has arrived, it will take time to set it up, and you will need to have provisions in place to connect power and communications to the trailer so it can begin functioning. Make sure the organization you contract with for such a service has a sufficient number of equipped trailers that your DR requirements can be satisfied. And make sure the firm has plenty of experience in disaster situations.

About the author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at [email protected].

Dig Deeper on Disaster recovery planning and management

Data Backup