
6 DRaaS risks to assess and mitigate

Cloud DR is a popular strategy today, but not exactly invulnerable to threats. Assess the risks associated with DRaaS and learn to mitigate them before a crisis strikes.

Disaster recovery as a service presents an array of opportunities for IT operations personnel to protect their infrastructure and resources. But using disaster recovery as a service comes with risks.

DRaaS uses the infrastructure and computing resources of cloud services to provide a realistic alternative to an on-site DR strategy. Administrators can use it to supplement existing DR activities by adding greater performance capabilities. They can also use the technology to completely replace existing DR activities.

Like any advanced technology, DRaaS and similar cloud options bring risks to the discussion. For example, if an organization's DR program was once completely on-site, managed by the IT department, bringing in cloud service vendors and managed service providers introduces new unknowns to the process. Although a third party can take a more proactive interest in your DR requirements, DRaaS users must increase their diligence when dealing with the new players.

To get the most out of DRaaS tools, users must assess the associated risks. A key tool for assessing and reducing DRaaS risks is a service-level agreement (SLA). It spells out what the DRaaS vendor must provide based on various performance metrics, such as percent uptime, percent availability of resources and security breaches blocked. It also spells out remedies, such as financial penalties or refunds of maintenance costs, for vendor failure to satisfy SLA requirements.

To conduct a more thorough DRaaS risk assessment, IT and DR leaders must examine DRaaS tools and processes carefully. Following are six risks associated with DRaaS, along with some tips on how to mitigate them.

6 DRaaS risks to watch

Using cloud service providers for disaster recovery has several benefits, including flexibility, scalability and reduced costs. However, there are several areas where DRaaS can open an organization up to risks, such as data loss and security breaches. DRaaS might be the right choice for your organization, but you must assess and address the associated risks to reap the benefits.

1. Security

Strong data protection is a key benefit of storing data on-site. The online nature of cloud environments opens data up to new threats. Ensure that the DRaaS provider has comprehensive security resources to guarantee that your critical data is protected and available. One such approach is to work with a vendor that has multiple data centers with redundant storage facilities so that critical data can be stored in more than one location.

2. Access control

In an emergency, secure access to critical systems and data is essential so that unauthorized access -- and potential damage -- can be prevented. If the DRaaS vendor has a Service Organization Control 2 (SOC 2) report, be sure to ask for a copy, as it provides audit data that addresses availability, security, processing integrity, confidentiality and privacy metrics.

3. Slow recovery and restoration

Recovery and restoration times are two critical metrics in a DRaaS program, as they indicate how quickly an organization's systems and data can be returned to service after a disruptive event. If the DRaaS provider's track record during disasters gives you cause for concern, adjust the parameters in the SLA or consider returning critical systems and data on-site or possibly moving them to another DRaaS vendor.

4. Lack of availability

Resources should be available when and where they are needed. In a disaster, every minute that technology and/or data isn't restored, the business runs the risk of a serious disruption to operations. Data in a SOC 2 report can shed light on possible availability issues. When negotiating an SLA, be sure to include any hardline requirements for data availability.

5. Resource control

One of the principal reasons for the popularity of managed services is their ability to adapt quickly to changing business requirements. Be sure when negotiating contracts and SLAs to investigate what additional resources can be made available in an emergency and how quickly they can be activated. Full disclosure by the vendor of where data and systems are stored, and how resources are federated among other vendors, is essential to ensure that data is available when needed.

6. Inadequate data backups

Lack of adequate data integrity controls can jeopardize customer systems and data. When choosing a DRaaS tool, make sure that the vendor provides suitable data protection controls.

A lack of backup verification and testing can also make a huge difference when it comes to protecting DRaaS data. The vendor's ability to rapidly verify data backups and system recovery is essential so that IT management can fully confirm those critical activities.

System and data backups must be made according to customer requirements, e.g., full backups and incremental backups, and access to those backups must be secured. SOC 2 reports can provide useful information on these activities.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
