31 Mar 2014

Five Questions You Should Be Asking Your DR-as-a-Service Provider

Despite an increase in natural disasters in the last few years in Australia, disaster recovery (DR) planning is still not ranked highly on the agenda of most organisations. Most organisations view DR as an ‘expensive insurance policy’, and their investments are made solely for protecting the mission-critical systems and applications. The cost of an outage or downtime to a business in the event of a disaster is significant: one minute of downtime, according to Ponemon Institute, costs businesses on average $5,600. That’s before taking into account the various regulatory burdens on data that organisations need to manage, and how an effective disaster recovery solution is essential to ensure compliance. Partnering with a trusted IT service provider for Disaster Recovery and Continuity makes sense and allows various compliance issues around data management to be written into the SLA. However, there are still a number of questions an IT decision maker needs to be able to ask of his or her DR-as-a-service provider before pulling the trigger:
1) What is the risk if core applications are unavailable for any length of time and what steps do you take to understand how our business functions?
Risk profiles differ from one application to the next. Some applications cause catastrophic issues for a business if they’re unavailable for even a minute. Email, on the other hand, might be out for a day, and as frustrating and unproductive as that might be for the business, it’s not the end of the world. The DR-as-a-service provider needs to understand the risk profile of all the critical applications in your business, and the order in which they should be prioritised. So, one of the first questions that you should be asking your DR-as-a-service provider is “do you know my business well enough to understand where our potential pain points are?”
2) How are you protecting our applications and are they all protected to the same extent?
One of the biggest benefits of shifting to a cloud-based disaster recovery service is that the service can be customised, and there’s no need for the customer to take on an inefficient and potentially expensive one-size-fits-all DR solution. It’s possible to specify which applications need a quick Recovery Time Objective (RTO) and Recovery Point Objective (RPO). So when engaging with DR-as-a-service providers, one of the most important questions you can ask is: “are you able to sort my applications into Tier-1 through to Tier-4 applications, and adjust the RTO and RPO to suit my needs?”
3) Precisely what will happen to our key data in the event of a disaster?
With privacy and data laws in Australia tightening, DR-as-a-service is not just about getting applications back up quickly in the event of a failure; it’s also about securing key data. This data should be properly encrypted, and in the event of a failure your team should have access to the decryption keys and passphrases needed to access the encrypted backups. It’s important to nut out with your DR-as-a-service provider just how locked down the data is, how much is at risk, and what would happen in the event of an outage to ensure compliance.
4) How flexible is the contract?
As with every other cloud service, you want your DR-as-a-service to be flexible and able to scale. In the event that you need to move to a new provider (or bring the DR back in-house), it’s important that the transition process is seamless and nothing is lost in the process. IT teams often forget that the rapid pace of change in IT also affects the support structures, such as DR. It’s important that your DR provider is as flexible as it is with other technology.
5) What disasters are you guarding against?
Not all disasters will impact you to the same extent. Power going out in the office is a low-scale disaster. A flood hitting your building when you’re occupying the lowest floor of the building is on a different level entirely. Some disasters are caused by human error. Others are natural. Depending on the scale of disaster, your own DR-as-a-service provider will need their own DR processes. Having the DR-as-a-service provider in the same suburb, or even city, can be an issue in the event of a wide-scale natural disaster or city-wide blackout, for instance. So, when sitting down with your DR provider, be sure to figure out the precise scale and intensity of disasters that you’re looking for them to manage. It’s also important to be constantly checking in with your DR-as-a-service provider and running regular audits to ensure that, in the event of an outage, there are no nasty surprises, and that your IT team is fully prepared for what it will need to do next, in collaboration with your provider.