There are many good reasons to invest in disaster recovery as a service (DRaaS) - not least because it wipes the floor with traditional disaster recovery (DR) in terms of cost and resource spend, and without much in the way of trade-off.
However, there are also reasons to be wary about who you buy DRaaS from. In order for a DR environment to function as intended, it needs to be resilient to a wide range of risks - and not all of those risks are geographical or operational.
Critically, you need to understand supplier risk. Many established cloud hosting providers now offer DRaaS, backed up by the same availability SLAs and resilient infrastructure as their core offerings. If, however, you buy DRaaS from the same provider you use for your day-to-day production environment, you could be undermining your DR capabilities without knowing it.
The importance of supplier resilience
Let’s say your cloud hosting provider has multiple sites with diverse power feeds and network connections. It’s not unreasonable to want to make use of that to some extent. Nonetheless, it’s not where the sum total of your DR environment should live.
Why? Because it’s next to impossible to guarantee that your provider won’t run into their own problems - such as financial ones - that affect their ability to honour your contract and grant you access to your data, wherever that data lives.
Yes, this is a worst-case scenario, but DR, fundamentally, is about protecting against worst-case scenarios. More importantly, it’s not unheard of for a managed services provider to fail in a way that has catastrophic consequences for its customers.
Perhaps the best-known UK example is 2e2, the collapse of which in 2013 led to a protracted period of uncertainty for its data centre tenants. At one point, administrators seemed almost to hold customers to ransom before Daisy Group stepped in to take control of the 2e2 facilities. A year later, former project services director Sam Simpson wrote a post-mortem that included the following lessons for customers:
“Don’t run live and DR services hosted with the same supplier... Several notable customers did just this with 2e2 and were completely at the mercy of the administrators.”
“Don’t believe that contract clauses covering ‘termination for administration’ will be honoured or will assure prompt access to your equipment and data. The 2e2 debacle demonstrates that you will likely face a protracted battle to gain access to your equipment.”
At the end of the day, the purpose of DR is to ensure your data can be recovered whatever happens to your premises or primary provider and can be restored within an acceptable timeframe. DRaaS reduces the burden of that to some extent, but there’s still an onus on customers to perform due diligence and build resilience into their supplier base as well as their infrastructure.