And the Thunder Rolls: All the Noise about Cloud and What that Means When Lightning Strikes

Disaster Recovery (DR) and Business Continuity Planning (BCP) continue to be driving factors for some organizations looking to move to cloud. Many are looking to manage their Disaster Recovery planning through extensive use of managed cloud services – and for good reasons. These are the most common benefits of leveraging cloud services for disaster recovery planning cited by cloud customers:

1. 1. I only have to pay for what I use. If I don’t declare a disaster scenario, my costs are nominal.
2. 2. I have flexibility with the amount of management my provider requires of me to maintain my DR from “full control” to “no control”.
3. 3. I can leverage a world-class redundant facility to provide the greatest assurance of business continuity in the event of a major event.
4. 4. I can keep my applications as up-to-date as I want, by defining my Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
5. 5. When I declare a disaster, I can rely on my cloud service provider for support rather than expect my staff to travel to a Disaster Recovery site for recovery work.

However, some cloud customers are not sure how their managed cloud service providers deliver redundant cloud environments, Disaster Recovery options, and Business Continuity Planning and execution. After all, not all cloud providers are the same.

Nobody wants to be left out in the rain when disaster strikes. The mistaken notion is, “It is all in the cloud; It must be highly available.” However, that is not necessarily the case. Here are some key questions to ask your managed cloud service provider about its cloud infrastructure:

1. To what level of redundancy do you maintain your cloud infrastructure within the primary location? N + 50%? N + 1? N x 2?
2. To what level of capacity do you maintain your cloud infrastructure Disaster Recovery services in the redundant location or locations?
3. Are Disaster Recovery or Business Continuity services included in my contract and managed cloud environment?
4. How am I billed during steady state?
5. How am I billed in the event of a declared disaster?
6. What are the options for providing the best Recovery Point Objective (RPO) and the costs associated with those options?
7. What are the options for providing the best Recovery Time Objective (RTO) and the costs associated with those options?
8. When I declare a disaster, what are the resources I can rely on to provide assistance to perform full recovery of services and data?
9. How often and to what extent are you willing to perform regular DR tests?
10. Are your cloud data centers diverse in the following manner:
    1. Are they geographically disparate?
    2. Do they have redundant power feeds?
    3. Do you maintain redundant circuits into diverse sides of the facilities?
    4. Is the network distribution to the cloud environment fully redundant?

Another common concern with Disaster Recovery and Business Continuity in the cloud is whether all of the policies, procedures and controls are maintained in the cloud environment when a disaster is declared. Most organizations maintain strict compliance with policies or regulations that could be violated if not maintained in the cloud environment. Here are the common questions regarding policies and procedures:

1. What processes are in place to be sure my data is synchronized?
2. What processes are in place to ensure changes are implemented consistently in all cloud node environments?
3. Are the environments run in an active/active, active/passive, or active/off-line configuration?
4. How often does the managed cloud service provider support DR testing?
5. Are all security measures mirrored in the redundant location, even when inactive?
   1. Auditing
   2. Logging
   3. Authentication and Authorization
   4. Encryption
   5. Security Event Correlation
   6. What options are there to maintain development, quality assurance, and Disaster Recovery environments with version control?
   7. What processes and services are available to ensure a smooth recovery to primary location after the disaster is over, if necessary?
   8. What is the sustainability of the DR environment? Is the DR environment architected to provide degraded or minimal performance?
   9. Are the same compliance controls provided in all Cloud node environments (e.g., SAS70 in every Data Center)?
   10. What processes are in place to maintain backups during disaster declaration, and synchronize backups and restore the backup processes to normal after restoration of services to primary location?

Disaster Recovery and Business Continuity Planning can be extremely difficult to manage and maintain. However, the right managed cloud service provider can ensure that your environment is fully protected, your systems remain available and accessible, and you recover seamlessly when disaster strikes.

Allen Allison, Chief Security Officer at NaviSite (www.navisite.com)

During his 20+ year career in the information security industry, Allen Allison has served in management and technical roles, including the development of NaviSite’s industry-leading cloud computing platform; chief engineer and developer for a market-leading managed security operations center; and lead auditor and assessor for information security programs in the healthcare, government, e-commerce, and financial industries. With experience in the fields of systems programming; network infrastructure design and deployment; and information security, Allison has earned the highest industry certifications, including CCIE, CCSP, CISSP, MCSE, CCSE, and INFOSEC Professional. A graduate of the University of California, Irvine, Allison has lectured at colleges and universities on the subject of information security and regulatory compliance.