Business continuity is an area of increasing complexity in the current multi-cloud IT paradigm. In the old days, we used backups to protect against ‘localized’, limited-impact data loss, like a single system crash, and small-scale data loss. On the other hand, disaster recovery is a set of plans and technical capabilities that help restore entire systems and datacenters after a critical failure.
What constitutes a critical failure and thus a disaster is really up to the individual organization; there are no fixed rules. It can be anything that interferes with normal business operations in a way that threatens the financial continuity of a business, ranging from a single, but critically important data set or failed system, system-wide corruption, network outage or datacenter failure, but also includes planned and unplanned downtime due to system maintenance.
Back in the day, all of our data was neatly stored in a single, well-defined physical location: your own datacenter. Every application, and every piece of data was simply there. Things were neat, clear, clean and well-defined. It ran a single (or a limited number of) technology stack(s) based on products for compute and virtualization, storage, backup and DR that were well-integrated. It was a fairly trivial task to select the right backup and DR solution, and things were orderly, clearly structured and fairly simple to understand.
And sure, files could get lost, applications went down occasionally and data corruption was a risk, but it wasn’t anything a simple but sound backup and DR strategy couldn’t handle. They protected against loss of data due to accidental or purposeful deletions and loss of systems and the entire datacenter with another datacenter on stand-by: the business was ‘insured’ well enough to handle the risk.
But in a SaaS and cloud world, your data isn’t neat, clear, clean or in an identifiable, well-defined location. Instead, your data lives across on-premises datacenters, a patchwork of SaaS services, and scattered across public cloud computing accounts. There’s no longer a single bucket with everything in it, if you will.
With that, is that on-premises focused backup and DR strategy even relevant today? As you can imagine, business continuity is becoming a substantial challenge with the proliferation of cloud services fragmenting data across many different locations, datacenters and services.
For starters, the lines between backup and disaster recovery are blurring due to the increased use of managed services, cloud services and SaaS. In many cases, your data and applications no longer run in a datacenter of your own, but rather in a public cloud or hidden away by the SaaS vendor. So, disaster recovery is no longer something you control, but rather something that is inexplicably and uncontrollably part of the deal.
In best-case scenarios, you can choose between a bronze-silver-gold service level of protection, and if you’re lucky, the vendor actually tells you what their disaster recovery plan for your data is.
The emphasis in the previous sentence should give you a hint about the challenges of disaster recovery and backup, though. Even though using a SaaS, public cloud or managed service provider is great for many operational, financial and functional reasons, you still need a sound backup and disaster recovery strategy to cover outages of regions or even an entire SaaS vendor going dark. And with SaaS in particular, you are responsible to protect your data. Out of the box protection from a SaaS vendor simply isn’t enough.
Because the shift to using someone else’s computer (or someone else’s application service), data protection as a whole is a lot harder now than it used to be, but also a lot more important to get right.
Because remember, it’s your data, and it’s your business being dependent on that data and applications. If we zoom out a little, and talk about data protection instead of backup or disaster recovery, we can simply, unequivocally conclude that yes: you need a data protection strategy that encompasses backup and disaster recovery across on-premises, managed services, public cloud and SaaS.
And we’re still protecting against the same basic risks of business continuity: data loss and systems loss, but the definitions stretch and flex along with the service boundaries of public cloud, managed services and SaaS.
For instance, you still need a copy of your data for disaster recovery purposes, even if the SaaS application already has a backup in place that covers day-to-day risks of data deletion or corruption. Because what happens if the SaaS vendor has an extended, unplanned outage due to ransomware, goes out of business, or you end up in a legal battle? The fact that you own your data is meaningless if you have zero control or access. While it’s great that the vendor has basic backup in place, you still need your own disaster recovery plan with a copy of your data on infrastructure under your own control.
What about when your vendor doesn’t have a backup or disaster recovery in plan at all? Many public clouds do not have such provisions at all for VM-based services (like AWS EC2). In those cases, you are entirely responsible for backup and disaster recovery, just like the old days. The difference? You no longer have access to the underlying infrastructure and network, complicating the technical design and capabilities.
And while you can assume the public cloud provider offers at least some protection against natural disasters and other physical threats, most of the responsibility is shifted to you, the customer. Luckily, most clouds have additional paid services for resilience, where you can protect workloads and data by spinning up those resources in another of their datacenter locations. It does still mean you’re on the hook for designing, planning and executing those disaster recovery plans, though. Providers shift this responsibility entirely to you.
We come to the conclusion that traditional, datacenter-focused backup and disaster recovery systems are on their way out. Instead, we need a data protection strategy that focuses on IT resilience with the ability to protect data anywhere, spin up copies quickly to cope with public cloud failures, and protect data across the SaaS patchwork.
The key in a sound data protection strategy is resilience. If a disaster recovery or data restore takes a long time, business processes still suffer. Being resilient means being flexible and to restoring data and applications quickly, to existing or new cloud accounts. That requires a data protection solution that encompasses backup and disaster recovery across on-premises and public cloud.