Everyone seems to be talking about “the cloud” these days. Unfortunately, that is a REALLY broad term! So, let’s take a closer look at what “the cloud” really means, and then examine some key questions that continuity professionals should ask both their organization and cloud provider when the topic of cloud-based applications and recovery comes up.
“The cloud” is an umbrella term most-often used to refer to an on-demand application delivered over the internet. In this case, on-demand means that the cloud application will automatically scale to accommodate end-user usage. The cloud should not be confused with hosted solutions, which involves an organization simply housing its application at a third-party data center while the hosting organization only maintains responsibility for the physical environment and hardware availability.
In addition, while most clouds are external to your organization, delivered over the internet and accessible from anywhere, some clouds are private and/or internal to your organization. As an example, your organization’s infrastructure group may choose to build an internal, private cloud for hosting in-house applications. In this case, any in-house applications would only be accessible, internally, while using the organization’s network or, externally, via VPN access. However, for the purposes of this article, we’ll focus on the most common cloud use – the on-demand delivery of an application over the internet. This is also commonly referred to as Software-as-a-Service (SaaS).
Organizations considering cloud software (or SaaS) should consider a number of issues before determining if the cloud is right for their organization, or even after having moved technologies to the cloud to help determine risk mitigation steps. These considerations include:
- Do we understand the continuity requirements of this application?
In this regard, SaaS applications should be treated similar to any other application during a business impact analysis. Based on business need and management objectives, what is the amount of tolerable downtime and data loss for this application?
- Can the cloud/SaaS vendor contractually meet our continuity requirements?
This is a tough question to get a complete answer to! The first answer you receive will likely be the vendor’s service level agreement (SLA). However, it’s important to note that most SLAs do not address disaster scenarios, and instead, are written to address the availability of the application due to network or hardware issues (essentially, the issues solved by traditional, single data center high availability solutions). So, while 99%+ uptime SLAs are common in cloud computing, they are almost always limited in their applicability to disaster recovery. Why? Because the penalties associated with SLAs are typically capped at one month’s service fees. As a result, if your cloud-based application goes down for a week or two, you’ll get a month of free service. Unfortunately, that same downtime could cost your organization millions, depending on the application involved. Point being, your SLA isn’t enough! Your organization needs a contractual recovery time objective that involves recovery at alternate site, along with a requirement to test that capability regularly (twice a year or more) and provide you a copy of the results.
One alternative for cloud providers to simplify the process of demonstrating effective disaster recovery capabilities is to obtain an organizational business continuity certification, which demonstrates, through independent audit, that contracted recovery times are tested and achievable. ISO 22301, NFPA 1600, and ASIS SPC.1-2009 are three standards available for certification today under the Private Sector Preparedness (PS-Prep) initiative of DHS. A SAS 70 Type II audit is another common tool used to demonstrate controls; however, it is nearly always used to demonstrate controls at a single site, such as high availability, and almost never addresses disaster recovery at an alternate site.
— (The above section was updated in 2014 to reflect changes in the business continuity standards landscape since the original publication of this blog post.) —
As you begin assessing your needs and vendor capabilities, some additional points to keep in mind include:
- Remember that some cloud/SaaS applications are more important than others. As you pursue each application, remember to prioritize and start with those deemed most critical – similar to how you approach your internal applications.
- Spend some time thinking about the vendor’s perspective. The government, regulatory agencies and non-profits provide some cloud applications, and they will have a harder time providing assurance around a recovery capability compared to a credit card processor, for example.
- Make inquiries regarding optional disaster recovery solutions offered by the vendor for additional fees. If disaster recovery options are unavailable and the application is critical to your operations, you may choose to avoid the vendor since you will not have the option to implement your own solution, as the third-party owns the application and hosting.
Cloud computing and SaaS can significantly simplify an organization’s IT environment while also providing cost-savings. However, your organization should continue to pursue business continuity and disaster recovery solutions regardless of whether an application is in your data center or in “the cloud”.
Avalution Consulting: Business Continuity Consulting