Disaster Recovery as a Service (DRaaS)

Companies are in­creas­ing­ly building their IT in­fra­struc­ture in dis­trib­uted cloud en­vi­ron­ments these days. It’s con­ve­nient, but what if something goes wrong? Disaster recovery, as part of business con­ti­nu­ity man­age­ment, has an important role to play in keeping business processes running. With Disaster Recovery as a Service (DRaaS), the backup of critical systems is out­sourced to a spe­cial­ized partner.

Disaster Recovery as a Service (DRaaS) is a managed IT service. DRaaS is a special case of disaster recovery. “As a service” indicates that the task is assigned to a third party as a service. Disaster Recovery as a Service is one of the most popular and fastest growing IT services in cloud computing.

Disaster recovery is an integral part of business con­ti­nu­ity man­age­ment (BCM). BCM includes plans and prepa­ra­tions to ensure that business processes can continue in the event of a partial or complete failure of critical systems. The task of disaster recovery is to restore systems back to their normal operating state. A Business Con­ti­nu­ity Plan (BCP), which describes the com­po­nents and processes of BCM, is fun­da­men­tal. Let’s take a look at the three main com­po­nents of the BCP:

Cloud disaster recovery (cloud DR) is in­creas­ing­ly being used today as part of the disaster recovery strategy. With cloud DR, the data necessary to recover affected systems is stored in the cloud instead of on physical mass storage on site. Cloud disaster recovery offers many ad­van­tages over tra­di­tion­al backup methods and is becoming the standard.

A char­ac­ter­is­tic of disaster recovery (DR) is that a company only needs it in an emergency. If damage or loss occurs, DR needs to be seamless. When every­thing is operating normally, however, disaster recovery isn’t so important and kind of fades into the back­ground. This means there is the danger of DR being neglected; after all, you don’t need it as long as nothing goes cat­a­stroph­i­cal­ly wrong.

Poorly planned disaster recovery poses a great danger to companies. If critical systems fail, this can result in high costs. Industry estimates range from $100,000 to $1,000,000 per hour of downtime. There are a number of reasons why systems fail, or data gets lost. Let’s take a look at the most common scenarios.

The following incidents can lead to serious in­ter­rup­tions in op­er­a­tions, which make disaster recovery necessary:

• Power failure on the premises
• Hardware and network failures
• Software and IT system failures
• Failure of the company’s own data center
• Attacks directed against IT security

There can be various causes for this:

• Human error
• Malicious acts
• Natural disasters and fire
• Theft of IT equipment and data carriers
• Defective hardware or software

In all these cases, if a company has not taken pre­cau­tions, the con­se­quences could be extremely serious.

The most important rule with regard to business con­ti­nu­ity man­age­ment (BCM) and the disaster recovery it involves is that it must be well planned from the outset. If you don’t think about it until the damage has already been done, it’s usually too late. Here’s a simple example to il­lus­trate the point: you have photos with sen­ti­men­tal value stored on your laptop. If the laptop is stolen, the photos are gone. Only if you’ve taken pre­cau­tions and have carried out regular backups on an external medium or in the cloud, do you still have access to your photos.

The 3-2-1 rule has long been the standard for creating backups. It states that three versions are kept for all data: the original plus two copies. In other words: double re­dun­dan­cy. One copy is kept on a separate data carrier, but on the same premises as the original (on-site backup). The second copy is stored at a phys­i­cal­ly remote location (off-site backup).

Disaster Recovery as a Service focuses on the con­tin­u­ous repli­ca­tion of business data and systems. This goes beyond simply creating data backups and includes all critical in­fra­struc­ture, systems, ap­pli­ca­tions, and data. The goal is to be able to return to the original state as quickly as possible in the event of failures. After all, per­sis­tent failures can result in high costs.

Two metrics have become es­tab­lished to char­ac­ter­ize DRaaS ap­proach­es. The “Recovery Time Objective” (RTO) and “Recovery Point Objective” (RPO) are de­ter­mined according to the re­quire­ments of the specific company. Ap­pro­pri­ate measures are used based on these:

To keep the recovery time objective as small as possible, so-called failover sites are used. These are complete mirrors of critical systems that can be used if something happens to the originals. This ensures that business op­er­a­tions can continue until the original systems are back up and running.

Many providers nowadays have Disaster Recovery as a Service in their program. Re­gard­less of which provider you obtain DRaaS from, what’s offered can be divided into three major types. DRaaS offerings differ mainly in the degree to which the customer is connected to the provider:

What all DRaaS offerings have in common is that the provider has special disaster recovery tools available. These are aimed at mirroring entire IT en­vi­ron­ments including all the com­po­nents. The scope ranges from data and ap­pli­ca­tions to networks and complete systems. Servers and end devices are backed up across operating system bound­aries; this includes files, databases, virtual machines, and con­tain­ers. Once mirrored, the com­po­nents are made available in the event of damage to replace the systems that are down.

Multiple backup des­ti­na­tions are usually used to back up the data. Following the 3-2-1 rule, at least one of the backups is ge­o­graph­i­cal­ly remote. Depending on the design of the DRaaS model used, the remote backup target is a local data center or a cloud-based storage medium. Fur­ther­more, hybrid ap­proach­es can be used. As with backup, data recovery is based on physical, vir­tu­al­ized, or cloud-based storage media, depending on the de­ploy­ment. Data trans­ferred over the network is encrypted for transport.

In addition to re­cov­er­ing affected data and systems, pro­fes­sion­al DRaaS offerings often include another essential business con­ti­nu­ity feature. With cloud-based “failover en­vi­ron­ments”, a re­place­ment system is put into operation when a system is down, allowing users to continue working with minimal dis­rup­tion.

To monitor the protected systems and control the backups and failover en­vi­ron­ments, most DRaaS offerings have man­age­ment consoles. These are usually web-based ap­pli­ca­tions that are used via the browser. This means that it is still possible to access the console in the event of loss and this also works from mobile devices. Some DRaaS offerings also include a VPN function for accessing secured data and failover en­vi­ron­ments.

Since the de­vel­op­ment of network tech­nol­o­gy and the con­nec­tion of servers to public networks such as the Internet, there have been many attacks on company IT in­fra­struc­tures. Usually, ad­min­is­tra­tors and tech­ni­cians protect systems against unau­tho­rized access and denial-of-service attacks. In recent years, another par­tic­u­lar­ly worrisome type of attack has emerged where cyber criminals infect a device with so-called ran­somware, also known as a “crypto Trojan”. This software nests on the device and encrypts the data there. Once encrypted, the actual users can no longer access the data and are asked to pay a ransom.

Crypto Trojans pose a serious threat today. Even con­ven­tion­al backups do not offer any pro­tec­tion, as they are encrypted and therefore rendered unusable in the event of an emergency.

In the course of the new threat situation, ran­somware pro­tec­tion has es­tab­lished itself as an important feature of DRaaS solutions. This involves the use of another copy of all backed-up data. This is marked as “immutable”. Once written, the data can be read again and again, but not changed. This is also referred to as the “Write Once, Read Many” or WORM model.

Before DRaaS came about, there were already backup-as-a-Service (BaaS) solutions. However, simply backing up data is no longer enough these days. A company should con­tin­u­ous­ly mirror data and systems so that they are im­me­di­ate­ly ready for use in case of any in­ter­rup­tions in business op­er­a­tions. Like all tech­no­log­i­cal de­vel­op­ments, there are ad­van­tages and dis­ad­van­tages to DRaaS. We look at these with par­tic­u­lar reference to tra­di­tion­al backup solutions. First, let’s look at the benefits of Disaster Recovery as a Service.

Disaster Recovery as a Service is a cen­tral­ized approach. All data and systems are backed up con­tin­u­ous­ly. Most of a company’s data is easily forgotten dark data. Backing up all data using con­sis­tent methods reduces the risk of data being over­looked during backup or recovery or being lost if something goes wrong. Since multiple versions of backed-up data are usually kept, DRaaS is also an important step toward meeting au­ditabil­i­ty.

Following the 3-2-1 rule, at least three copies of any data should be kept, one of which should be an off-site backup. Using DRaaS with the cloud as the target of the off-site backups results in a shorter recovery point objective (RPO). As a reminder, the RPO defines the amount of time between two backups of the same data. Using cloud-based failover systems as part of DRaaS results in sig­nif­i­cant cost savings. Tra­di­tion­al­ly, to provide com­pa­ra­ble capacity, redundant hardware resources had to be kept on hand as a backup in case of disaster.

Unlike Backup as a Service, Disaster Recovery as a Service includes not only the backup of data, but the mirroring of complete systems. In par­tic­u­lar, this also includes the backup of virtual machines and ap­pli­ca­tion con­tain­ers, which are the basic building blocks of modern IT ar­chi­tec­tures. During recovery, the entire system is assembled from these in­di­vid­ual com­po­nents. In order to correctly resolve the in­ter­de­pen­den­cies of the in­di­vid­ual com­po­nents, DRaaS solutions allow the sequence of the in­di­vid­ual recovery steps to be defined. This is par­tic­u­lar­ly essential for the wide­spread mi­croser­vice ar­chi­tec­ture.

Now let’s look at the dis­ad­van­tages of Disaster Recovery as a Service. First, note that DRaaS usually costs more than Backup as a Service. However, DRaaS solutions also perform sig­nif­i­cant­ly better, making the direct price com­par­i­son lopsided. As with all X-as-a-Service services, DRaaS is at risk of vendor lock-in because you re­lin­quish control to a vendor and become dependent on them. The loss of data sov­er­eign­ty must also be mentioned as a potential dis­ad­van­tage of DRaaS solutions. Here, the location of the DRaaS provider plays a decisive role.

Disaster Recovery as a Service is available from many cloud service providers. There are also es­tab­lished providers that spe­cial­ize in disaster recovery and backup solutions. Backup as a service is also provided by managed service providers or in special cases im­ple­ment­ed by software houses.

To find the right DRaaS provider, follow these steps:

1. The first step is to survey the current situation and determine the scope of the data and systems that need to be backed up.
2. The next step is to define your own re­quire­ments and goals. In par­tic­u­lar, recovery time objective (RTO) and recovery point objective (RPO) for the data, ap­pli­ca­tions, and services involved.
3. If you know how your own in­fra­struc­ture is set up and are aware of your own re­quire­ments and goals, you can move on to selecting providers you like the sound of. In addition to the technical ca­pac­i­ties, the com­pli­ance of the providers with es­tab­lished spec­i­fi­ca­tions as well as a fair and com­pre­hen­si­ble price structure are par­tic­u­lar­ly important here.
4. From the can­di­dates you’ve picked out, the ap­pro­pri­ate provider must now be selected. It makes sense to carry out tests to put the providers through their paces and check out their technical ca­pa­bil­i­ties.

Let’s take a look at the key bench­marks that a pro­fes­sion­al DRaaS provider should meet.

Fun­da­men­tal to a DRaaS solution is the automatic, con­tin­u­ous backup of critical data and systems. Backup should work across operating systems and cover all critical data types. This includes files, databases, server en­vi­ron­ments, and end-user devices, as well as vir­tu­al­ized en­vi­ron­ments in virtual machines and con­tain­ers. Con­tin­u­ous Data Pro­tec­tion (CDP) backs up the state of an entire data center with gran­u­lar­i­ty down to the second.

Before trans­fer­ring to the DRaaS provider, the data collected during storage must be au­to­mat­i­cal­ly encrypted. The backup data and systems should be con­stant­ly checked for errors and de­vi­a­tions in an automated manner. Redundant, globally dis­trib­uted systems should be used to store the data.

In the event of loss, the DRaaS provider should provide at least two services. The first is to restore the affected systems - the recovery must include all essential data, ap­pli­ca­tions, and systems. When selecting a provider, bear in mind that a recovery in multi-cloud en­vi­ron­ments may be necessary. Secondly, the DRaaS provider should employ failover systems during the recovery so that op­er­a­tions continue with minimal in­ter­rup­tions from the user’s per­spec­tive.

Beyond these basic re­quire­ments, it is advisable in view of the current threat situation to choose a DRaaS provider whose offering includes anti-ran­somware. Customers with ex­or­bi­tant re­quire­ments for the amount of data to be stored should consider this when choosing a provider. Trans­fer­ring enormous amounts of data over the Internet can take several years in extreme cases. Much too long for a target-oriented recovery. In these cases, special mobile data storage devices are used, such as the famous “Amazon Snow­mo­bile”: