Subscribe
About

Going beyond backups

It’s time to put your disaster recovery plan to work.
By Tamsin Mackay
Johannesburg, 11 Jul 2024
JJ Milner, MD of Global Micro Solutions.
JJ Milner, MD of Global Micro Solutions.

It’s an interesting dichotomy – disaster recovery (DR) is one of the most important, but neglected aspects of backup preparedness. Even though cloud’s scaling and affordability has made DR somewhat less daunting, particularly if everything is configured properly on the front-end, unavoidable disasters can happen. You need an ironclad DR plan or, at the very least, managed disaster recovery, also known as Disaster-Recovery-as-a-Service (DRaaS). For JJ Milner, the chief cloud architect and MD of Global Micro Solutions, it’s about business continuity. Privacy rules such as GDPR and PoPI require businesses to protect personal data and notify regulators of data breaches within a certain timeframe. Complying with these regulations means having a business continuity plan, “and you can’t do that without a good disaster recovery plan,” says Milner.

While it’s easy to say DR should include a step-by-step plan that addresses each type of downtime or disaster, Milner says that DR is different for every customer. “You practise until you get good at it. That, for me, is the best kind of plan.

“You’ve put it into practice a few times and you’ve learned from it. You’ve built up muscle memory so that no matter where you start, if you do it enough times, it will expose all of the weaknesses in your assumptions,” he says. Global Micro Solutions uses a number of business continuity services, but DR is something that also runs internally. “You cannot treat DR as a checkbox; it should be treated as a learning exercise. So even when we don’t have a successful test, we look at what could have been done better,” he says.

A seamless failover

If anything, a DR plan should be pragmatic. Even though a cyber incident could take your infrastructure offline, there are other disasters to take into account. Doing weekly disaster tests for customers as well as monthly real-world failovers, Milner says that only 10% of DR issues are cyber-related. A great example is the pandemic, when South Africa declared a national state of disaster and, almost overnight, employees were told to go home. “We declared a disaster on the Friday and staff needed to go home… but none of our female staff could carry the UPS devices that we made available. Nobody had thought about this in the rehearsals, no one had picked up their desk before and gone home,” he laughs. “This is a reminder that you can always do better. There are a lot of things that will catch you out in your life, so when you practise, don’t just do virtual sessions – do real-world scenarios.”

One of the biggest challenges with DR is reliable and effective backups. For DR, it’s not only important to know how frequently backups occur and where they are stored, but being able to access them when disaster strikes. With the cloud, there is often confusion around who is responsible for what. Organisations often assume that cloud providers will handle data security when migrating workloads to the cloud, but this isn’t entirely accurate. While cloud providers do implement robust security measures, it’s still the responsibility of the business to ensure its data is protected through proper configurations, access controls, and regular security audits.

Steve Porter, head of business development of Metrofile, explains that what cloud providers offer is a toolkit, but it’s up to the customer to ensure their data is backed up, and “that they have disaster recovery plans.

“Your data is your responsibility,” he says. “Sure, you can have multiregion failover or you can have a relational database service cluster on your secondary [instance], but each one of those is a tick box that raises the price of cloud.” He adds that with backups, the most important part of a DR plan is seamless failover. He compares DR to driving down a highway. If your car stops and you’re in a panic, a good DR plan means having an identical car pull up next to you, “with the same engine, same mileage, same upholstery”.

“You hop in and drive and as soon as everything comes back online, the same car appears to your left and you hop back in. It’s seamless,” he says. The one thing he sees regularly is that with the cloud, IT managers assume their data is going to be safe when it isn’t. “And there’s zero comeback. You’re sitting on a customer support call with the assumption that they can help you, but nine times out of 10, they actually can’t,” he says. “It’s a major concern, especially for the SME that cannot face a loss of revenue – it hurts their bottom line so quickly.”

According to a study conducted by IBM focusing on large enterprises, the average revenue cost due to an unplanned application outage is estimated to be in excess of $400 000 per hour.

“Setting that recovery point objective – how far back in time you need to be able to restore data from backups – very quickly identifies whether that architecture meets the requirements.”

JJ Milner, Global Micro Solutions

Porter recommends starting off with the simple things. First, back up your data. Next, have cybersecurity at the endpoint level and, thirdly, if you have critical business applications, you need a DR plan. A DR plan has to be tested, he adds, but must also be well-documented. “I mean reams of paper so when it hits the fan, you know the triage process,” he says. “If your organisational structure changes or your processes change, then it must be in the document.”

Milner agrees. “Every plan should have step-by-step central recovery point objectives. You need to ask how much data you’re prepared to lose.” What Milner has seen with continuous testing is that businesses often realise that they haven’t architected for what they need. Backups can fail, which is why, for certain industries, continuous transactional backups are often a better approach. “Setting that recovery point objective – how far back in time you need to be able to restore data from backups – very quickly identifies whether that architecture meets the requirements,” says Milner.

WILL AI SAVE THE DAY?

Like every other industry, the integration of AI and machine learning (ML) has shifted how disaster recovery is approached.

“More and more backup vendors are collaboratively engaging with cybersecurity technology partners to bring in the element of ML and AI through analysing behaviours and characteristics. They look for evolving threats and ensure these solutions are constantly updated to meet them,” says Byron Horn- Botha, business unit head at Arcserve Southern Africa.

AI is changing data backup and recovery, with cloud providers like AWS, Azure, and Google Cloud using algorithms to transform these processes. These algorithms prioritise data based on its importance and dynamically schedule backups. By predicting potential failures, they can prevent data loss before it occurs. “That’s one component. The other is AI is drafting DR plans and that is a risky business,” warns Horn-Botha. He says that an AI-generated DR could contain loopholes or create a one-sizefits- all plan. Each organisation’s infrastructure, data and operational priorities are different, meaning a generic plan may not address specific vulnerabilities. And loopholes in AI-generated DR plans could be exploited by cybercriminals.

“A plan generated by AI will most certainly not be fit for purpose for your organisation as it’s not going to consider what all the stakeholders require,” says Horn-Botha. “It may have intelligence, but lacks the why, what, when, who and how. Only your organisation can provide these answers through years of experience and understanding of your environment.”

DRAAS AT A GLANCE

Small and medium-sized businesses may find that DRaaS, or Disaster-Recovery-asa- Service, is the best option because it’s far less expensive to outsource disaster recovery than to manage it internally. According to a report by the Aberdeen Group, the average cost of downtime is approximately $260 000 per hour for small businesses. A proper DRaaS solution should ensure that there’s minimal disruption in the event of a disaster.

There are three types of DRaaS models to consider:

01. Managed DRaaS

Managed DRaaS outsources disaster recovery to external experts. This model requires close collaboration between businesses and DRaaS providers to ensure that infrastructure, applications and services are kept up to date. It’s a good choice for those who lack the expertise or time to manage disaster recovery themselves.

02. Assisted DRaaS

Assisted DRaaS is for businesses that want some control over their disaster recovery strategy. In this model, the business handles certain aspects of disaster recovery while the service provider offers support and expertise. This combines in-house capabilities with professional assistance.

03. Self-service DRaaS

Self-service DRaaS is often the most cost-effective option. Here, the business is fully responsible for planning, testing, and managing disaster recovery. The provider supplies the necessary backup management software and hosts backups and virtual machines in remote locations. Major cloud service providers like AWS, Azure, and Google Cloud offer this model, making it accessible and scalable for businesses of all sizes.

* Article first published on brainstorm.itweb.co.za

Share