The importance of efficient and secure cloud backup and recovery is often underestimated. Mike Small explains these two disciplines to Matthias and looks at the market of available solutions on the occasion of his recently published Leadership Compass. He also provides valuable guidance on what a strategy and its successful implementation can look like in this area.
Hi, Matthias, thanks for inviting me.
Great to have you, and we are talking today on the occasion that you've just recently published a new Market Compass document, which covers an area which is really interesting to me and I really want to learn more about. You did it about cloud backup and disaster recovery. So a Market Compass showing an overview of the market of the products and services that are around there. But as a first start, I think having a backup ready is more or less a truism in IT. So why is it so important that organizations back up their data in the cloud especially?
OK, so having a backup is something that has been necessary ever since the dawn of computing. And originally it came as being necessary because of the unreliability of the systems. Now, clearly, if you've invested a large amount of money in processing data using computers, it's something of a disaster if you lose data for various reasons. In modern times, the problems have become more related to cybercrime and major disasters. For example, one of the major areas that a backup is important to protect against is, of course, ransomware, and organizations are now increasingly suffering the threat of ransomware because the cybercriminals have realized how important data is to an organization, and so how vulnerable they are to paying ransom if access to that data is denied. And so having a way of recovering data when the unexpected or the unwanted happens is an absolutely essential part of an organization's business continuity strategy.
Right, but now that more and more solutions, more and more infrastructure is moving to the cloud, does the cloud not necessarily also take care of backups? Is this nothing this service as a whole usually provides as well?
Well, this is one of the big misunderstandings around the use of cloud services. Depending upon exactly which kind of cloud you are using, the cloud service provider will have different responsibilities for taking care of your backup if the worst happens. So if you consider something like infrastructure as a service, lots and lots of people are using object stores like Amazon S3 or Microsoft Blob Store and so forth. Now those stores provide an incredibly high level of availability. However, if you delete the content of your bucket, it is gone. You deleted it. And even if you did it by mistake, the organization, the cloud service provider, is not responsible for bringing it back. So if you look at infrastructure as a service, basically the responsibility of the cloud service provider is to keep the service running, and your responsibility is to make sure you keep your data safe. If you are using software as a service, such as the various productivity tools like Office 365, there is a slightly different perspective. This works rather more like your PC, in that if you delete a file, it goes into a temporary storage where it's held for a period usually of 30 days. If you delete it from that temporary storage or if you forget about it for 30 days, it's gone and you can't get it back. And so some organizations have been compromised or their data has been lost, either because they deleted it by mistake or because a malicious employee understood what was happening and deleted all the data and then deleted it from the back... from the recycle bin. And so in effect, just because you're using the cloud doesn't necessarily mean that you are going to have all your data protected against all eventualities.
Right. Having data protected. So protection can be looked at from different angles and the title of your Market Compass is comprised of two parts. It's cloud backup and disaster recovery. So is this the same market segment and how do these two aspects differ? What's the difference between cloud backup and cloud disaster recovery?
OK, so obviously, the most important element of organizations' use of IT services is the data that they hold and they process. So being able to safeguard that data and recover it when certain kinds of things happen is a good starting point. But often the disasters go beyond simply losing the data. You can lose access to the systems or the services as well. And indeed, in the last twelve months or so, there was an example of a major fire at a data center that was providing cloud services. And although the cloud service provider did its best to try and restore services, there was a delay in recovering the services for the organization. So disaster recovery depends upon you having a backup, but it is more than having a backup. So disaster recovery is about, first of all, being able to restore the data from your backup of data. And secondly, it's being able to recover the services. And since most of the services are represented by pieces of data, that data could be a snapshot of the VM. It could be a snapshot of the database or of your application. And so bringing that application back online is an important element. And to do that, it means that your backup has to cover more than just raw data. It has to include all of the parts that are needed to restore the service.
So if we're looking at that market segment of cloud backup and disaster recovery, that of course, has the implicit notion that the cloud is the place where backups take place. So how does the cloud help with backup and disaster recovery? Are cloud solutions here providing a new way of dealing with backups?
OK, well, so, traditionally, when you were taking backups, there was a kind of a rule of three that you had to not only have a single backup. You had to have enough backups to cater for the fact the backups themselves may be destroyed. And indeed, what a lot of organizations used to do was they used to move data around physically. So you would have a backup on premises and you might actually send a backup to a remote site where it will be put in a fireproof safe. Now, all of that movement introduced risk. And one of the interesting things is that, of course, the cloud services provide a widely spread set of resources that are maintained to a very high level of availability, and so it quickly became obvious that one of the places you could store your backups was in a cloud service. And indeed, that has become a very good solution for many organizations and for many circumstances. So this means that if you want to be able to do away with the need to send your backup media around the world, physically, you can actually just move them to a cloud service. And many of the cloud services now provide interfaces, which make it really easy for a traditional backup on site to back up to the cloud. A second part of all of this is that the cloud also provides a component of a disaster recovery solution. So that if, for example, you not only lose your data but you lose your service, say, for example, your data center is compromised, there's no power or it burns down or whatever. Then if you had put your backup data into the cloud, then you can actually, by doing the right things, you could arrange that your service then restores from the cloud, and so the cloud provides both the ability to hold the data and to provide a disaster recovery. And indeed, the second part is one of the reasons why a lot of organizations use the cloud. 
Because to have two data centers if you're running things on premises is very expensive, but to have a cloud disaster recovery strategy, which means you can fail over to the cloud if you need is a much cheaper option.
Right. We as advisers, we have invested lots of time and worked with many customers in understanding what compliance challenges come with processing data in the cloud. Of course, us being based in Europe, of course, we need to adhere to the GDPR and moving data outside of the European Union and its premises might be a problem when processing data. Does the same hold true for just storing backup data in the cloud? Are there any compliance challenges that we have to look at when using cloud backup?
Well, yes, and again, what precisely those challenges are depends upon the industry you're in and the regulations that you have to abide by, and certainly privacy is one of those challenges and GDPR is that. But another challenge that you need to consider is to do with the length of time that you need to store that data. So many industries demand that you store data for decades. And so you need to take care of both of those kinds of aspects from the perspective of privacy regulations. Then looking at GDPR in particular, what a lot of people have not realized is the true implications of the Schrems II judgment. And the Schrems II judgment, effectively within organizations that are holding data relating to EU residents, that moving that data out of the EU poses challenges that cannot simply be answered by contracts, by legal contracts, that you have to take technical measures. And in the case of a backup, those technical measures include encryption, but not just encryption, but also retaining complete control over the secrets that are needed to perform the decryption. So that's the major challenge to do with privacy.
Right. But if you do things right regarding the privacy aspect that you've mentioned and making sure that the storage periods are as long as required, even when it comes to storing these with backup data, what are other prerequisites that organizations should meet when using cloud for disaster recovery, when using the cloud for backups? What are challenges that people need to understand before taking that actual step?
Well, ultimately you have to understand your business continuity needs and you have to design your backup and disaster recovery plan around these. And this is where many organizations go wrong because you need to understand what are the most time critical applications that you have, what is the most time critical data and how long do you have to recover? And that is in fact what you have to design your backup system around. Now, in order to achieve those things, the cloud can be very helpful, but you need to be sure that how you use it is going to work. So, for example, if you have your own applications that are running in one environment, you need to be absolutely sure that they will run correctly in your disaster recovery environment. And that often, it sounds simple, but it isn't as simple as it might seem, that moving, even moving a workload from one cloud by one vendor to another cloud by another vendor may not be so simple and you may need conversion. If you look at the problem of what is called restoring the full application stack, when you look at a modern application, it isn't just a single piece of software. It is an incredibly complex web of servers, services and data. And you may be able to recover each of those individual elements, but unless they are properly synchronized when you recover them, they won't work because one bit will think it's in a different state to another bit. So synchronizing the different elements is another important thing. And you also need to consider what you would do about software as a service, what are the options that the software as a service vendor will provide you for business continuity. So business continuity is the critical thing, and you need to understand how much data you can afford to lose. That is what is called your recovery point objective, and how long you can last without your systems, which is what is called the recovery time objective. And the third thing is, you really, really need to test it.
And time and time again, we come across organizations that say, if you ask them, "Have you tested your recovery process?", they say, "Oh yes", and you then say, "How did it get on?" Then they say, "Oh, it failed." And so unless you can successfully test that you can recover your services under the circumstances that you may need to meet, then it's all not really worth it.
Absolutely. Very interesting. Thank you for sharing this. So it's not only about these services that you cover in this market, but it's mainly also about doing things right. All our audience that is interested in learning more about this market segment there, we really recommend to go to our website and to pick up your Market Compass that's just been published that gives some insight into what's available, what the services look like, where they differ and where they excel. So that's really an interesting document, interesting read. You've shared some additional information about how to do cloud backup and recovery right in general. So that is also really an important topic, apart from the technology and apart from the services: to do things right. But nevertheless, as a groundwork, please go to the KuppingerCole website and pick up the Market Compass, Cloud Backup and Disaster Recovery. I think when I ask you as a final word for the best advice that you can give, I think you've given it already. It's testing? Anything else that is important when it comes to sharing some insight here?
I think it really is: Think of the worst possible situation that could happen and then test that you can actually recover from it and make sure you can because you know, if you plan for the worst, it's good. You can hope for the best, but always plan for the worst.
Great. Thank you. Thank you very much, Mike, for joining me today, for sharing your insight into the market and into how to do backup and disaster recovery right. Looking forward to having you back soon. For the time being, thank you very much and bye bye, Mike.