Who’s running the data centres for your business? Where are they located and what applications and data are held in situ? When assessing the suitability of Disaster Recovery as a Service provision, Alex Rabbetts examines why security and risk professionals ought to be conducting health checks on the data centres in question
Information Technology (IT) outages in 2014 continue to point an important spotlight on the need for disaster recovery solutions that work for both technical personnel and their ‘line-of-business’ colleagues.
Now, enterprise IT is increasingly turning towards the providers of Disaster Recovery as a Service (DRaaS) remedies that overcome traditional budget, resource and complexity challenges. After all, why deal with problems on site when perfectly good solutions are now available in the form of cloud services?
While many enterprises will no doubt have battened down DRaaS cloud providers to tight Service Level Agreements and 24/7 remote monitoring, there are some fundamental issues at play with the cloud – and, ultimately, the data centres providing these kinds of services – that require mitigation by you, the practising security/IT/business risk professional.
In essence, enterprises need to know what’s behind their cloud, who’s running the data centres, where they’re located and what applications and data are held in situ. When assessing suitability of DRaaS provision, risk professionals should be conducting health checks on the data centres in question.
Fundamental security issues
Is the data centre for your DRaaS at risk of flooding or prone to other environmental factors? In the floods that occurred earlier this year, it became apparent that many data centres located in London Docklands are within the Environment Agency’s 20-year flood plain (ie there’s a probability of flooding at least once every 20 years).
However, what end users probably weren’t aware of was that disaster recovery back-ups for many of these data centres were in Slough and Reading. When London Docklands was under the threat of flooding, the disaster recovery data centres were located in towns that had already flooded.
In most of these cases, I’d hazard a guess that the data centre customers advised to use Slough and Reading as disaster recovery sites were not made aware that these sites were also equally at risk of flooding from the same river.
Are data centres ever at risk from terrorism? The concentration of financial services companies in London’s Docklands renders any data centre in the capital a high risk scenario. Any large urban area could be a target, but London is at the highest risk. According to MI5’s website, the current risk of terrorism is ‘Severe’ (ie an attack is highly likely).
Power: how stable is the supply?
Power is another important consideration. How stable is the power supply to your disaster recovery facility? According to the National Grid/OFGEM, power can no longer be guaranteed by 2015. With power in such short supply, some businesses are already running their own power generators to minimise the risk of outages during business hours.
The UK’s data centres also adopt this same approach, taking power from the grid which is, in turn, backed up by fuel-powered generators. In the event of a blackout, risk assessors know that agreements are in place with fuel suppliers to refuel them. However, larger problems pertain when it comes to logistics.
Take the example of the facilities located in London Docklands. A high concentration in a specific area means that most of the fuel will have to travel either via the Blackwall Tunnel or the A13. Both are likely to be part of a major gridlock which would be compounded by other forms of transport – overground trains and the London Underground – affected by power loss.
Can your DRaaS provider offer you assurances as to the stability of power and, in the event of a power outage, that they carry sufficient fuel to see them through (and that any re-fuelling will be logistically possible)?
Data: the most critical component of the business
Data is arguably the most critical component of any business. What are your options should your DRaaS cloud provider or data centre partner go into administration? Check that there’s a legal agreement in place allowing you to retrieve your data.
What happens if your DRaaS provider is acquired? Will the Patriot Act, for example, or indeed other countries’ laws render your data vulnerable to the likes of the CIA?
Are there provisions in place to protect you?
Connectivity: safeguarding resilience
A choice of carrier networks safeguards resilience in the event of a failure. Multiple carriers offer enough bandwidth to deliver across a breadth of applications. While some data centre providers still claim low or zero-latency as an advantage, latency is rarely an issue in the DRaaS environment. Even if your data centre is thousands of miles away, the delay is so negligible to the point where most businesses wouldn’t notice the difference.
On a technical note, latency (which, ironically, is greater when it has to cross a metropolitan area) is caused by the light and data traversing switch ports. In some instances, the reality is that the more rural your location, the faster the data can move.
Management of the infrastructure
Who actually manages the infrastructure? Is the data centre owner an operator or a property company? If the latter, the probability is that they will not manage the infrastructure. It’s very likely to be outsourced to a facility management company and that introduces a whole new set of risks.
In this scenario you have no relationship or contract with the company that’s actually keeping the data centre up-and-running. If it goes down, who do you call, and what will they do about your emergency scenario?
Risk professionals know that checking the health of the data centre is all part of having a comprehensive disaster recovery and business continuity plan. Make absolutely sure you know who’s behind your DRaaS before disaster strikes.
Alex Rabbetts is CEO at MigSolv