It began as a 30-minute meeting that was intended to revisit a DR plan I had helped a company to develop two years ago.

At that time, the company didn't have a formal DR plan, but it had clients asking how it had planned for disasters and contingencies. The company was processing and storing client data, so a plan was desperately needed.

We developed a DR plan that addressed failover and business continuation for all of the company’s internal systems, and for a handful of systems that were outsourced to cloud providers. Then, as small to mid-sized companies are prone to do, the company got busy with business and didn’t revisit its DR plan (or test it) until nearly two years later, when I got a call.

The 30-minute call turned into 90 minutes, as we collectively discovered that over the two-year period after the initial DR plan was developed, the company had systematically outsourced all of its mission-critical systems to cloud providers, leaving only a skeletal network and IT infrastructure in place to handle internal employee computing needs.

“You don't need a revision of your DR plan,” I said, “You need a total rewrite.”

What happened?

“Well, we met with our vendors, and most of them said that we could eliminate a lot of capital equipment and in-house IT work by moving to the cloud, so we did,” said the IT manager.

I asked the IT manager and the COO if they had vendor contracts and SLAs in their files.

“We did sign contracts, but we can’t find them now,” said the IT manager. We will have to go back to the vendors to see if we can get copies.”

Unfortunately, this scenario has replayed itself in at least a dozen other cases where I have revisited DR plans with companies. The disaster recovery plan did not keep pace with IT evolution and movement to the cloud.

The disaster recovery sea change

The movement of mission-critical applications to the cloud is a sea change for IT risk management and disaster recovery, because now you are commending your disaster recovery and business continuation fate to third-party vendors.

Cognizant, an IT consultancy, comments, “IT managers who have hosted applications through cloud providers, or are thinking of doing so, should perform the same DR due-diligence they would for in-house infrastructure. This includes assessing the risks, laying out the potential solutions and implementing a plan that meets the required service level at the least cost.

Agreed, but how can you shift gears and re-conceptualize your disaster recovery approach when you’re already having trouble keeping your own DR plan updated?

Get your contracts file in order. If you've aggressively outsourced mission-critical applications to the cloud but haven't kept pace with your DR plan, the first step is to take stock of all of your cloud vendor contracts. Do you have them all? If you don’t, contact the vendor and get a copy. Then, file it in a central location.

Find out what your contracts say. Five years ago, nearly two-thirds of the cloud vendors I spoke with didn't have published service level agreements. Then, pressure began to be placed on them by clients, business partners, IT consultants, and the tech media, so most vendors now have them. However, not all cloud vendor SLAs are the same. Some vendors only guarantee “best effort” 99.99% uptime, while others go to the extreme and actually penalize themselves financially and give you money back in any case where they miss an SLA. The rule of thumb for vendor performance, uptime and service response SLAs is that what the vendors offer should minimally match what you expect of your own internal IT performance. If they cannot match, find another vendor.

Review the security and data safekeeping standards of your cloud-based vendors. If a vendor is operating in a multi-tenant cloud environment, you want to ensure that your region of processing and data is uniquely yours, even if you are sharing compute with other companies. You also want guarantees that your vendor isn’t sharing your data with any other parties, and you ideally want to do business with vendors that are at Level Five cybersecurity protection. Level Five protection means that the vendor is capable of defending its networks from attacks that involve multiple, simultaneous breach techniques (or vectors) that move rapidly against systems and are conducted on a large scale. Checkpoint Software, a security firm, reported that its 2018 survey revealed that most companies were at least two generations of cybersecurity behind this latest generation of cyber attacks. If you're moving all or most of your apps to the cloud, the challenge of protecting networks and systems becomes even more daunting, because you must ensure all of your outsource vendors, as well as your own company, are advanced in their IT protection against attacks.

Require regular audit reports from your cloud vendors. Vendor audit reports should address the vendor’s financial stability, since you want to know that your vendor is stable and able to stay with you for the long haul. On the IT side, vendor-furnished audits should be able to give you the peace of mind that the vendor has the proper controls, stewardship, and protection of your applications and your data.

Test DR with your mission-critical vendors. Your customers are going to ask you and you will want to know, if the disaster recovery and business continuation required for your mission-critical systems is really going to work if these systems are outsourced to third-party cloud vendors. Just seeing a system and data recovery SLA in your contract is not good enough. Instead, you should plan to test failover and disaster recovery annually with your mission-critical application vendors in the same way that you should be testing your own systems for failover and recovery. This is the only way to know for sure that failover and DR are working, and to correct your plan for any incongruities.

{image 1}

Mary Shacklett is owner of Transworld Data in Seattle. She is an experienced IT professional, writer, and IT, marketing and advertising consultant. Mary has a bachelor of science degree from the University of Wisconsin, a master's degree from the University of Southern California and a doctorate of law from William Howard Taft University.