This presentation provides an overview of how the Cloud can be used for Disaster Recovery. It discusses the pros and cons and also provides case studies.

1. Leveraging the Cloud for Disaster
Recovery (DR)
Keith Prabhu (@keithprabhu)
Master of Business (Information Systems)
MBCI, CISA, CISSP, CCSK
Executive Director – Confidis (@confidis_co)
Chairman – Cloud Security Alliance – India RCB

2. Why Cloud DR?
Cloud DR for
Cloud based
systems
Cloud DR for
traditional data
centers
Implementation of
Cloud DR
Case Studies

3.  Pay-as-you-go pricing
 Minimal DR expertise required
 Unlimited scalability
 Secure and reliable infrastructure
 More flexible short-term contracts
 Recovering workloads on the Cloud
 Easier, more frequent, and less
expensive testing
 Increased complexity is
taking its toll
 Executives are losing focus
on the need for DR
preparedness
 DR is still an all-or-nothing
investment
DR Concerns Cloud Benefits
The Cloud offers exciting possibilities for
DR planners
Why Cloud DR?

4.  Security (e.g. SoD, Access Control) and compliance are difficult to achieve in the
cloud
 Providers are often unwilling to negotiate SLA penalties
 Not all cloud providers can support adequate site separation
 Some apps don’t work in cloud environments
 Recovery resources are oversubscribed
 There is a lack of trusted vendors in the market
 Jurisdiction
 Metadata Retention, Separation, Protection
 Cloud Service Provider Resilience
 Licensing
Cloud DR Concerns

5. • Location of the CSPs DR site
• Latency
• Survivability
• Regulatory
• If CSP has multiple data centers in same jurisdiction,
no contractual or legal issues there is no real prob
• SLAs are important
• Ensure cloud services are backed up/replicated to
other sites
• Sometime default DR, sometime addition fees,
sometime a mix
• Failover automation
Cloud DR for Cloud Apps
Source: Cloud Security Alliance,
SecaaS_Cat_9_BCDR_Implementation_Gu
idance

6. • Virtualization is needed as CSP support virtual
systems, easy if heavily virtualize
• Can the systems be virtualized?
• Is virtualization supported by CSP
• Any non-standard physical components? e.g.
dongles, PCI cards, telephony cards?
• Licensing issues?
Cloud DR for Traditional Apps
Source: Cloud Security Alliance,
SecaaS_Cat_9_BCDR_Implementatio
n_Guidance

7. Approaches
• Do It Yourself (DIY)
• DRaaS
Implementing Cloud DR
Techniques
1. Cold Cloud DR
• Backup images.
• Achievable RTOs are usually 6 to 48
hours and RPOs are 24 to 48 hours.
• Pay for storage
2. Warm DR
• Production VMs up to date. resulting in
RTOs usually of 2 to 6 hours and RPOs
of minutes to hours.
• Pay for only storage
3. Hot DR
• RTOs in this approach are usually less
than 1 hour.
Source: The Forrester Wave™: Disaster-
Recovery-As-A -Service Providers, Q1 2014

8. • Founded in late 2009, Cooper River Financial offers the mortgage industry a financial
services tool that tracks loans
• Uses cloud-based infrastructure for production
• It needed to find a solution that could comply with strict financial regulations and
deliver an aggressive RPO of zero data loss and an RTO of 15 minutes
• It selected Hosting.com as the IaaS cloud provider with cloud-to-cloud DR enabled by
Geminare
• Its architecture includes active-passive configurations for databases (where a
secondary copy constantly runs at the recovery site) and rapid VM restarts for the
remaining infrastructure
• It constantly monitors production VMs and if even one fails, it can spin a recovery VM
within minutes at the recovery site
• With this configuration, it only pays for the majority of the recovery site in the event of a
disaster or testing
Cooper River Financial (C2CDR)

9. • IJM is a global human rights organization that supports 15 offices outside of the
US
• Previously, the DR strategy consisted of a tape backup system, making it
difficult to recover in a timely manner
• Lack of funding for DR limited its options
• IJM turned to WAN optimization partner Riverbed Technology to create a DR
strategy that met its needs and budget restrictions
• IJM uses Riverbed’s Whitewater appliance to compress and optimize backups
of VMs to the cloud
• In the event of a disaster or outage, IJM can rapidly spinup VMs at the cloud
provider and failover
• It has successfully tested the implementation for both single remote site failure
and organization-wide failure
International Justice Mission (DIY)

10. • Psomas is a consulting engineering firm with offices in Arizona, California, and
Utah.
• The company’s DR strategy was not only costly, it was a struggle to keep up-to-
date as production changed. Furthermore, Psomas could only manage a test
once or twice a year
• Psomas worked with iland, Riverbed’s Whitewater appliance, and DynTek to set
up a new cloud-based DR plan based on VMware Site Recovery Manager 5.0
(SRM).
• This solution met its required RTO of 4 to 5 hours and RPO of 6
• Testing is now so much easier — the push of a button can bring up the
recovery site and test all processes up until the actual failover of production
Psomas (DRaaS)

11. • Develop a Cloud DR Strategy
• Understand Cloud SLAs and be realistic
• Right size the recovery resources that you
will provision on the Cloud
• Prioritize testing, with Cloud DR you can
test more frequently with lesser risk of
disruption
Final Notes

12. About Confidis
• Confidis is based in India and works at the
intersection of Business and Technology
• The services we offer in Business Resilience
space include:
• Business Continuity Management
• Crisis Management
• IT Disaster Recovery
• BCM Training
• We follow a creative approach to make your
business resilient by involving all stakeholders
especially your staff
• Our team has experience in planning for
business continuity in various sectors including
airports, insurance, software development
etc.
• We are also a Global Licensed BCI Training
Partner
“The more you sweat in peace,
the less you bleed in war.” –
George S. Patton
 How do we continue business if
we are hit by a disaster?
 Are we geared to handle the
negative publicity that a
disaster may entail?
 Who will be in charge in case of
a disaster?
 What if our IT infrastructure
collapses?
Unprepared for disasters?

13. Contact Information
For any further
information, please
contact:
Keith Prabhu
Executive Director
Confidis
Email: keith DOT prabhu AT
confidis.co
Follow us:
Twitter:
https://twitter.com/confidis_co
LinkedIn:
https://www.linkedin.com/company/
confidis
Facebook:
https://www.facebook.com/confidis

14. References
• https://www.forrester.com/An+Infrastructure+And+Operations+Pros+Guide+To+Clou
dBased+Disaster+Recovery+Services/fulltext/-/E-RES61066?objectid=RES61066
• https://cloudsecurityalliance.org/download/secaas-category-9-bcdr-implementation-
guidance/
• https://www.forrester.com/The+Forrester+Wave+DisasterRecoveryAsAService+Prov
iders+Q1+2014/fulltext/-/E-RES101041