If you had all your critical IT systems located miles away from your office, and if there was any kind of flood, fire, meteor strike or the like – the data and applications would be safe, surely, as they are being looked after remotely?
Read that sentence with one set of IT glasses and you will see a cloud message. Read them with another and you would easily get a traditional business continuity (BC)/disaster recovery (DR) reading of that scenario. Therefore, does cloud negate the whole raison d’être of BC/DR?
There does seem to be a kind of blurring going on – at a very abstract level, at least – between the old hot standby, dummy trading room ready at a moment’s notice if they ever blow up Canary Wharf, BC/DR position and the more modish, ‘put it all in the cloud and it’s safe and accessible all over the world’ argument.
There are two ends of that argument: one, in effect, don’t be silly – we will always need BC/DR and nothing’s changed; the other, to slightly parody it, ‘I have put Exchange into the cloud, therefore I have de facto Business Continuity’. In the middle, as CBR found while exploring the debate of BC ‘versus’ the cloud, are as many positions as an unexpurgated copy of the Kama Sutra for CIOs to choose from. This really is a question that has no clear answers as yet.
Let’s start with the BC/DR heartland position, which would be harder to find anywhere better put than by stalwart player SunGard. "By putting things in the cloud, you may spread the risk, but then that risk just shifts to the quality of the individual sites themselves, which could of course have problems," its chief strategy officer Dave Gilpin told CBR. "And it doesn’t address the issue of recovery at all. Say you lost SalesForce.com; how long until users started screaming for it to be back? That gap is why you will always need a BC service to get critical applications back up as soon as the business feels they need them back up."
"At the end of the day, technology platform aside, recovery will always be an issue," adds John Linse, who heads up BC services globally for EMC. "There’s the difference between a short term outage and a smoking hole in the ground, so we have no problem with a cloud based BC as a concept. But let’s make sure we have resilience and recoverability always architected into any IT solution that needs it."
"Cloud has a part to play – but it will be a very long time until there’s no longer a need for firms like us," says Andrew Barnes, SVP business development at BC player Neverfail. "As a storage platform – sure. But there’s some real liberties being taken here with concepts like backup, failover and so on. In any case, complex processes are very far off being cloud-able, unlike basic email."
At the other, there is definitely a school of thought that is convinced that the cloud equals what we used to mean by BC and therefore we don’t need firms like Gilpin’s any more. "IT-based Business Continuity will disappear completely," claims Andy Lockwood, transformation director, Opal, which provides next generation networks for TalkTalk. "Why would you need standalone disaster recovery as any cloud based on good enough networks will basically never fail? It will be built into networks from now on and CIOs just won’t need to spend money on any expensive BC services."
Reality bites
The reality is, of course, somewhere in the middle. Can we seriously say BC is unaffected at all by the cloud? Patently not. There’s even a question how much real BC there is out there anyway.
"Most companies’ BC policy is a tick in the box and if you start looking under the onion there’s often not a lot there," says David Skinner, a Partner at law firm Morrison Foerster. "There’s a huge difference between stated policy and what actually happens, a whole disconnect. We are also going away from all boxes under one roof. The fact that Amazon has 300 data centres suggests that if one did go down, the rest probably wouldn’t. Cloud will change the BC picture for definite."
"BC will still be required but we will see changes like data escrow coming to the fore – ways to protect the integrity of data put into the cloud – which will change the picture," thinks Julian Cook, European general manager for RainStor.
Very possibly. At the same time, we can’t be naïve and say that the cloud is by itself a way to offer Business Continuity. To say so means that you miss out the distinction between IT and Business Continuity.
"Workplace recovery is about people, not IT," points out Ian Masters, sales and marketing director at Double-Take, a provider of software-based BC. "Protecting Exchange just isn’t the same as getting the business back up and running, dealing with customer issues and so on."
Perhaps another way to read the argument is to say that cloud changes BC/DR – as it is supposed to, well, change everything. "Companies like IBM, HP, they’re all evolving their BC services to take account of cloud as a way to extend their services, and new players like former ISPs are coming into the market, too," says Hamish Macarthur, CEO of analyst house Macarthur Stroud International.
What, then, is the sensible course of action for a CIO regarding the boundary between cloud and BC? Any response that factors out cost in this equation is just not useful. BC is expensive – it just is. BC has just been too pricey for most mid-size firms, as independent consultant Graham Oakes puts it: "A good cloud service provider will probably have multiple data centres that are well separated from each other, so will be fairly resistant to major disasters. And if you’re using cloud services, then you have a certain amount of DR built into the service. Cloud starts giving smaller organisations some more options, though not in itself BC."
But there could be layers of BC and perhaps the real point of cloud in this context is that it could make BC more affordable – if it is purchased in a BC format. Thus, "Amazon Web Services’ hosting contracts look very ISP-like – there’s a lot of assumptions the service is expected to be as-is and as-available," warns Mark O’Conor, Partner at law firm DLA Piper. "If you want more security from a cloud service you have to face up to the fact it will need SLAs and cost more than the default service normally expected to be provided."
"The shorter the gap between the start of the service interruption, the more expensive the BC service," says Paul Lightfoot, CTO at BC provider The Bunker, which has just launched a partly cloud-based BC service, interestingly. "BC is and always will be a balance between budget and appetite for risk."
Out with the old?
So it seems in conclusion that the jury is still very much out on this issue – but cloud is raising enough questions that some dependable old orthodoxies may need to be re-examined.
"Don’t get distracted – watch the mouth as well as the feet," says Jon Collins of UK analyst firm Freeform Dynamics. "The default with cloud is you will get what everyone else is getting and there are no service level agreements that give anything like BC equivalence as yet. BC principles still make sense. At the same time, cloud does start giving more options; I know of a big bank that’s using its stand-by DR site as a test cloud site for analytics, for example. It could be we will soon be BC-ing our clouds and cloud-ing our BC, as it were."
There is, finally, the cosmic perspective. Ultimately, if we all end up in clouds (public or private) and have a radical de-coupling of physical box and physical site IT with physical company, then yes, we will have a virtual world that would be safe from physical impact. But even in that scenario, it will be down to individual CIOs to make risk management decisions about just how much they’d rely on the default service of such clouds versus what they’d be prepared to pay for as insurance to repair their companies if anything bad happens.
As it always will – which is why we will always need something like Business Continuity, irrespective of how it is actually delivered or consumed.
A CIO’s perspective
One CIO who has recently implemented a BC service that has absolutely no cloud element is Nick Doughty, IT and facilities manager at London solicitors Magrath. "The cloud is a big buzzword but is still the great unknown," he told CBR. "I’d like some reassurance it actually works before I take my applications out of the office." Doughty says he is also sceptical about the fact that so much cloud depends on copper "laid down for the phone"; "In theory, we have great network infrastructure but I think we’re still playing catch up. So the cloud as stands is only as good as its weakest link."
Doughty is much happier with a standard BC service from supplier Plan B, which he says offers him much better peace of mind. "It’s better to have a third party that is actively looking out for you that is in constant communication with me, and I am sure I am not alone in wanting that from a Continuity service."
