What are the differences in protection between Outsourced Backup and Managed Disaster Recovery?

Over the last ten years or so, IT solutions have been moving towards the "as a Service" model. Backup and Disaster Recovery Plan solutions are no exception.
Backup as a Service is also known as Backup as a Service (BaaS) and Disaster Recovery as a Service is also known as Disaster Recovery as a Service (DRaaS). These services refer to solutions provided by service providers to businesses.
This means that the company's IT teams do not need to install and maintain the solutions locally in their own data centres. Test management (reboot, disaster recovery, network) and operational service maintenance can also be included in the service providers' offerings.
IT Departments are at the heart of the choice of these solutions. They need to understand the different options on offer and the implications for the protection of their data before making a decision. These two methods of protection, often perceived as similar, do not cover the same risk scenarios.
Definition of Backup as a Service (BaaS)
More and more service providers are offering Backup as a Service solutions. These correspond to the purchase of an online backup service, generally in a Cloud (public, private or private).
BaaS can cover several different areas:
- backup of files and folders
- backup of an entire disk
- application backup (Domain Controller, Exchange) or database backup (SQL server, PostgreSQL, Oracle, etc.).
Recent developments in BaaS have made it possible to automate tests for restoring or restarting servers (complete or partial). These tests can then be carried out either manually or via APIs or automata.
Definition of Disaster Recovery as a Service (DRaaS)
The concept of Business Disaster Recovery Plan as a Service is more recent, but is expanding rapidly as it responds to new issues, such as cyber threats.
It's a complete service provided and administered by a supplier, based on the cloud model and offering a guaranteed recovery time (RTO).
These solutions exploit the main advantages of the Cloud (elasticity, pay-per-use) and therefore reduce the costs associated with infrastructure size.
The perimeters addressed by these DRaaS solutions are potentially very different:
- In terms of OS covered: while x86 architectures are always covered, rarer OS (OS400, proprietary Unix, etc.) are only rarely supported.
- RTO times (restart in the event of activation of the DRP): the technologies used can be very different, allowing RTOs of between a few tens of minutes (this is referred to as a Continuity Plan rather than a Recovery Plan) and a few hours.
- The services provided: this can be either a partially managed DRP (the customer is responsible for maintaining operational conditions and carrying out DRP tests independently) or a fully managed DRP provided by the supplier (regular server restart tests, monitoring of cloud backups, etc.).
These different elements are important to take into account when choosing your solution. That's why you need to carry out an analysis beforehand , to find out what you need in terms of servers to protect, restart times and data freshness.and freshness of data (RTO and RPO) and, finally, the management requirements, depending on the availability and skills of your technical teams.
Risks covered and not covered by these two solutions
To fully understand the difference between these two services, we first need to look at the different risks that each of the two solutions deals with.
We are going to analyse several types of risk to be covered by backup (BaaS) and disaster recovery (DRaaS), broken down into families.
Risk family | Risks | Potential sources | Main recovery mechanism |
Loss or corruption of data |
Loss or corruption of files Data, OS or DB corruption |
User error or procedural error | Backup |
Unavailability of server infrastructure |
A server down A set of servers down Entire infrastructure down |
Hardware or software problem | Backup or PRA |
Unavailability of the data centre |
Long unavailability due to a disaster Unavailability of fluids (electricity, etc.) Unavailability linked to telecoms |
Fire, storm, terrorist attack, works, etc. | PRA |
Ransomware |
Ransomware on a file server Ransomware on IS OSs |
Malicious software propagated by email, vulnerability, etc. | Backup or PRA |
Cyber attack |
Sophisticated attack Denial of service (DoS) Advanced Persistent Threat |
Coordinated attack on IT infrastructure | DRP |
Risk scenarios: data loss or corruption
Loss or corruption of files: this may be due to user/computer error, a hardware problem or a procedural error.
Risk coverage with Outsourced Backup (BaaS) |
Risk coverage with a Managed Disaster Recovery Plan (DRaaS) |
This is the main risk covered by all outsourced backup solutions. The specific points to consider are
|
Depends on the backup or replication mechanisms used by the DRP solution:
|
Questions to ask in relation to the risk scenario :
- Cloud backup storage:
- How many replications of the backed-up data are performed in the cloud (1, 2 or 3 replications?)?
- Are replications of cloud backups performed on several remote DCs?
- Ability or not to have different backup retention periods:
- By file type,
- By keeping N versions of each file.
Risk scenarios: loss or corruption of operating system (OS) or database
Risk coverage with Outsourced Backup (BaaS) |
Coverage of the risk with a Managed Disaster Recovery Plan (DRaaS) |
Coverage of this risk depends on the functional coverage of the outsourced backup:
|
Coverage of this risk depends on the backup or replication mechanisms used by the DRP solution:
|
Questions to ask in relation to the risk scenario:
- Are there mechanisms for backing up Linux OSs in infrastructure contexts where hypervisor mechanisms cannot be used (typically in public or private clouds)?
- Does the solution have the capacity to back up only certain disks/partitions of the machine to limit the amount of data to be backed up and speed up recovery?
Risk scenarios: complete unavailability of one or more servers
Risk coverage with Outsourced Backup (BaaS) |
Risk coverage with a Managed Disaster Recovery Plan (DRaaS) |
Depending on the coverage of the backup solution, this risk is covered. But you need to analyse :
|
In general, this risk is not well covered by a disaster recovery solution:
|
Questions to ask in relation to the risk scenario:
- Without testing, there is no salvation: has the solution taken into account the need to carry out regular server restart tests (either fully automatic or manual)? A minimum frequency of annual restart tests is recommended.
- What are the lead times for supplying IT infrastructure on site: these are often not compatible with business needs (especially at present with component shortages) and therefore do not allow an infrastructure to be recreated on site within an acceptable timeframe.
Risk scenarios: unavailability of the data centre
Datacentre completely unavailable, either following a disaster (fire, storm, flood, attack, etc.), or due to long-term unavailability of the network or fluids (electricity, air conditioning, etc.).
Risk coverage with Outsourced Backup (BaaS) |
Risk coverage with a Managed Disaster Recovery Plan (DRaaS) |
Not covered | This risk is fully covered by a DRP solution, as this is its main objective. The notions of RTO and RPO are predominant. We therefore need to ask ourselves the following questions:
|
Questions to ask about the risk scenario:
Without a DRP test, there is no salvation, so you need to check that regular DRP tests are carried out: a six-monthly test frequency or less is recommended.
Your DRP tests should cover infrastructure recovery, network tests, user reconnection and functional tests of the recovery space by the end user.
Risk scenario: ransomware on a file server or OS servers
Infection by ransomware via malicious software propagated by email, exploiting a vulnerability.
Risk coverage with Outsourced Backup (BaaS) |
Risk coverage with a Managed Disaster Recovery Plan (DRaaS) |
Risk coverage depends on the ransomware-tightness of the backup:
|
This risk is fully covered by a DRP solution, because that is its main objective. The notions of RTO and RPO are paramount. So we need to ask ourselves the following questions:
|
Questions to ask about the risk scenario:
- Does the chosen solution take into account watertightness against a ransomware attack? The backup space must not be easily accessible by ransomware (e.g. Windows mount point, etc.).
- The time taken to bring all the cloud backups back on line via the network must correspond to your business needs. The question to ask is: does the solution allow data to be brought back locally via specialised boxes (NAS type, SSD disk, etc.) from the service provider?
Risk scenarios: sophisticated cyber attack combining several attack mechanisms
Constructed attack enabling the attacker to take control of the customer's infrastructure with privileged rights.
Risk coverage with Outsourced backup (BaaS) |
Risk coverage with a Managed Disaster Recovery Plan (DRaaS) |
Depends on how impervious the backup is to attack:
|
Same risk coverage as for backup. |
Points to watch: the watertightness of cloud backups has become a major issue in the event of a sophisticated cyber attack.
Risk scenarios: Advanced Persistent Threat or dormant attack
Infection by an APT or dormant malware that can be activated several months after infection, requiring long retention of OS data (more than 6 months).
Risk coverage with Outsourced Backup (BaaS) |
Risk coverage with a Managed Disaster Recovery Plan (DRaaS) |
Depends on the depth of the OS backup. This requires the service provider to offer long-term archiving on cold storage. |
Generally not covered by DRP solutions. Unless the DRP solution offers long-term archiving on cold storage. |
Questions to ask in relation to the risk scenario:
- In this case we are talking more about archiving VMs over long periods (1 monthly for 24 months, for example).
- The solution of completely rebuilding the OS is sometimes unavailable.
In summary, the 3 pieces of good advice
1 - Understand the business challenges
The first piece of advice, as with many IT projects, is to fully understand the challenges faced by the company's businesses:
- their needs in terms of backup (depth of backups, data archiving mechanisms, etc.),
- their needs in terms of critical applications to be restarted in the event of a disaster or cyber-attack:
- prioritise them (RTO),
- define the freshness of the data required (essentially databases).
2 - Identify the risk scenarios to be covered
Next, we need to identify the risk scenarios to be covered for the company's business activities and infrastructure (loss of data, ransomware, loss of data centre):
- This risk mapping will inevitably reveal a trend: either a BaaS solution is sufficient, or there is a need for DRaaS;
- Have this risk coverage validated by management. Despite their lack of understanding when it comes to Backup and DRP, IT risk coverage is a major issue that management is well aware of. While they may not understand anything about Backup and DRP, they are increasingly aware of the IT risks that need to be covered.
3 - Identifying and expressing your requirements
Once the risks to be covered have been identified, it is time to identify the requirements for the solution:
- First of all, expectations of the service provider: do you want a partially managed solution or a fully managed solution with contractual commitments?
- If backup is required:
- What is the scope to be covered: OSs, types of DBMS, etc.?
- How should the data be initially loaded (availability of dedicated appliance)?
- In the event of a disaster recovery plan :
- Which servers need to be protected in the event of a disaster and which ones will a backup solution suffice for?
- What are the specific network requirements: how do you reconnect sites (MPLS, SD-Wan), mobile users (SSL VPN, etc.)?
- What are the specifics in terms of security: the security solutions needed in the event of a back-up?
Article translated from French