What are the differences in protection between Outsourced Backup and Managed Disaster Recovery?

Over the last ten years or so, IT solutions have been moving towards the "as a Service" model. Backup and Disaster Recovery Plan solutions are no exception.

Backup as a Service is also known as Backup as a Service (BaaS) and Disaster Recovery as a Service is also known as Disaster Recovery as a Service (DRaaS). These services refer to solutions provided by service providers to businesses.

This means that the company's IT teams do not need to install and maintain the solutions locally in their own data centres. Test management (reboot, disaster recovery, network) and operational service maintenance can also be included in the service providers' offerings.

IT Departments are at the heart of the choice of these solutions. They need to understand the different options on offer and the implications for the protection of their data before making a decision. These two methods of protection, often perceived as similar, do not cover the same risk scenarios.

Definition of Backup as a Service (BaaS)

More and more service providers are offering Backup as a Service solutions. These correspond to the purchase of an online backup service, generally in a Cloud (public, private or private).

BaaS can cover several different areas:

• backup of files and folders
• backup of an entire disk
• application backup (Domain Controller, Exchange) or database backup (SQL server, PostgreSQL, Oracle, etc.).

Recent developments in BaaS have made it possible to automate tests for restoring or restarting servers (complete or partial). These tests can then be carried out either manually or via APIs or automata.

Definition of Disaster Recovery as a Service (DRaaS)

The concept of Business Disaster Recovery Plan as a Service is more recent, but is expanding rapidly as it responds to new issues, such as cyber threats.

It's a complete service provided and administered by a supplier, based on the cloud model and offering a guaranteed recovery time (RTO).

These solutions exploit the main advantages of the Cloud (elasticity, pay-per-use) and therefore reduce the costs associated with infrastructure size.

The perimeters addressed by these DRaaS solutions are potentially very different:

• In terms of OS covered: while x86 architectures are always covered, rarer OS (OS400, proprietary Unix, etc.) are only rarely supported.
  
  
• RTO times (restart in the event of activation of the DRP): the technologies used can be very different, allowing RTOs of between a few tens of minutes (this is referred to as a Continuity Plan rather than a Recovery Plan) and a few hours.
  
  
• The services provided: this can be either a partially managed DRP (the customer is responsible for maintaining operational conditions and carrying out DRP tests independently) or a fully managed DRP provided by the supplier (regular server restart tests, monitoring of cloud backups, etc.).

These different elements are important to take into account when choosing your solution. That's why you need to carry out an analysis beforehand , to find out what you need in terms of servers to protect, restart times and data freshness.and freshness of data (RTO and RPO) and, finally, the management requirements, depending on the availability and skills of your technical teams.

Risks covered and not covered by these two solutions

To fully understand the difference between these two services, we first need to look at the different risks that each of the two solutions deals with.

We are going to analyse several types of risk to be covered by backup (BaaS) and disaster recovery (DRaaS), broken down into families.

Risk scenarios: data loss or corruption

Loss or corruption of files: this may be due to user/computer error, a hardware problem or a procedural error.

Questions to ask in relation to the risk scenario :

• Cloud backup storage:
  • How many replications of the backed-up data are performed in the cloud (1, 2 or 3 replications?)?
  • Are replications of cloud backups performed on several remote DCs?
• Ability or not to have different backup retention periods:
• By file type,
• By keeping N versions of each file.

Risk scenarios: loss or corruption of operating system (OS) or database

Questions to ask in relation to the risk scenario:

• Are there mechanisms for backing up Linux OSs in infrastructure contexts where hypervisor mechanisms cannot be used (typically in public or private clouds)?
• Does the solution have the capacity to back up only certain disks/partitions of the machine to limit the amount of data to be backed up and speed up recovery?

Risk scenarios: complete unavailability of one or more servers

Questions to ask in relation to the risk scenario:

• Without testing, there is no salvation: has the solution taken into account the need to carry out regular server restart tests (either fully automatic or manual)? A minimum frequency of annual restart tests is recommended.
• What are the lead times for supplying IT infrastructure on site: these are often not compatible with business needs (especially at present with component shortages) and therefore do not allow an infrastructure to be recreated on site within an acceptable timeframe.

Risk scenarios: unavailability of the data centre

Datacentre completely unavailable, either following a disaster (fire, storm, flood, attack, etc.), or due to long-term unavailability of the network or fluids (electricity, air conditioning, etc.).

Questions to ask about the risk scenario:

Without a DRP test, there is no salvation, so you need to check that regular DRP tests are carried out: a six-monthly test frequency or less is recommended.

Your DRP tests should cover infrastructure recovery, network tests, user reconnection and functional tests of the recovery space by the end user.

Risk scenario: ransomware on a file server or OS servers

Infection by ransomware via malicious software propagated by email, exploiting a vulnerability.

Questions to ask about the risk scenario:

• Does the chosen solution take into account watertightness against a ransomware attack? The backup space must not be easily accessible by ransomware (e.g. Windows mount point, etc.).
• The time taken to bring all the cloud backups back on line via the network must correspond to your business needs. The question to ask is: does the solution allow data to be brought back locally via specialised boxes (NAS type, SSD disk, etc.) from the service provider?

Risk scenarios: sophisticated cyber attack combining several attack mechanisms

Constructed attack enabling the attacker to take control of the customer's infrastructure with privileged rights.

Points to watch: the watertightness of cloud backups has become a major issue in the event of a sophisticated cyber attack.

Risk scenarios: Advanced Persistent Threat or dormant attack

Infection by an APT or dormant malware that can be activated several months after infection, requiring long retention of OS data (more than 6 months).

Questions to ask in relation to the risk scenario:

• In this case we are talking more about archiving VMs over long periods (1 monthly for 24 months, for example).
• The solution of completely rebuilding the OS is sometimes unavailable.

In summary, the 3 pieces of good advice

1 - Understand the business challenges

The first piece of advice, as with many IT projects, is to fully understand the challenges faced by the company's businesses:

• their needs in terms of backup (depth of backups, data archiving mechanisms, etc.),
• their needs in terms of critical applications to be restarted in the event of a disaster or cyber-attack:
  • prioritise them (RTO),
  • define the freshness of the data required (essentially databases).

2 - Identify the risk scenarios to be covered

Next, we need to identify the risk scenarios to be covered for the company's business activities and infrastructure (loss of data, ransomware, loss of data centre):

• This risk mapping will inevitably reveal a trend: either a BaaS solution is sufficient, or there is a need for DRaaS;
• Have this risk coverage validated by management. Despite their lack of understanding when it comes to Backup and DRP, IT risk coverage is a major issue that management is well aware of. While they may not understand anything about Backup and DRP, they are increasingly aware of the IT risks that need to be covered.

3 - Identifying and expressing your requirements

Once the risks to be covered have been identified, it is time to identify the requirements for the solution:

• First of all, expectations of the service provider: do you want a partially managed solution or a fully managed solution with contractual commitments?
• If backup is required:
  • What is the scope to be covered: OSs, types of DBMS, etc.?
  • How should the data be initially loaded (availability of dedicated appliance)?
• In the event of a disaster recovery plan :
  • Which servers need to be protected in the event of a disaster and which ones will a backup solution suffice for?
  • What are the specific network requirements: how do you reconnect sites (MPLS, SD-Wan), mobile users (SSL VPN, etc.)?
  • What are the specifics in terms of security: the security solutions needed in the event of a back-up?