What are the differences in protection between Outsourced Backup and Managed Disaster Recovery?

By Eric Deronzier

Published: 7 May 2025

Over the last ten years or so, IT solutions have been moving towards the "as a Service" model. Backup and Disaster Recovery Plan solutions are no exception.

Outsourced backup is also known as Backup as a Service (BaaS), and a managed disaster recovery plan as Disaster Recovery as a Service (DRaaS). Both terms refer to solutions delivered to businesses by service providers.

This means that the company's IT teams do not need to install and maintain the solutions locally in their own data centres. Test management (reboot, disaster recovery, network) and operational service maintenance can also be included in the service providers' offerings.

IT Departments are at the heart of the choice of these solutions. They need to understand the different options on offer and the implications for the protection of their data before making a decision. These two methods of protection, often perceived as similar, do not cover the same risk scenarios.

Definition of Backup as a Service (BaaS)

More and more service providers are offering Backup as a Service solutions. These amount to purchasing an online backup service, generally hosted in a Cloud (public or private).

BaaS can cover several different areas:

  • backup of files and folders
  • backup of an entire disk
  • application backup (Domain Controller, Exchange) or database backup (SQL server, PostgreSQL, Oracle, etc.).

Recent developments in BaaS have made it possible to automate tests for restoring or restarting servers (complete or partial). These tests can then be carried out either manually or via APIs or automated routines.

Definition of Disaster Recovery as a Service (DRaaS)

The concept of Business Disaster Recovery Plan as a Service is more recent, but is expanding rapidly as it responds to new issues, such as cyber threats.

It's a complete service provided and administered by a supplier, based on the cloud model and offering a guaranteed recovery time (RTO).

These solutions exploit the main advantages of the Cloud (elasticity, pay-per-use) and therefore reduce the costs associated with infrastructure size.

The scope covered by these DRaaS solutions can vary widely:

  • In terms of OS covered: while x86 architectures are always covered, rarer OS (OS400, proprietary Unix, etc.) are only rarely supported.

  • RTO times (restart in the event of activation of the DRP): the technologies used can be very different, allowing RTOs of between a few tens of minutes (this is referred to as a Continuity Plan rather than a Recovery Plan) and a few hours.

  • The services provided: this can be either a partially managed DRP (the customer is responsible for maintaining operational conditions and carrying out DRP tests independently) or a fully managed DRP provided by the supplier (regular server restart tests, monitoring of cloud backups, etc.).

These different elements are important to take into account when choosing your solution. That's why you need to carry out an analysis beforehand, to find out what you need in terms of servers to protect, restart times and freshness of data (RTO and RPO) and, finally, the management requirements, depending on the availability and skills of your technical teams.

Risks covered and not covered by these two solutions

To fully understand the difference between these two services, we first need to look at the different risks that each of the two solutions deals with.

We are going to analyse several types of risk to be covered by backup (BaaS) and disaster recovery (DRaaS), broken down into families.

Risk family: Loss or corruption of data
  • Risks: loss or corruption of files; data, OS or DB corruption
  • Potential sources: user error or procedural error
  • Main recovery mechanism: Backup

Risk family: Unavailability of server infrastructure
  • Risks: a server down; a set of servers down; entire infrastructure down
  • Potential sources: hardware or software problem
  • Main recovery mechanism: Backup or DRP

Risk family: Unavailability of the data centre
  • Risks: long unavailability due to a disaster; unavailability of utilities (electricity, etc.); unavailability linked to telecoms
  • Potential sources: fire, storm, terrorist attack, works, etc.
  • Main recovery mechanism: DRP

Risk family: Ransomware
  • Risks: ransomware on a file server; ransomware on IS OSs
  • Potential sources: malicious software propagated by email, vulnerability, etc.
  • Main recovery mechanism: Backup or DRP

Risk family: Cyber attack
  • Risks: sophisticated attack; denial of service (DoS); Advanced Persistent Threat
  • Potential sources: coordinated attack on IT infrastructure
  • Main recovery mechanism: DRP

    Risk scenarios: data loss or corruption

    Loss or corruption of files: this may be due to user/computer error, a hardware problem or a procedural error.

    Risk coverage with Outsourced Backup (BaaS):

    This is the main risk covered by all outsourced backup solutions.

    The specific points to consider are:

    • Backup duration and retention policy (depth in days/weeks/months, etc.).
    • The customer's autonomy to carry out the restoration.

    Risk coverage with a Managed Disaster Recovery Plan (DRaaS):

    Depends on the backup or replication mechanisms used by the DRP solution:

    • Some solutions use synchronous or near-synchronous disk replication (without taking historical snapshots) and therefore do not cover this risk.
    • Other solutions are based on backup mechanisms and are therefore comparable to outsourced backup solutions with the same monitoring points (minimum retention time, etc.).

    Questions to ask in relation to the risk scenario:

    • Cloud backup storage:
      • How many replications of the backed-up data are performed in the cloud (1, 2 or 3 replications)?
      • Are replications of cloud backups performed on several remote DCs?
    • Ability or not to have different backup retention periods:
      • By file type,
      • By keeping N versions of each file.

    Risk scenarios: loss or corruption of operating system (OS) or database

    Risk coverage with Outsourced Backup (BaaS):

    Coverage of this risk depends on the functional coverage of the outsourced backup:
    • Does it enable OS backup and restore of a complete OS?
      • via one of the hypervisors on the market (VMware, Hyper-V, HAV, Xen, etc.),
      • but also via an agent in the increasingly frequent case where the customer no longer has direct access to the hypervisor (third-party hosting, cloud, VPS, etc.).
    • What autonomy does the customer have to restore the OS or DBMS?

    Risk coverage with a Managed Disaster Recovery Plan (DRaaS):

    Coverage of this risk depends on the backup or replication mechanisms used by the DRP solution:
    • Some solutions use disk replication (without taking snapshots) and therefore do not cover this risk.
    • Other solutions are based on backup mechanisms and are therefore comparable to outsourced backup solutions with the same monitoring points (minimum retention time, etc.).

    Questions to ask in relation to the risk scenario:

    • Are there mechanisms for backing up Linux OSs in infrastructure contexts where hypervisor mechanisms cannot be used (typically in public or private clouds)?
    • Does the solution have the capacity to back up only certain disks/partitions of the machine to limit the amount of data to be backed up and speed up recovery?

    Risk scenarios: complete unavailability of one or more servers

    Risk coverage with Outsourced Backup (BaaS):

    Depending on the coverage of the backup solution, this risk is covered.

    But you need to analyse:

    • The ability to restore the server to:
      • a physical server,
      • a hypervisor other than the original one.
    • The autonomy of the client to execute the restart.
    • The time required to bring all cloud backups back to the local network.

    Risk coverage with a Managed Disaster Recovery Plan (DRaaS):

    In general, this risk is not well covered by a disaster recovery solution:
    • It is generally easy to reboot a single server or a few servers.
    • On the other hand, managing the network and the addressing plan can be complex if part of the IS remains in the original datacentre and part switches to backup mode.
      Some disaster recovery solutions have integrated MPLS or SD-WAN models to get round this problem.

    Questions to ask in relation to the risk scenario:

    • Without testing, there is no salvation: has the solution taken into account the need to carry out regular server restart tests (either fully automatic or manual)? A minimum frequency of annual restart tests is recommended.
    • What are the lead times for supplying IT infrastructure on site: these are often not compatible with business needs (especially at present with component shortages) and therefore do not allow an infrastructure to be recreated on site within an acceptable timeframe.

    Risk scenarios: unavailability of the data centre

    Datacentre completely unavailable, either following a disaster (fire, storm, flood, attack, etc.), or due to long-term unavailability of the network or utilities (electricity, air conditioning, etc.).

    Risk coverage with Outsourced Backup (BaaS):

    Not covered.

    Risk coverage with a Managed Disaster Recovery Plan (DRaaS):

    This risk is fully covered by a DRP solution, as this is its main objective.

    The notions of RTO and RPO are predominant. We therefore need to ask ourselves the following questions:

    • How are they guaranteed?
    • How are they tested?

    Questions to ask about the risk scenario:

    Without a DRP test, there is no salvation, so you need to check that regular DRP tests are carried out: a six-monthly test frequency or less is recommended.

    Your DRP tests should cover infrastructure recovery, network tests, user reconnection and functional tests of the recovery space by the end user.

    Risk scenario: ransomware on a file server or OS servers

    Infection by ransomware via malicious software propagated by email, exploiting a vulnerability.

    Risk coverage with Outsourced Backup (BaaS):

    Risk coverage depends on how well the backup is sealed off from ransomware:
    • If this isolation is built in by design, via security mechanisms (immutability of backups, change of technology between backup source and target, etc.) that prevent the virus from propagating in the backup environment, the risk is covered. Otherwise, the risk is little or not at all covered.
    • The time required to bring all cloud backups back to the local network is generally incompatible with business needs.

    Risk coverage with a Managed Disaster Recovery Plan (DRaaS):

    This risk is fully covered by a DRP solution, because that is its main objective.

    The notions of RTO and RPO are paramount. So we need to ask ourselves the following questions:

    • How are they guaranteed?
    • How are they tested?

    Questions to ask about the risk scenario:

    • Does the chosen solution take into account watertightness against a ransomware attack? The backup space must not be easily accessible by ransomware (e.g. Windows mount point, etc.).
    • The time taken to bring all the cloud backups back on line via the network must correspond to your business needs. The question to ask is: does the solution allow data to be brought back locally via specialised boxes (NAS type, SSD disk, etc.) from the service provider?

    Risk scenarios: sophisticated cyber attack combining several attack mechanisms

    Constructed attack enabling the attacker to take control of the customer's infrastructure with privileged rights.

    Risk coverage with Outsourced Backup (BaaS):

    Depends on how impervious the backup is to attack:
    • Does the attacker have a way of destroying or encrypting cloud backups?
      • If they take control of the AD?
      • If they gain system administrator privileges?
    • On the other hand, if the customer does not have access to the cloud backup space, the risk is covered.

    Risk coverage with a Managed Disaster Recovery Plan (DRaaS):

    Same risk coverage as for backup.

    Points to watch: the watertightness of cloud backups has become a major issue in the event of a sophisticated cyber attack.

    Risk scenarios: Advanced Persistent Threat or dormant attack

    Infection by an APT or dormant malware that can be activated several months after infection, requiring long retention of OS data (more than 6 months).

    Risk coverage with Outsourced Backup (BaaS):

    Depends on the depth of the OS backup.

    This requires the service provider to offer long-term archiving on cold storage.

    Risk coverage with a Managed Disaster Recovery Plan (DRaaS):

    Generally not covered by DRP solutions, unless the DRP solution offers long-term archiving on cold storage.

    Questions to ask in relation to the risk scenario:

    • In this case we are talking more about archiving VMs over long periods (1 monthly for 24 months, for example).
    • The solution of completely rebuilding the OS is sometimes unavailable.
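
As an added illustration of the retention-depth point above (not part of the original article), this Python sketch checks whether a tiered retention policy still holds a restore point taken before a dormant infection began. The tier scheme, the dates and the function names are assumptions made for the example, not any provider's actual policy.

```python
from datetime import date, timedelta

# Constructed scenario: malware implanted 200 days before it is detected.
TODAY = date(2025, 6, 16)
COMPROMISE = date(2024, 11, 28)

def _prev_month(y, m):
    return (y, m - 1) if m > 1 else (y - 1, 12)

def retained_points(today, daily=0, weekly=0, monthly=0):
    """Restore points still held on `today` under an assumed tiered policy:
    one backup per day kept `daily` days, the Sunday backup kept `weekly`
    weeks, the 1st-of-month backup kept `monthly` months."""
    points = set()
    for n in range(1, daily + 1):
        points.add(today - timedelta(days=n))
    # Most recent Sunday strictly before today, then step back week by week.
    sunday = today - timedelta(days=(today.weekday() + 1) % 7 or 7)
    for n in range(weekly):
        points.add(sunday - timedelta(weeks=n))
    # Most recent 1st-of-month strictly before today, then earlier months.
    y, m = today.year, today.month
    if today.day == 1:
        y, m = _prev_month(y, m)
    for _ in range(monthly):
        points.add(date(y, m, 1))
        y, m = _prev_month(y, m)
    return sorted(points)

def latest_clean_point(today, compromise, **policy):
    """Newest retained restore point taken before the compromise date,
    or None when every retained backup already contains the implant."""
    clean = [p for p in retained_points(today, **policy) if p < compromise]
    return clean[-1] if clean else None

if __name__ == "__main__":
    policies = {
        "30 daily + 8 weekly": dict(daily=30, weekly=8),
        "30 daily + 24 monthly": dict(daily=30, monthly=24),
    }
    for name, policy in policies.items():
        point = latest_clean_point(TODAY, COMPROMISE, **policy)
        if point is None:
            print(f"{name}: no clean OS image left")
        else:
            print(f"{name}: restore {point}, "
                  f"rolling back {(TODAY - point).days} days")
```

A clean OS image from the monthly archive removes the implant but not the data gap: databases and files still have to be recovered from more recent backups and checked separately.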

    In summary, the 3 pieces of good advice

    1 - Understand the business challenges

    The first piece of advice, as with many IT projects, is to fully understand the challenges faced by the company's businesses:

    • their needs in terms of backup (depth of backups, data archiving mechanisms, etc.),
    • their needs in terms of critical applications to be restarted in the event of a disaster or cyber-attack:
      • prioritise them (RTO),
      • define the freshness of the data required (essentially databases).

    2 - Identify the risk scenarios to be covered

    Next, we need to identify the risk scenarios to be covered for the company's business activities and infrastructure (loss of data, ransomware, loss of data centre):

    • This risk mapping will inevitably reveal a trend: either a BaaS solution is sufficient, or there is a need for DRaaS;
    • Have this risk coverage validated by management. While they may not be familiar with the details of Backup and DRP, they are increasingly aware of the IT risks that need to be covered.

    3 - Identify and express your requirements

    Once the risks to be covered have been identified, it is time to identify the requirements for the solution:

    • First of all, expectations of the service provider: do you want a partially managed solution or a fully managed solution with contractual commitments?
    • If backup is required:
      • What is the scope to be covered: OSs, types of DBMS, etc.?
      • How should the data be initially loaded (availability of dedicated appliance)?
    • If a disaster recovery plan is required:
      • Which servers need to be protected in the event of a disaster and which ones will a backup solution suffice for?
      • What are the specific network requirements: how do you reconnect sites (MPLS, SD-WAN), mobile users (SSL VPN, etc.)?
      • What are the specifics in terms of security: which security solutions are needed when running in backup mode?

    Article translated from French