Cloud Disaster Recovery: CIOs Must Lead - InformationWeek

Cloud Disaster Recovery: CIOs Must Lead

IT teams wary of public cloud often discount its value in disaster recovery. That does a disservice to the business.

and willing to push their teams to at least test, offerings that combine public cloud infrastructure and SaaS automation software and promise to save money to boot.

We dug into the technical details of the disaster-recovery-as-a-service market in a recent issue. Here we'll explore the role of CIOs in breaking through resistance, because infrastructure teams are not only not excited, they're often outright hostile -- 65% won't even use cloud storage such as Amazon S3. Of those IT groups supporting branch or remote sites, where cloud should be a no-brainer, 28% back up to disk and 14% to tape in each office. Because employees at remote sites can totally be trusted to properly manage tape systems, right?

Security Doesn't Equal Span Of Control

What's the big problem CIOs must overcome when it comes to cloud-based disaster recovery? Control freaks.

Ask an infrastructure team leader about his biggest beef with cloud, and the answer will almost always be "security." But when they talk about "secure," too many times these pros really mean "inside my span of control."

That is, "if it resides on our premises and is managed by us, that's good security; if it resides elsewhere or is managed by someone else, that's bad security." That's just about as logical as the idea that "If someone is a W2 employee at our organization, she is much more trustworthy than someone who is a W2 employee at another organization."

Of course, security isn't about internal span of control. It's about assessing risk and making choices based on the threat level, cost and benefit balance, and a statistical understanding that things go wrong, and it's our job to adapt and respond. If a technique or a technology reduces risk and keeps other variables the same, we should look at it.

We asked security expert Bruce Schneier to weigh in on the notion of cloud-based disaster recovery, specifically how CIOs should answer staffers who throw down the security card. "Like everything else, from tax preparation to cleaning services, it's a question of trust," says Schneier. "Can you trust a company you're doing business with? There's nothing magic about cloud services that isn't true about other services. Does the person who signs the paycheck of the employee make any difference in how trustworthy they are? That seems implausible."

The message: Your company no doubt has processes to vet third-party providers. Establishing trust is possible.

What about the argument that public cloud presents a gigantic attack surface -- that is, Amazon Web Services is a high-value target in the same way Windows is? "Amazon is going to spend a lot more money protecting their attack surface than you are," Schneier says. It'll likely do a better job, too. "It's the same reason you don't have your own doctor no matter how wealthy you are," says Schneier. "You get better medical care because your doctor sees more than one patient."

Cloud providers like DigitalOcean, Google, SoftLayer, and Rackspace have deep experience dealing with attacks. They're doing heavy lifting every day. For most shops, the notion that internal IT staff can do a better job is laughable. Now, that doesn't mean you can laugh off the risks of cloud, including cloud DR. What you can do is take a comprehensive approach that factors in technical realities, security risks, and business needs. And that's an effort that only the CIO, with one foot in IT and one in business, can lead. We'll discuss 12 areas to assess, but first, let's look at two variables that many companies miss in their planning: SaaS use and app dev team needs.

Read the rest of this story in the new issue of InformationWeek Tech Digest (free registration required).

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ...

User Rank: Apprentice
7/9/2014 | 5:11:42 AM
IT teams wary of public cloud often discount its value in disaster recovery. That does a disservice to the business. Inferior framework reliability may lead to issues during peak periods, restricted and complete recovery in the fastest time possible after a disaster. That's why thanks to cloudwedge it support to us. Thanks
User Rank: Ninja
6/19/2014 | 10:26:24 AM
Re: Regional solutions for global customers
Great point, many folks forget that many business continuity issues are best handled by a provider who has multiple locations to mitigate against these regional factors. If you operate on a global basis but only operate in a certain region, you could put the global customer base at risk should something happen. Cloud providers with multiple locations make it easier to ensure that should something happen, they can transfer your services to a location not facing the same outages to keep you up and running.
User Rank: Ninja
6/19/2014 | 9:15:30 AM
Regional solutions for global customers
I think the problem stems from the approach most IT groups still follow.  A regional solution that is hardened and should withstand all but the worst natural disaster as a way to improve uptimes.  Then those companies do business outside of their geographic region and a regional solution isn't enough because their customers don't go offline with them.  That is of course the most basic level but everything builds from there.  Until that mentality changes any Cloud based solution is going to suffer from the same problem.
D.M. Romano
User Rank: Moderator
6/19/2014 | 7:51:26 AM
Eggs into one basket...
DR is simply an extension of security measures. No one thinks it'll happen to them, until it does, and it's too late. While it may not be a malicious act that comes at you like a wrecking ball, something as simple as someone gaining access to your AWS console can shut down your business operations for good. Granted that was malicious, it teaches you a valuable lesson about having all your eggs into one basket. Relying on the cloud (or one service in the cloud) might not be the best strategy these days. Rather a diversified cloud might be a safer reality for those business critical applications.

As the great military general Sun Tzu once said,

"Know your enemy and know yourself and you can fight a hundred battles without disaster."

User Rank: Author
6/18/2014 | 11:20:44 AM
Common sense
A dose of common sense from Jonathan and Bruce Schneier. I can see that quote being highlighted by many people for later use.