6/18/2014
11:00 AM

Cloud Disaster Recovery: CIOs Must Lead

IT teams wary of public cloud often discount its value in disaster recovery. That does a disservice to the business.

and willing to push their teams to at least test, offerings that combine public cloud infrastructure and SaaS automation software and promise to save money to boot.

We dug into the technical details of the disaster-recovery-as-a-service market in a recent issue. Here we'll explore the role of CIOs in breaking through resistance, because infrastructure teams are not only not excited, they're often outright hostile -- 65% won't even use cloud storage such as Amazon S3. Of those IT groups supporting branch or remote sites, where cloud should be a no-brainer, 28% back up to disk and 14% to tape in each office. Because employees at remote sites can totally be trusted to properly manage tape systems, right?


Security Doesn't Equal Span Of Control

What's the big problem CIOs must overcome when it comes to cloud-based disaster recovery? Control freaks.

Ask an infrastructure team leader about his biggest beef with cloud, and the answer will almost always be "security." But when they talk about "secure," too many times these pros really mean "inside my span of control."

That is, "if it resides on our premises and is managed by us, that's good security; if it resides elsewhere or is managed by someone else, that's bad security." That's just about as logical as the idea that "If someone is a W2 employee at our organization, she is much more trustworthy than someone who is a W2 employee at another organization."

Of course, security isn't about internal span of control. It's about assessing risk and making choices based on the threat level, cost and benefit balance, and a statistical understanding that things go wrong, and it's our job to adapt and respond. If a technique or a technology reduces risk and keeps other variables the same, we should look at it.

We asked security expert Bruce Schneier to weigh in on the notion of cloud-based disaster recovery, specifically how CIOs should answer staffers who throw down the security card. "Like everything else, from tax preparation to cleaning services, it's a question of trust," says Schneier. "Can you trust a company you're doing business with? There's nothing magic about cloud services that isn't true about other services. Does the person who signs the paycheck of the employee make any difference in how trustworthy they are? That seems implausible."

The message: Your company no doubt has processes to vet third-party providers. Establishing trust is possible.

What about the argument that public cloud presents a gigantic attack surface -- that is, Amazon Web Services is a high-value target in the same way Windows is? "Amazon is going to spend a lot more money protecting their attack surface than you are," Schneier says. It'll likely do a better job, too. "It's the same reason you don't have your own doctor no matter how wealthy you are," says Schneier. "You get better medical care because your doctor sees more than one patient."

Cloud providers like DigitalOcean, Google, SoftLayer, and Rackspace have deep experience dealing with attacks. They're doing heavy lifting every day. For most shops, the notion that internal IT staff can do a better job is laughable. Now, that doesn't mean you can laugh off the risks of cloud, including cloud DR. What you can do is take a comprehensive approach that factors in technical realities, security risks, and business needs. And that's an effort that only the CIO, with one foot in IT and one in business, can lead. We'll discuss 12 areas to assess, but first, let's look at two variables that many companies miss in their planning: SaaS use and app dev team needs.

Read the rest of this story in the new issue of
InformationWeek Tech Digest (free registration required).

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ...

Comments
sarasota786
User Rank: Apprentice
7/9/2014 | 5:11:42 AM
cloudwedge
IT teams wary of public cloud often discount its value in disaster recovery. That does a disservice to the business. Inferior framework reliability may lead to issues during peak periods, restricted and complete recovery in the fastest time possible after a disaster. That's why thanks to cloudwedge it support to us. Thanks
Stratustician
User Rank: Ninja
6/19/2014 | 10:26:24 AM
Re: Regional solutions for global customers
Great point, many folks forget that many business continuity issues are best handled by a provider who has multiple locations to mitigate against these regional factors. If you operate on a global basis but only operate in a certain region, you could put the global customer base at risk should something happen. Cloud providers with multiple locations make it easier to ensure that should something happen, they can transfer your services to a location not facing the same outages to keep you up and running.
SaneIT
User Rank: Ninja
6/19/2014 | 9:15:30 AM
Regional solutions for global customers
I think the problem stems from the approach most IT groups still follow.  A regional solution that is hardened and should withstand all but the worst natural disaster as a way to improve uptimes.  Then those companies do business outside of their geographic region and a regional solution isn't enough because their customers don't go offline with them.  That is of course the most basic level but everything builds from there.  Until that mentality changes any Cloud based solution is going to suffer from the same problem.
D.M. Romano
User Rank: Moderator
6/19/2014 | 7:51:26 AM
Eggs into one basket...
DR is simply an extension of security measures. No one thinks it'll happen to them, until it does, and it's too late. While it may not be a malicious act that comes at you like a wrecking ball, something as simple as someone gaining access to your AWS console can shut down your business operations for good. Granted that was malicious, it teaches you a valuable lesson about having all your eggs into one basket. Relying on the cloud (or one service in the cloud) might not be the best strategy these days. Rather a diversified cloud might be a safer reality for those business critical applications.

As the great military general Sun Tzu once said,

"Know your enemy and know yourself and you can fight a hundred battles without disaster."

Laurianne
User Rank: Author
6/18/2014 | 11:20:44 AM
Common sense
A dose of common sense from Jonathan and Bruce Schneier. I can see that quote being highlighted by many people for later use.