Cloud Disaster Recovery: CIOs Must Lead

IT teams wary of public cloud often discount its value in disaster recovery. That does a disservice to the business.
and willing to push their teams to at least test, offerings that combine public cloud infrastructure and SaaS automation software and promise to save money to boot.

We dug into the technical details of the disaster-recovery-as-a-service market in a recent issue. Here we'll explore the role of CIOs in breaking through resistance, because infrastructure teams are not only not excited, they're often outright hostile -- 65% won't even use cloud storage such as Amazon S3. Of those IT groups supporting branch or remote sites, where cloud should be a no-brainer, 28% back up to disk and 14% to tape in each office. Because employees at remote sites can totally be trusted to properly manage tape systems, right?

Security Doesn't Equal Span Of Control

What's the big problem CIOs must overcome when it comes to cloud-based disaster recovery? Control freaks.

Ask an infrastructure team leader about his biggest beef with cloud, and the answer will almost always be "security." But when they talk about "secure," too many times these pros really mean "inside my span of control."

That is, "if it resides on our premises and is managed by us, that's good security; if it resides elsewhere or is managed by someone else, that's bad security." That's just about as logical as the idea that "If someone is a W2 employee at our organization, she is much more trustworthy than someone who is a W2 employee at another organization."

Of course, security isn't about internal span of control. It's about assessing risk and making choices based on the threat level, cost and benefit balance, and a statistical understanding that things go wrong, and it's our job to adapt and respond. If a technique or a technology reduces risk and keeps other variables the same, we should look at it.

We asked security expert Bruce Schneier to weigh in on the notion of cloud-based disaster recovery, specifically how CIOs should answer staffers who throw down the security card. "Like everything else, from tax preparation to cleaning services, it's a question of trust," says Schneier. "Can you trust a company you're doing business with? There's nothing magic about cloud services that isn't true about other services. Does the person who signs the paycheck of the employee make any difference in how trustworthy they are? That seems implausible."

The message: Your company no doubt has processes to vet third-party providers. Establishing trust is possible.

What about the argument that public cloud presents a gigantic attack surface -- that is, Amazon Web Services is a high-value target in the same way Windows is? "Amazon is going to spend a lot more money protecting their attack surface than you are," Schneier says. It'll likely do a better job, too. "It's the same reason you don't have your own doctor no matter how wealthy you are," says Schneier. "You get better medical care because your doctor sees more than one patient."

Cloud providers like DigitalOcean, Google, SoftLayer, and Rackspace have deep experience dealing with attacks. They're doing heavy lifting every day. For most shops, the notion that internal IT staff can do a better job is laughable. Now, that doesn't mean you can laugh off the risks of cloud, including cloud DR. What you can do is take a comprehensive approach that factors in technical realities, security risks, and business needs. And that's an effort that only the CIO, with one foot in IT and one in business, can lead. We'll discuss 12 areas to assess, but first, let's look at two variables that many companies miss in their planning: SaaS use and app dev team needs.

Read the rest of this story in the new issue of
InformationWeek Tech Digest (free registration required).