Q&A: DRaaS offers help in a complex cloud

In March of last year, a fire took down a data center belonging to OVHcloud, a major hosting provider in Europe.

Smaller businesses that have moved their IT services to the cloud may not have a plan for data-center-disaster recovery, according to Kurt Seifried, Chief Blockchain Officer and Director of Special Projects for the not-for-profit Cloud Security Alliance.

“You’ve been using the cloud, and now your IT data center burned down. By definition, you don’t have the expertise to fix this,” said Seifried.

Seifried, however, does use the cloud and possesses enough expertise to fix this. In addition to being the Cloud Security Alliance’s chief blockchain officer and director of special projects, Kurt Seifried also provides IT services for the organization.

Cloud Security Alliance promotes best practices for both the cloud industry and its customers, so, fittingly, Seifried and the CSA use an array of cloud services to operate—everything from Auth0 for public-facing authentication, Heroku for web servers, Calendly for scheduling, and Grammarly for writing assistance.

Seifried spoke to IT Brew about a set of technologies known as disaster-recovery-as-a-service, or DRaaS.

In a 2021 "Market Guide for Disaster Recovery as a Service," the consulting firm Gartner describes DRaaS as a stand-alone restoration of enterprise applications at another location in the event of a disaster that can range in scope from a self-service to fully managed offering.

The service should minimally include, according to Gartner:

• On-demand recovery
• Server image and production data replication
• Automated failover and failback
• Recovery time service-level agreements

DRaaS vendors offer a possible option for companies that lack the capability of data recovery.

“They’re providing not just access to resources, but [also] the access to the expertise to get it all working,” said Seifried. “If Salesforce goes away, how do I get that data imported into another provider? I can probably figure it out, given a day or two, but paying somebody to just make it work now? I would prefer to do that.”

Below Seifried answers three questions about an increasingly complicated cloud and the role of an “as-a-service” provider to—potentially—ease it.

Seifried’s responses below have been edited for length and clarity.

What do you think is driving the disaster-recovery-as-a-service market?

Complexity. One hundred percent: complexity. Think about how complex IT is. CSA is a good example. We have over 100 vendors that we use. I mean, everything from Amazon Web Services and Heroku for server stuff, all the way down to, like, Grammerly, and Calendly…How do I back [all of] that up? Or how do I even understand what’s going on? And the answer is: I don’t. It’s so complex. I have 100+ vendors that I’m, like, tying together in a giant ball of yarn.

How do you ensure that a disaster recovery firm can handle that complexity?

This basically boils down to trust of your vendors. For example, in security, you have things like SOC 2 audits, or they do a STAR entry. Essentially, there’s a third-party that attests that they’re competent in the disaster recovery field.

There are sort of no standards., I mean, how many horror stories have you heard about people who bought cheap car insurance, got into an accident, and then had a horrific experience with their insurance company? And I’ll be blunt: Part of it is you get what you pay for. So if you go with a cheap [disaster recovery] company, that might not end well. Like, you might end up going out of business.

So, with respect to that, I would look for public signals. For example: do they have a bug bounty program? Are they incorporated in a safe place? Are they incorporated in America? I would ask them things like, “How do you test your disaster recovery?”

I work for the Cloud Security Alliance. And we’re at the edge of this, right? Like, I’m sorry, but, just, the complexity is too much. Ideally, you farm it out to a disaster recovery firm that can have, like, 20, full-time people working on just Amazon, and do a really good job of it. Now, whether or not they’re actually doing that, I don’t know.

What do you think are the most important questions to ask a provider, when it’s contract time?

One of the biggest things is, are they actually going to sit down with you and help you understand how often do you need to back this [data] up? Is it hourly? Daily? Weekly? Monthly? Are they going to sit down with you and actually help you do some business risk analysis if you haven’t already? …IT is, by definition, complex now. We’re integrating and plugging together all these weird different systems in ways that nobody ever could have imagined. If one part of that chain fails or goes out of business, what do I do now? Like a great example is Salesforce, let's assume Salesforce goes out of business tomorrow, poof, gone. Okay, who's your alternative provider? Well, you're going to Google “alternatives to Salesforce,” and you're gonna get 10 or 20 ads in Google, and now what? You go through, read their websites, you look through them, you try and research, you look for some article rating them, you know, ‘best Salesforce alternatives of 2022,’ Right?…In theory, that's the kind of value-add that a disaster recovery company can be doing where, not only do we know, like, how to build a house, but we know who to call at 6pm on a Tuesday, when, you know, your house falls down.