Disaster recovery as a service in the time of coronavirus (COVID-19)

TMT analysis: Given the increased focus on business continuity during the coronavirus (COVID-19) pandemic, Daniel Gallagher, senior associate, and Ian Stevens, partner at CMS, explain the use of disaster recovery as a service (DRaaS).

What is DRaaS? What types of DRaaS are available, who provides DRaaS and how has the market evolved in recent years?

DRaaS is a service that provides for the recovery and continuation of a business’s software, platforms and technology infrastructure following a disaster or some other form of business disruption. In essence, the service is intended to replicate a customer’s critical applications and systems in a second IT environment so that the customer can switch (or ‘failover’) to a working system while their primary IT environment is unavailable. DRaaS is usually cloud-based, although some providers adopt different solutions such as the use of a dedicated secondary site.

A range of DRaaS types and a range of suppliers are available; assessing which type and supplier will suit an organisation is a key step in contracting for a DRaaS solution (see further below). For example, some suppliers make available backup and replication tools, and the customer is responsible for performing the backups and replication, monitoring and testing the secondary environment, and executing the disaster recovery (DR) plan in the event of a failure. At the other end of the spectrum, some suppliers offer fully managed DRaaS, which includes developing DR policies, defining the DR solution, implementing and testing the solution, and carrying out the recovery process (either in conjunction with the customer’s IT team or alone in accordance with pre-agreed plans). In addition, DRaaS suppliers may offer different options for hosting the replicated applications and systems, for example on-premises infrastructure, private or public clouds, or a hybrid solution combining these.

There are many suppliers of DRaaS, including many major suppliers of cloud computing services (who will utilise their cloud services to deliver DRaaS), suppliers whose DRaaS may leverage one of the major cloud computing services, as selected by the customer, as well as specialist suppliers that primarily focus on DRaaS and Backup as a Service (BaaS) solutions (see below).

The rise of cloud-based services and the increasing focus by organisations on operational resilience following some high-profile cyberattacks (such as the WannaCry ransomware attack) and major IT outages have seen DRaaS become increasingly commoditised and viewed as a mainstream IT service offering.

The outbreak and spread of the coronavirus has led many organisations to think further about their business continuity and DR arrangements, in particular while team members are required to self-isolate or work from home. Remotely managed DRaaS may be a solution that organisations consider deploying to mitigate the risk that key employees are unable to physically access locations necessary for reassembling infrastructure following a disaster or failure.

What is the difference between DRaaS and BaaS? How do these services relate and why might a business prefer one over the other?

BaaS is a service that simply copies files or databases so that they are available in case of a disaster or some other failure in a business’s technology infrastructure. Any failed or unavailable infrastructure would need to be reassembled (and the data inputted). DRaaS goes further than this because, in addition to backing up data, it replicates infrastructure so that in the event of a failure a working system is available.

There are many reasons why a business may choose BaaS or DRaaS, one over the other. For example, if a business can easily reassemble its infrastructure following a disaster or failure, or fail it over to a backup infrastructure solution, and has the necessary in-house expertise to manage the recovery process itself, BaaS may be sufficient. However, businesses that do not have in-house capability or that require fast access to critical applications and systems (within timeframes that will be agreed with the supplier) may opt for DRaaS. Cost is likely to play a part in deciding which type of service a business prefers. For example, the additional expense of procuring DRaaS may outweigh the financial cost to a business resulting from downtime (as well as lost trust and reputational damage).

What key issues do legal advisors acting for customers need to consider (or ensure their clients consider) when contracting for a DRaaS solution?

  • what is the business’s expectation about what it will get back from the DRaaS solution and what is actually offered by the DRaaS solution? If those are not aligned, the negotiation may not have a successful outcome. For example, what are the business’s recovery point and recovery time objectives? These will determine how much downtime the business can afford and how quickly it needs to failover into the secondary environment. Can the supplier achieve those objectives?

  • are there any restrictions on using a DRaaS solution? For example, businesses may hold personal data or data belonging to their customers or clients under terms that place restrictions on how or where that data may be hosted (eg not in a multi-tenant environment and only in certain jurisdictions) or that do not permit a third party to host or process the data. Based on the sensitivity of the data or other restrictions imposed on the business, consider whether a hybrid solution may be better, ie using a combination of on-premises, public and private cloud solutions (responsibility for which may be split between the business and the supplier)

  • what additional technology will need to be deployed in the business’s IT environment in order to enable replication to the DRaaS solution? An additional layer of software may be required and if so, it should be clear what this is, how long it will take and how much it will cost to implement

  • which applications and systems are most crucial to the recovery of the business and which are of a lesser priority? The target times for recovery should be prioritised accordingly and be reflected in the service level agreement, which is a key document

  • how frequently will the business be able to test its DR plan and the DRaaS solution and what level of reporting will be given? Suppliers may offer a set number of ‘testing days’ with controls on how those are used. The business will need to consider whether the standard offering meets its requirements (including in frequency and scope)

  • the supplier may want the customer to take responsibility for certain activities (for example, to notify the supplier of issues, problems or changes to the primary environment). Those should be clearly defined and set out in the contract

  • what controls are there in the contract about where data may be located? Some suppliers will allow customers to specify a geographical location in which their data will be hosted and not moved without consent. Those terms and conditions should be checked carefully as they may come with a list of exceptions that allow the supplier to move data without notice or include unexpected locations within the specified geographical region

  • what information security measures, DR and backup procedures does the supplier have in place in respect of the services and its own operations and do those meet the standards required by the business?

  • the contract should comply with the requirements of applicable data protection and information security laws and provide a security incident notification process that meets the business’s requirements under applicable law (for example, the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, the Data Protection Act 2018 and the Network and Information Systems Regulations 2018 (NIS Regulations), SI 2018/506)

  • what financial limitations and exclusions from liability are appropriate, given the nature of the service and its degree of customisation (if any) and should the supplier be liable for data loss?
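Several of the points above (recovery point and recovery time objectives, tiered recovery priorities reflected in the service level agreement, and reporting from DR tests) can be checked against the evidence a supplier returns from a test. The following is an added illustration, not code from the article or from any DRaaS supplier: the tier targets, application names and test records are constructed sample values, and the field names are assumptions about what a test report might contain.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed SLA targets per recovery tier, in minutes (hypothetical values).
# Tier 1 holds the applications most crucial to the recovery of the business.
TIER_TARGETS = {1: {"rpo": 15, "rto": 60}, 2: {"rpo": 240, "rto": 480}, 3: {"rpo": 1440, "rto": 2880}}

@dataclass
class Application:
    name: str
    tier: int

@dataclass
class DrTestRecord:
    """Evidence from one DR test (constructed sample; field names are assumptions)."""
    app: str
    last_replicated: datetime   # newest replica state present in the secondary environment
    outage_start: datetime      # simulated failure of the primary environment
    service_restored: datetime  # application usable again in the secondary environment

def evaluate(app: Application, rec: DrTestRecord) -> dict:
    """Achieved RPO = data age at the point of failure; achieved RTO = time to restore service."""
    target = TIER_TARGETS[app.tier]
    achieved_rpo = (rec.outage_start - rec.last_replicated) / timedelta(minutes=1)
    achieved_rto = (rec.service_restored - rec.outage_start) / timedelta(minutes=1)
    return {
        "app": app.name,
        "tier": app.tier,
        "achieved_rpo_min": achieved_rpo,
        "achieved_rto_min": achieved_rto,
        "rpo_met": achieved_rpo <= target["rpo"],
        "rto_met": achieved_rto <= target["rto"],
    }

def breaches(apps, records):
    """Return the evaluations whose tier target for RPO or RTO was not met."""
    by_name = {a.name: a for a in apps}
    results = [evaluate(by_name[r.app], r) for r in records]
    return [r for r in results if not (r["rpo_met"] and r["rto_met"])]

# Constructed sample data: one test run against three applications of different tiers.
APPS = [Application("payments", 1), Application("crm", 2), Application("intranet", 3)]
T = datetime(2020, 4, 1, 9, 0)
RECORDS = [
    DrTestRecord("payments", T - timedelta(minutes=10), T, T + timedelta(minutes=45)),
    DrTestRecord("crm", T - timedelta(minutes=300), T, T + timedelta(minutes=120)),  # replication too old
    DrTestRecord("intranet", T - timedelta(hours=6), T, T + timedelta(hours=50)),    # restored too slowly
]

if __name__ == "__main__":
    for b in breaches(APPS, RECORDS):
        print(b)
```

Run against a supplier's actual test report, the list of breaches is the starting point for the reporting and remediation discussion the contract should provide for.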

To what extent do the contractual terms on which DRaaS is provided tend to be negotiated? Which key issues are most commonly negotiated?

As with other ‘as a service’ solutions, the level of negotiation will likely depend on whether the solution being purchased is ‘off the shelf’ (or in some way bespoke) and the level of fees being paid. Typical key issues for negotiation include: the responsibilities of the customer and those of the supplier, data location, data protection (and data loss), security standards, security incident notification, the supplier’s liability under the contract, customer audit rights, and the rights of the supplier to use subcontractors.

Interviewed by Elodie Fortin.
