What You Need To Know: Cloud Computing and Business Continuity

Cloud computing is potentially the most important technology development of this decade, so business continuity professionals should rightly be asking: “What does it really mean and how does it affect me?” This perspective is designed to address common questions about cloud computing.

What is the Cloud?
Bottom line – it is a marketing term. Like all great marketing terms, it can be used to mean anything, and thus, it actually means very little. For our purposes, I’d like to suggest the following explanations for “the cloud”, which have proven broadly true in practical experience:

  • “Clouds” are on demand services, meaning, you pay for the service when you use it.
  • The primary service delivered by the cloud is software (known as “Software as a Service” or “SaaS”).
  • Clouds can also deliver “Infrastructure as a Service” and “Platform as a Service” (I’ll define these later).
  • “Virtualization” (the ability to run many logical servers on one physical server) is the enabler of most clouds.

See the table below for a comparison of traditional IT services and cloud services:


In addition to the distinctions above, clouds also vary by scope and location.

Ownership describes who manages the cloud:

  • Internal (managed by your company)
  • External (managed by a third party)

Scope describes how resources are allocated in the cloud among the different tenants:

  • Dedicated: Individual servers are exclusively allocated per tenant.
  • Shared: Individual servers have multiple tenants allocated (the cloud owner manages aggregate capacity). This is less expensive than dedicated because of the ability of the cloud owner to utilize unused capacity for other tenants.
  • Hybrid: Tenants can choose between utilizing a fully dedicated environment or a shared environment.

Using this nomenclature, here are examples of common cloud services:


Bad Cloud Assumptions
When utilizing cloud-based services, it’s easy to lose sight of key business continuity risks. The term “cloud” creates a visualization that the service and your data are as pervasively available as the internet itself (that’s why it’s such a great marketing term!).

Unfortunately, that leads to a number of bad assumptions, including:

  • Clouds are ‘always on’ and include high availability and/or disaster recovery
    At any given moment, your cloud service is delivered to you from a SINGLE data center somewhere. If that data center has issues, can the owner of the cloud move it quickly to a new data center? The answer is often NO, but you need to check! By default, you should always assume NO!

    Note: Most cloud providers identify where their data centers are located. Amazon is unique in that in each data center region there are “availability zones”. “Availability zones” are physically separated data centers but located in the same region (and in some cases, these physically separated data centers are VERY close to one another, subject to a higher probability of being affected by the same threat). For example, there is an Amazon Region “US-East Virginia” with five availability zones: 1A, 1B, 1C, 1D, and 1E.

As a result, Castellan does not recommend recovering to a different availability zone in the same region without careful examination.

  • Data is protected in a cloud
    Because your cloud service is delivered from a single data center, data isn’t automatically protected in the cloud. If you don’t have an SLA for backup and recovery of your data, it might not be protected. You have to check. Again, by default, you should always assume NO, your data isn’t backed up!
  • Data is retrievable from a cloud
    If you have a cloud service owned by a third party and they shut down unexpectedly one day, what happens to your data? It might be gone forever. It is your responsibility to do due diligence on the third parties that you’re trusting your data to. On top of that, if the data is essential to your business, you may want a weekly backup of the data that you control.
  • Clouds are available from anywhere
    Clouds are frequently available from anywhere that has an internet connection, but be careful – nearly all internal cloud services (and many external services) can be secured so you can only access them from inside the company network. This has a big implication for IT disaster recovery planning! For example, you assume salesforce.com is always available because it’s an external cloud but don’t realize that your Information Security team has worked with salesforce.com to limit access to only your corporate network. In this scenario, you wouldn’t realize, until a disaster occurs, that salesforce.com is down when the corporate network is down. Another key risk in this area is single sign-on. If you’re using single sign-on for cloud applications and your data center goes down, often your access to the cloud application will also be lost.
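The hidden dependencies in the list above (network restrictions, single sign-on, single-site hosting, missing backups) can be checked against an application inventory before a disaster exposes them. This is an added example, not part of the original article: the inventory, service names, region names and field names are constructed, and it follows the article's default assumption that a provider cannot fail over out of an affected region.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CloudService:
    name: str
    region: str                  # provider region hosting the service
    corp_network_only: bool      # access allow-listed to the corporate network
    sso_in_corp_dc: bool         # login depends on SSO hosted in the corporate data center
    customer_held_backup: bool   # a backup copy the organization itself controls

# Constructed inventory for illustration; names and attributes are hypothetical.
INVENTORY = [
    CloudService("crm", "us-east", True, True, False),
    CloudService("payroll", "us-east", False, True, True),
    CloudService("file-share", "eu-west", False, False, False),
    CloudService("ticketing", "us-east", False, False, True),
]

def outage_reasons(svc, corp_dc_down=False, region_down=None):
    """Return the reasons a service is unusable in the given scenario."""
    reasons = []
    if region_down is not None and svc.region == region_down:
        reasons.append("provider region down")
    if corp_dc_down and svc.corp_network_only:
        reasons.append("access restricted to corporate network")
    if corp_dc_down and svc.sso_in_corp_dc:
        reasons.append("single sign-on unavailable")
    return reasons

def impact_report(inventory, **scenario):
    """Map each affected service name to its list of outage reasons."""
    report = {}
    for svc in inventory:
        reasons = outage_reasons(svc, **scenario)
        if reasons:
            report[svc.name] = reasons
    return report

def data_at_risk(inventory, region_down):
    """Services in the failed region with no customer-controlled backup."""
    return sorted(s.name for s in inventory
                  if s.region == region_down and not s.customer_held_backup)

if __name__ == "__main__":
    print(impact_report(INVENTORY, corp_dc_down=True))
    print(impact_report(INVENTORY, region_down="us-east"))
    print(data_at_risk(INVENTORY, "us-east"))
```

Running the corporate data center scenario shows external services that fail together with the internal network, which is the case the article warns is usually discovered only during a disaster.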

How Do I Plan For It?
There are three key business continuity activities that are necessary to effectively plan for a loss of your cloud services:

Business Impact Analysis (BIA)
During the business impact analysis, it’s critical to identify ‘third party’ and ‘hosted’ applications, along with who procured the application. Cloud applications are frequently purchased outside of IT and thus not on established application listings. The focus at this point should be to identify these services and determine how critical they are based on requested recovery time objectives.

Recovery Strategy
If critical cloud services are identified during the BIA, it is important to evaluate and then select appropriate recovery strategies. In some ways you can leverage any existing processes used for vendor assessments, but there are a couple of distinctions:

  • SLAs with financial penalties are important, but not a comprehensive solution, because most penalties are small (limited to 1 month’s fees) compared to the impact of a critical application being down for an extended period.
  • Typical vendor backup strategies (e.g., dual sourcing, alternate supplier) often don’t work for cloud services because the data can only be in one place at a time.

As a result, the most effective way to confirm the recovery capability for cloud services is to:

  • Review their plans and observe their testing, or
  • Require a third-party certification (the only comprehensive certification for business continuity/disaster recovery available today is an ISO 22301 certificate).

As a reminder, the level of due diligence for a cloud service should be commensurate with its criticality.

Plan Development
When you start building business continuity plans for the groups that utilize cloud services, there are a few considerations to keep in mind:

  • Document manual workarounds (if available) for when the application is inaccessible.
  • Document key contacts for the cloud service, including the support desk, account manager, and the address of any websites that display the status of the service.
  • Consider how the department will work if the organization’s internal applications go down and the cloud service is still running – what can get done in this scenario?

Clouds are here to stay and are an increasingly important aspect of how organizations achieve their goals with technology. Business continuity professionals can effectively support this evolution by clearing up misperceptions about what the cloud is and providing a robust mechanism to protect the organization even when it relies on “the cloud”.
