Considering BCP in relation to Cloud/SaaS
10 August 2010
I was writing some notes around a few questions that I get asked regularly regarding cloud and SaaS, and how Business Continuity Plans (BCP) are affected.
I’ve tidied them up and have placed them here as they should be a good starting point if you are looking into your DR/BC plans in relation to cloud/SaaS.
What are the implications for business continuity plans in relation to cloud computing and SaaS?
When it comes to planning a business continuity strategy, many businesses will see software as a service (SaaS) as the answer to their prayers, often because they will believe – or will be told by a salesperson – that they can now ignore business continuity in relation to the SaaS solution they have purchased. Unfortunately, it’s often an “out of sight, out of mind” scenario; you’d be surprised how many buyers will simply accept a salesperson’s promise and forget about business continuity plans (BCP) in relation to the service. That’s obviously completely negligent and puts a business at risk.
As an example, one particular company is currently migrating to our services after having its systems down for a full working day due to an air conditioning failure at its current supplier’s ‘data centre’ – which meant that staff had to open the windows! I can’t think of any calibre of data centre where the air-conditioning could fail, let alone one that has windows that can be opened to cool it!
Typically, assuming that you choose a reputable business to deliver SaaS, the company will build its systems to a much greater level of resilience than many businesses could ever build internally. At the end of the day, its whole business depends on the service provided, and even small outages can deeply damage its reputation and revenue, let alone the reputation and revenue of its customer base. In the majority of cases, as long as you choose a solid SaaS solution, your business will be much more resilient to failure, and it will also strengthen your business continuity plans.
How does moving to cloud computing/SaaS affect existing business continuity plans? What areas of your plan do you need to re-evaluate?
You must include any major third-party supplier within your plans when moving to cloud computing. Some areas you need to cover are:
- You need to ensure that the provider’s plans fit your requirements for availability and return to service – so look at the service level agreements;
- You need to plan for your provider to potentially stop trading, whether for a set amount of time or permanently;
- What happens if the provider is bought out and the new owner wishes to cease the service?
- Know how you will get your data out of the provider in a disaster situation, and how you will be able to access your data; for example, your entire CRM or ERP exported in Excel format may be useful for the short term;
- Ask for detail on their infrastructure and evaluate it as your own;
- Check the provider’s indemnity;
- Check Service Level Agreements and make sure they are heavily UK-focused. For example, some SaaS providers only run support services during US working hours;
- Think about systems integration. An in-depth analysis is required to identify which internal systems and services interface with the SaaS solution and how they will be affected in a disaster.
In short, evaluate your provider as if they are part of your own operation as they hold your data – and an element of your business is in effect outsourced to them. Be sure and comfortable that you know how you will get your business operational if your cloud/SaaS provider suffers a disaster.
Also think about the following:
- It is important to re-evaluate areas that perhaps don’t need to be as resilient internally due to the SaaS solution. This may deliver cost savings: for example 24×7 support, redundant hardware, network support;
- If there is a tube strike or snow storm and you are going to allow your staff to work remotely from home, how are you going to be sure that any communication into your SaaS service is secure? As a business, are you willing to take that risk? Or will you build an IT solution that will protect your company’s data and communications on unsecured PCs and laptops?
Does cloud computing/SaaS make it easier to carry on in the event of an incident?
From a technical/systems availability standpoint, using a SaaS solution could make it easier for an organisation to continue operating if its business suffers a disaster.
- If it is your business that suffers the disaster, then Disaster Recovery/Business Continuity Plans for that application/service aren’t directly your problem, and your SaaS services should keep on running automatically. It’s very likely that you can build a solution that allows your staff to access your system remotely through their home internet connection or from your DR site;
- Traditionally, if a multi-site business were to lose service at the main HQ (where internal server rooms/data centres are based), then it would be dead in the water. However, with SaaS solutions, this may no longer be a problem. Satellite offices can continue to run and even operate much of the main HQ’s function.
What questions should you be asking of cloud computing/SaaS vendors with respect to their own business continuity plans?
The key questions any business should be asking cloud computing vendors with regard to business continuity plans include:
- Can I see the business continuity plans, at least on a broad level? It’s unlikely that you’ll be able to see a full BCP, since they are business sensitive by their very nature;
- Ask them to explain what would happen if the data centre your systems/data sits in was hit by a jumbo jet;
- Don’t just focus on the technical side of things: ask how the provider will manage the people side of the business and their 3rd party suppliers in the event of a disaster;
- How does your chosen vendor guarantee services such as the connectivity and power into its data centres when a disaster strikes?
- How do they deal with hardware failure – what are their contracts for fix? Do they carry spare equipment? What resilience is built-in?
- Does the vendor replicate all of your data? And if so, to what location? Is it in the same city, county or country? From a security point of view, make sure it’s not all held in the same city;
- Who are your provider’s other clients? Are their business activities similar to yours?
- Can you see your vendor’s data centre specifications? You may not get a guided tour, but you should be comfortable with the specification that they provide;
- Ask for their figures on downtime within the last 18 months;
- Ask how often they do a full DR test and whether you can see the last report;
- Ask your provider how you will be able to get your data out. It may be possible for some SaaS providers to allow you to back up your data out of their platform and into your own premises. This may incur additional charges, but you’ll need to balance that against your level of comfort.
Hopefully the points listed in this blog entry will give you some food for thought.