The mainstream press is full of <a href="https://www.smartcompany.com.au/information-technology/051078-icloud-failure-businesses-told-to-back-up-after-hacker-wipes-tech-reporter-s-devices.html”>articles about Cloud failures at the moment. Continuing on from my recent thoughts on the Cloud, it is clear that people are now starting to realise this ‘cloud’ thing needs to be backed up. OK, great. But how exactly do you do that? In short, with extreme difficulty.
Backup is not (just) a product you purchase or something you set up – it is a factor in a multi-faceted disaster recovery plan that spans the entire infrastructure (and, if done well, business processes as well). This is fundamentally at odds with most cloud implementations, which are designed to abstract away having to care about “low level details” like backup. After all, isn’t that what you pay the cloud provider for, to look after these things? Whilst that’s true and even largely true, it doesn’t necessarily satisfy your Risk Management Plan. Such a plan needs to be created (and not just by IT – the business’ directors need to understand and sign off on it) independently of how it is implemented. Cloud makes much of it easier, compared with your typical incompetent IT guy anyway. However, it makes some components of it exponentially harder. Whether this trade-off is worth it is up to you and your company (or individual)’s risk profile. But there’s no panacea; no shortcut to understanding this stuff.
Whilst it adds a little more to the conversation upfront, information reliability and disaster recovery is one of the first conversations we have with our clients and certainly one we have before implementing any systems improvements. There are so many targets you could be aiming at. How can you measure success if you don’t define it beforehand?
I am prepared to be proven wrong, but as of the time of writing, I have never seen a company (that isn’t one of our clients of course!) without extremely obvious, high risk, critical backup-related issues. i.e. The kind of issues that should be flagged as unacceptable risks to the business regardless of any risk management objectives. Backups are often missing, incomplete, untested, run using buggy error-prone software, dumped to dodgy media, stored right next to the main data source and are almost never monitored. Even if all these things are done, a Disaster Recovery Plan (even an informal one) is almost never in sight.