Disaster recovery and data protection have always been complex functions, but the pandemic has made them even more complex. Many organizations were unprepared even before COVID-19, especially when it comes to DR. However, even those who had solid DR and backup plans in place will now need to re-evaluate, given how profoundly the world of work has changed.
COVID-19 forced companies of all sizes to go 100% remote for weeks, even months, often with just a day or two of prior notice. Lockdowns have since been lifted or significantly loosened, but many companies are still operating largely with remote employees who work from home. Plus, now that so many employees and organizations have experienced remote work and its benefits, this genie is not going back into the bottle. Most IT organizations will need to continue supporting remote work, even once the pandemic has passed. When you have a significant portion of your people working from home, the IT infrastructure changes substantially.
Pre-COVID, most IT resources were largely centralized on premises at a company or nearby data center. When the pandemic first hit, IT’s immediate concern was providing access to resources. IT departments emptied Best Buy shelves of laptops and handed them out as people walked out the door or relied on employees to use their own devices, typically connecting to the centralized servers and applications via virtual private network (VPN).
This is not a good long-term solution. Managing and provisioning VPNs is complex, plus they’re difficult to scale and typically provide poor performance. As a result, organizations are moving resources and infrastructure into the cloud and relying increasingly on SaaS and IaaS providers for applications and infrastructure. Even if IT doesn’t move digital assets out of the data center immediately, when the new budget year comes around, money that was previously allocated to on-premises resources will likely go elsewhere. For example, an organization which now relies on the on-premises version of Microsoft Dynamics will likely transition to Office 365 so remote employees can access it more easily with better performance.
This trend means IT will be managing data in the corporate datacenter, one or more clouds, employees’ endpoint devices, and multiple SaaS services. It’s a fundamental change to the nature of the production landscape, and that means IT needs a new kind of DR and data protection plan to ensure it all remains available.
Protecting SaaS data
The first question many may ask regarding SaaS applications and data is why they need to be backed up at all. After all, isn’t that the responsibility of the service provider?
That’s certainly the view of most IT professionals, according to a survey by 451 Research. Nearly 50% of respondents said they depend on their SaaS vendor to protect data and another 25% don’t protect it all. That’s a problem, because most SaaS vendors operate under the shared responsibility model. In practice, this means the vendor ensures their service infrastructure is secure, applications remain available, and all data is protected in case of a catastrophic failure or disaster. But protecting the data itself over the long term? That’s on the customer. SaaS services are not designed to recover that email your VP of marketing deleted.
For example, let’s say someone in marketing accidentally deletes key Microsoft Office 365 documents which are used to create a quarterly report. If these files are accidentally moved to the recycle bin at the beginning of the quarter, and their deletion isn’t noticed until two months later, when people start to work on the report they’re in for a nasty surprise. After 30 days, Microsoft automatically deletes all data in the recycle bin. Unless the customer has backed them up, those files are gone forever.
Here’s another, potentially more serious example. If an employee deletes emails or documents in order to destroy evidence of illegal activity, when authorities launch an investigation, emails will likely be unrecoverable by the time a subpoena is ordered. The organization could then find itself in serious legal trouble.
But let’s say the vendor does offer robust backup services. If IT relies entirely on the vendor, what’s the plan if there’s a disagreement with the vendor and the service shuts down? What if the vendor goes out of business or suffers a disaster for which it didn’t adequately prepare. It’s critical to protect against these kinds of risks.
Vendors have created point solutions to back up the most popular SaaS applications, such as Microsoft Office 365, but there aren’t any general-purpose SaaS data protection solutions. So, if there isn’t a point solution for a specific SaaS application, be sure to make data protection part of the contract and require they send copies of your data at regular intervals.
Protecting Infrastructure-as-a-Service (IaaS)
When it comes to cloud, some IT professionals may have the same questions they had about SaaS — after all, there’s never been an IT infrastructure as robust and redundant as those operated by the big hyperscale cloud companies. While that’s true, just as with SaaS, cloud providers also operate on a shared responsibility model. They protect the infrastructure, but granular data protection is up to the customer.
Most cloud services have their own backup solutions, and backup vendors have introduced cloud backup capabilities. There’s no shortage of backup platforms for cloud data, so there’s really no excuse for leaving it unprotected.
The problem of data on employee endpoints
With employees working from home, it’s a certainty they will store important data on their local machine if they have the ability to do so. This data needs to be protected, but there are two key challenges to doing so:
- Where to store backup data: Organizations operating from on-premises resources already have a finite bandwidth pipe, and many employees will be working on less-than-optimal connections themselves. Drawing all that data down into the corporate data center from remote users throughout the day will kill performance for everyone.
- BYOD and privacy issues: If employees are using their own machines, you’re going to run into some thorny privacy issues (not to mention a serious deployment headache) adding backup clients and / or software to these devices.
There are several options for protecting endpoints. If employees are using a company-issued machine, there are a number of strong endpoint protection options on the market. Deploying and configuring clients for each machine will likely be a tedious process, but you’ll know you’re not leaving any data unprotected.
Alternatively, you can also push a group policy to endpoints that maps the “My Documents” folder directly to the cloud files storage solution of your choice, whether that is Dropbox, Google Drive, OneDrive, or some other solution. This approach makes it easy to protect file data, but it depends at least in part on the employees’ willingness to store documents in the proper place. If they simply drop them on their desktops, for example, they won’t be protected.
If you have employees who are using their own machines, your best bet is likely to switch to remote desktops. Certainly, some readers are already smirking. It’s been a running joke in IT circles for more than a decade, “this is the year of virtual desktop infrastructure (VDI).” In 2020, it’s no longer a joke. Performance in the better remote desktop solutions has improved dramatically, and they offer a number of important benefits to employees and IT.
So long as you’ve got a strong platform and have configured it properly, end-users will be unable to store data on their local machines. Instead, it will remain behind the firewall where IT can apply its existing, on-premises backup systems to protect and secure it. Additionally, IT can set up most virtual desktops so information cannot be cut and pasted to the device itself, providing another layer of protection. Finally, many solutions no longer require a client, which gives end-users the flexibility to use any machine they like, so long as they possess proper credentials, which should include multi-factor authentication.
The biggest question of all: Recovery
In a highly distributed environment, recovery gets tricky very quickly, especially when it comes to recovery from a large-scale disaster. For instance, the first question IT needs to answer is where the organization will store DR and backup data. The cloud would seem to be the obvious choice, but there are some big drawbacks. First, hyperscale cloud providers make it cheap and simple to upload data into their service, but it gets expensive fast when you need to retrieve it, especially if you’re undergoing a large-scale recovery.
Another consideration: If your original server is toast or the data center is completely MIA, where will you recover? If IT wants to recover to the cloud, that’s going to require a great deal of specialized expertise to mount virtual machines (VMs) and provide end-users with access, as cloud networking is a very different beast from the standard model used on on-premises. Cloud-native apps have a multi-tenant architecture, which requires far fewer resources and costs much less to run in the cloud.
Finally, if IT is using the cloud directly and admins run into issues while attempting to recover, they’re going to be on their own. Good luck getting hold of a human being to help troubleshoot and address any problems.
SaaS applications are particularly difficult to recover if they fail, somewhat due to the speed at which the solutions evolve. Make sure the underlying data is protected, ideally in a form which can be exported to a native file for an on-premises application. Still, when it comes to protecting the application itself, you’re at the mercy of the service provider. Application diversification is one strategy to overcome this challenge. If you are using Office 365 for email and it goes down, employees can communicate via Slack. If that goes down, they may need to rely on Teams or Zoom. Whenever possible, have a failback identified that can at least partially recreate the functionality you need for as many SaaS apps as possible.
Now the challenge is to stitch all of these various systems protecting distributed data into a unified strategy for backup and DR. Plan out recovery for each application, create a plan for restoring from disaster — making sure to track all dependencies properly — and then test, test, and test again. You don’t want to be troubleshooting recovery when you’ve got a boardroom full of executives breathing down your neck asking when things will get back to normal.
The pandemic has thrown a monkey wrench into our production environment, scattering employees and data to the four winds. And while that makes backup and DR more complicated than it was prior to COVID-19, with good planning and the right technology solutions, the enterprise doesn’t have to sacrifice data protection.