So you’ve moved many of your IT systems to the cloud. And if disaster should strike?
The “disaster” in question refers to an IT systems event that leads to the loss of critical data. Let’s assume that most IT shops, including in healthcare, have long-established disaster recovery (DR) plans for their in-house systems, but the cloud has been growing so quickly that many IT managers may well have overlooked the fact that a considerable amount of their data is now off-site.
Writing recently at Information Week, Mardty Shacklett, president of Transworld Data, a technology analytics firm, tells the rather bracing story of a company her firm had helped launched a few years back that realized almost by accident that it had no back-up plan for the data it had recently moved to the cloud.
“We (had) developed a DR plan that addressed failover and business continuation for all of the company’s internal systems, and for a handful of systems that were outsourced to cloud providers,” she relates. “Then, as small to mid-sized companies are prone to do, the company got busy with business and didn’t revisit its DR plan (or test it) until nearly two years later, when I got a call.”
In that call, it came to light that “the company had systematically outsourced all of its mission-critical systems to cloud providers, leaving only a skeletal network and IT infrastructure in place to handle internal employee computing needs.”
Needless to say, Shacklett and her client addressed the matter immediately.
Based on that and several other similar experiences, Shacklett lays out of list of steps companies should take as they update DR plans for the cloud.
First, get your contracts file in order. “If you've aggressively outsourced mission-critical applications to the cloud but haven't kept pace with your DR plan,” she says, “the first step is to take stock of all of your cloud vendor contracts. Do you have them all? If you don’t, contact the vendor and get a copy. Then, file it in a central location.”
Next, not surprisingly, find out what your contracts say. Advises Shacklett, “The rule of thumb for vendor performance, uptime and service response SLAs is that what the vendors offer should minimally match what you expect of your own internal IT performance. If they cannot match, find another vendor.”
Other steps she recommends include reviewing the security and data safekeeping standards of cloud-based vendors, requiring regular audit reports from those vendors, and testing DR with your mission-critical vendors.
“Your customers are going to ask you and you will want to know, if the disaster recovery and business continuation required for your mission-critical systems is really going to work if these systems are outsourced to third-party cloud vendors,” she warns. Just seeing a system and data recovery SLA in your contract is not good enough.