Disaster Recovery Center vs. business continuity | All for One Poland

Disaster Recovery Center and Business Continuity

A Contingency Plan Is a Must

In a world where cyberattacks, infrastructure failures, and data loss are becoming increasingly common, the Disaster Recovery Center (DRC) is becoming an essential component of a company's business continuity strategy. Even the most secure IT environment can be paralyzed by human error, power outages, ransomware attacks or unavailability of cloud services. Therefore, organizations must think not only about backups, but also about an effective data recovery and system restoration plan. Today, a DRC is a necessity for protecting data in public cloud, private cloud, SaaS, and on-premise environments.


Today’s business environment is one in which the risk of downtime and data loss is greater than ever before. Natural disasters, infrastructure failures, cyberattacks, human error or power outages – any of these factors can cripple a company’s operations in a matter of minutes. Threats echoing geopolitical events, such as war, disruption of raw material supplies or unavailability of cloud services in a particular region, are also increasingly common.

The dizzying pace of change we are experiencing in the IT sphere is also generating new threats. In the race for customers’ attention, system and application vendors are releasing underdeveloped solutions with code bugs that can be exploited to breach systems. Specialized hacking groups, often funded by hostile foreign governments or technology competitors, exploit all vulnerabilities – both technological and those resulting from human error. As many as 40% of system hacks occur through a phishing attack or are the result of simple carelessness.

How to Defend Against Cyberattacks

Any successful cyberattack affects business continuity, damages a company’s reputation, and can even lead to bankruptcy. What, then, should be done to ensure that a company can operate without risks originating from its IT systems?

First, there is never enough employee training in preventing infiltration and resisting social engineering techniques.

Second, it is essential to ensure data protection in case of damage, unavailability, or encryption.

We store company data in various locations. Some resides in private or public cloud solutions (such as Amazon Web Services, Google Cloud Platform, Microsoft Azure and dedicated clouds like SAP S/4HANA Cloud). Other data is stored in SaaS applications from various providers. Some companies opt for solutions based on local Data Centers in a given region or their own facilities at company headquarters or branch offices.

Data can be copied across regions, exist in a high availability solution, and be copied to another location within the company. In the case of SaaS applications hosted in vendor clouds, we usually do not have access to information on how the data is stored and in what location.

Knowing all this, it is difficult to avoid the question: what happens if data is deleted, encrypted, or corrupted?

Disaster Recovery Center

The Disaster Recovery Center (DRC) is becoming a key component of a business security strategy – a backup data center that enables business continuity even in the event of a major failure of the primary IT environment. Data protection relies on various types of backups created in remote locations, safeguarded against unauthorized deletion and regularly tested for recovery, as well as on the establishment of a recovery site to ensure uninterrupted operations. It is not enough to have a backup: it is equally important to determine how quickly an organization can restore its systems and where those copies are physically stored.

There are as many options for building a DRC as there are organizations. Each solution is built individually, taking into account first of all the size and characteristics of the IT environment, the importance classification of IT systems, the RPO (Recovery Point Objective, acceptable data loss) and RTO (Recovery Time Objective, maximum acceptable downtime) times, as well as the IT technologies used and the available transmission links.

In the following sections of the article, we will explore how to effectively plan and implement Disaster Recovery mechanisms for systems maintained in various cloud models, as well as on-premise and SaaS environments.

Public Cloud Backups

In public clouds, replicating data across zones within a single region is not sufficient protection. Preventive measures such as backup to another region are required. The optimal solution is to secure the data in a second region, in an encrypted space, without the possibility of deletion.

To maintain business continuity, consider replicating data to another provider, for example from Azure to AWS. If the entire infrastructure of one public cloud becomes unavailable, the workloads can then be started in another public cloud, or the data can be withdrawn and run in a designated data center outside the cloud location.

It is also important to remember that for a Disaster Recovery Center (DRC) to operate fully without access to cloud resources (for example, with replication of applications and databases), a dedicated environment for identity and credential services must be provided, for example Entra ID in hybrid mode.
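The requirements in this section (a copy outside the primary region or provider, encrypted, protected against deletion) can be checked against a backup inventory together with the RPO defined earlier. The following is an added example, not code from All for One; the inventory records, field names and system names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Copy:
    system: str
    provider: str
    region: str
    encrypted: bool
    locked_until: Optional[datetime]  # retention lock expiry; None = deletable
    completed_at: datetime

@dataclass(frozen=True)
class System:
    name: str
    provider: str
    region: str
    rpo: timedelta  # acceptable data loss

def problems(copy, system, now):
    """Gaps of one off-site copy against the section's requirements."""
    found = []
    if not copy.encrypted:
        found.append("not encrypted")
    if copy.locked_until is None or copy.locked_until <= now:
        found.append("can be deleted")
    if now - copy.completed_at > system.rpo:
        found.append("older than RPO")
    return found

def audit(system, copies, now):
    """Empty list if at least one off-site copy meets every requirement."""
    offsite = [c for c in copies if c.system == system.name
               and (c.provider, c.region) != (system.provider, system.region)]
    if not offsite:
        return ["no copy outside the primary region"]
    return min((problems(c, system, now) for c in offsite), key=len)

# Constructed sample inventory (all systems and values are made up).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SYSTEMS = [System("erp", "azure", "westeurope", timedelta(hours=4)),
           System("files", "aws", "eu-central-1", timedelta(hours=24)),
           System("crm", "azure", "westeurope", timedelta(hours=1))]
COPIES = [
    Copy("erp", "azure", "westeurope", True, None, NOW - timedelta(minutes=10)),
    Copy("erp", "aws", "eu-west-1", True, NOW + timedelta(days=30), NOW - timedelta(hours=2)),
    Copy("files", "aws", "eu-west-1", True, None, NOW - timedelta(hours=30)),
    Copy("crm", "azure", "westeurope", True, NOW + timedelta(days=7), NOW - timedelta(minutes=5)),
]
REPORT = {s.name: audit(s, COPIES, NOW) for s in SYSTEMS}
```

In this sample, `erp` passes because of its locked copy at a second provider, `files` has an off-site copy that is deletable and stale, and `crm` has only a copy in its own region.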

Copies for Dedicated Private or Public Clouds

For example, after migrating data to SAP in a private cloud model, there is limited ability to replicate data at the virtualization or operating system layer. This leaves application-level replication as the only option, which introduces additional costs for the organization.

When we choose SAP S/4HANA Cloud, we have very limited options for organizing our own DRC for SAP systems, as the systems are administered entirely by SAP. The situation is different with SAP RISE Private – we can use SAP HANA System Replication (HSR), i.e. synchronous replication for “short-distance” replications, or asynchronous replication for “longer” distances. However, this requires designing a suitable topology and purchasing additional licenses. There are also other options for strengthening security – either through backup to blob storage or the use of hyperscaler tools like Azure Site Recovery or AWS DR patterns.

Backups for On-Premise Solutions

For in-house resources, there are a number of options for replicating both transactional data and backups to other data centers. Some solutions also replicate data to public clouds.

For SaaS Solutions

For solutions such as Microsoft 365 or Google Workspace, available in the Software as a Service model, it is also advisable to create a data recovery strategy (email, file resources, meeting information). For these tools, there are options to replicate data in the designated DRC.

From Concept to Recovery Testing

All for One has many years of experience in maintaining a Disaster Recovery Center (DRC) for both SAP systems and other IT tools. We provide end-to-end DRC implementation – from concept and design, through deployment, to regular recovery testing. The backup center can be physically located in one of All for One’s Data Center facilities, in the public cloud or in another designated location. We have the experience and tools to achieve near-zero times when synchronizing data and running a backup center.

The Most Common Hacking Attack Methods

| Cause | Description | Percentage |
| --- | --- | --- |
| Human error (e.g., phishing, employee carelessness) | Clicking on a malicious link, opening an attachment, providing login credentials | ~40% |
| Use of stolen credentials | Passwords obtained by phishing, leaks, brute-force | ~25% |
| Software vulnerability (unpatched vulnerability) | Intrusion through unpatched vulnerability in systems, applications, firmware | ~15% |
| Malicious software (malware, ransomware) | Deployment of malicious code, often via phishing or external media | ~10% |
| Configuration error (e.g., open access, incorrect permissions) | Public exposure of resources (e.g. S3, RDP, servers), lack of segmentation | ~5% |
| Internal sabotage (insider threat) | Actions by current or former employees | ~3-5% |
| Supply chain attacks | Attack via an IT vendor, software upgrade, or partner | ~1-3% |


Business Continuity in NIS2

Rafał Grześkowiak, IT Project Manager, All for One Poland, about business continuity in the context of NIS2: “IT availability is no longer an internal matter of companies. It has become a shared objective of the entire economy. Audits of counterparties, taking into account a broad range of IT-related issues such as cybersecurity, high availability and contingency planning, are now common practice.

Some business sectors – such as automotive and audio-video – have developed information security standards (VDA ISA/TISAX and TPN – Trusted Partner Network, respectively), whose implementation and certification de facto determine the possibility of cooperation in these industries. One of the core pillars of these standards is business continuity.

For example, for organizations required to have the TISAX label, controls 5.2.8 (IT service continuity planning) and 5.2.9 (Backup and recovery) explicitly point to the need to analyze the impact of IT service unavailability on the business and require the development of contingency plans and the identification, as well as the definition of recovery timeframes and resources needed to restore IT services within specified time limits.

Analogous requirements are imposed by ISO 27001 in its latest edition (in controls A.5.30 and A.8.13, respectively).

ISO 22301 is entirely devoted to systemic business continuity management, focusing on ensuring that an organization can maintain critical business operations during emergencies and quickly restore them after disruptions. From a business perspective, this means minimizing operational and reputational losses and increasing the organization’s resilience to risks such as IT failures and cyberattacks.

Good IT service management practices described in standards have been reflected in legislation over time. The 2016 NIS Directive and the Polish Act on the National CyberSecurity System (NSC) emphasized the need for appropriate organizational and technical solutions. However, it was not until the 2022 NIS2 Directive in Article 21 that the requirements were made more specific, imposing the obligation to prepare, among other things, a risk analysis and disaster recovery procedures.

A Disaster Recovery Center is one of the measures supporting IT business continuity. It allows organizations to include in their continuity plans an independent, external location where, if necessary, key IT systems will be brought back online without delay.

The requirements introduced by the NIS and NIS2 business continuity directives mean that the group of organizations that should at least analyze the rationale for implementing DRC make up a significant part of the economy, including the energy, transport, banking, healthcare, water utilities, pharmaceutical and food sectors, as well as the chemical and cosmetics industries.”
