Disaster Recovery Center vs. business continuity | All for One Poland


A contingency plan is a must

In a world where cyber-attacks, infrastructure failures and data loss are occurring with increasing frequency, the Disaster Recovery Center (DRC) is becoming an essential component of a company's business continuity strategy. Even the best-secured IT environment can be paralyzed by human error, a power outage, a ransomware attack or the unavailability of cloud services. Organizations therefore need to think not only about backup, but also about an effective plan for recovering data and restoring systems. Today, a DRC is a necessity for protecting data in public cloud, private cloud, SaaS and on-premise environments.


Today’s business operates in an environment where the risk of downtime and data loss is greater than ever before. Natural disasters, infrastructure failures, cyber attacks, human error or power outages – any of these factors can cripple a company’s operations in a matter of minutes. Threats echoing geopolitical events, such as war, disruption of raw material supplies or unavailability of cloud services in a particular region, are also increasingly common.

The dizzying pace of change in IT is also generating new threats. In the race for customers’ attention, system and application vendors release immature solutions whose code contains bugs that allow systems to be broken into. Specialized hacking groups, often paid by unfriendly foreign governments or technology competitors, exploit all vulnerabilities – both technological ones and those resulting from human error. As many as 40% of system breaches occur through a phishing attack or are the result of simple carelessness.

How to defend against cyber attacks

Any successful attack affects the continuity of a company’s operations, damages its reputation and can even lead to bankruptcy. What, then, should be done so that the company can operate without risk from its IT systems?

First of all, there is never enough employee training on how to counter infiltration attempts and resist the social engineering used by attackers.

Secondly, it is worth taking care to secure the data in case it is damaged, inaccessible or encrypted.

Company data is stored in various locations. Some of it sits in proprietary or public cloud solutions (such as Amazon Web Services, Google Cloud Platform, Microsoft Azure and dedicated clouds like SAP S/4HANA Cloud), and some in SaaS applications from various providers. Some companies opt for solutions based on local data centers in the region, or in-house at the company’s headquarters or branch office.

Data can be copied between regions, can exist in a high availability solution, and can be copied to another location within the company. For SaaS applications in vendor clouds, we usually do not have access to information on how the data is stored and in what location.

Knowing all this, it’s hard to escape the question: what happens if the data is deleted, encrypted or corrupted?

Disaster Recovery Center

The Disaster Recovery Center (DRC) is becoming a key component of a business security strategy: a backup data center that enables business continuity even in the event of a major failure of the primary IT environment. The basis for securing data is a set of backups that are made to a remote location, protected from unauthorized deletion and tested for recovery, together with a recovery site that lets the business operate uninterrupted. Just having a backup is not enough: it is equally important to determine how quickly an organization can restore systems to operation and where those copies are physically stored.

There are as many options for building a DRC as there are organizations. Each solution is built individually, taking into account first of all the size and specifics of the IT environment, the importance classification of the IT systems, the required RPO (Recovery Point Objective, the acceptable data loss) and RTO (Recovery Time Objective, the maximum acceptable interruption time), as well as the IT technologies used and the available transmission links.
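The criteria named above (a remote copy, protection from deletion, tested recovery, and RPO/RTO per system) can be checked mechanically against a backup inventory. The following is an added example, not All for One's tooling; the record fields, system and site names, and the 180-day restore-test interval are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class BackupRecord:              # field names are assumptions for this example
    system: str
    primary_site: str
    backup_site: str
    immutable: bool              # copy cannot be deleted before retention ends
    last_backup: datetime
    last_restore_test: Optional[datetime]
    measured_restore: Optional[timedelta]   # duration of the last test restore
    rpo: timedelta               # acceptable data loss
    rto: timedelta               # maximum acceptable interruption

def audit(rec, now, max_test_age=timedelta(days=180)):
    """Return the list of DR criteria this record fails (empty list = pass)."""
    findings = []
    if rec.backup_site == rec.primary_site:
        findings.append("no remote copy")
    if not rec.immutable:
        findings.append("copy not protected from deletion")
    if now - rec.last_backup > rec.rpo:
        findings.append("RPO exceeded")
    if rec.last_restore_test is None or now - rec.last_restore_test > max_test_age:
        findings.append("restore not tested recently")
    elif rec.measured_restore is None or rec.measured_restore > rec.rto:
        findings.append("RTO not met in last restore test")
    return findings

# Constructed inventory; a real one would come from the backup tool's reports.
NOW = datetime(2025, 6, 1, 12, 0)
H, D = timedelta(hours=1), timedelta(days=1)
INVENTORY = [
    BackupRecord("erp-db", "dc-a", "region-b", True, NOW - H / 6, NOW - 30 * D, 0.75 * H, H / 4, H),
    BackupRecord("file-share", "dc-a", "dc-a", False, NOW - 30 * H, None, None, 24 * H, 8 * H),
    BackupRecord("mail-saas", "saas-vendor", "dc-a", True, NOW - 2 * H, NOW - 20 * D, 6 * H, 4 * H, 4 * H),
]

def audit_inventory(inventory=INVENTORY, now=NOW):
    return {rec.system: audit(rec, now) for rec in inventory}

if __name__ == "__main__":
    for system, findings in audit_inventory().items():
        print(f"{system}: {', '.join(findings) or 'OK'}")
```

A system passes only when every criterion holds at once: a recent backup that sits in the same site as the primary, or that has never been restored in a test, is still reported.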

In the following sections of the article, we will look at how to effectively plan and implement Disaster Recovery mechanisms for systems maintained in various cloud models, as well as on-premise and SaaS.

Public cloud backups

In public clouds, data replication between zones and regions is not sufficient protection. Preventive measures such as backup to another region are required. The optimal solution is to store the data in the second region on encrypted storage, without the possibility of deletion.

To maintain business continuity, consider replicating data to another provider, for example from Azure to AWS. If the entire infrastructure of one public cloud is unavailable, the data can then be brought up in another public cloud, or withdrawn and brought up in a designated data center outside the cloud.

In doing so, it is important to ensure that the Disaster Recovery Center (DRC) can run fully without access to cloud resources. For example, along with replicating applications and databases, you should secure a place for identity and credentials, such as Entra ID in hybrid mode.

Copies for dedicated private or public clouds

For example, after migrating data to SAP in a private cloud model, there is limited ability to replicate data at the virtualization or operating system level. What is left is replication at the application level, which is an additional cost to the organization.

When we choose SAP S/4HANA Cloud, we have very limited options for organizing our own DRC for SAP systems, since the systems are administered entirely by SAP. The situation is different with SAP RISE Private – we can use SAP HANA System Replication (HSR), i.e. synchronous replication for “short-distance” replication, or asynchronous replication for “longer” distances. However, this requires designing a suitable topology and purchasing additional licenses. There are also other options for strengthening security – either through backup to blob storage or the use of hyperscaler tools like Azure Site Recovery or AWS DR pattern.

Backups for on-premise solutions

For in-house resources, there are a number of options for replicating data to other data centers, covering both transactional data and backups. There are also solutions that replicate data to public clouds as well as to other data centers.

For SaaS solutions

For solutions such as Microsoft 365 or Google Workspace, available in the Software as a Service model, it is also advisable to create a disaster recovery strategy for data (mail, file resources, meeting information). For these tools, there are options for performing data replication in the designated DRC.

From concept to restoration testing

All for One has years of experience in maintaining a Disaster Recovery Center (DRC) for both SAP systems and other IT tools. We provide end-to-end DRC delivery – from concept and design, through implementation, to periodic restoration testing. The backup center can be physically located in one of All for One’s Data Center facilities, in the public cloud or in another designated location. We have the experience and tools to achieve near-zero times when synchronizing data and running a backup center.

The most common methods of hacking attacks

| Cause | Description | Percentage |
|---|---|---|
| Human error (e.g., phishing, employee carelessness) | Clicking on a malicious link, opening an attachment, providing login credentials | ~40% |
| Use of stolen credentials | Passwords obtained by phishing, leaks, brute-force | ~25% |
| Software vulnerability (unpatched vulnerability) | Intrusion through unpatched vulnerability in system, application, firmware | ~15% |
| Malicious software (malware, ransomware) | Deployment of malicious code, often via phishing or external media | ~10% |
| Configuration error (e.g., open access, bad permissions) | Public exposure of resources (e.g. S3, RDP, servers), lack of segmentation | ~5% |
| Internal sabotage (insider threat) | Actions of current or former employees | ~3-5% |
| Supply chain attacks | Attack via an IT vendor, software update or partner | ~1-3% |

The requirements introduced by the NIS2 business continuity directive mean that the cluster of organizations that should at least analyze the rationale for implementing DRC includes a significant part of the economy

Rafał Grześkowiak, IT Project Manager, All for One Poland

Business continuity in NIS2

Rafał Grześkowiak, IT Project Manager, All for One Poland, on business continuity in the context of NIS2: “IT availability has ceased to be an internal matter for companies. It has become a shared goal of the entire economy. Counterparty audits that broadly cover IT issues such as cybersecurity, high availability and contingency plans are now common practice.

Some business sectors – such as automotive and audio-video – have developed information security standards (VDA ISA/TISAX and TPN – Trusted Partner Network, respectively), the implementation and certification of which de facto determines the possibility of cooperation within these industries. One of the substantive pillars of these standards is business continuity.

For example, for organizations required to have the TISAX label, controls 5.2.8 (IT service continuity planning) and 5.2.9 (Backup and recovery) point directly to the need to analyze the impact of IT service unavailability on the business and require the development of contingency plans and the identification of times and resources to restore IT services within an assumed timeframe.

Analogous requirements are imposed by ISO 27001 in its latest edition (in controls A.5.30 and A.8.13, respectively).

ISO 22301 is entirely devoted to systemic business continuity management, focusing on ensuring that an organization can maintain critical business operations during emergencies and quickly restore them after disruptions. Business-wise, this means minimizing operational and reputational losses and making the organization more resilient to risks such as IT failures and cyber attacks.

Good IT service management practices described in norms and standards have been reflected in legislation over time. The 2016 NIS Directive and the Polish Act on the National Cyber Security System (NSC) emphasized the need for appropriate organizational and technical solutions. However, it was not until the 2022 NIS2 Directive in Article 21 that the requirements were made more specific, imposing the obligation to prepare, among other things, a risk analysis and disaster recovery procedures.

A Disaster Recovery Center is one means of supporting IT business continuity. It allows organizations to include in their continuity plans an independent, offsite location where, if necessary, key IT systems will be brought back online without delay.

The requirements introduced by the NIS and NIS2 business continuity directives mean that the cluster of organizations that should, at the very least, examine the rationale for implementing DRC includes a significant part of the economy, including energy, transportation, banking, healthcare, water utilities, drug and food manufacturers, and the chemical and cosmetics industries.”
