Stephen Young, Director of AssureStor
The OVHCloud data centre fire in March this year, raised questions regarding the perceptions of the services and guarantees that are provided when technology is deployed into a data centre.
The fire demonstrated that the inconceivable can become a reality, and organisations that hosted their equipment at the Strasbourg site in the belief they were mitigating risk, potentially left themselves exposed. As a result, many of them may have suffered a permanent loss of data, potentially jeopardising their business.
Service providers hosting their own physical or virtual servers appear to have been affected the hardest. With possible misunderstandings regarding the security of systems and the data they hold, there had been an incorrect belief that a disaster of such magnitude could not occur, but that if by chance it did, systems data was somehow being backed up as part of the service. Some organisations were, in fact, carrying out data backups or replication. However, these were to hosted systems in the very same data centre.
Responsibility for your data
The data centre fire has brought the responsibility of data and system resilience into sharp focus with the potential for a complete system outage and permanent loss now a very real possibility. Regardless of where you are hosted, the responsibility for ensuring you can recover your systems and data quickly and reliably often falls to the customer.
Looked at from another perspective, the data and system recovery contingencies in place with some organisations hosting at OVHCloud were far short of what was required, and a system outage with permanent data loss was possible without a catastrophic fire.
In a very similar vein to the data centre fire, there are many organisations hosting servers at data centres, or running services from online providers or SaaS, believing that their systems and data are secure, being backed up, and will still be available in the event of an outage.
Keep an eye on the Ts & Cs
It’s possible that providers will only supply a ‘reasonable endeavours’ service to retrieve lost data; it’s not usually a prominent aspect in the Ts & Cs. So diligence is essential to understand just what is being provided. Consider the outcome if the provider of a prominent online service was hosted at the Strasbourg data centre and did not have the appropriate data resilience in place.
A simple solution of off-site replication or backup to a cloud service, such as disaster recovery-as-a-service (DRaaS) or backup-as-a-service (BaaS) – importantly provided from another data centre – would have minimised downtime and prevented any data loss.
The founder of OVHCloud has said that the incident highlights the need for the data centre industry to offer backups as standard to customers. This is a positive step forward.
But until that happens, users should consider these steps to help protect their data:
- Whilst extremely secure, the notion that your systems and critical data are impervious to downtime or data loss when hosted in a data centre has been challenged. Like any physical structure, it can be affected by fire, flood, acts of God or even a cyber-attack.
- Can you afford prolonged downtime or the permanent loss of data? Consider what you deem to be a disaster and the potential impact. Some companies are satisfied knowing their data can be recovered from backup, even if it takes hours or days, while others cannot afford any downtime and need systems back online within minutes, maybe even seconds.
- Microsoft 365, Google Workspace and other top tier providers typically include some level of backup protection. However, many of these ‘backup features’ are designed with the SaaS provider in mind and may not meet your own recovery needs. Ambiguity in service level agreements and those missing key features could have serious consequences. Granular recovery and flexible retention timeframes are critical for a good backup platform and may save your service if disaster strikes.
- If you decide you need to take ownership of your own backup requirements, one of your initial considerations should be geographic diversity. Having a disaster recovery solution with an RPO (Recovery Point Objective) of seconds and RTO (Recovery Time Objective) of minutes is compromised if it’s in the same data centre or too close.
- Regardless of the capability of the technology applied to ensure data resilience, many disaster recovery plans fail due to a lack of testing. Even if the systems are ultimately recovered after an unexpected, stressful and lengthy process, it could still be financially costly to the business, as well as causing reputational damage. Ensure you have the knowledge, time and capacity to build in comprehensive tests on a regular basis.
- The best products deployed incorrectly can significantly compromise a real disaster invocation. Consider utilising an external disaster recovery provider where you benefit from specialised expertise and objectivity by using these services – such as DRaaS – where testing and trial invocations are provided as part of the service.
- The importance of testing cannot be over-emphasised. Technical staff that are well versed in trialling a disaster recovery invocation are more likely to deliver a less stressful system recovery and, if the unexpected does occur, be better prepared and drilled to deal with these situations.
Consider carefully whether your business can survive downtime with little or no real-world impact. You cannot assume your systems are protected and that your data cannot be lost. IT services are embedded into every aspect of our business life. An outage like this will affect the service you provide and likely impact the financial security of your company.
Regardless of the cause and irrespective of the circumstances, if your data is lost and your recovery options compromised, your data, and potentially your business, is gone for good.
Stephen Young is a Director at AssureStor, working with the company on the next stage of its development as one of the fastest-growing providers of cloud-based disaster recovery, data resilience and backup in Europe. Leveraging his depth of knowledge, he is helping AssureStor to become a leader in its field.