Security implications of moving Disaster Recovery (DR) to Azure

There are many reasons why you might be thinking about using Azure for your Disaster Recovery (DR). Things such as pay-as-you-go pricing, full scalability and global coverage are all attractive considerations. Azure certainly remains an extremely enticing option when compared to other relatively expensive DR sites.

However, is it all perfect in the world of Azure? What potential hurdles need to be overcome? You will have to get all of your production systems Azure-ready so that your DR system operates with a minimum of fuss. It is no mean feat to get your production system working on the Azure platform from its current working state. With cyber security at the forefront of everybody's minds these days, what are the security implications of such a move? Let us take a closer look.

A self-service cloud platform is excellent for fast deployment, which lends itself well to disaster recovery. However, in order to maintain appropriate levels of security, companies embracing Azure still need to go through ISO 27001 processes to mitigate risk. Such processes will cover everything from requirements analysis at departmental level and at business level, through to risk assessments, supplier assessments and security audits. We should also include here the mundane procedures for things such as ongoing maintenance, assessments, verification of processes, backup, DR capability, security audits and regular risk assessments. Because Azure is very easy to deploy, these processes often get overlooked: you get the functionality without doing your homework, and the business then becomes vulnerable to threats. ICT departments don't get involved in the ongoing assessment of risk because the processes are never implemented, as the proper deployment channels are never engaged.

Even large companies such as Deloitte can mess things up, demonstrated by their recent cyber-attack that resulted in email data being hacked. Had they fully implemented the correct security processes, the breach would have been discovered much earlier, and maybe even prevented altogether.

Azure can seem attractive due to the associated cost benefits (the pay-as-you-use model is very appealing). Whilst the potential cost savings of Azure can seem compelling, it can also be a false economy to drive down costs. The security of your data will be compromised if you mistakenly assume someone else is taking care of things for free. Azure can be an evil genie: it will give you exactly what you ask for, so make sure you have the right expertise to specify your requirements in line with the business needs. Failure to do so can result in some very critical security elements being missed out. Bearing in mind the financial penalties that GDPR will herald, the security of your data can be mismanaged if compliance/risk and IT security leaders aren't involved. Azure is a complex solution requiring appropriate levels of expertise to remain protected – this will have cost implications. Companies should certainly invest more time and money in thinking about how things are done in Azure in order to improve their security and avoid the risks of penalties and damage to brand reputation.

Another consideration is the growing aspect of 'Shadow IT', whereby non-IT departments buy IT functionality, for example the marketing department buying a CRM SaaS solution. These solutions are often brought into production via a free 30-day trial; marketing might get the functionality they want, but who knows whether it's robust and secure enough until there's a breach? This is something else that companies should be thinking about in light of GDPR legislation coming into force next year.

If your SaaS providers are using Azure, then how do you control the security of your data? You won't have any control over how many copies of your data are being kept, what levels of security are being implemented, or where your data is kept. Due to the flexibility of Azure, it is down to the SaaS provider to decide on these aspects. If you don't have an in-house backup of your data, then what happens if the Azure data centre where your data is kept goes down, or the SaaS provider goes out of business? If your only backup is kept at the same data centre, then you lose everything. It's worth exploring the DR strategies of your SaaS providers and contemplating SaaS Escrow services that provide for the continuation of SaaS services.

In our modern 24/7 workplaces, staying one step ahead when it comes to data protection has never been more important. If you're considering the Azure cloud, then ensuring that you have every base covered is a must - your employees, partners and customers will thank you for it.

Contributed by Ian Daly, director, Plan B Disaster Recovery

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.