Disaster recovery as a service offers advantages, experts say, but agencies must understand the risks.
Dark clouds can be ominous signals of an approaching storm, but for federal IT managers, they could mean relief from network and systems disasters -- if agencies are careful.
"Dark cloud" is the nickname being applied to cloud-based disaster-recovery-as-a-service capabilities that have emerged for commercial networks and are just surfacing for federal agencies as they move toward virtual environments. The label refers to the fact that users don't "light up" the cloud capacity until disaster strikes.
Big infrastructure-as-a-service companies such as Symantec and Amazon Web Services are already providing commercial clients with continuity services via public cloud infrastructure and automation software. As agencies increase their use of cloud-based services under the Federal Risk and Authorization Management Program (FedRAMP), virtualized disaster recovery capabilities could add another option to the federal IT playbook, according to some experts.
The financial case for cloud-based recovery services can be compelling. Traditional IT disaster recovery plans rely on physical backup systems, said Pat Park, regional vice president at Metalogix, which provides management tools for Microsoft content and collaboration platforms. A recovery site is a centralized physical location to which IT managers fall back, he added.
But with virtualized dark cloud capabilities, data is replicated to the provider's cloud, where it can be sent to single or multiple data centers. That approach makes recovery more cost-effective and flexible for users, Park said.
The cloud-based recovery model eliminates huge expenses such as duplicate personnel, sites, hardware and software for physical disaster recovery sites, said Tom Tittermary, Symantec's technical architect for information management. Customers pay for the cost of transmitting and storing data in the cloud and for accessing it when needed.
"It makes sense to use the cloud for some recovery services," said Van Hitch, former CIO at the Justice Department and now a senior adviser in Deloitte Consulting's federal practice. "By definition, cloud implies a more efficient economic model."
The next few months could see more agencies taking a look at dark cloud applications, Hitch, Tittermary and Park agreed. "You could see a lot more with FedRAMP," Hitch said. Cloud service providers are required to meet the government's baseline cloud security standards by June 5, which will provide some concrete paths for agencies to follow in their pursuit of cloud services.
Nevertheless, experts cautioned that there are bigger issues that could delay agencies' complete embrace of disaster recovery as a service.
Hitch and Tittermary said that even with FedRAMP approvals, agencies must think long and hard about using cloud-based disaster recovery services. Agencies that use data containing an abundance of personally identifiable information or other sensitive records had better think even longer, Tittermary added.
Cloud services' greatest strength -- shared infrastructure -- can also be the greatest weakness for federal users because it raises security concerns, Tittermary said.
Agencies with large amounts of sensitive data would be better off using a federal cloud service provider that is responsible for shared security, he said. Agencies with lesser amounts of sensitive data might consider using a mix of public and federal cloud providers.
Furthermore, an agency might not know the extent of the sensitive data it has and could unwittingly lose control of that data once it's on a public cloud, Tittermary said. For instance, it would be problematic or even impossible for a public cloud provider to selectively delete data from a storage facility shared with other entities.
"This will be an evolving thing," Tittermary said. "Agencies will approach [cloud] cautiously." He added that the next few years will be very revealing as agencies learn how to use the services effectively and securely.