Jumbo2010 - Fotolia

Where disaster recovery strategy stands post-2020

Predictably, some 2019 forecasts of what disaster recovery might look like in 2020 didn't quite hit the mark. However, funding and cybersecurity were evergreen concerns.

Disaster recovery strategies have had to change drastically from expectations in 2019. The COVID-19 pandemic presented many disaster recovery challenges for teams in 2020, as remote work became the norm. At the same time, cybersecurity grew in importance compared to what experts predicted from the vantage point of late 2019.

Last year, for example, one of the standout issues for disaster recovery was a stronger focus on compliance, given the importance of GDPR and the California Consumer Privacy Act (CCPA).

Growth in cloud-based DR was evident at the end of 2020, but much was in flux. Enterprises, for instance, had not fully embraced the cloud while many smaller and midsize organizations were all-in. At the time, IDC analyst Phil Goodwin predicted the rise of "Goldilocks solutions." In other words, DR as a service or other cloud-based options present such breadth that almost any organization could find something right for their needs.

That specific development is still in process, but what's the broader outlook on the cusp of 2021?

The state of DR spending

Daniel Kennedy, research director for information security and networking at 451 Research, said the outlook for disaster recovery strategy is "one of the most complicated questions" he has examined recently.

"We saw some early doom and gloom regarding expected budget cuts and people having to do more with less," Kennedy said. However, that turned out to be almost the opposite of the eventual reality. "We run surveys all the time and 90% of organizations have been increasing their budgets related to data security, and by an average of 20%," he said. Not that many companies weren't asked to try to control spending, but the reality of today's disaster recovery challenges seem to have gotten in the way.

People somehow fail to understand the intensity and impact of ransomware. They think it is just about having an air-gap infrastructure, but that's not enough.
Naveen ChhabraAnalyst, Forrester Research

Other top IT spending priorities also included connectivity and collaboration, he said, and spending on development projects also continued to show strength. However, the DR side of the house was healthy, with most survey respondents indicating there was no effect on spending.

Kennedy also said anecdotal evidence points to more spending related to remote end users who may be having difficulty maintaining connectivity or are simply "forced to share connectivity with Xbox users."

He said, "That seems like an indication that DR for remote workers hasn't been as well planned as it should have been." On the other hand, momentum may be shifting to better serving that audience because, in Kennedy's estimation, many companies have had fairly positive remote work experiences and some are planning to make it permanent.

Looking ahead, Kennedy said, having spent lavishly to equip more workers with laptops, the concerns about data protection will lead to wider use of services such as Box. He also said that with the corporate world orienting more toward remote work, there may be a devolution away from VPN as the standard way to support connectivity and data protection. "With so much happening remotely, it may not make sense to force everything to go through the data center when there are good SaaS cloud options," he said.

COVID-19 hasn't put ransomware on pause

Christophe Bertrand, senior analyst at Enterprise Strategy Group, has picked up on the growing concerns about data protection, which COVID-19 has only exacerbated. "Perhaps because of the increased attack surface provided by so many people working from home, we have seen a rise in ransomware and other cyber issues," he said.

With ransomware and other cybersecurity issues top of mind for IT leadership in 2021, Bertrand said "there has never been a more important time for DR." Ransomware, in particular, is not just an attack but a "logical disaster" and, therefore, within the purview of DR. Until recently, data backup was often the corporate savior, because a recent, untainted version of data was usually readily available to replace data seized by attackers. However, Bertrand said, some of the newer attackers have grown more sophisticated and have discovered ways to infiltrate the backup process, effectively eliminating that source of protection.

That is accelerating the use of air-gapping, where backup data is not connected directly to applications or normal operations as a default. A prime example of air-gapping is traditional tape storage, which requires intermediary steps before granting access. This may not be an absolute guarantee against corruption, but it adds an inherent layer of protection. Similar "virtual air-gapping" is appearing in cloud-based services, Bertrand said.

Another technology likely to get more attention is immutability, or having the ability to guarantee data has not been changed and cannot be changed, he said.

Bertrand said the upshot of these developments is cybersecurity and data protection people and functions will increasingly operate from a shared playbook.

"This new focus on looking inside the data is where DR is becoming more like cybersecurity," he added.

Looking ahead to 2021

Forrester Research analyst Naveen Chhabra also sees a growing connection between DR and cybersecurity. In his surveys, as of the end of 2019, cyberattacks went from the fourth ranked concern to second. Given the experiences of 2020, Chhabra said it might even be the top concern today.

Despite its growing importance, Chhabra said a problem is that responses are now divided among infrastructure people and cybersecurity function itself. "These organizations don't always talk to each other and may not have mutually intelligible plans about what to do in the event of an attack," he said. Organizations will need to sort out which tasks belong to DR and how coordination will occur.

Chhabra divided the DR response into four sections: people, process, technology and governance. As organizations plan for 2021, they must ask if they are doing the activities they should, and if they have an effective way of measuring and assessing progress.

Chhabra said businesses need to focus more on technology, especially technology that is related to disaster recovery and resilience. "For recovery technology, in particular, the industry is lagging far behind," he said. Regarding backup, Chhabra said there has been too little innovation. "People somehow fail to understand the intensity and impact of ransomware," he said. "They think it is just about having an air-gap infrastructure, but that's not enough."

Dig Deeper on Disaster recovery planning and management