Auditor Insights: Business Continuity and Disaster Recovery Plans for the Cloud

by Joseph Kirkpatrick / May 10th, 2018

Most business owners understand the importance of Business Continuity and Disaster Recovery Plans. These documented sets of policies and procedures can be a lifeline to organizations following a disaster because they determine loss of operations, reputation, and revenue. But how does the cloud impact Business Continuity and Disaster Recovery Plans?

Myths about Business Continuity and Disaster Recovery Plans for the Cloud

When it comes to Business Continuity and Disaster Recovery Plans for the cloud, we often hear this feedback:

“I don’t have to worry about Business Continuity and Disaster Recovery Plans because my cloud provider does those for me.”
“We don’t need to test our Business Continuity and Disaster Recovery Plans, we’ve thought it through.”
“Our cloud service provider is taking care of our availability concerns.”
“Everything is in the cloud, so we aren’t at risk.”

These myths about Business Continuity and Disaster Recovery Plans for the cloud are hurting businesses. This way of thinking couldn’t be further from the truth. Business Continuity and Disaster Recovery Plans are not simply a technology roadmap; they describe how to recover business operations, which includes people and processes. How could a cloud service provider determine how your people and processes will recover?

Everything can’t possibly be in the cloud. Physical office locations, employees, weather patterns, heating and cooling systems, power regulation — these things don’t exist in the cloud. The shared responsibility model accounts for this. Microsoft Azure’s guidance states, “Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”

Organizations operating under the lift and shift methodology of moving an operation to the cloud without redesign or thought are not accounting for their people and processes. Cloud service providers cannot take care of all business continuity and disaster recovery needs. The lift and shift mindset cultivates complacency, which is a dangerous spot to be in.

What Should Business Continuity and Disaster Recovery Plans for the Cloud Include?

Business Continuity and Disaster Recovery Plans define an organization’s processes for protecting and recovering its business in the event of a disaster, such as a hurricane, flood, tornado, power outage, etc. With consideration to cloud computing, Business Continuity and Disaster Recovery Plans should answer:

How will your organization stay running in the event of a disaster?
How does your deployment model impact your level of risk?
How do your people and processes fit into cloud security?
Where will employees continue to carry out their work duties?
How will incident response be communicated throughout your organization?

To create Business Continuity and Disaster Recovery Plans, organizations must still go through these four basic steps:

Conduct a Business Impact Analysis.
Determine a recovery strategy based off the results of the Business Impact Analysis.
Put a documented plan into place.
Test it! Testing BC/DR Plans for the cloud is technologically easier.

About Michael Burke

Michael Burke is an Information Security Specialist with KirkpatrickPrice with over 25 years of experience in the information technology industry. Michael holds a PhD in Information Technology from Capella University. He is a member of the EC-Council, the International Information Systems Security Certification Consortium, and the Project Management Institute. Michael also holds CISSP, CCISO, QSA, and CCSFP certifications.