Reliability vs. redundancy: aren’t they the same thing?

Nearly all businesses are moving data and applications (apps) from their own data centers and systems to cloud based software-as-a-service (SaaS) for a variety of reasons. For many, assumptions made during the move will expose them to increased risks. While SaaS solutions provide reliability, most do not provide the same protection as a business received using a separate off-site backup with a long retention period.

Every business has critical information it is storing on behalf of a client or a regulatory agency, where a loss could prove catastrophic. Imagine your Certified Public Accountant (CPA) calling you on April 14th saying your tax return and all the supporting documentation you provided were gone. Data entrusted to a business by its customers cannot be lost without significant direct short term and indirect long-term impacts.

Key industry terms

Confusion is often caused by assumption of a common understanding. To help minimize misunderstanding of a complicated topic, the following definitions will refer to how the following terms are used throughout the article.

• Redundancy. The inclusion of extra components in a system so it will continue to function in case of a component failure.
• Reliability. Performing consistently well.
• Retention policy. Organizational process that describes how many versions of data will be kept, for how long, and what happens to the data at the end of the period.
• Separation of duties. A concept used in process design where multiple people must both authorize an activity before execution begins.
• Impact scenario. An event which will require an organization to alter from normal operations and day-to-day processes.
• Business continuity plan. Organizational process that provides the steps to continue operations after an impact scenario occurs.

Business continuity planning for different impact scenarios

With the move from on-premise systems to cloud based platforms, the confusion between reliability and redundancy along with business continuity planning assumptions is changing the impact scenarios in which a company can recover from in minimally disruptive ways.

Impact Scenario #1: flood, fire, break-in, or other event destroying a primary system

Most organizations used a tape, compact disc (CD) or other removable media to make regular copies of all of the files on the system to store at an off-site location with a defined retention policy. This prevented loss of data in the event of fire, flood, break-in or other scenario which made the primary system unavailable. Nearly all cloud storage providers plan their data centers in a way to prevent an impact from occurring in those same scenarios. A move to the cloud generally reduces this risk. 

Impact Scenario #2: Latent data corruption through technology failure or criminal tampering

This is a scenario where redundancy does not help. A redundant platform will be able to provide access to the corrupted data. While this scenario contains many nuanced possibilities, all are mitigated through an off-site backup with a retention period longer than the time elapsed before the corruption was detected. Many cloud platforms keep a fixed number of versions (often 3 to 30) for fixed time period (often 30 to 60 days). This means if a bad actor or errant process overwrites a file 31 times in a short period all uncorrupted copies will be lost even if it occurs in a matter of minutes. With an off-site backup system storing the data separately from the primary system, retention periods are always duration-based. This gives you a fixed number of days to detect and restore before complete loss occurs. A move to the cloud often increases this risk.

Impact Scenario #3: Malicious destruction of data through administrative access to a system

Ask yourself, “how would your business handle having all of your email, financial records and/or sales leads deleted from the SaaS service you use?” If you are running on cloud based services without a separate backup service, then your business is at risk of a single compromised individual or account causing potentially unrecoverable damage. When email, customer relationship management (CRM), or general ledger applications ran on in-house servers, an off-site backup application protected you from this impact scenario. Many businesses have misunderstood the reliability of SaaS as a protection from these types of attacks. When an administrator deletes data from a service, it is gone forever, so to protect yourself you need a backup service where a separate individual is the administrator so no one person has the capability to destroy both the production system and the backup. A move to the cloud without a separate backup service significantly increases this risk.

Manage risk as your business adopts cloud-based apps

With the move from on-premise systems to cloud-based platforms, the confusion between reliability and redundancy increases. Business continuity planning assumptions are changing the way companies recover from impact scenarios and minimize the disruption to daily business activities. Protect your business-critical data by combining the reliability of SaaS applications with the redundancy and protection of a backup plan.