What would your organization do if your cloud provider were to go out of business? What happens if your cloud provider suddenly stops offering critical services that your organization requires for its business to function properly? Businesses need to start asking these important questions and develop plans to address these scenarios.
The cloud is a new market that continues to grow, and there are more small players offering their services. According to Gartner, Cloud System Infrastructure Services (IaaS) are expected to grow from $45.8 billion in revenue in 2018 to $72.4 billion in 2020. As the market matures, it’s only natural that some of these organizations will disappear or stop offering certain services. In 2013, Nirvanix stopped offering it cloud services and gave customers only two weeks’ notice to move their data off of their platform.
This problem is not as severe in a conventional IT model. With a traditional data center, you actually own whatever hardware you purchase, so even if the manufacturer goes out of business, you still have the equipment and can keep using it but may have issues with support. You still have an opportunity to plan your migration to a new vendor’s servers or infrastructure.
On the cloud, such assurances typically do not exist. If the organization that provides you with cloud servers or infrastructure devices goes out of business, your servers are gone. Your data could also be lost. For example, if your systems are deeply integrated with your cloud storage provider and that provider shuts down, it would likely be very challenging to migrate your data, even if the provider gave you a grace period.
Reduce your risk: Have a contingency plan
It is critical to perform due diligence when deciding to move forward with a specific cloud provider. The risk of moving forward with a provider should be evaluated. Also, IT departments must ensure that business users are involved in the decision-making process and understand the risk of moving data to the cloud and differences in risk between the various providers.
Contingency plans need to be created or updated to handle possible disaster situations if there were issues with the cloud provider. Scenarios within the plan should include the following: What if the cloud provider goes offline? What if the provider were to immediately go out of business or stop offering cloud service? What services does your cloud provider offer that you need to operate your business, and what would you do if the provider were not able to offer those?
It is important to remember that just because you are using a cloud provider, you cannot forget about business continuity or disaster recovery planning. The more these scenarios are considered within a business continuity plan, the smaller the impact will be if a provider were to have issues offering their services.
When evaluating a cloud provider, make sure you understand their business model. Is it a sustainable model? Are they actually making a profit? Is their long-term plan compatible with your organization’s goals? Are they willing to work with you in business continuity planning if they were to fall on hard times?
Another important question to ask is if your data is readable should the provider go out of business. Many providers use a proprietary file storage platform, which means if users do not have access to certain cloud-based applications, they will not be able to read it.
Answering these questions will help ensure that you don’t partner with the wrong provider.
Researchers from the Stanford Technology Law Review found that most cloud providers will not provide liability if data is lost because of an outage or permanent outage due to going out of business.
It is critical to make sure any contract you sign with a cloud provider has provisions around what happens with your data in the event of bankruptcy, default, service changes, etc. These provisions should include arrangements for transferring the data to another cloud provider or to your data center. If a provider refuses to add a contract provision that protects you in these scenarios, you should consider other providers.
Consider multiple cloud providers
Many larger organizations use two or more cloud providers to reduce their risk. This can benefit an organization significantly should a provider go out of business. Also, for IT staff, this can be beneficial if you encounter issues with one provider because they will be familiar with working with the other provider, which can make a migration more seamless.
Example: If an organization uses Amazon’s cloud services for one set of applications and Microsoft Azure services for other applications and they have issues with one of them and have to move to the other provider, the staff who support it will be familiar with the operations of the platform and the migration will be easier because they have skills in the competing technology.
Organizations that have two or more providers should document the process for migrating their applications, data, etc. from one provider to the other in the event of an interruption, and the process should be tested yearly. It is important to apply the same key recovery metrics that typically apply in a disaster recovery plan for a traditional data center. Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Maximum Tolerable Downtime (MTD) should be part of the plan among the different cloud providers.
Remember that from a business, legal, and compliance perspective, secure and available data is the organization’s responsibility, and it is up to them to make sure their cloud provider can deliver on that.
With more cloud providers in the market, there is a higher chance some will fail. Just because an organization has a high profit margin today, does not mean it will have one in the future, so you must incorporate scenarios that I have outlined in your business continuity and disaster recovery plans.