PeterHainz
Newcomer I

Cloud Cross-Region Disaster Recovery (DR) Workflow requested by Regulator

At this year’s AWS re:Invent I learned from a financial institution (FI) that a regulator asked for cross-region DR (so not only availability zones within a region like Dublin). This FI implemented this cross-region DR workflow with AWS. Has anybody in the community received a similar request (cross-region DR with a cloud provider) from a regulator? If yes, which regulator asked for this?

 

Many thanks, Peter

3 Replies
RRoach
Contributor I

Don't know what research was done already but I would recommend looking at the regulatory guidance first, criticality of the system, input from board of directors as to their tolerance, and service offerings (SLA) by your cloud provider. Once you figure out what is needed, then you can get additional input from your technical teams as to the practicality/response/support etc.  

denbesten
Community Champion

Not involved with regulators, but I would agree with them on this one.  There have been highly-visible examples of region failures (AWS, Azure) and contemporary examples (Kentucky, Texas, Galveston) of disasters impacting entire cities which could impact an entire cloud "region".

 

And, it's not like the auditor is asking for very much.  All the cloud providers have mechanisms for cross-region failover -- it is just a matter of configuring and documenting.  It's not like they are asking you to address a total cloud provider outage (Google).  That would be expensive, time-intensive and very much a roll-your-own effort.

 

FWIW, I consider intra-region to be HA (aka Fault-Tolerance) and cross-region to be DR.  Two very different scenarios; two very different solutions.

Caute_cautim
Community Champion

@denbesten @PeterHainz @RRoach 

 

It's not quite as simple as Multi-zones or Multiple regions; one should also consider the type of storage systems applied, i.e. whether they are a direct connection and associated with one particular region or in some cases zones as well.  In some circumstances, the organisations may have opted for the cheapest options possible, so an examination of the critical services should be undertaken as well.  Often organisations may have opted for the cheapest options whether they are public cloud or private cloud, and may not have fully considered from a risk management perspective, whether or not they should be using Cloud Object storage rather than direct.  In some cases, Cloud Object storage may be more economical and perhaps provided within a private cloud scenario due to added security services and the fact that the Cloud Provider provides greater support.

 

Also consider whether the services you currently have are based on bare metal, public or private cloud requirements. 

 

Also, I suggest weighing up the Cloud Provider's Shared Responsibility Model as well, and identifying your own responsibilities vs what they will do for you when you really need them, especially when you find out it's your responsibility and theirs is only best efforts.

 

As @denbesten states, AWS went down three times in North America during December 2021 alone, and Azure is also tarnished as well, so perhaps consider a hybrid cloud approach to meet your organisation's DR requirements, let alone regulatory requirements.

 

A risk management assessment may also be required to consider the current circumstances too.

 

Regards

 

Caute_Cautim