Multipart article

The Beginner’s Guide to Business Continuity Management in the Cloud

Smartsheet Contributor Andy Marker on Nov 11, 2020 (Last modified on Aug 23, 2021)

Cloud computing provides IT resilience for businesses when disruptions force remote work. Learn how to write a business continuity plan, find a planning checklist, and get expert advice on making a choice, all for cloud services.

In this article, find considerations for evaluating cloud services as part of business continuity planning. Use our step-by-step guide for writing a cloud-focused plan, and learn the questions to ask when choosing a cloud service for recovery and redundancy.


What Are Cloud-Based Services?

Cloud-based services are programs and data that a service provider hosts on servers in a remote location. Users access these resources through the internet or a company intranet. Microsoft 365 is an example of cloud computing.

Mike Semel

Cloud computing is an alternative to using desktop-based programs, akin to on-premise enterprise applications. When discussing the cloud, it doesn’t refer to data floating around in the ether. “There is no cloud,” explains Mike Semel, President and Chief Compliance Officer of Semel Consulting. “Here’s what I remind people: There's a data center someplace that has servers in it where your data ends up or that runs your programs. So think about all the layers between you and the data in that data center, and that you can't control them.”

Advantages of Cloud Computing

Cloud services may include analytics, applications, databases, storage, servers, and networking. Services tend to be available on demand, which means you can easily increase capacity. Though the cloud presents some challenges, it also offers these advantages:

  • Uses load balancing to deliver processing and storage resources where your company needs them 
  • Charges only for services you use and quickly scales up or down 
  • Eliminates costs related to hardware that you must maintain and secure 
  • Reduces your electric bill because you don’t need to power servers and the air conditioning to cool them 
  • Reduces the latency of the fixed company-owned data center through global data center networks 
  • Increases availability because storage is decentralized; if one center fails, another should be available
  • Helps control company expenses, increase efficiency, and reduce vulnerabilities 

Read our article on cloud collaboration best practices to learn more about the benefits of the cloud.

See how Smartsheet can help you be more effective

Watch the demo to see how you can more effectively manage your team, projects, and processes with real-time work management in Smartsheet.

 

Watch a free demo


The Cloud Computing Stack

The cloud computing stack consists of SaaS, PaaS, IaaS, StaaS, and serverless models. Companies buy subscriptions or use a pay-per-use (PPU) model.  

In a subscription model, businesses pay a recurring fee for a program they use often. With a PPU, customers pay a fixed price for single or infrequent use. Increasingly popular, PPU offers flexibility for scaling systems up or down.

Harry Brelsford

Harry Brelsford, CEO of SMB Nation and M365nation, says the cloud service  models overlap in function. For business continuity and daily tasks, he adds that most small businesses will work only with SaaS tools.


Benefits of Cloud Services Models to Business Continuity

Model Business Use Provider Business Continuity Benefit
SaaS (software as a service) Companies or individuals subscribe to services, which they access through the internet. The service provider manages the software, hardware, upgrades, and security patching.

Canva, Concur, Dropbox, Exabeam, G Suite, Jira, Microsoft 365, QuickBooks,

Smartsheet, Zendesk, Zoom

Customers can use multiple devices to access the software anytime, anywhere they have access to the internet.
IaaS (infrastructure as a service) A company rents servers, racks, and virtual machine (VM) storage on a pay-as-you-go basis. The service provider manages the physical hardware and location, and the company installs and manages its programs. Amazon Web Services, DigitalOcean, IBM SmartCloud Enterprise, Microsoft Azure, Rackspace, Skytap Agile Development

Companies can quickly support a system without paying for hardware and maintaining the required data center environment. The model provides high availability in emergencies, and you don’t need  disaster recovery equipment and staff. 

The vendor is responsible for network and hardware security and maintenance.

PaaS (platform as a service) Providers offer a development framework on which companies build web-based software programs. The service provider manages the hardware and the software back end. Apprenda, AWS Elastic Beanstalk, Force.com, Microsoft Azure, Red Hat OpenShift, Salesforce Companies can continue to develop, test, and deploy new products from any employee location.
STaaS (storage as a service) Companies rent data storage space that resides in the cloud. AT&T Synaptic, AWS, Microsoft Azure Small and medium-size companies can use this option for off-site backup.
Serverless The service provider maintains servers and manages space and workloads. AWS Lambda, Google Cloud Platform, Microsoft Azure A form of IaaS, serverless computing allows companies to scale as necessary and pay only for what they use, instead of pre-purchasing resources. They focus solely on the business functions of the application clients. The service provider dynamically adjusts resources as needed.

You can also describe cloud host environments in these ways:

  • Public Cloud: Also called the external cloud, in a public cloud, a service provider owns all hardware and software. Users manage or access software and services over the internet. Public cloud providers offer free, subscription, or PPU fee models.
  • Private Cloud: Also known as the internal cloud, in a private cloud, a company owns the hardware and software. A private cloud may include a company’s on-premise data hardware or equipment housed offsite. The organization sometimes hires a third party to manage the private cloud in a single-tenant arrangement. To ensure security, a private cloud operates behind a firewall, and only authorized users may access it via an intranet or a closed virtual private network (VPN). Businesses concerned with increasing speed and availability, as well as security, and who must comply with strict regulations usually opt for a private cloud implementation.
  • Hybrid: In this model, one company may use any combination of on-premise, private, public, and third-party private infrastructure, depending on data sensitivity. Companies use hybrid systems to ensure compliance and maintain highly sensitive data internally.
  • Dedicated: Akin to IaaS, a single tenant occupies a dedicated public cloud, which offers cost savings and enhanced speed and performance.
  • Shared: Virtual machines partition a single physical server into virtual servers that share memory and computing resources. Shared resources are low maintenance and less expensive. However, they may present security and performance issues.
  • Multicloud: One company uses multiple public clouds and other resources, including on-premise and virtual machines. Multicloud installations reduce dependency on a single provider and provide optimized services for different business functions.

Learn more about how you can use these cloud service models in your business from our guide to cloud integration.


How Cloud-Based Systems Support Business Continuity

The cloud is a key part of business continuity for transaction- and data-focused companies that can’t afford downtime. Cloud services protect continuous availability and offer fast, reliable continuity support.

Bryan Strawser

“When we're talking about cloud computing for business continuity, we're talking about having one of two things,” explains Bryan Strawser, Principal and Chief Executive at BryghtPath Consulting. “Either we have a redundant system that relies upon the cloud, whether that's software-as-a-service or cloud-based applications — so a combination of physical data center assets and cloud-based assets like AWS or Azure. Or you're a company where everything's in the cloud.”

The Good and the Bad in Cloud Computing for Business Continuity


Pros

Cons
Cloud services aren’t onsite, and you don’t have to install and manage it. You are always responsible for understanding backup and security protocols, even for third-party providers.
It’s always on. Data centers are subject to failures and downtime.
It’s safe, with dedicated security experts monitoring the setup 24/7. Many cybersecurity and other professionals don’t trust cloud security.
It provides safe, automatic backups. You still need to understand how your cloud provider backs up your data.
Data centers can provide better physical security than most companies, protecting from break-ins and physical threats like floods. You need to understand the data center’s physical security plan.
Your service provider builds in more resilience and redundancy than you could achieve on your own. With your own hardware, you can create a redundant setup or move assets. The cloud includes layers you can’t control.
You buy only what you need. You might have to invest in more resources and personnel than you currently need

 


Cloud Benefits for Business Continuity

The cloud offers timely and error-free data recovery for business continuity. The cloud offers a secure, seamless alternative when you cannot access your main offices. Home offices, satellite offices, or recovery sites can continue working as normal. 

Traditional recovery solutions often took hours to transfer data from on-premise tape or flash drives or servers to recovery hardware. The on-premise model could stall an entire company if the main servers crash.

SaaS and cloud offerings typically include more redundancy and resiliency against potential outages than an individual company can afford to establish and maintain. Large-scale remote work and continued trade through online shopping was impossible in the early 2000s, before the advent of cloud computing. 

Here is a summary of how cloud computing supports business continuity:

  • Provides regular backups and easy failover (equipment that assumes the work when primary systems fail)
  • Reduces downtime
  • Provides better network and information security management
  • Scales to suit your business needs; for example, keep critical data on-premise and back up the rest to the cloud 
  • Helps reduce impact in disruption of service (DoS) attacks
  • Removes the need to stand up and maintain a costly physical mirror site of your infrastructure
  • Eliminates the need to sync software on two sites
  • Reduces recovery time to as little as a few minutes — potentially 
  • Eliminates the need to travel to a remote site in potentially difficult or dangerous circumstances
Tony Bombacino

"We would not exist and be able to be successful without cloud computing," says Tony Bombacino, Co-founder and President of Real Food Blends. "It is 100 percent critical to our business. Like many small businesses, we use Gmail, Google Docs, and Salesforce. We also use Shopify and WordPress. We could not scale without it or stay in touch without it. 

“We get on with our phones and FaceTime. Earlier today, we had a Microsoft Teams call. Yesterday we had a WebEx call. Now [with the pandemic] we're trying to use technology to take the place of what often happens in person at the beginning of a relationship."


What to Look for in Cloud Services for Business Continuity

For smaller organizations, cloud services for business continuity center on SaaS. Small companies should still evaluate a provider’s end-to-end setup and analyze strengths and weaknesses as they would for their own functions. 

“I don't think most small to mid-sized businesses think about redundancy and high availability of services,” says Strawser. “I think savvier ones are going to be thinking: Does this tool that my business relies upon have that capability or not? From now on [since the pandemic], all of them are going to be looking for that.” 

Businesses in regulated industries need to remember they always bear the onus for doing their part to ensure availability and security. Furthermore, it is easier to build in continuity buffers when you first build and implement an IT or communications environment than in a mature system. If you are starting a business, now is the time to consider business continuity. 

Consider these issues when looking for cloud-computing resources for business continuity:

  • Backups: Does the vendor back up your data or is that your responsibility? How do they back up data?
  • Connectivity:
    Michael Fraser
    Sharing data seamlessly across programs makes work easier. “Organizations don't want to move a few workloads that are on-premise. They want to have it all in the cloud because then they don't have to worry about where their employees work,” says the CEO and Chief Architect of Refactr, Michael Fraser. “But in doing so, they have to think about the impact of how their users are going to connect.”
  • Compatibility: Consider vendor-neutral tools and applications. Look for solutions that are broadly compatible with your hardware and software systems.
  • Cost: Price and preserving cash are paramount concerns for small businesses, especially in a crisis. Can you get a service for free that provides the same quality of output as a paid version?“We don't choose tools with a price premium for features and functions we aren't yet ready to use,” explains Bombacino. “We try to use best-in-breed when it makes sense if they have versions aligned with small-business needs.”
  • Data Extraction: Can you get your data if you change providers? Cloud companies can shut down, too — what happens to your data then? Don’t choose a vendor that either won’t let you take your data or can’t provide a way to extract it. “If the answer is no, and there's no way to get your data out of it whatsoever in any form, then you have to determine if that's okay with you. And for a lot of organizations, that may be fine,” says Fraser.
  • Data Ownership: Some free platforms retain rights to your work. Find out who owns the data you add to a cloud resource.
  • Data Segregation: Find out exactly how a vendor segregates and protects your data. Also ask who has access to it and how they verify users.
  • Distributed Platform: Ensure you can connect your complete platform. For example, users should be able to access internal cloud services only from inside a company network, behind a firewall. In that scenario, you might need to provide a VPN setup to remote workers.
  • Functionality: Does the tool do the job the way you want it?
  • Location: Avoid a recovery data center co-located at or near your original site. If you need to establish a redundant site, set it up 30 to 100 miles from the primary cloud provider location.
  • Remote Access: By their nature, most cloud-based tools permit remote working. You’ll want to ensure the applications are robust and flexible enough to serve a distributed workforce that uses a range of devices, including mobile.
  • Security: “Security is still not top of mind for the florist and the baker,” says Brelsford. “They don't wake up thinking about security, so the platform must be secure. For example, in a collaboration tool, can I have a private conversation with you and know that I'm not being overheard?” At the very least, ask the vendor how they plan to handle a hack or breach.
  • Service-Level Agreement (SLA): Do the vendor’s guarantees of availability and return to service fit your needs? Also, what is the protocol if your contract ends?
  • Support: A cloud services provider may not share your time zone or even reside in the same country. Find out if support is available during your working hours. Ask if there’s access to user forums and a robust online help center.
  • Usability: “Not everybody in a company has the same level of tech savvy, so we choose things that everybody can learn fairly quickly,” explains Bombacino. “It's a giant waste of money to invest in all of this technology if people can't or won't use it.”
  • Vendor Reputation: You could lose all your data if a vendor suddenly goes out of business. Do some research to see the number and quality of patches and upgrades a company provides, as well as its security history. Consider whether the company is old and stable, with a large user base. “For example, nobody ever got fired for buying an IBM product,” notes Brelsford. 
  • Vendor Business Continuity: Your cloud services provider needs a business continuity plan, too. Understand how they will protect your data if they experience a disaster or other crisis. Learn about their backup and restore processes, along with how they test recovery plans.

Cloud Services and SaaS Checklist

Cloud Services and Saas Checklist

This free checklist covers all the questions you should ask when sourcing SaaS tools or cloud services. The checklist includes space to make notes on provider offerings. Print the Word or PDF versions, or share it as a Google Doc so that colleagues can read your findings. 

‌Download Cloud-Services and SaaS Checklist 

Word | PDF | Google Docs | Smartsheet


Business Continuity Planning with Cloud Computing

The cloud offers responsiveness and resilience to business continuity. However, you can’t simply put your data into the cloud and expect to be covered. Whatever problems can befall your physical assets can also happen to cloud setups.

Cloud service providers suffer downtime and outages. Natural disasters can affect power grids to data centers or facilities. Hackers target data. IT people make mistakes. Old servers fail. Data is overwritten, which is possible with SaaS systems transacting large amounts of data daily. 

“The cloud really has changed everything to where you can have an almost instant recovery,” says Semel. “But now you can recover the systems so much faster than you can recover the people who need to run them. For example, if you’re a retail store and your customers can't get to you and somebody isn't there to help them, so what if you can get to your cloud?” Maintaining staffing levels is a particular problem in natural disasters, where staff may choose to leave town or authorities may ask them to evacuate. 

Read our introduction to business continuity planning guide to get a handle on all the issues that could affect your company. When thinking about a plan for the cloud, consider these cloud-specific issues:

  • Loss of Control: When you choose a public or third-party cloud, you're adding layers between you and your data and relinquishing some control. “If I have my own servers, I can install some disaster recovery software, and I can quickly recover to another device, or spin that server up somewhere else,” shares Fraser. “But now, if you abstract away any of the underlying hardware, you no longer have control over the uptime. It becomes vitally important to think about the vendors you're engaging with and their overall business continuity and disaster recovery plan. If they go down, what is the impact on your company?”
  • Integrations Bring Dependencies: When platforms communicate, that means they have dependencies. “Think about using Google accounts as your authentication login and single-sign-on method,” advises Strawser. “If Google breaks, now you can't get into your SaaS application or your cloud-based system. When we start to layer on these integrations, we don't always think about what happens if that integration breaks.”

    From a security standpoint, integrations increase the number of items to track and increase the risk of a data breach or leak. For more ideas on cloud security, see our cloud security essential guide.
  • Critical Functions: It’s vital to understand which SaaS programs you need the most. “You need to gauge different services, depending on their importance to your business,” says Fraser. “If FreshBooks or QuickBooks online goes down, your risk tolerance is probably a bit greater (you can weather the outage more easily) than if your email service goes down. You can always reconcile your books. It's not catastrophic to your company, unlike if business productivity apps that multiple users access daily go down.”
  • Due Diligence: It’s up to you to perform due diligence to understand how providers operate and cover disruptions. Don’t assume all data is always protected and always backed up. As Strawser suggests, “Always be looking for the backup.”

    You should also back up your SaaS systems. “Certain vendors have done a pretty good job at allowing you to back up your data and have it tied to products like Box or Dropbox,” states Fraser. “It gets a little more difficult in the business-line apps where you really have to search for an FAQ. You may have to tell the vendor point-blank, ‘I’d really like to have a backup of my data.’” He says that with the General Data Protection Regulation (GDPR), many platforms now offer a way to export data.
  • Shadow IT and Data: With the focus on maintaining productivity, remote employees may want to download free and paid tools without the IT department’s permission. This so-called shadow IT presents many problems, not least of which is security. Also, some freeware platforms own your data and don’t delete the work when you close an account.

    In addition, learn where your data and documents reside. It’s easy for employees to keep local copies of documents, which they then forget or misplace. Fraser gives the example of managing IT for homeowners associations. He established backup systems for the management company and encouraged board members to create shared backup copies of documents for when they left the board, rather than keeping local copies. “Technically, that's not your personal information,” Fraser explains.
  • The Migration Plan: Consider migration plans for moving data, and negotiate with your service provider for returning any recovered data in-house. “Even if you have a copy of your data, what is the process to get that data into another system or restored into the existing system?” asks Fraser. “Re-importing can be more arduous than you'll want to handle. In some cases, you may have to hire an IT company to help.”
  • Security for Remote Workers:
    Alex Fullick

    “With so many people working from home (WFH), professional hackers have begun increasing their cyberattacks to gain access to company systems,” states business continuity consultant Alex Fullick of Stone Road LLC. “Hackers believe that people are laxer in their home-based security protocols. Thus, organizations need to increase their awareness and protocols, and seek clarity from their IT providers (cloud or not) to ensure providers have proper measures in place.”

    Also, take these additional security steps when everyone is working remotely:
    • Ensure each at-home device uses proper firewalls and antivirus programs. 
    • Enforce VPN and firewall policy. 
    • Enhance monitoring of systems for abnormalities, which can surface breaches.
    • Train staff to watch for phishing scams and to be aware of malware.

To learn more about how to mitigate security and other issues when working with a remote team, read our guide on remote team communication.

  • ISO 22301: Some businesses and government entities require companies to be certified in the International Standards Organization (ISO) 22301 requirement before they conduct business. We discuss this standard in-depth in this ISO 22301 article.

Business Continuity Plan for Cloud Computing

It is crucial to document the steps you will take to protect, preserve, and leverage your SaaS and cloud services in a crisis. Drafting a business continuity plan can help.

Follow these steps to include cloud computing in your business continuity procedures and guidelines: 

  1. Conduct a complete audit of your distributed platform, including all devices, users, software, and hardware. Identify where data resides in your end-to-end system: Who has what documents on their laptops? You can use an automatic audit program or this downloadable network audit template.  
  2. Conduct a risk assessment on your entire setup. 
  3. Include cloud services when completing your business impact analysis (BIA). 
  4. Document any workarounds.
  5. Include key contacts for cloud services in business continuity plans. See our guide to writing business continuity plans to discover what to include in a business continuity plan.
  6. Consider how work will continue if on-premise apps go down but the cloud is still running, and vice versa.
  7. Test the cloud-related aspects of your plan in scenario-based exercises. Don’t assume everything will work. Your exercises should reproduce disruptions to your cloud services and response time delays, as well as help you brainstorm effective solutions.

To help you write the plan more easily, download our free business continuity template for cloud computing. For other most useful free, downloadable business continuity plan (BCP) templates please read our "Free Business Continuity Plan Templates" article. Also, to prepare your business as a whole for a crisis, be sure to check out our step-by-step guide on how to write a business continuity plan.


Cloud Computing, Business Continuity, and Disaster Recovery

Business continuity helps the entire business persist in a crisis. Disaster recovery is the first step in business continuity and ensures that IT and communications work. Disaster recovery may rely on cloud service models like IaaS and SaaS.

Whether your company is large or small, the first step in writing a disaster recovery plan is to evaluate your business’s IT ecosystem. Learn more about how business continuity and disaster recovery work together in our article on disaster recovery versus business continuity.


Discover How Smartsheet Cloud Services Can Help You Maintain Business Continuity

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.

 

 

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

Try Smartsheet for free Get a Free Smartsheet Demo