Use of Software-as-a-Service (SaaS) and Cloud Computing

to support Disaster Recovery

Akshay Anand Venkat Patri
IS 8940 Disaster Recovery & Business Continuity
Fall 2015
December 2, 2015

due to a natural calamity. However, in very small businesses the

data can be stored on the computer but at the same time,
calculated risks have to be taken in order to store the data. Cloud
Computing not only lets the organization store its data but also
enables them to retrieve it on demand and edit the data as needed.

ABSTRACT
Disaster Recovery and Business Continuity are two very vital
aspects for any business. It has always been a topic of argument
that both of these aspects are similar and almost alike. However,
these are two different aspects and have to run parallel to each
other in case the organization is struck by a disaster. SaaS is any
service in which a software is used under a vendor on a pay per
use basis. It has integrated services and there are many companies
that provide these services as per the need of their clients. The
teams and strategies have to be made by the companies
themselves, but a SaaS application may ease up the process of
Disaster Recovery and Business Continuity. These applications
may be integrated with the companys existing Disaster Recovery
and Business Continuity Plan or may be totally outsourced from a
vendor. This paper mainly focusses on SaaS (Software-as-aService) to support Disaster Recovery aspect of a business.

The different cloud computing SaaS models are described by

Satyanarayana [2012] as:

Access through the web: It is defined as the same

definition as described above. A standard web browser
is used to access the data in the cloud. It is a web based
technology that is used to retrieve and use the data
stored in the remote server.

SaaS Vendor Support: The Vendor support is defined as

the situation when the Cloud Vendor itself handles the
data instead of the IT team of the organization.

SaaS Subscription Pricing: The client of the vendor just

what is used by the organization. The client does not
need to pay the full licensing fees to the vendor. It is the
pay-per-use technique.

SaaS Managed Upgrades: It is the model in which any

upgrades that are made to the system, is done by the
vendor per se. In order to introduce new features, these
updates and changes have to be made to the SaaS
applications in order to innovate and evolve with the
ideas.

SaaS Low Customization: Low customization itself

means that very less customization has to be done in the
software. Applications are pretty much kept the same as
it is sold by the vendor.

1. INTRODUCTION
Defining SaaS:
Any software which is hosted by a third party server and on a pay
per use basis is called Software as a Service Application. The
requirements for using such software application is minimal, only
a computer with a stable web connection is enough to suffice the
needs of the organization. This substantially reduces the cost
incurred in actually hosting the software by itself by the
organization. According to Dubey & Wagle [2007], instead of
buying a software license for any purpose of the operation like
Enterprise Resource Planning (ERP) and Customer Relationship
Management (CRM), it is always better to use a third party
available software which are pre-designed as per the needs of the
organization and giving the vendors more flexibility in choosing
the right product for the organization. Since the past two decades,
the traditional vendors who used to sell the software licenses,
have been forced to transform themselves into Software as a
Service model due to the cutting edge technology and competition
that is available in the market.

The existing software and any offline system that is available with
the organization is called On-premise service. Any external
service or solution employed through a third party vendor is
commonly termed as SaaS.

Another term which is often heard in correlation with SaaS is

cloud computing. Cloud Computing has taken the data storage to
the next level. Any organizations data now can be stored or
managed in a distant server instead of using the own systems to
store data. Storing the data on the own system is just physical data
and there is a lot of risk involved in terms of damage and lost
caused to the data due to any negligent activity of an employee or

The major differences between the On-premise System and SaaS

is explained by Abdat Et al. [2007]:

Ownership: The intellectual copy is certainly owned by

the vendor who sells a copy of the software to its client
in case of On-premise model. The vendor is often
referred to as licensor as the vendor just gives a license
to use the product. In case of SaaS, the copy of the
software is still owned by the vendor and the rights are
still reserved with the vendor. But, the software is
rented to the client organization.

Pricing and Licensing Method: It is the most important

aspect by the perspective of any organization as it
involves the cost. For On-Premise model, the customers
need to have a license to use the software and hence
they need to pay for the license. The payment for license
is a onetime payment and usually to update the software
they need to buy the license again. The case is slightly
different in case of SaaS application which makes it a
better option over the On-premise model. The customers
or the client organization need to pay for the
subscription and the payment can be made on a monthly
or a yearly basis. The important aspect is that in Onpremise model, the customer has buy all the available
features in the software, but in SaaS model the customer
just pays for the services they used from the vendor. In
SaaS, a contract has to be signed instead of paying for
the license to use the product or service.

systems may incur extra charge from the vendor. In case

of the SaaS model, the software is already designed in
such a way that it is resilient and compatible with any
kind of operating system. The changes and upgradation
of software systems is very less time consuming and
easy.

Model: In the on-promise system, the software is

distributed to the organization for their installation in
their computers. A license is required to run these
software and is sold collectively for the organization. In
case of small businesses these licenses can be sold
individually for using on each computer. The
installations are solely the responsibility of the
organization provided that it is not contracted with the
vendor. Whereas, in case of SaaS, the software is chosen
online and is installed directly in the data centers of the
organization. It is on a pay per use basis and the vendor
handles everything from installation to the operation. In
some cases, the training of the employees of the
organization is also handled by the vendor (in large
organizations). Even the end user with limited technical
knowledge can use the SaaS applications as the
interface is generally made keeping in mind the end
user. But in case of On-premises model, technical
expertise is a must for someone to use the application.

Marketing and Finance: On-premise software is

considered as an asset to the customer and has a
comparatively larger risk associated in terms of
monetary value for its customers. SaaS software is not
an asset and is more of an operational expense for the
customer because of its pay as you go nature and this is
the reason what makes SaaS a cost effective method
because of its low financial risk.

2. DISASTER RECOVERY
It is one of the major and very vital aspects that has to be planned
while making a contingency plan to be prepared for the disaster or
to be ready with a plan on how to recover from the disaster as
soon as possible so that the normal operations can be resumed. A
disaster is defined as any occurrence of an event that can stop the
normal business operations by a substantial amount of time. This
may be due to nature (Example: a snowstorm affecting a data
center badly) or by man (Example: a hacker who tries to get into
the system of confidential data with an intent of causing harm; or
fire hazards that may destroy the data center.). The organization
stores data that are confidential. These data are just for the official
use of the employees for proper functioning of the organization
and is not meant to be open for public access. A disaster Recovery
plan has to be made and a team with experienced employees with
their roles and responsibilities clearly defined and has to be clear
in their minds.
Disaster Recovery planning has been defined by Rosenberg
[2006] in the following steps:

Warranty: In the case of the On-premise model, there is

a limited warranty for a certain period of time which has
to be renewed once it is expired. And not to mention,
the renewal needs a cost which at par the cost of the
license. But for a SaaS model, all the training,
maintenance and security risks are included in the SaaS
fee.
Migration: The On-premise model may find it difficult
for the software to be compatible with their own
operating systems. The upgradation and changes in the
2

1)

Defining key assets, threats and scenarios: the possible

disasters to which the organization is the most
vulnerable to has to be defined and recognized. Also, it
is important to be privy of what the organization wants
to protect. These are the key assets for which the
planning has to be done. The protection is to be of the
highest priority for the most valued assets and the
priority can further be decreased as we move lower
down the order. The loss and damage has to be
calculated for each risk and vulnerability.

2)

Determining the Recovery Window: After the assets

have been identified, the organization needs to find the
time period for which it can survive after the loss of a
key asset. It all comes down to cost. The cost has to be
determined and the team needs to act accordingly.

3)

Defining Recovery Solutions: It is based upon the first

two steps where the planning has to be done for the
things that have to be done during the Recovery
Window. The planning for moving to another site or to
use the cloud backup has to be done in this step.

4)

Establishing a Disaster Recovery Plan: This is the most

important step. The above considerations are taken into
account and a step by step process for the actions that
have to be taken during any particular disaster has to be
written down. Mainly, these are the key processes and
also define how the communication has to be carried out
during the time of the disaster. Also, the different
logistics have to be considered like moving the
employees to a temporary site and the protection of the
employees are also taken into consideration.

5)

Disaster Recovery Site Planning: The site selection

which has to be used during the time of disaster has to
be done in this step. The most important requirements
have to be kept in mind for an off-site. The requirements
have to be noted down and prioritized and then selection
of site along with the personnel has to be done.

6)

7)

8)

Recovery is a subset of the Business Continuity plan. Many a

times, it Disaster Recovery and Business Continuity are
considered the same, which is not the case and generally a
misconception. Business Continuity is that aspect which has to be
carried out as if the disaster never happened. It is important to
know that Disaster Recovery Planning is done to minimize the
effects of the damage caused by the disaster. Whereas, the
Business Continuity Planning is done to layout the steps that has
to be taken to resume the normal operations of the business when
struck by a disaster.
According to Melton & Trahan [2010], the Business Continuity
Planning has to be done in the following steps:

Accessing Data and Applications: Since the alternative

site is away from the original place there can be certain
differences in the geographical conditions, and the
systems may not be as efficient as the original ones,
hence, the backup recovery from cloud and any other
sources has to be planned for the site. The important
thing is that the operations have to continue in the
smoothest and the closest way as possible as the original
manner.
Documenting the plan in detail: In this step the course
of action is finalized. It is written down along with the
bylaws and then circulated among all the employees to
let them know their responsibilities and roles in the time
of disaster.
Testing the plan: The plan is now written down, but its
efficiency is not yet tested. The testing has to be done in
the most practical way and if possible, mock drills have
to be done to make that the plan is working. The plans
on the paper are generally ideal and have to be changed
after testing. This process of changing and testing has to
be continued several times in order to get a realistic and
working plan during the disaster.

1)

Identify Threats or Risks: This step is common for both

Business Continuity Planning and Disaster Recovery
Planning. The threats that the organization is most
vulnerable to has to be given utmost importance. The
small or unimportant steps have also be taken into
serious consideration.

2)

Conduct a Business Impact Analysis: The business

Impact Analysis has to be done to determine the main
impacts that a disaster would cause to the business. This
information gathered in this analysis is then used to
design and layout the recovery plans in the case of
disaster. The financial effect due to the disaster should
be assessed as it is one of the prime reason why the
analysis is conducted. Then the budgeting has to be
done to find out the cost of executing the recovery plan.

3)

Planning for prevention and mitigation: Even before

planning the strategies, the prevention of any disaster
has to be planned. Prevention is better than cure.
However, an organization cannot sustain completely on
the basis of prevention and hence, the need to Business
Continuity planning become inevitable.

4)

Plan Testing: Once the plan is laid down, it has to be

tested by applying it to the real world scenario. Then the
effective changes have to be made in the plan to be
realistic and be fully prepared to execute it during the
time of disaster.

The business continuity team should be led by the Chief

Information Officer of the Organization, if possible. The project
managers should look after the execution of the plans and the IT
team in the Business Continuity Team should be providing its
technical support. This process is temporary and relies on the
Disaster Recovery team as they execute their individual plans
simultaneously.

After these plans are laid out, a team has to be designed and made
in order to carry out the disaster recovery plans. There are
different people from the different spheres of the organization and
they have their own specific roles and responsibilities. The team
should be led by somebody who holds the authority like the CIO
of the organization who knows the ins and outs of the data in the
organization. The other members include the project manager who
looks after the operations in case of disaster and the core IT
members who would perform the job while carrying out the
disaster recovery plan.

4. SOFTWARE AS A SERVICE AND

DISASTER RECOVERY &
BUSINESS CONTINUITY:

3. BUSINESS CONTINUITY

Since not all the organizations can use or design their own
platforms for Disaster Recovery and Business Continuity, they
outsource a software that is available online for a cost. The cost is
not unaffordable for the companies as it is on a pay per use basis.

Business Continuity is another main aspect of contingency

planning. The planning for Business Continuity has to be done
simultaneously along with that of Disaster Recovery. Disaster
3

There are many companies that provide these services and

immensely contribute and ease up the complex software that
otherwise has to be designed by the employees. These software,
solutions and services are most of the time resilient and can be
molded as per the requirement of the organization. These services
are available on different platforms that are web based and mobile
application based. There are certain apps available in the phone
market than can store the entire Disaster Recovery and Business
Continuity plan of the organization and can be retrieved on the go
by the employees in the case of a disaster. These mobile
applications are however linked to the web based SaaS application
where the data for the app is hosted. Other than that, these apps
can send alerts to the employees in case they have been attacked
or if it senses even a small malfunction in the systems. The
functions of these apps are minimal but are very important.

As mentioned earlier, the backup site for operations during

disaster should not be in the same geographical condition, so that
in case of a natural disaster, both the sites are not affected because
of the same disaster.

5.1 Components of an efficient Disaster

Recovery application:
1.1.1
For Data Backup &
Recovery
The cloud storage is a very important aspect for any SaaS
application to perform. A superior DR application would have a
very strong backup. There are different types of options available
for cloud to store and backup data. They are generally
characterized by the protection and durability that they provide to
the stored data. They are:

There are many products available in the market that provide

these solutions. There are some big names included in them like
Google Cloud Services, Symantec, and Amazon Web Services etc.
The smaller players or startups that provide these services also
seem to be promising contenders. The smaller companies which
provide SaaS services are OpsCentre Solutions, Resilient Systems
etc. The factor that differentiates the big players from the small
players is the trust which the big players have built with their
clients. The small service and solutions providers may end up
running out of business and that can turn out to be disaster in itself
for the organization. The running out of business is often
neglected by the organizations and not taken into consideration. A
Service Level Agreement (SLA) is a written documentation
between the service provider and the organization in which the
service provider promises to provide the required services to its
client. [Zande & Jansen, 2011]

1)

2)

3)

There is a difference between Service and Solution. Solution is

when the vendor actually interferes in the planning methodology
of the organization and customizes the planning process as per the
need of the organization. Service is when the vendor integrates its
services with the existing software and service systems of the
organization or provides a completely new software customized
for the organization by the vendor.

1.1.2

5. DISASTER RECOVERY AS a
SERVICE (DRAAS)

We need to define a few terms that would facilitate the better

understanding of using SaaS and Cloud computing for Disaster
Recovery as a service.

Failover and Failback

Following the traditional Disaster Recovery technique. It is very

important to determine the time of the disaster and execute the
failover plan to activate the operations in the backup site. And
Failback is returning to the normal operations once the disaster
has started to lose its effect on the operations. The planning for the
transfer of any data created in the backup site is done by the
Disaster Recovery Software. To do this, the software must be
equipped with the cutting edge technology of Cloud SQL. Cloud
SQL is the sequence query Language that can quickly replicate the
data and help the organizations to relocate and resume its business
operations. Currently, Cloud SQL is provided by Google Cloud
Services as a part of their Disaster Recovery Solution package. It
is a very effective way and efficient way. It is a very cost efficient
tool which has to be employed depending upon the priority of the
data. [Alhazmi & Malaiya, 2012]

Let us look at the different ways in which cloud computing and

SaaS can be employed for Disaster Recovery. This will be a
review of the market available tools that can be used in different
functions of Disaster Recovery. These days, another term has been
coined a Disaster Recovery as a Service (DRaaS) for the services
that are used to support disaster recovery in an organization.

Standard Storage: It is the storage for data which

has to constantly retrieved or accessed in order to
maintain efficient operation of the business. The
data from the operational data store (ODS) would
be backed up in the standard storage.
DRA Storage: DRA stands for Durable Reduced
Availability. As the name suggests, this kind of
backup is useful for the data whose access is rare
but the storage and protection is of utmost
information. A data mart may store its data in the
DRA storage.
Cloud Storage Nearline: It is the cheapest type of
cloud data backup available in the market. It is
used to store the data that has not to be accessed
frequently and at the same time it is not as critical
as other types of data. This may include the
analysis reports which have been used for
interpretation etc.

Recovery Point Objective (RPO): RPO of a Disaster

Recovery System is the latest backup of the data before
any sort of incident or disaster affected the
organizations data center.
Recovery Time Objective (RTO): RTO is defined as the
minimum time the system would take to come back to
the state of its original operations.

1.1.3
Disaster Recovery Plan
Testing
Let us see the Google Cloud Services options available for
Recovery Plan testing and deployment. There are several useful
4

tools that is provided by Google Cloud Services (Also by Amazon

Web Services under different brand names. But the functions they
provide are one and the same). These tools help in debugging,
testing and deploying the plan.

Google Cloud Logging: This tools main function is to

collect and save the application logs of the applications
which use the Google Cloud Services.

Google Cloud Monitoring: This tool provides a metric

dashboard where the analytics can be done and viewed.
It also provides alerts on the running of applications.
The dashboard gives the access to view all the Google
Cloud Services running at one place on the Dashboard.

Google Cloud Deployment Manager: The cloud

deployment manager works through a dynamic template
which can show the configuration of the services and it
can automatically create and deploy the Google Cloud
Platform Resources.

Remote Connectivity: A proper connectivity has to be

ensured between the On-premise devices to the cloud so
that there is no breakage and connectivity issues in the
upload of data from the device to the cloud and there is
a real time upload to changes in the data.

Carrier Interconnect: This tool by Google enables the

organizations to directly connect to Googles networks.
This is done by the trusted and authorized service
providers which are contacted by /google for this
purpose.

Computer Engine VPN: An IPSec connection is used to

connect the existing network to CEN (Computer Engine
Network) through VPN (Virtual Private Network). This
gives the organization a freedom from the insecurity of
sharing a cloud with another organization.

2)

Security & Isolation:

The exclusivity of a cloud service provider has always
been a matter of concern for many businesses. The
cloud is most of the time shared between organizations
i.e. a vendor might have different clients using the same
cloud. So for an organization to move from its own
cloud to a third party guide would need very strong
commitments from the vendor. Hence, the Service Level
agreements (SLAs) are signed between the vendor and
the clients in order to maintain the commitment level of
the vender. SLAs have it in written about the legal
actions that can be taken against the vendor if in case
anything goes wrong. Hence, the vendors first and
foremost priority also becomes to ensure security of
their clients data. [Golden, 2009]

3)

VM Migrating & Cloning:

VM stands for Virtual Machine. A Virtual Machine does
all the functions of a computer but it is usually in the
cloud. Present cloud platforms do not give access to VM
Migrating and Cloning procedure. If these processes are
facilitated, the moving back to original site can be done
with ease and in a more resilient and flexible manner.
[Bahale & Gupta, 2009]

6. Advantages and Drawbacks of using

SaaS/Cloud Computing for Disaster
Recovery
These are some of the advantages and drawbacks for cloud
computing in Disaster Recovery as given by Abdat Et al. [2010]
1)

Profits: Cloud Computing is definitely very profitable

for both the customer and the vendor. The return on
Investment (ROI) is easy to achieve since the cost
incurred is less as compared to the investment made on
software for an On-premise model. The operation cost
for the vendors are also comparatively less as the
updates and any changes made have just to be made on
their software and a notice after and before the update
has to be sent to the clients so that are prepared for the
changes.

2)

Helps vendors to expand their customer base: It makes

it easier for the vendor to track down and analyze the
types of customers it has also helps to use a proper
CRM channel to reach out the targeted customers in an
efficient way.

3)

Minimizes Software Piracy: Providing a service is an

effective way of killing piracy. The customers who
buy the license are more susceptible to software
piracy compared to the customers who rent them.

The similar tasks as mentioned above are also carried out by

Advanced Threat Protection module by Symantec Corporation. It
is an end user service platform which enables the employees of
the client organization to view the incidents, differentiate between
incidents and disasters, providing the warning for a disaster etc.
Cloud computing already has some inbuilt features for Disaster
Recovery. There are some more characteristics and conditions that
it must satisfy to provide DRaaS. According to Bahale & Gupta
[2014]. They are:
1)

Network Configuration:
The network configuration of an application has to be
reconfigured after the application has been brought to
the original site from the temporary site after the
recovery from the disaster. This ensures Business
Continuity with highest efficiency for a cloud Disaster
Recovery Service. [Wood Et al., 2009]

4) Efficient and Real Time: Any step that has to be taken

recovery evidently emerges as a winner although it has its own

risks involved. The risks will be inevitable as no security system
can guarantee a full security without the fear of any threats. After
all, it is cost efficient and hence making it more resilient and
favorable for adoption.

during the time of disaster is very well laid out and SaaS
enables its implementation by providing services. The
SaaS applications are so much integrated into the
system that often it is not given any credit for being so
versatile. It is often that part that does its job silently
and helping the business during the time of disaster.

8. REFERENCES

The disadvantages of using SaaS or Cloud Computing for Disaster

Recovery are:
1)

2)

3)

[1]

Security and Privacy: Many companies are reluctant to

move to the cloud from their On-premise Systems
because of privacy concerns. Although cloud and SaaS
are most widely used across all the enterprises, there is
always a risk involved with it in the minds of the
customers.

Alhazmi, O. H., & Malaiya, Y. K. (2012, November).

Assessing disaster recovery alternatives: On-site, colocation
or cloud. In Software Reliability Engineering Workshops
(ISSREW), 2012 IEEE 23rd International Symposium on (pp.
19-20). IEEE.

[2] Bahale, M. S. V., & Gupta, S. Virtualizing Disaster Recovery

Management Based On Cloud Computing.

Reliability and Performance: Reliability and

Performance may sometimes become a challenge for the
organization as they are hesitant to move to the cloud. A
new system may require additional new operating
systems that may incur costs.

[3] Dubey, A., & Wagle, D. (2007). Delivering software as a

service. The McKinsey Quarterly, 6(2007), 2007.
[4] Golden, B. (2009). Capex vs. Opex: Most people miss the
point about cloud economics. CIO, March, 13.

Pricing: Pricing may be different for different services

and it may change as the system gets integrated. Also, it
may be different as per the needs of an organization and
it will differ from company to company. This may turn
out to be a drawback as it may take the company into
budgeting problems. A budget higher than the monthly
incurred cost may be used at times which may not create
a much of an impact on the budget as the amount would
be small but it would definitely cause unevenness which
act as a constraint in adoption of these services by the
organization.

[5] Melton, A., & Trahan, J. (2009). Business continuity

planning. Risk Management, 56(10), 46-48.
[6] Rosenberg, N.A., (2006). 10 Steps to Implement a Disaster
Recovery Plan. Quality Technology Solutions, Inc. QTS
White Paper Series (2006).
[7] Satyanarayana, S. (2012). Cloud Computing: SaaS. GESJ:
Computer Science and Telecommunications, 4(36), 2012.

7. CONCLUSIONS

[8] van de Zande, T., & Jansen, S. (2011). Business Continuity

Solutions for SaaS Customers. In Software Business (pp. 1731). Springer Berlin Heidelberg.

Disaster Recovery and Business Continuity have to go parallel to

each other. The traditional methods of Disaster Recovery may be
used but there is always a better way to go around it. When a
disaster is hit, the companies cannot just be forced to shut down,
rather, they have to fight back to stay in the game. This is only
possible when there is a proper planning done for Disaster
recovery processes. With most of the companies moving to the
cloud, it is better to have an in-built and secure planning
mechanism in place which is resilient and can quickly adapt to the
organizations existing systems and mechanisms to win over the
damage caused by the disaster. During the time of the disaster, the
operations have to be moved to a temporary site, this has to be
done in a proper way taking into account the different options
available and the time constraints. An integrated SaaS based
solution or service may help to relocate and move the data back to
the primary site with ease and within no time. SaaS for Disaster

[9] Wood, T., Gerber, A., Ramakrishnan, K. K., Shenoy, P., &
Van der Merwe, J. (2009). The case for enterprise-ready
virtual private clouds. Usenix HotCloud.

[10] Google Cloud Platform. Designing a Disaster Recovery Plan.

https://cloud.google.com/solutions/designing-a-disasterrecovery-plan#why_google_cloud_plaftorm