How Much “Service” Do You Need from Disaster-Recovery-as-a-Service?

All Disaster-Recovery-as-a-Service (DRaaS) providers do the same basic thing: They manage the recovery of data and applications following an outage or cyberattack.

  • The growing frequency of cyberattacks highlights the importance of these services. Cloudflare, for example, mitigated 6.9 million DDoS attacks in Q4 2024, a 16% increase quarter-over-quarter and an 83% rise year-over-year.

But what the word “service” actually means in the context of DRaaS can vary widely because different DRaaS providers offer different approaches to managed disaster recovery. At one end of the spectrum, there are solutions where a third party manages every aspect of disaster recovery planning, testing and execution for customers. At the other end are providers that deliver only the most basic disaster recovery services and expect clients to do much of the heavy lifting themselves.

In many ways, this variability is a good thing. It means that organizations with different needs when it comes to disaster recovery assistance can choose an approach tailored to their requirements and capabilities.

But the diversity of DRaaS solutions also presents a challenge: a business shopping for a DRaaS provider must carefully evaluate exactly what the provider’s solution does, how it does it and how well the disaster recovery services align with the business’s needs. For example, you’re in for a sore surprise if you sign up for a DRaaS option that requires your IT department to do things it’s not ready to do (like testing disaster recovery plans on its own). At the same time, you may find yourself wasting money if you pay for DRaaS features you don’t actually need because you can handle them in-house.

To help navigate the complexity of the DRaaS market and choose the right type of DRaaS service for your business, here’s a guide to four different “levels” of DRaaS solutions and what to expect from each one. (For the record, my company, 11:11 Systems, offers a range of DRaaS options, so I’m not here to suggest that one type is inherently better than another; instead, my goal is to highlight the easily overlooked differences between DRaaS offerings and the importance of choosing the right type for your business.)

The basics of DRaaS

Disaster-Recovery-as-a-Service (DRaaS) is a type of service that allows organizations to outsource part of their disaster recovery operations to an external provider. The main purpose of DRaaS is to help organizations ensure business continuity in the face of incidents like data center failures or ransomware attacks without having to do all of the disaster recovery operations on their own.

In addition, many DRaaS options include infrastructure that businesses can use as a recovery environment, eliminating the need for them to maintain their own secondary data centers for backup purposes.

While all DRaaS solutions provide some level of managed or outsourced disaster recovery, exactly what they include varies widely. Here are the four main types or levels of DRaaS.

  • Infrastructure-only DRaaS

The least extensive DRaaS solutions are those whose main offering is backup infrastructure. The goal of these services is to provide customers with access to a data center that they can use to recover data and workloads following an incident, typically through software tools or APIs that the DRaaS provider supplies to customers. The DRaaS provider may also offer some assistance during recovery operations, but you’re paying mainly for the recovery infrastructure.

This level of DRaaS is great for businesses that possess the in-house expertise necessary to plan, test and carry out disaster recovery operations on their own, and are looking primarily to avoid the expense and complexity of having to manage their own recovery infrastructure.

  • Automated-replication DRaaS

Going a step further, some DRaaS solutions include both a recovery environment and automated replication of workloads and data from customers’ primary sites. In this way, the offerings provide an easy way for businesses to restore operations using the backup site because their assets are already in it by default. They don’t need to migrate them and perform recovery on their own.

Customers of these offerings do, however, still need to test the recovery environment to ensure that applications and data actually work as expected within it. This is critical because you don’t want to discover in the wake of an incident that not all of your workloads were being successfully replicated to the recovery environment, for example. In addition, this type of DRaaS places the onus on customers to ensure that they remove malware from the recovery environment; because workloads replicate automatically from the primary environment to the recovery environment, malware that originates in the primary environment will otherwise migrate to the recovery environment as well.

  • Fully managed DRaaS

If you don’t want to be responsible for disaster recovery testing or malware mitigation, you can opt for a fully managed DRaaS offering. Under this approach, the DRaaS provider handles all aspects of disaster recovery for you. They assess your business requirements to formulate a disaster recovery plan and they execute the recovery when necessary using a recovery environment that they maintain.

Importantly, this level of DRaaS also typically includes cyber recovery services that remove malware as part of the recovery operation – so customers get fully managed disaster recovery into a “clean,” malware-free environment.

  • Fully managed DRaaS and fully managed backup

In some cases, businesses may want an external provider to manage not just their disaster recovery operations, but also their backups. This means that the provider is responsible for backing up applications and data, as well as restoring workloads based on the backups.

This type of offering is useful for organizations seeking a hands-off approach to backup and recovery. But it’s also, of course, usually the most expensive. If you’re seeking to save money and have the capacity to manage your backups in-house, you might opt for managed DRaaS alone.

A flexible approach to DRaaS

There is no such thing as a one-size-fits-all approach to DRaaS. Nor is any one type of DRaaS best. There are instead a number of types of DRaaS offerings. Businesses aiming to maximize the value of DRaaS should take the time to assess the various DRaaS plans available to them, then decide which one best complements their internal IT capabilities – while avoiding wasting money on DRaaS features that are unnecessary because an internal IT team can handle them.

By Justin Giardina