Robert Desisto

A member of the Gartner Blog Network

Robert P. Desisto
VP Distinguished Analyst
14 years at Gartner
24 years IT industry

Robert Desisto is a Vice President and Distinguished Analyst in Gartner Research. He is responsible for managing the software as a service (SaaS) research agenda. His research focuses primarily on the use of SaaS as a delivery model for applications.

Cloud Computing and SaaS: Disaster Waiting to Happen?

by Robert Desisto  |  October 21, 2009  |  3 Comments

At Gartner US Symposium today, I asked an audience of roughly 700 people if they had disaster recovery commitments from their Cloud or SaaS provider. One person raised their hand! Maybe we should focus a little less on exploiting the “phenomenon” and more on inspecting the “nuts and bolts” of a Cloud or SaaS provider’s operations, such as making sure they provide disaster recovery objectives. External certification in the form of a SAS 70 Type 2 audit is helpful, but by no means sufficient to ensure that customer recovery-time objective (RTO) and recovery-point objective (RPO) service levels can be met. My colleague John Morency authored an important research note (Critical Recovery Questions to Ask SaaS Providers) on this topic, and it is a must-read.


3 responses so far ↓

  • 1 Tweets that mention Cloud Computing and SaaS: Disaster Waiting to Happen? -- Topsy.com   October 22, 2009 at 10:25 am

    [...] This post was mentioned on Twitter by vaklove, Gary Meadows and Cloud Computing, The Tech Gang. The Tech Gang said: #Cloud #CloudComputing – Cloud Computing and SaaS: Disaster Waiting to Happen? – By Rob DeSisto (blog) http://ow.ly/vTxV [...]

  • 2 Laef Olson   October 22, 2009 at 3:54 pm

    I couldn’t agree more. Until more cloud providers belly up to the bar and start offering real SLAs, real disaster recovery plans, and real operational transparency, they will never meet the needs of the large enterprise CIO. Given the capabilities of today’s technology, particularly in a purpose-built architecture, RPO needs to be seconds, not minutes or hours. RTO is probably dependent on mission criticality and what SLA you purchase. SAS70 is great, but it isn’t an objective & standardized control set. You need to certify DR separately. PCI Service Provider controls are probably more applicable to most large enterprises regardless of whether they need to manage credit card data in the cloud, but the entire issue begs a new standard and certification process to make it easier for cloud providers (just meet one standard) and more transparent for buyers. Who knows? Maybe NIST & GSA will develop something we can all use.

  • 3 Sreekumar J   October 23, 2009 at 1:39 am

    I think this is an unnecessary worry.

    If we consider the Small Business Segment, how many of them would be using disaster management systems or ISO standards to use their sales/CRM/payroll/accounting applications? They would be running the application on a standalone PC or client-server. All standard SaaS players are hosting their applications in reliable data centers, and I think small business owners are getting extra value-add when they move to SaaS.