Gartner Blog Network

Cloud Computing and SaaS: Disaster Waiting to Happen?

by Robert Desisto  |  October 21, 2009  |  3 Comments

At Gartner US Symposium today, I asked an audience of roughly 700 people if they had disaster recovery commitments from their Cloud or SaaS provider. One person raised their hand! Maybe we should focus a little less on exploiting the “phenomenon” and more on inspecting the “nuts and bolts” of a Cloud or SaaS provider’s operations, such as making sure they provide disaster recovery objectives. External certification in the form of a SAS 70 Type 2 audit is helpful, but by no means sufficient to ensure that customer recovery-time objective (RTO) and recovery-point objective (RPO) service levels can be met. My colleague John Morency authored an important research note (Critical Recovery Questions to Ask SaaS Providers) on this topic, and it is a must-read.



Robert P. Desisto
VP Distinguished Analyst
14 years at Gartner
24 years IT industry

Robert Desisto is a Vice President and Distinguished Analyst in Gartner Research. He is responsible for managing the software as a service (SaaS) research agenda. His research focuses primarily on the use of SaaS as a delivery model for applications.

Thoughts on Cloud Computing and SaaS: Disaster Waiting to Happen?

  1. […] This post was mentioned on Twitter by vaklove, Gary Meadows and Cloud Computing, The Tech Gang. The Tech Gang said: #Cloud #CloudComputing – Cloud Computing and SaaS: Disaster Waiting to Happen? – By Rob DeSisto (blog) […]

  2. Laef Olson says:

    I couldn’t agree more. Until more cloud providers belly up to the bar and start offering real SLAs, real disaster recovery plans, and real operational transparency, they will never meet the needs of the large enterprise CIO. Given the capabilities of today’s technology, particularly in a purpose-built architecture, RPO needs to be seconds, not minutes or hours. RTO is probably dependent on mission criticality and what SLA you purchase. SAS70 is great, but it isn’t an objective & standardized control set. You need to certify DR separately. PCI Service Provider controls are probably more applicable to most large enterprises regardless of whether they need to manage credit card data in the cloud, but the entire issue begs a new standard and certification process to make it easier for cloud providers (just meet one standard) and more transparent for buyers. Who knows? Maybe NIST & GSA will develop something we can all use.

  3. Sreekumar J says:

    I think this is an unnecessary worry.

    If we consider the Small Business Segment, how many of them would be using disaster management systems or ISO standards to use their sales/CRM/payroll/accounting applications? They would be running the application on a standalone PC or client-server. All standard SaaS players are hosting their applications in reliable data centers, and I think small business owners are getting extra value add when they move to SaaS.
