After analysing the differences between BaaS and DRaaS and knowing the key to choose between them (RPO/RTO). We are aware that there are no one-size-fits-all solutions for business continuity plans, as each company has different needs and objectives. Before specifying the continuity plan and knowing the possible BaaS and DRaaS scenarios that can occur, we will analyze how the RPO and RTO values are defined for the applications and services of the company.

Definition of RPO and RTO values:

First of all, these values must be in accordance with compliance with SLAs that guarantee a quality of service to customers. For this it is important to classify the applications and services of the company,what impact can have on the business to lose them and thus determine how to store, protect, restore and recover the data in case of disaster. This is a way to define protocols and actions.

For example:

First, we determine the types of applications that company A has:

  1. Highly essential applications
  2. Essential applications
  3. Non-essential applications

And then, we grant recovery priority levels for the different types of applications:

  • Level 1, highly business-critical applications A with an RTO of less than 10 min.
  • Level 2, essential applications for company A requiring an RPO of 2 hours and an RTO of 1 hour.
  • Level 3, non-core applications for company A requiring RPO of 12h and RTO of 6h.

Once its applications and recovery priority levels have been classified, the company knows what impact it will have on them in the event of an incident and the plan it should establish for each of them.

BaaS and DRaaS scenarios:

Example DRaaS:

Company A has a DRaaS plan for all of its level 1 applications and performs replications of it twice a day. One day, Company A suffers a fire in one of its data centres and cannot access all level 1 applications. Thanks to the RTO, the application is operational within 10 minutes.

Example BaaS:

Company A has several BaaS plans for its level 2 and 3 applications. In one case, an employee of the production department deletes an email with a priority subject by mistake, so, as it is categorised as level 3, he can manage to recover it with an RPO of 12h and RTO of 6h.

On the other hand, the accounting department has lost a table from the customer database, but this is within the level 2 applications, so company A will recover the file with RPO of 2h and RTO of 1h.

This shows that we cannot avoid disasters, but if we follow an organised and pre-tested continuity plan, the impact can be greatly reduced.