Select Page

Disaster Recovery as a Service (DRaaS) or On-Site DR Appliance?

Disaster Recovery-as-a-Service (DRaaS) delivers serverless recovery capabilities while disaster recovery (DR) appliances provide the on-prem secondary site that facilitates quick recovery. Which of the two is the best fit for you?

Both deployment options have their pros and cons. DRaaS offloads backup and DR management to the service provider’s team of experts while a DR appliance gives you the control that several regulatory requirements need.

In this blog post, we’ll take a closer look at DRaaS vs on-site DR appliances to help you find the right fit for your projects and budget.

DRaaS: Business Continuity Without Local/Onsite Appliance

Disaster recovery solutions enable organizations to quickly recover from disasters such as hardware failure, ransomware attack, human error, accidental/malicious deletion, etc.

To deliver shorter recovery time and point objectives (RTPOs), DR appliance(s) require high performance processor(s), memory, high speed storage drives, and network. The hardware specifications increase the upfront costs (CapEx) and the maintenance costs (OpEx) for onsite disaster recovery systems. Not to mention, they require expertise, have a steep learning curve, and it takes time to manage the environment.

Disaster Recovery as a Service (DRaaS) solutions deliver the quick recovery capabilities of an onsite DR appliance but without the hardware, time, and resource commitments.

While susceptible to network, bandwidth limitations, and latency, DRaaS provide an offsite infrastructure that enables backup administrators to recover critical systems with a few clicks. The ability to do is especially useful in the event the primary production environment is unavailable.

Depending on the vendor and the solution, DRaaS are hosted and often fully managed by the service provider. As the service provider takes care of hardware management, software updates, backup and DR orchestration and testing, this frees up resources and allows organizations to focus on core project(s).

When is Disaster Recovery as a Service (DRaaS) the Best Option?

Here’s a brief list of situations when Disaster Recovery as a Service (DRaaS) is the best option:

  • When organizations don’t have the resources for a secondary DR site owing to costs or distributed IT.
  • When organizations want to store data in multiple onsite and/or offsite locations for redundancy, high availability, and data protection.
  • When organizations want to minimize complexity by reducing physical IT systems and cutting down costs on acquisition, management, maintenance, and upgrade.
  • To set up 3-2-1 backup strategy with a copy of the critical backups on a separate offsite DR appliance.
  • When virtual machines need to be protected in the cloud or when local backups are not desired and need to be kept separate from the production environment.
  • When businesses have limited IT resources and budget and purchasing an onsite DR appliance takes resources away from core business activities.

Some Considerations Before Deploying DRaaS

Choosing the right DRaaS is important but it’s not easy considering the saturated market with the high number of service providers. Navigating the complex buzz-word rich marketing of DRaaS service providers is a time-consuming task. To make the journey easier, here’s a brief list of DRaaS considerations that can help you find the right fit for your business.

Data Security for Your Critical Data – Are Your Snapshots/Replicas Protected from Ransomware?

Ransomware attacks target production and backup servers. This is especially true for service providers because a successful ransomware attack leads to a supply chain attack. Without automated ransomware protection measures, such as air-gapping and immutability, the offsite repositories used for DRaaS are vulnerable to ransomware.

This is why it’s important to first focus on how secure the snapshots/replicas will be. If the DRaaS service provider does not offer automated air-gapping, immutability, and snapshots it’s advised to look for one that does because even if your production is protected, and your IT personnel make no mistakes, the recovery data stored offsite can end up encrypted, deleted, and/or stolen.

Initial Data Migration – How will it be done and how long will it take?

Moving terabytes of data to an offsite service provider is costly, time consuming, and complex if not done right. Most organizations cannot spare the bandwidth needed for the initial data migration. This poses a challenge for backup administrators.

One of the best ways to migrate this initial big data is to use a rental appliance, move your snapshots/replicas to the hardware locally, and then ship the hardware to the DRaaS service provider’s data center.

Typically, this is a disruptive process especially for critical virtual machines (VMs). However, with StoneFly’s Live VM migration data transfer devices (DTDs), you can migrate your critical VMs without having to turn them off.

Depending on the vendor, the volume of data, the location of the DRaaS service provider data center, and production compute capabilities, the initial migration can take from a few days to a week.

Critical Workloads – Identify the Applications, Databases, and Workloads You Need to Continue Operations

Take stock of mission-critical workloads, which storage protocols they use, and the storage capacity they need. This information will determine the specifics for the DRaaS solution and it will also help forecast the total cost of ownership (TCO).  

Moreover, it will also guide the service provider to decide which data goes on hot-tier SSD-based storage media versus which goes on cold capacity-tiers using disk-based SAS or SATA or tape arrays. With hot/cold storage tiering, the DRaaS will focus performance capabilities on critical workloads. This will improve recovery speeds and will reduce RTPOs.

It’s important to note that hot/cold storage tiering is most effective when automated. Without automation, the process is time consuming, and prone to errors.  

Data Retention Policies – How long should snapshots/replicas be retained before they’re overwritten/deleted?

Longer data retention spans facilitate compliance allowing backup administrators to archive large volumes of data, in less storage space, for years. While longer retention spans are useful for backups, the purpose of disaster recovery is quick recovery of critical operations with minimum data loss (short RTPOs).

For DRaaS, it’s important to know the number of copies that should be retained, and how far back they need to be: five minutes, an hour, several hours, or a day. The more frequent the snapshot/replication, the more compute, networking, and bandwidth resources it’ll consume, the costlier it’ll get.

The more copies there are, the more opportunities for the backup administrator to recover data. This is especially useful if one, or more, snapshots/replicas are corrupted, encrypted by ransomware, or accidentally/maliciously deleted.

A clear idea of data retention policies simplifies the process of finding the right DRaaS solution.

Secondary On-Prem Site with Disaster Recovery Appliance(s)

On-premises disaster recovery appliances provide a secondary site to restore and run critical operations in the event the production hardware is unavailable. This makes physical DR appliances a good fit for organizations that need to maintain control of confidential customer and employee information as per regulatory requirements.

To deliver shorter the recovery time and point objectives required, the DR appliance requires high compute capabilities in addition to high-speed networking. This increases the per TB cost of the DR appliance especially when compared to backup appliances or tape archives. But there are advantages to having a secondary DR site on-premises.

In the event the production hardware is unavailable, whether for scheduled maintenance or a ransomware attack, business operations can continue without disruption. Secondly, there are no latency issues or egress costs involved.

Moreover, as compared to DRaaS, on-prem DR appliances generally offer faster recovery times and shorter RTPOs as long as the local network speed can handle the I/O traffic when needed. 

When is a Disaster Recovery Appliance the Best Option?

Here’s a brief list of use-cases where disaster recovery appliances are the best fit:

  • When the business needs to set up shorter recovery time and point objectives (less than 15 minutes) for terabytes of data by configuring real-time synchronous replication.
  • For organizations that must comply with strict regulations that require storing data on-site and physically securing the hardware with the DR repositories.
  • To meet cyber-insurance requirements that require organizations to have a secondary air-gapped and immutable appliance for critical backups, snapshots, and replicas.

What to Consider Before Setting Up a Disaster Recovery Appliance

The decision to buy and set up a disaster recovery appliance can be difficult considering the number of vendors in the billion-dollar market. To help you find the right DR appliance, here’s what you need to keep in mind when choosing your vendor:

Data Security of Critical Data Stored on the DR Appliance

Whether it’s DRaaS or an on-prem DR appliance, it’s equally important to make sure that the recovery data is protected from ransomware attacks. If you’re looking into a DR appliance, the first thing to keep in mind is ransomware protection.

Helpful questions to ask:

  • Does the appliance have built-in automated air-gapping?
  • Can backup administrators make critical snapshots/replicas immutable for a certain period of time? (for both file and object data)
  • Is the data encrypted at rest and during transit? (end-to-end encryption)
  • Are snapshots immutable?
  • Is there an anti-ransomware feature that automatically detects and removes malware?
  • Can backup administrators schedule automated threat scans that detect and remove dormant malware (sleeper ransomware)?

Note: StoneFly backup and DR appliances, such as DR365V, DR365, and DR365VIVA, offer all of the above features, and more.  

Data Recovery Options – What Options are There and How Long will Recovery Take?

Just because it’s an on-premise DR appliance doesn’t mean it will offer faster data recovery. The speed of data recovery depends on the compute capabilities and read/write speeds in addition to the recovery features of the backup and DR software.

Features such as direct VM spin up, granular file-level restore, instant multi-VM recovery, instant disk recovery, instant database recovery, and instant NAS recovery are necessary for a reliable disaster recovery appliance.

To make sure that these recovery features can deliver the desired recovery time and point objectives, it’s important that the DR appliance supports high performance processors and high speed flash/SSD storage.

Note: The abovementioned recovery features are offered as built-in capabilities of StoneFly’s Veeam-ready backup and DR appliance (DR365V).

Higher Upfront Costs – Are the ROIs Worth it?

As a general rule of thumb, the cost of acquiring, managing, and maintaining an on-premise DR appliance is considerably higher than that of a disaster recovery-as-a-service solution.

The on-premise disaster recovery setup requires a server, software license(s), incurs maintenance costs, generates heat and consumes power. Additionally, expert IT team needs to regularly invest time to monitor and manage the DR appliance to ensure smooth and quick recovery in the event of a disaster.

Not only is a DR appliance expensive from an upfront cost (CapEx) standpoint but the operational expenses (OpEx) can also be considerably high. This makes it all the more important that the DR appliance has the necessary features which deliver the ROIs as required by the DR plan.

The data security, ransomware protection, and data recovery features mentioned above can set you on the right path to making sure that the ROIs are worth it and the solution is within your required budget.  

StoneFly Disaster Recovery Solutions: Custom-Build Your DR Appliance or Get Fully Managed DRaaS

StoneFly offers both on-premise backup and disaster recovery appliances and fully managed DRaaS. Our customers can custom-build the DR appliance to fit their budget or offload the time-consuming DR management to our team of experts.

On-Prem StoneFly Backup and Disaster Recovery Appliance(s)

  • StoneFly DR365V: 8, 12, 16, 24, 36-bay Veeam-ready fully air-gapped and immutable backup and DR appliances with multi-VM recovery, SnapLock, file lockdown, object lockdown, and optional SAN, NAS, and S3 support. Learn more
  • StoneFly DR365VIVA: 8, 12, 16, 24, 36-bay automated fully air-gapped and immutable nodes compatible with Veeam, Commvault, Veritas, Rubrik and Zerto, with built-in network and power management controller(s). Learn more
  • StoneFly DR365: 8, 12, 16, 24, 36-bay DR site in a box with built-in ransomware detection and removal, air-gapped and immutable storage, and optional SAN, NAS, and S3 support. Learn more

StoneFly Backup and Disaster Recovery as a Service (BDRaaS)

Centralized remote backup and disaster recovery (DR) solution with automated air-gapping, immutable storage, and 1-click direct restore for your mobile workforce, ROBO environments, and employees working from home.

Available with three remote backup and DR management options that include Smart Protect Silver, Gold, and Platinum.


Disaster Recovery as a Service (DRaaS) provides serverless recovery capabilities while an on-prem disaster recovery appliance provides the secondary site you can use to restore critical operations quickly in the event of a disaster. Both DRaaS and an on-site DR appliance have their pros and cons and are fit for a wide range of use-cases and budget.

If you need help finding the right disaster recovery solution, StoneFly offers both turnkey disaster recovery appliances and fully managed DRaaS. Talk to our experts to discuss your projects today.

The Spear Phishing Survival Guide

The Spear Phishing Survival Guide

Spear phishing stands as the favored gateway for ransomware delivery and infiltrating corporate networks. Shockingly, 36% of data breaches in 2022 involved phishing, with 25% utilizing email as the ransomware attack vector. Guarding against cyber threats and...

Understanding Detection and Response: EDR vs MDR vs XDR vs NDR

Understanding Detection and Response: EDR vs MDR vs XDR vs NDR

In a digitally transformed landscape fraught with ever-evolving cyber threats, the acronyms EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), MDR (Managed Detection and Response), and NDR (Network Detection and Response) have become...

Trigona Ransomware: What is it and How to Defend Against it

Trigona Ransomware: What is it and How to Defend Against it

In an ever-evolving digital landscape, the specter of ransomware looms large, and Trigona stands as a significant player in the realm of cyber threats. This blog delves into the multifaceted world of Trigona ransomware, unraveling its origins, unique characteristics,...

Lockbit Ransomware: Inside the Cyberthreat and Defense Strategies

Lockbit Ransomware: Inside the Cyberthreat and Defense Strategies

In the constantly evolving arena of cybersecurity, the digital landscape is fraught with adversaries lurking in the shadows, ready to exploit vulnerabilities and disrupt the operations of organizations. Among these threats, LockBit ransomware has emerged as a...

What Defending Against Ransomware-as-a-Service (RaaS) Entails

What Defending Against Ransomware-as-a-Service (RaaS) Entails

Ransomware has evolved, becoming a thriving business model for cybercriminals. Ransomware-as-a-Service (RaaS) exemplifies this transformation—a lethal alliance between the creators and distributors of ransomware. It’s no longer a threat relegated to tech...

You May Also Like

WordPress PopUp Plugin

Subscribe To Our Newsletter

Join our mailing list to receive the latest news, updates, and promotions from StoneFly.

Please Confirm your subscription from the email