Business Continuity & Disaster Recovery

RTO and RPO: The Mathematics of Acceptable Loss

Azure Site Recovery vs Veeam vs Zerto: Choosing the Right DRaaS Engine

• Azure Site Recovery (ASR): The strongest choice if your primary workloads already run in Azure or on Hyper-V. ASR provides continuous replication of Azure VMs and on-premises Hyper-V/VMware machines to an Azure recovery vault. For businesses targeting an RTO of 1 hour or less, ASR achieves this reliably for most workloads. The management overhead is low if your team is already M365/Azure-native. Licensing is consumption-based, typically AED 80–120 per protected instance per month. The limitation: ASR is optimised for full VM failover, not granular application-level recovery.
• Veeam Backup & Replication: The de facto standard for VMware and Hyper-V environments requiring flexible backup policies across hybrid infrastructure. Veeam's strength is granularity — you can restore a single Exchange mailbox item, a specific SQL table, or an entire VM from the same backup chain. Veeam also supports immutable backups to S3-compatible object storage (Wasabi, Backblaze B2, Azure Blob with WORM), which is critical for ransomware resilience. For UAE businesses with on-premises VMware infrastructure and a 4-hour RTO target, Veeam is typically the most cost-effective option, with licensing from AED 900–1,800 per socket per year.
• Zerto: Designed for environments where RPO must be measured in seconds, not minutes. Zerto uses continuous journal-based replication rather than snapshot schedules, meaning you can recover to any point in time within the journal window — down to a specific transaction. This makes Zerto the correct platform for financial services, healthcare, and any business where a 15-minute data loss is commercially unacceptable. The cost reflects this capability: Zerto licensing typically starts at AED 1,500–2,500 per VM per year, making it a targeted tool for critical systems rather than a blanket backup solution.

Backup Testing Methodology: Quarterly Failover Drills

• Monthly restore verification: Each month, an automated job restores a randomly selected VM or application instance to an isolated test network and runs a scripted health check — confirming the OS boots, the application service starts, and the database passes consistency checks. Results are logged to your ITSM platform with a pass/fail record and timestamp.
• Quarterly partial failover drill: Each quarter, we perform a live partial failover of non-production workloads to the recovery environment. Staff in a designated test group authenticate against the recovery site and perform a defined set of business transactions — raising a purchase order, processing a customer record, running a financial report — to confirm the failover environment is genuinely usable and not just technically "online". This drill is conducted during a scheduled maintenance window with no impact to production.
• Annual full failover exercise: Once per year, we coordinate a full business continuity exercise simulating a complete loss of the primary site. All production workloads are failed over to the DR environment for a defined period (typically 2–4 hours outside business hours). The exercise validates actual RTO achievement against the documented target and produces a written test report suitable for submission to insurers, NESA auditors, or board risk committees.

UAE Regulatory and Insurance Compliance: NESA, DFSA, and Cyber Insurers

Ransomware-Specific Recovery Playbook

• Step 1 — Isolate before you recover: The first action on ransomware confirmation is network isolation, not recovery. Spinning up your DR environment while the attacker still has active C2 (command-and-control) access means you will re-infect the recovery site. All affected network segments are isolated, firewall rules are locked to deny outbound except for approved management IPs, and all privileged credentials are rotated before recovery begins.
• Step 2 — Establish a clean recovery point: We work backwards through the backup chain to identify a recovery point that predates the initial compromise, not just the encryption event. Using Veeam's SureBackup or Zerto's journal, we can mount snapshots at different points in time in an isolated test environment and run automated malware scans to confirm the earliest clean state. This process typically adds 2–8 hours to recovery time but prevents recovering a pre-encrypted but already-compromised environment.
• Step 3 — Staged environment rebuild: Recovery begins with identity infrastructure (Active Directory / Entra ID), then DNS, then application servers, then endpoints — in that order. Rebuilding in the wrong sequence creates authentication failures that extend recovery time. Each tier is validated against the health check script before the next tier is brought online.
• Step 4 — Evidence preservation and regulatory notification: UAE businesses subject to UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) must notify the UAE Data Office of personal data breaches within 72 hours of becoming aware of the incident. We preserve forensic disk images of affected systems before wiping and rebuilding, ensuring you have evidence for regulatory notification, insurance claims, and any subsequent law enforcement engagement. DIFC and ADGM firms have parallel notification obligations to the DFSA and FSRA respectively, with shorter timelines for material incidents.
• Step 5 — Post-incident hardening: Recovery is not remediation. Following restoration, we conduct a root-cause analysis to identify the initial access vector — phishing email, unpatched VPN appliance, exposed RDP, compromised third-party credential — and close it before returning the environment to production. We also implement or validate immutable backup policies, review privileged access controls, and produce a written incident report for your board and insurers.