Avoiding Disasters
Avoiding Disasters
According to Gartner Group, 40 percent of companies that experience a significant interruption in operations go out of business within two years. Business Continuity or Disaster Recovery? Two words for the same thing? Or two very distinct strategies? IDM took this, and other related questions to the industry. The responses are enlightening.
Heather M Butchart of storage specialist, Falconstor, responded to our question set.
IDM: 'Business Continuity' or 'Disaster Recovery' - simply different terms for the same business requirement?
HMB: Disaster Recovery is a subset of Business Continuity. BC should be owned by someone senior in the business such as the CFO who has the big picture. Businesses need a BC strategy that reflects all the critical elements of the business not just recovery of IT systems after a disaster. This includes understanding how the business operates, what dependencies there are on and between people, processes, locations, premises, products, transport, communications, resources, logistics, and the list goes on.
Obviously the BC strategy must also cover IT processes, hardware, software, operations, and development. The Disaster Recovery strategy within the BC strategy should address the level of “insurance” a company believes is necessary based on the level of disaster that is being protected against. This may range from protection against hardware failure such as RAID storage systems for the protection of disk failures to protection against natural disasters that may wipe out an entire company location including the data centre. The BC strategy also needs to cover how the business will continue during the various levels of disaster. For example it may be that a company could continue operating for a few days providing there was paper and writing implements available!
IDM: What products does FalconStor feel are within the scope of BC/DR?
HMB: Companies need to identify what their Recovery Point Objectives and Recovery Time Objectives are for each application, process, and operation (including those outside of IT) and what products there are that can help achieve these objectives.
From an IT perspective the obvious thing to clone or protect is the key business asset – data. There are many ways to do this depending on the RPO/RTO for each application and the level of critically of data to the business. Fundamentally data has to be stored somewhere and so the quality of the storage devices relied upon for primary access for data need to meet the SLAs for the various applications. One such criteria may be that the storage device for a particular application should have no single points of failure. Another such criteria might be that the storage device be mirrored to a different storage device such that access to data is not lost in the event that the primary storage device crashes.
Assuming the primary data is lost then there needs to be a mechanism to recover a copy of the data to meet the RPO/RTO objectives. These objectives normally depend on the way the data is copied. For example if the data is backed up to tape on a weekly basis with the tapes stored offsite, then the RTO would be very slow and the RPO would be week-old data as compared to data that is being continuously protected where the RTO and RPO can be almost instantaneous.
The technologies and/or products that are likely to figure in/be considered as part of a BC Strategy would include: Server Technology, Storage (Disk, Tape, Optical etc) Technology, Virtualisation (both Server and Storage), Network, Security, Backup Products, Continuous Data Protection Technology, Snapshot Technology, WAN-based Replication.
IDM: What are the common misconceptions you've become aware of when it comes to BC?
HMB: That BC is all about IT. That the IT department should own BC. That having a “successful” DR “test” where systems could be recovered means that you have a BC strategy.
IDM: Which key-stakeholders would you recommend have input to BC decision making?
HMB: CxO-level.
IDM: What are the main drivers you've been made aware of by companies implementing BC strategies?
HMB: The “fear” factor (9/11, terrorism, natural disasters). Compliance and legal requirements.
IDM: What on earth would stop and organisation implementing one?
HMB: Lack of fear. No compliance or legal requirements. Cannot “afford” insurance.
IDM: Is the 'poor man's approach' (back-up the data to CD and take it home) still evident at the SME level or is this area learning from the enterprise?
HMB: Definitely at the SMB level but with WAN-based DR solutions and hosted DR becoming more affordable and less proprietary the SMEs are looking at more sophisticated capabilities.
IDM: Is the SMB being priced out of the ability to protect itself?
HMB: Quite the opposite. There are hosted data protection offerings that amount to less than A$100 per month. Also, with the advent of iSCSI there are Continuous Data protection appliances that may be deployed for under A$5,000.
Also, there are clever techniques that can be used to fund DR infrastructure such as:
1. Use DR as Test and Dev environment.
- although provisioned to run core / key apps & systems it should have sufficient capacity to be an interesting Test and Dev env.
2. Use the "double four year lease" approach.
- Lease new gear every two years, and keep it for 4 years. This way the 2-4 year old gear lives at the DR site.
3. Virtualisation (eg Xen or similar).
- By using virtualised production machines, it is significantly easier to run the production images up in a DR environment.
Usually, the only penalty is performance.
Often the savings arising from Virtualisation will go some of the way towards funding DR (or visa versa depending on where the budget is).
IDM: Finally, everybody has a BC/DR war story, what's yours?
HMB: I came across one UK retail company a few years ago that had decided not to invest in “insurance” for a data centre disaster as they believed that the business would not survive such a disaster and so it would have been a waste of money! I have also heard from many different sources the story where hardware in the data centre was shut down intermittently because the BC strategy had not factored in the cleaner needing a power socket to run the vacuum cleaner!
The Data Recovery Guru
Next up, we spoke with is one of Australia’s leading data recovery specialists, Adrian Briscoe from OnTrack – a company which deals with the fallout from business disasters.
IDM: 'Business Continuity' or 'Disaster Recovery' - simply different terms for the same business requirement?
AB: Not exactly. Business Continuity is more connected with day-to-day operations - proper maintenance of all systems - while disaster recovery should be thought of as planning for the worst case scenario.
IDM: What products does OnTrack feel are within the scope of BC/DR?
AB: Definitely all facilities and physical systems (computers, servers, etc) - but an important item that often gets left off these lists is the data ON these systems. Good BC/DR plans should include protection and replacement for computers, but also methods for backing up crucial data and making sure it is accessible no mater what situation evolves.
IDM: What are the common misconceptions you've become aware of when it comes to BC?
AB: That BC is only tied to the physical products. Having a building to work in and computers to work on is certainly important - but with no data, not much can be done.
IDM: Which key-stakeholders would you recommend have input to BC decision making?
AB: Certainly the facilities/office manager and the CIO, but also the data center manager. It is crucial that the person directly in charge of email and business systems be involved with protecting the company's most vital asset.
IDM: What are the main drivers you've been made aware of by companies implementing BC strategies?
AB: As a data recovery company, we see data loss due to some form of disaster almost every day. For many companies that contact us, they often had a BC plan but it wasn't comprehensive enough and didn't take the data into account. They are scrambling for solutions and hoping they didn't delay too long in attempting to recover their data. There is another group of companies that have data recovery as a component of their BC/DR plans - since they had an established relationship with us, they are already on their way to restoring continuity. It is a small detail that can make a huge difference when disaster strikes.
IDM: What on earth would stop and organisation implementing one?
AB: Cost, time, resources - but these are poor excuses as every company should have some form of BC/DR plan, no matter how basic.
IDM: Is the 'poor man's approach' (back-up the data to CD and take it home) still evident at the SME level or is this area learning from the enterprise?
AB: It is still evident and can be very effective if done properly (do back-ups regularly, test them periodically to verify they work/correct info is backed up, store them in an offsite location). SME's can learn from the bigger enterprises that have a comprehensive BC/DR plan that incorporates data recovery in some fashion.
IDM: Is the SMB being priced out of the ability to protect itself?
AB: So called "perfect" backups are too expensive for most SMBs, which is why data recovery is such an important component of every plan. A pre-existing relationship with a recovery provider doesn't cost anything but can save a lot of money by streamlining the recovery process if it becomes necessary.
IDM: What, in your mind, are the key stages that have to be included in any BC/DR implementation?
AB: Although I can't comment on the best strategies for protection of physical assets - in terms of data, the key strategies are:
1. Backup your data(following the 3-step process outlined above)
2. Have a pre-existing relationship with a professional data recovery provider. That way, if you do experience a disaster that compromises your data (and backups aren't working for some reason), your company does have an option to get back to business in the shortest time possible. Downtime due to data loss can be crippling to a business so it is imperative that downtime is kept to a minimum.
IDM: Finally, everybody has a BC/DR war story, what's yours?
AB: I am always keen to advise the 'don't do this at home' approach as you have only one shot at data recovery - if a SMB / home office tries to do their own recovery then things can go badly wrong.
The Back-Up Specialist
We then turned our attentions to tape and disk archiving leader, Quantum. Country Manager for Australia and New Zealand, Craig Tamlin responded.
IDM: 'Business Continuity' or 'Disaster Recovery' - simply different terms for the same business requirement?
CT: Business Continuity is generally broader than the interesting but challenging I.T. project known as Disaster Recovery planning. A true Business Continuity solution involves all aspects of the business to ensure that risks to its operation are mitigated. The most prominent such business continuity risk in our recent past was Y2K. At that time, businesses had no idea what the possible extents could have been should basic community infrastructure not be available. This could include water, roads, telephone, staff ability to come to work, and access to the CBD, in addition to obvious items like power failure. Business Continuity includes many manual procedures and strategic business plans, contingencies and decisions that need to be made should significant risk to the continuance of the business arise. Disaster Recovery is certainly a key part of any Business Continuity program. It generally refers to the IT aspects of recovering systems, applications and data in the event of a event which takes out a computer installation.
IDM: What products does Quantum feel are within the scope of BC/DR?
CT: Quantum's core and most noted technology for Disaster Recovery is the tape cartridge. For years, the low-cost and portability of tape has allowed copies of data to be moved off site affordably to allow for the recovery of the applications and data to new or replacement infrastructure. Of specific note to DR, today's tape technology has come a long way since a few years ago. For example, an SDLT cartridge is designed to withstand a drop from 2m onto a hard floor. LTO is designed to withstand a 1m drop. [Although, we don't recommend you try this at home.] Other tape technologies are not so robust, but there are the lion's share of enterprise backup solutions based on DLT or LTO. This makes it the perfect medium to be included in this aspect of many organisations' DR plans.
IDM: What are the common misconceptions you've become aware of when it comes to BC?
CT: That DR and BC are the same thing.
IDM: Which key-stakeholders would you recommend have input to BC decision making?
CT: A full Business Continuity program will include: CEO, The Board, CFO, and CIO or IT Manager as key stakeholders.
IDM: What are the main drivers you've been made aware of by companies implementing BC strategies?
CT: The key focus of any BC plan is retaining the operational viability of the business.
IDM: What on earth would stop and organisation implementing one?
CT: Generally the main reason organisations do not go to the effort to build a complete Business Continuity plan is the effort involved. This is true especially when considering the slim potential for risk as perceived by some boards, when compared to the expense (tangible and intangible) involved.
IDM: Is the 'poor man's approach' (back-up the data to CD and take it home) still evident at the SME level or is this area learning from the enterprise?
CT: To a point this is true, but many clients are finding that CDs (or DVDs) don't have the longevity required for some longer-term storage. Tape, which has a much longer shelf life, lower $/GB, and far greater capacity than these entry-level solutions, is a far better fit. Most often, an offsite copy should be taken no less frequently than weekly (generally Monday morning after the weekend full backup).
Going forward, we will see emerging new technologies around data de-duplication through service providers and telcos offering affordable electronic offsite capabilities.
IDM: Is the SMB being priced out of the ability to protect itself?
CT: Generally not, assuming SMBs design a solution of scale appropriate for their business and risk.
IDM: What, in your mind, are the key stages that have to be included in any BC/DR implementation
CT: The most important aspect is understanding the cost of outage, and building a plan according to the impact of the risk.
IDM: Finally, everybody has a BC/DR war story, what's yours?
CT: I don't think you can publish this, but I was involved with helping a "big four" bank prepare for Y2K. The amount of detail and preparation that went into the potentials and contingencies was a true education.
The Data Centre
We then spoke with David Blumanis, Data Centre Advisor, APC Asia Pacific.
IDM: 'Business Continuity' or 'Disaster Recovery' - simply different terms for the same business requirement?
DB: No they are different. Business continuity plans focus on both people processes as well as infrastructure. Business continuity plans are driven by broader business needs rather than just the organisation’s IT needs.
Disaster recovery relates primarily to infrastructure recovery and is IT driven. Disaster recovery plans often just focus on infrastructure considerations and do not extend to broader business recovery considerations.
IDM: What products does APC feel are within the scope of BC/DR?
DB: Anything from locks on rack doors to UPS devices to remote data centres.
IDM: What are the common misconceptions you've become aware of when it comes to BC?
DB: Many organisations consider the risk of a disaster impacting their business to be extremely low. This lack of awareness is in part perpetuated by the fact that a lot of disasters are never reported to the media and discussed publicly.
Many Australian organisations also have misconceptions regarding the extent to which their business continuity plan (BCP) extends across their business. Often organisations find the continuity of some critical business processes are not considered under their BCPs.
Most companies don’t know what’s important to their business. They don’t understand the impact one process or component can have on the business if it is not available.
IDM: Which key stakeholders would you recommend have input to BC decision making?
The Risk Management Steering Team should provide guidance in the development of the BCP and play the key role in BC decision making. The Core Functional Management Team should be responsible for implementing the plan. The Corporate Risk Manager that reports into the Risk Management Steering Team oversees the practice.
IDM: What are the main drivers you've been made aware of by companies implementing BC strategies?
Many organisations decide to implement BC strategies after they have just experienced a disaster themselves.
Other organisations implement BCPs in order to become compliant with corporate or industry licensing requirements.
Becoming listed on the stock exchange is also a major driver for many organisations to implement a BCP.
IDM: What on earth would stop an organisation implementing one?
DB: A company’s vision can often prevent organisations from implementing BC strategies. For example if they are undergoing a merger or acquisition they probably wouldn’t look to invest in BC right away.
Cost constraints and a director’s lack of experience with disaster recovery will also prevent companies from implementing BC strategies.
IDM: Is the 'poor man's approach' (back-up the data to CD and take it home) still evident at the SME level or is this area learning from the enterprise?
DB: Yes, it is still exactly the same. Implementing business continuity strategies is a costly exercise and SMEs usually don’t have the money to pull together a plan. When they do their back ups, they don’t usually test them due to lack of experience and/or time - they don’t do due diligence.
SMEs often don’t understand the level of risk their organisation faces and the impact systems downtime can have on their business. Often they don’t stop to thing about it until they get to a size where they need to think about compliance.
I
IDM: Is the SMB being priced out of the ability to protect itself?
DB: Yes. SMBs are more focused on investing their money in winning new business and marketing the business than in implementing BC strategies.
IDM: What, in your mind, are the key stages that have to be included in any BC/DR implementation?
DB: 1. Executive realisation for the need
2. Appoint an executive or risk manager responsible for the development of a plan of implementation.
3. Set up a Steering Team and reporting mechanisms
4. Develop business case on extent of business continuity and the cost involved
5. Communicate the business case to the organisation
6. Implement the plan
7. Test regularly
IDM: Finally, everybody has a BC/DR war story, what's yours?
DB: I was working as Data Centre Manager for an organisation in Sydney. There was a severe hailstorm that destroyed company’s entire warehouse and made Swiss cheese out of its head office. Water entered the facility which then led to a fire breaking out in the data centre.
Because the fire occurred straight after a natural disaster, it took the fire brigade over one hour to arrive. We went through 35 extinguishers trying to control the fire. The data centre burnt down.
Luckily we had a disaster recovery site which allowed us to resume critical business processes and apps within one and a half days. We made $200,000 a day in orders. If we didn’t have a disaster recovery site the organisation’s critical IT systems could have been down for a week and a half.
The Offline Option
Finally, we spoke with Joel Norton of relative newcomers to our region. Joel represents 3Par – which offers online storage solutions.
IDM: 'Business Continuity' or 'Disaster Recovery' - simply different terms for the same business requirement?
JN: From a storage standpoint DR and data availability and easy, quick automated access to such are key components of assuring overall business continuity.
IDM: How do 3PAR's offerings fit within the scope of BC/DR?
JN: 3PAR's Utility Storage Server The 3PAR physical, technical and operational architecture does away with need for multi-tiered SAN infrastructure and facilitates both IP and FC point-to-point connectivity.
IDM: What are the common misconceptions you've become aware of when it comes to BC?
JN: The primary misconceptions are that DR/BC processes and infrastructure are expensive [duplicate sites and volumes of replicated data requirements]and that it is complex to implement a complete DR solution both procedurally and practically. Another is that DR/BC requires a great deal of planning, capital investment and service charges, and does not facilitate the flexibility often required to meet my changing business as it has been structured around a particular business model/operational requirement.
IDM: Which key-stakeholders would you recommend have input to BC decision making?
JN: In recent years, the importance of BC and, therefore DR has reached the top of every organisation. CIOs, CFOs and CEOs are now aware and concerned about whether their Enterprise is prepared for a disaster. This is true no matter how large the organisation.
IDM: What are the main drivers you've been made aware of by companies implementing BC strategies?
JN: Complexity, cost and scalability are the primary issues.
IDM: What on earth would stop and organisation implementing one?
JN:The same generic issues of complexity, cost and scalability. Traditionally, implementing an effective operational/testable DR strategy was just not possible for other than the largest organisations.
IDM: Is the 'poor man's approach' (back-up the data to CD and take it home) still evident at the SME level or is this area learning from the Enterprise?
JN: I think it is not so much that they are “learning” from the Enterprise. They just haven’t had a practical way to address the requirement. This, combined with the increasing awareness of the cost associated with not having a solution, are what are changing the thinking. Data protection and backup are fairly well structured at tier 1, tier 2 and SME level, but it is the data recovery and business continuity that presents the key issues.
IDM: Is the SMB being priced out of the ability to protect itself?
JN: Until now, the framework for an effective and operational DR/BC strategy has meant that - yes - SME's have struggled to put an effective DR/BC plan into place. Backups, and restoring from backups has been the primary approach to handling a DR scenario, and today the timing of such is not conducive to operating a business in today's dynamic and global marketplace.
IDM: What, in your mind, are the key stages that have to be included in any BC/DR implementation?
JN: Experience has shown that any successful DR/BC strategy and implementation has to be a top-down initiative involving key stakeholders within an organisation, and that a minimum recovery point has to be determined that will enable an effective level of business operation/delivery, and such may not necessarily be an all singing all dancing immediate back to where we were recovery requirement - as this has layers of complexity and cost that are generally not viable so often cause DR/BC projects to generally die, or languish, on the vine. Also, the best DR/BC approach may not necessarily be achievable with an organisations incumbent infrastructure and technologies or existing procedures, so organisations need to look at how best to deliver an effective DR/BC capability on a number of levels - as an initial strategy for DR/BC. Once this strategy is in place, the implementation process generally follows tried and tested frameworks for deployment which can be along the lines of - assess risks and DR situations/scenarios, determine requirements and objectives, assess capability to meet these and then prioritise, determine the project approach - incorporating people, timeframes and operational/procedural deliverables, plug the gaps in the competency to deliver - and consider technologies that will deliver on the objectives, determine and secure the budget, initiate a project responsibility and stakeholder communications strategy - and deploy.
IDM: Finally, everybody has a BC/DR war story, what's yours?
7686
JN: I could certainly provide such, but not with 3PAR.
Related Article: