At the heart of every organization are volumes of irreplaceable data that is updated each second of every day. This data must be secured, protected and brought back online instantaneously in the event of a natural or man-made disaster. Below are the "Top Ten" list of recommendations to ensure that businesses and large organizations have implemented thorough procedures to ensure IT business continuity in the event of any type of system outage. The Top 10 are:
1. Identify all business critical data and systems within the company
2. Perform a business impact analysis to revenue and cost implications of a
disaster recovery plan.
3. Define retention periods for all data.
4. Establish data recovery service level agreements (recovery time objectives,
recovery point objectives).
5. Develop a business continuity/disaster recovery IT plan for various types
of system failures (natural disasters, human error, etc.).
6. Identify, educate and train the appropriate IT personnel on your organization's
business continuity/disaster recovery plan.
7. Backup your data on a regular basis to a secondary source.
8. Replicate and/or store a copy of critical data at an offsite location.
9. Test your data protection and recovery procedures on a regular basis.
10. Review and update your business continuity plan annually.
#1. Identify all business critical data and systems within the company
Corporate data is important and a very critical asset to every organization;
however, all data is not created equal and as such should not receive the same
service level across the board. Critical data sets need to be assigned to high-performance
storage, be protected in real-time and be recovered almost instantaneously,
while other data sets might not need that same kind of care. Companies need
to be able to separate their mission critical data from their non-mission critical
data. Such a categorization not only saves costs in hardware and software but
more importantly, helps companies understand their recovery priority in the
event of a disaster.
The most valuable data sets are the ones which have the largest revenue/cost
impact to the business either as a result of data loss or as a result of an
extended outage of the application during recovery.
#2: Perform a business impact analysis to revenue and cost implications of
a disaster recovery plan.
Cost implications of a disaster recovery plan can be significant depending upon
the relative requirements of the business. While data continues to grow 50+%
annually, it's estimated that 90% of corporate data is rarely accessed or modified.
To better manage limited resources, it makes sense that businesses perform a
usage analysis of their various data and applications which also help optimize
revenue and cost balances.
At a high level, the value of data and its impact to a business can usually
be determined by two main factors:
Type of data: Application the data belongs to - e.g. Order entry data, trading data, Exchange email, Word documents, Power-Point presentations, MP3 media files, etc.
Currency of data: How current is the data - for instance the last hour's worth of data in the order entry system vs. yesterday's email, last week's presentation, last month's spreadsheet, or last year's annual report.
Clearly, the most valuable data set is associated with the most critical business application along with the most recent data. Investment in a DR plan needs to be directly proportional to the business impact of that data.
#3: Define retention periods for all data.
Besides the revenue impact on the business, regulatory compliance and corporate
governance rules drive other requirements which mandate businesses to define
stringent data retention policies. Many such policies impose requirements around
capturing every type of data created, storing it in a way that enables on-demand
and granular restoration, and destroying data after the retention period expires.
Protection of critical data should not be overwritten, but rather continuously
appended so that the integrity of the data is always maintained irrespective
of the operations performed on the data.
Needless to say, the finer the granularity of data capture and the longer the
data retention history, the larger the resultant data could become. As such,
business should choose the most resource efficient solution to protect, retain,
and recovery business data. Defining these retention requirements not only will
help in being compliant but also contain costs.
#4: Establish data recovery service level agreements (recovery time objectives,
recovery point objectives).
Since data is valued differently, it's important to define the appropriate service
levels that can be applied to application data based on the above discussed
requirements. Establi-shing different service level agreements (SLA's) will
help in "tiering" or categorizing the data as well as in monitoring
and measuring the actual delivery results against expectations. Here are some
of the more important parameters to understand and establish:
Recovery Time Objective - the time needed to recover from a failure
Recovery Point Objective - the point of last data capture before a failure
Recovery Time Granu-larity - the frequency of the data capture
Retention History - the length of time protected data is kept
#5: Develop a business continuity/disaster recovery IT plan for various types
of system failures (natural disasters, human error, etc.).
Due to budget tradeoffs and piecemeal vendor tools, businesses often have to
choose what data to protect or what failures to be prepared for. In reality,
the right technology solution is one that can scale to protect all types of
data and failures whether local or remote.
However, recovering from a failure it is not about technology alone. Rather,
it is the entire continuity plan and processes that identify who, what, when,
where and how the business will be resumed. Such a plan needs to be well documented
and comprehensive since there is no room for ambiguity during the chaos of a
disaster. The plan needs to identify all resources including specific people
involved, exact actions and processes they need to follow, and the precise tools
and locations involved for a successful business recovery when an interruption
takes place.
#6: Identify, educate and train the appropriate IT personnel on your organization's
business continuity/disaster recovery plan.
Ongoing training of IT personnel on the above defined processes is equally important.
Disaster recovery software continues to automate multitudes of IT tasks but
can get complex if built upon layers of tools that require integration. Compre-hensive
software that simplifies DR administration can alleviate that complexity, along
with training to encompass familiarity with both the processes and the software
which needs to happen on an ongoing basis.
#7: Backup your data on a regular basis to a secondary source.
The first and the basic step in any kind of data protection or disaster recovery
planning is the process of backing up your data to secondary storage. This helps
companies protect from any kind of local or potentially remote failure. Traditionally,
these backups have been performed incrementally on an hourly/nightly basis to
tape medium with full backups being done nightly or weekly. Shrinking backup
windows and costly tape operations have challenged these traditional methods.
With current disk based technologies and recovery management software, companies
can not only eliminate back windows by protecting data continuously, but also
dramatically improve application availability with an on-demand recovery approach.
#8: Replicate and/or store a copy of critical data at an offsite location.
With the world becoming more volatile both environmentally and politically,
it's no longer enough to backup your data locally. Local backups do not protect
you from a site-wide failure as a result of a natural or man-made disaster.
It is very important that a copy of data be stored at a secondary location for
disaster recovery purposes. Traditionally, this has been done by vaulting volumes
of dormant tapes offsite for security purposes. Existing replication technologies
enable enterprises to duplicate their data to their DR site but replication
alone is not enough. A replication solution that can maintain data history at
a secondary site is required to recover from replicating data corruption.
#9: Test your data protection and recovery procedures on a regular basis.
Similar to a fire-drill, its important to test your DR plan on a regular basis
to make sure everything is in place as planned and to iron-out any kinks. A
successful data protection and DR strategy is only as good as the success or
failure of the actual recovery. A failure in any single operational step of
recovery can deem your entire DR plan useless and any investment in it futile.
As a result more and more businesses are focusing their efforts around the efficiency
of recovery vs. data protection.
#10: Review and update your business continuity plan annually.
Businesses and priorities continuously evolve because of today's fast changing
environment. Changes in an organization can come from both organic (internal)
and inorganic (external) developments. This can change the dynamics of information
being protected and status quo processes and tools are likely insufficient.
Annual review will help determine alignment with business requirements, continued
compliance with regulations and most importantly, a fool-proof disaster recovery
plan, which will let you well sleep at night.
Marty Ward is vice president of products and marketing at Asempra Technologies.
http://www.asempra.com