Managing DR

Companies can reduce the impact of disasters by planning in advance and setting up a contingency plan that covers all aspects ranging from prevention to recovery. By Manjari Juneja

In the current economic scenario downsizing and cost containment have become business fundamentals. This invariably increases the dependence on business automation and outsourcing, resulting in greater vulnerability. It is one of the pressing concerns facing IT managers today forcing them to seek better ways to protect their information assets and prepare for quick recovery in case of a disaster. It is therefore, critical for customers to adopt an appropriate architecture with scalable data protection mechanisms.

Earlier, companies sought 100% uptime for their business operations and they invested time, money and effort into solutions that could help them avoid potential disasters. IT-centric companies found that they could avoid harm through the use of redundant data lines and computing infrastructure. This led to a shift of focus from disaster recovery to business continuity or resumption. However, both natural and man-made disasters can still hit an organization at any time with little or no warning. While prevention is indeed better than the cure, companies are well advised to consider developing and maintaining a sound Disaster Recovery Plan (DRP) to mitigate risks and achieve shorter turnaround times. Standards and industry best practices today look at the DRP as IT-centric and as a part of the overarching Business Continuity Plan (BCP) that companies need in order to prepare for a disaster. A good BCP always gives top priority to the safety of people while also including the critical business processes of the company.

Chandrasekhar Balasubramanian, Country Manager - Infrastructure Risk Management Services, IBM India/South Asia, said, “Disasters present ongoing challenges to which business and IT managers must respond since mismanagement can be a costly affair. Organizations have begun to realize the costly, far-reaching impact of lacking key capabilities that can be readily deployed when an emergency arises. This could affect their infrastructure, employees, customers and daily operations. A heightened level of contact to events that are disruptive and catastrophic in recent times coupled with being heavily dependent on government and businesses have made disaster recovery, crisis management and virtual backup an imperative.”

An effective IT DR plan must cover the people, processes and technology required to recover IT applications. Lakshman Narayanaswamy, Co-founder and VP Products, Sanovi Technologies, said, “Disaster recovery readiness touches upon several facets of a organization and has a life cycle. The stages of the DR Lifecycle are planning; solution design and provisioning; monitoring & validation; recovery; concluding with testing & reporting. Typically a DR plan fits into a larger business continuity plan for the organization.”

He touched upon the concepts of recovery point objective (RPO) and recovery time objective (RTO). “Newer technologies and data protection methods have reduced cost and made DR solutions with close to a zero RTO viable,” said Narayanaswamy.

Aman Munglani, Principal Research Analyst, Gartner, said, “Large enterprises, BFSI and lots of manufacturing companies have woken to the fact of disaster recovery but many companies are still unconcerned about it as they think that they cannot be hit by any kind of disaster. Also, many companies do have disaster management in place but despite that they don’t focus on testing. DR is a waste until unless it is tested time and again.”

Ajay Soni, Vice President - IMS, Patni, commented, “Disasters vary and there is no silver bullet to eliminate them. However, companies can minimize the impact of a disaster by implementing business continuity management processes. The process should include analyzing disaster scenarios, understanding business impact, creating a BCP/DR document, performing detailed risk assessment, strategizing risk mitigation and control techniques, implementing control and tools, revisiting and testing /retesting scenarios and maintaining BCP/DR on a regular basis.”

With security threats on the rise, a defense plan would also be beneficial if you can include aspects such as intrusion detection and vulnerability management amongst other hygiene measures that one usually adopts such as firewall, anti-virus, content filtering etc.

Managing disaster

Businesses face the prospect of managing an ever increasing amount of data that threatens to undermine existing storage management solutions. As the critical data changes occur throughout the day, data protection is no longer about simply copying changed files to tape. The focus is shifting from backup to recovery and it’s all about how soon you can recover data and get your business operational. Organizations face demanding business recovery objectives and increased government, industry and legal regulations for the protection, retention, recoverability and authentication of data.

A comprehensive and methodical approach empowers organizations to make informed decisions. A systematic approach would provide thorough insight into the various anticipated risks and their possible business impact. Organizations will be able to better evaluate the pros and cons of adopting any particular solution to manage business continuity.

Seema Ambastha, Director-Technology, VMware, said, “Disaster recovery is no longer a luxury but a necessity, it now forms the backbone of every business especially businesses that have to do with IT. A foolproof method that companies can invest in to cover themselves from any disaster is virtualization. This technology has the power to reduce the risks of IT system outages and data loss for companies. It increases application availability and dramatically shortens the RTO and significantly improves a company’s business continuity preparedness.”

Akila Krishnakumar, COO and Country Head (India), SunGard, said, “Companies need to focus on educating employees. It is critical that every employee understands the importance of confidentiality, integrity and availability (CIA) with regard to IT systems and assets. Secondly, IT infrastructure can be designed to ensure the highest level of CIA through proper planning and the efficient usage of tools to safeguard, protect and recover information assets. No matter how advanced the IT infrastructure is, education and training of employees in effective usage of the available systems is the key to successful disaster management.”

Technologically speaking there are many ways to manage disaster. Based on the criticality of applications or data, you can put together the right DR solution. DR has to be viewed not just as data, applications and servers but it must also include infrastructure aspects such as power, AC, connectivity etc. Some options in disaster management include data backup, replication onto nearline storage, having a DR site in a different location that is geographically distant from the primary location etc.

Planning approach

Every business has unique needs thanks to its clientele, locations, applications, etc. What others can withstand, your business may not be able to and vice versa. Your disaster recovery plan should be customized to meet the requirements of your business and the value that you place on your data. Performing a business impact analysis and risk assessment can help identify the real needs of the business and direct the creation of a DR plan. Information on these is readily available in addition to resources for assisting with or performing the actual analysis.

Sanjeev Hirlekar, Sr. Security Consultant, Tech Mahindra, said, “BC/DR requirements differ from organization to organization. Even within the same organization not all applications that automate business processes demand the same continuity options and recovery timelines. There cannot be a one-size-fits-all solution. It is imperative to start with in-house expertise while developing BC/DR plans. The planning approach begins by creating a BC/DR organization or team that functions under the guidance of a steering committee consisting of the company’s senior management. The steering committee provides management oversight, necessary resources and grants accountability to the BC/DR exercise. The BC/DR team should bring together experienced managers from critical functions. Specialist help pertaining to prevalent regulations, standards, industry best practices, technologies and industry domain experience can be sourced externally. Drawing on the combined expertise of functional heads in the company and external experts, not only ensures that BC/DR plans are aligned to the organization’s business needs but are also complying with regulatory requirements.”

To begin with, it is important to identify a company’s critical information assets and the respective owners or users of each such asset. Secondly, you have to identify the threats and scenarios that could lead to information security violations. Lastly, companies need to identify the vulnerabilities and their severity levels in exposing the organization to risk. Once these three steps are followed, DR becomes a simple, tactical process that is implemented on a proactive basis.

Sriram S., CEO, iValue InfoSolutions Pvt. Ltd., said, “DR planning should begin with business impact for each of the applications with respect to RPO/RTO. Based on this you can classify each application for different types of DR solution sets to optimize costing. Then appropriate DR solutions along with redundancy with regard to power, AC, connectivity, etc. can be designed. The IT aspects of DR planning include critical applications, RTO, RPO, bandwidth requirement, seismically different locations for the primary and DR site, the size of the data sets to be replicated etc.”

DR planning is a business issue with the bottom-line being that a company has to survive a catastrophe and be in a position to restore its normal business operations. For any organization, the first step in contingency planning involves being aware of the IT environment in which it operates. In addition to defining the broad requirements of the recovery plan this process also involves carrying out a vulnerability check. The next step is to identify the most critical business assets and develop cover for its safety and quick recovery while understanding the data protection procedures that are required. The primary objective of a DR plan should be to enable organizations to minimize the impact and the duration of a serious disruption, allow successful co-ordination of recovery tasks while keeping the recovery plan relatively simple.

P.K. Gupta, Director and Chief Architect, BRS Practice -APJ, EMC, said, “As part of a company’s DR strategy it must assess the existing backup and recovery environment. It’s important to align data protection with data criticality. Creating a reference architecture as well as quantifying and measuring outcomes are an important part of the planning process. Once the plan is in place, the organization must be prepared to do a phased implementation and transition of the suggested mechanisms. Adopting new technologies such as cloud computing and virtualization now forms an integral part of DR planning for any organization.”

Maintaining business continuity

A complete BC plan should account for your employees first and foremost with an evacuation plan that ensures everyone’s safety. Other resources to cover include relocation, temporary offices, telecommunications, remote access, customer and business activities, disaster recovery of systems and data, and all other necessities to return to business as usual, even in the event that an entire location is inaccessible.

Creating a business continuity plan can take upwards of six to nine months during which time the appropriate disaster recovery solutions should be implemented to provide adequate protection for your data in order to prevent major business interruptions.

DR is a subset of BC that addresses issues beyond IT such as natural calamities, acts of terror, fire hazards, epidemics affecting large percentage of employees etc. Operations spread across multiple geographies with good systems and practices coupled with detailed alternate planning for each calamity can help reduce the risk associated with business continuity. Many organization without a BC/DR plan go out of business when faced with such calamities without having a chance to rebuild which should be borne in mind by the leadership in every business when it comes to DR/BC planning and investment.

Sandeep Menon, Country Head, Novell India, said, “To begin with, planning in advance in order to negate or minimize delays in business delivery, is of paramount importance. BCP should encompass the outcome which is to minimize loss of data and shrink downtime to the extent that is possible. Giving priority to vital activities and data will help construct a robust plan. One must also identify proper BCP software and tools for the same. Virtualization from Novell increases business continuity and high availability by migrating disparate workloads onto virtual machines without interruption.”

DR in the data center

As per Symantec’s 2009 State of the Data Center report, roughly one third of the respondents said that their plan was either undocumented or needed work. Often there are important areas that get left out of the plan (for e.g. virtual servers, remote offices and cloud computing). Data centers are becoming more complex and therefore harder to manage. Over 50% of enterprises planned to implement significant changes to their data centers in 2010 with server virtualization, storage resource management, continuous data protection, backup & recovery and security being the initiatives that they were planning to take up.

Vineet Sood, Head, Channels and Alliances, Symantec, said, “Enterprises should implement a holistic data protection solution across virtual environments, remote offices, desktops, laptops, servers, applications and databases that can quickly recover data and systems in the event of a disaster. Data center managers should also consolidate information on to a single management tool that manages both physical and virtual environments in order to reduce the number of tools required. Automated solutions that minimize human involvement and address weaknesses in DR plans will help reduce downtime.”

There are a number of methods available to protect information; most environments use a mix of techniques. For non-critical applications, basic tape or disk-based backups might be sufficient, whereas for more important applications, online disk-based backups with various levels of recoverability can be implemented. The exact protection methodology will depend on the application’s RPO/RTO requirements.

Remote data replication technologies

Remote protection involves replicating data between physical sites as close as the building next door or as far as another city, state, country, or continent. Businesses have various reasons to perform remote data replication. These include the need to service a geography or region from a secondary site or to quickly recover from a disaster to provide business continuity.

Virtualization is one of the best ways to ensure data is on a centralized server and is configured for recovery mode on to another virtual environment. Other methods include clustering the application and database servers in an active-active configuration; disk mirroring on a remote database server; remote backups; and centralized version control at a remote data center.

Satyaki Maitra, Director, SI Business, NetApp India, said, “Data replication technology is gaining popularity in every aspect of the IT application infrastructure. It often works in combination with data-deduplication, virtual servers or the cloud to carry out its DR role. Data deduplication is one of the strongest trends that we can see in this space. It is an important technology used to control data proliferation and is particularly useful for virtualized environments in which each VM contains the operating system, patches, software applications and other data. All of those copies can now be reduced to a single instance, reducing storage-capacity needs by up to 90%. NetApp deduplication is a fundamental component of the Data ONTAP operating system and is the first that can be used broadly across many applications including primary data, backup data, and archived data.”

The RTO and RPO in BCP are major decision factors in choosing the right data replication technology. For e.g., if the organization chooses point-in-time data replication then there are products from EMC, Hitachi and IBM that possess these capabilities either through specialized hardware and software or a combination of both.

There are three methods for remote replication: host-based, array-based and fabric-based. The least expensive method is that of host-based replication that uses software running on a server or dedicated computer and passes information across the WAN.

Inking the SLA

An ideal disaster recovery management (DRM) provider should understand both the business and data protection requirements and offer a full range of integrated backup, recovery and archiving services.

When signing the SLA for disaster recovery management a few salient points need to be kept in mind. The SLA should describe the services that comprise the disaster recovery services provided by the vendor and the commitments reciprocal to the customer. Largely, SLAs embody all the services being offered and their descriptions; but in the event of special services such as DR, the same should be defined by the vendor. Response and resolution time frames, especially during a disaster need to be agreed upon as does the duration of the agreement.

Recovering data that has not been copied Maitra commented, “There are various methods to recover data which has not been successfully copied to the DR site. A popular method is to implement consistent snapshots of data at the production site at a much shorter interval than the required RPO. This gives application administrators the ability to roll back to a previous point-in-time (locally) to recover from a data corruption or data deletion issue. However, this method would fail in the case of a complete site failure where primary storage has become inaccessible. For such scenarios, a near-site (typically within 100 km of the production site) with zero RPO is recommended. The creation of such a site depends on the criticality of data and available connectivity between sites. The final method for many organizations still remains to restore from offsite tapes if they exist. This method is used for scenarios which involve extended link outages or when the failure of an application does not warrant the need to resume operations from a DR site.”

There are companies that specialize in recovering data from hard drives damaged by fire, flood, corruption, etc. Such recovery services are typically quite expensive and they may not be able to recover all the data from a drive. To avoid such situations, it is vital that companies assign workloads to appropriate protection tiers, with matching RPO and RTO times, to ensure that all data from all servers is protected with the frequency and priority that is required.

manjari.juneja@expressindia.com