About Do-It-Yourself
Disaster Recovery
Disaster recovery and business
continuity have always been important functions in the world of IT. Over time, however, processes that were once performed manually (perhaps on paper) have given way to the digital age. In fact, entire organizations are built around their IT capabilities. As a result of the ever-increasing importance that IT plays in business operations, disaster recovery and business continuity capabilities have gone from being viewed as “important” to being considered “mission critical.” It is inevitable that hardware will eventually fail (studies have shown annual failure rates range from 15% to 20%), and without proper data protection, certain types of hardware failures can have catastrophic consequences for the business.
The renewed emphasis on disaster recovery has led to increased spending on data protection and business continuity solutions, even in a chronically depressed economy. Even so, organizations are discovering all too often that their data protection and business continuity investment fails to deliver the level of protection that is really required. A recent study
by Forrester Research1 indicated that
59% of organizations surveyed found their disaster recovery initiatives were only somewhat successful, with some recovery objectives not being met.
This should be especially worrisome to IT professionals since a major data loss event could impact their job and the organization as a whole. According to some studies, up to 70%
of organizations that suffer a complete data loss go out of business within a year. Of course, even smaller data loss incidents can have a devastating impact, especially in regulated industries such as healthcare. HIPAA, for example, requires covered entities to protect patient health information and to have a business continuity plan. The Department of Health and Human Services has the authority to impose fines up to $50,000 per violation with an annual maximum of $1.5 million2.
It seems fair to say that most
organizations probably recognize the fact that data loss has consequences and that data protection is important. Why, then, do so many organizations fall short on their data protection goals, even after dedicating a large portion of their IT budgets to disaster recovery and business continuity? Ultimately, the reasons for data protection shortcomings are widely varied, but the reasons often involve factors such as lack of expertise or succumbing to vendor hype and
investing in a backup and recovery solution that fails to fully address the organization’s requirements.
1 The Risks Of ”Do It Yourself” Disaster Recovery, Forrester Research, 2013 2 HIPAA Violations and Enforcement, American Medical Association
Introduction
In the not too distant past, data protection involved performing nightly backups to tape and then shipping that tape offsite for safekeeping. Today, this tried and true approach that has worked for decades is completely inadequate. The very nature of IT has changed dramatically over the last few years and this change has rendered traditional backups obsolete. Factors that have led to this obsolescence include:
• Server virtualization, which has made it possible to rapidly deploy virtual servers and to make major changes to the IT infrastructure. Legacy backups are simply not dynamic enough to keep pace with such rapid change.
• A shift in IT to a 24/7 operation
for many organizations, thereby making a dedicated backup window extremely impractical.
• An increase in mobile users who often work from places other than the office. This mobility has evolved into the expectation that a user will be able to log in any time and from anywhere. As such, backups cannot be performed in a way that causes them to be disruptive to user productivity.
• Traditional backups were designed to protect the data, so that files could be restored; this is no longer adequate as applications and full systems are required to access such data.
According to a study by the Aberdeen
Group3, an hour of downtime costs
small companies (with fewer than 100 employees) about $6,900, while the cost to a large organization with more than 1,000 employees is estimated at a staggering $1,130,000.
Although these figures might initially seem inflated, it is important to understand that there are a number of different costs that come into play as a result of downtime, such as:
• Reputation and brand damage • Lost productivity due to downtime
or system performance • Lost revenue due to system
availability problems
• Forensics to determine root causes • Technical support to restore
systems
• Compliance and regulatory failure costs.
The Aberdeen Group’s figures clearly illustrate why it is so important for an organization to be able to recover from a disaster as quickly as possible. Having local and remote backups strikes a balance between rapid recovery (using a local backup) and protection against a site-level disaster such as a fire (by using a remote backup). Even so, rapid recoverability
is not the only thing that matters; ensuring continuity of business is also important.
The Status Quo is No Longer Good Enough
Disaster Recovery and Business Continuity are Two
Different Things
IT professionals often talk about data protection, disaster recovery, and business continuity without making a great deal of distinction between the various technologies. While the various technologies are related in the essence that you can’t guarantee business continuity unless you have adequately protected your data, the problem with treating data protection and business continuity as one and the same is that having the ability to recover from a
disaster does not guarantee business continuity.
Think about the previous example in which an organization has a local backup and a cloud-based copy of the backup. Assuming that the backup process was properly implemented, the organization should be well protected against data loss. Even so, protection against loss is different from business continuity. If something were to happen to the organization’s primary data then the backup administrator would have to perform a restoration. Depending on how much data has to be restored, the organization could be without critical resources for minutes, hours, or even days.
The argument has been made that such a recovery ensures business continuity because operations are able to eventually return to normal. However, every minute that an organization is offline costs the organization a significant amount of money. As such, true business continuity means being able to stay online in spite of a failure.
DIY Business Continuity
Although the technology exists to allow organizations to remain online even after a major failure has occurred, putting such a solution in place can be a tall order to say the least. It’s common for an organization to put together a DIY solution as a natural byproduct of the IT department’s evolution. Perhaps the organization started out with local backup software and then began adding other products as a way of
backing up virtual machines or writing backups to the cloud. Similarly, an organization may realize that its existing backup solution is inadequate and begins using additional products as a way to make up for the backup solution’s shortcomings. Organizations that adopt a combination of products for their data protection solution often work under the assumption that no better solution exists or that it is less expensive to incorporate their existing solution into the backup process rather than perform a “rip and replace.”
Ultimately, however, it may prove to be less expensive to use a single
comprehensive solution than to try to piece something together. Piecemeal solutions commonly require administrators to manage three to four different pieces of software. This increases administrative costs and also increases the chances of something going wrong.
?
DISASTER RECOVERY
BUSINESS CONTINUITY
One especially popular myth is that the best way to protect your critical resources is to back them up to the cloud. In spite of all the hype from cloud vendors, however, cloud backups typically are not the best option (at least not by themselves).
In order to truly protect data, organizations must have a minimum of three copies of the data - the original data, a local backup, and an offsite backup that typically resides in the cloud or in a remote datacenter.
Unfortunately, some cloud backup vendors try to convince customers that the organization is completely protected as long as a copy of their data resides in the cloud, omitting the fact that restore operations are bandwidth intensive. In some instances, a restore operation from the cloud a major data loss could take days - or even weeks - to complete.
Additionally, many cloud-only vendors do not offer protection for applications or systems, meaning only the files are available in the cloud. If you actually need to continue operations, you will not be able to do so without a cloud-based server failover or virtualization.
One of the most important considerations behind any IT solution is cost. Setting up your own hot site for disaster recovery and business continuity purposes can be surprisingly expensive. In addition to the hardware and software costs, there are other costs that are easy to overlook, including:
• Hardware maintenance • Extra staff hours • Datacenter space • Power costs
• Generators and battery backups • WAN bandwidth
So while it might seem less expensive to cobble together a DIY solution that is based around a variety of different data protection and disaster recovery products, doing so can actually be more expensive in the long run than it would be to simply adopt a consolidated solution.
Not surprisingly, there are a number of myths related to DIY disaster recovery. These myths may stem from vendor hype or from staff inexperience. Whatever the source of the myths, taking them at face value can leave the organization vulnerable to outages or data loss.
THE MYTHS OF DIY DISASTER RECOVERY
MYTH 2: DIY Disaster Recovery is a Cost Effective Option
MYTH 1: Backing Up to the Cloud is the Best Solution
Another myth is that when disaster strikes, the IT staff will inherently know how to recover from the disaster. After all, they are the ones who put the disaster recovery solution into place. But a Forrester Research study shows that the reality is quite
different as organizations that decide on DIY often face three challenges:
• Lack of focus on DR relative to other IT projects
• Lack of funding to keep DR infrastructure up to date • Lack of DR skills in-house
Companies typically underestimate the effort required to keep multiple backup and disaster recovery products working in sync, and the time required to ensure recovery operations are successful and DR testing is done properly.
MYTH 3: Our IT Staff Has the Expertise to Deal With Disaster Recovery
All too often organizations initially place a great deal of emphasis on disaster recovery, only to have interest wane as everyone becomes overly comfortable with the disaster recovery and business continuity solution that has been put in place. Worse yet, IT managers may inadvertently send a message to the IT staff that disaster recovery is a low priority when they reduce the disaster recovery budget.
Similarly, IT staff resources are often reassigned to other projects and data protection and business continuity become almost an afterthought. As TechTarget points out: “when a person’s primary role is in conflict with their disaster recovery role, the primary role usually wins to the detriment of the disaster recovery plan.”4
Similarly, Forrester Research cited the lack of focus on disaster recovery relative to other IT projects as being one of the top challenges related to in-house disaster recovery. In the
study5 24% of respondents listed lack
of focus on disaster recovery related to other IT projects as the number one challenge with their in house disaster recovery initiatives.
The reason why a loss of focus is such a big problem is because the only way to maintain disaster preparedness is through ongoing testing. Otherwise, there is no way to know for sure that the protective systems that have been put in place will do their job when the time comes.
Rather disturbingly, a study by
DR Benchmark6 reveals that 23%
of those surveyed never test their disaster recovery plans. Of those that do test their DR plans, 65% do not even pass their own tests. This same study concludes that three out of four companies are at risk due to their failure to adequately prepare for disaster recovery.
MYTH 4: Our Organization Places a High Priority on Disaster Recovery
4 Outsourcing disaster recovery services vs. in-house disaster recovery, Jacob Gsoedl, TechTarget 5 The Risks Of ”Do It Yourself” Disaster Recovery, Forrester Research, 2013
It is easy to assume that the disaster recovery solution that an organization puts into place today will do its job for the foreseeable future. While such an assumption might have once held true, IT is evolving at a rapid pace and today’s backup solutions may not be able to keep pace with the evolution of the organization’s IT operations.
Suppose, for example, that an organization built a business continuity and disaster recovery solution around their current server virtualization infrastructure. What happens if the organization decides to switch to another virtual operating system? Will the disaster recovery software created in-house or via a combination of third-party products be able to handle the new environment? What if the company decides to adopt a private cloud model? The required reconfiguration
of the virtualization infrastructure could potentially cause problems with the solution that is already in place. The fact is that with the fast pace of IT changes including new hardware configurations, new networking topologies, new operating systems and virtualization options, making sure your disaster recovery solution is able to handle the new environment takes a lot of time and effort. With IT departments overloaded and budgets shrinking, internal IT staff has little
time to worry about upgrading a DR architecture. Disaster Recovery vendors, on the other hand, place such upgrades at the core of their operations and are typically better able to keep pace with the new advances in IT to ensure their solutions remain compatible.
MYTH 6: Our Current Solution is Future-proof
The argument that “our business is unique” is heard very often and sometimes drives organizations to resort to a piecemeal solution involving a mixture of software and hardware products, as well as cloud services. Although such
solutions can work, deploying the various components requires careful choreography, and it’s not uncommon for one component to interfere with another. Using multiple disaster recovery products can also increase the risk that some resources are not
protected due to gaps between the coverage provided by the various products.
Given these risks, IT administrators would be wise to choose a
comprehensive, integrated solution
over a cobbled together piecemeal solution comprised of software products that were never designed to work together.
One especially popular way that organizations are working toward seamless business continuity is through virtual machine replication. The idea is that if an organization is able to replicate virtual machines or other IT resources to the cloud or to a remote datacenter, then they can shift IT operations to the remote facility in the event that the primary datacenter suffers an outage.
Although the basic concept of replicating IT resources is solid, the devil is in the details. Replicating virtual machines to the cloud, and providing instantaneous failover capabilities looks like a simple process on paper, but it can be surprisingly difficult to implement. One of the first challenges that must
be overcome if an organization is to replicate their virtual machines for the cloud is finding a cloud service provider with a compatible infrastructure. Infrastructure-as-a-Service clouds are not created equally. For instance, if the on-premise virtual machines are running on VMware, you probably aren’t going to be able to replicate those virtual machines to Windows Azure. Similarly, if your virtual machines are running on Hyper-V, don’t expect to be able to replicate them to Amazon’s cloud.
Another big challenge with using replication for business continuity is the scale and the dynamic nature of the virtual datacenter. Replicating a virtual machine is relatively easy, but what happens if you need to
replicate 100,000 virtual machines? Similarly, what happens if someone in your organization creates a brand new virtual machine? Will that virtual machine be automatically replicated, or is setting up replication of that virtual machine a manual process? As with any IT project, the cost of replicating virtual machines must also be considered. It is no secret that building a secondary datacenter can be extremely expensive. Disaster
Recovery Journal7 estimates that
floor space alone costs $4 to $5 per square foot per month. As such, cloud based replication is often marketed as being an inexpensive alternative.
Although cloud-based replication might initially prove to be an
inexpensive DIY solution, many cloud service providers charge customers based on the number of virtual machines that they create and the amount of hardware resources that they consume. If a provider uses this pricing model, then it means that the cost of virtual machine replication will increase over time as the organization accumulates a greater number of virtual machines and more data. Being that the IT department is always under pressure to cut costs wherever possible, it is conceivable that IT managers could eventually be forced to pick and choose which virtual machines should be replicated in an effort to control costs.
MYTH 7: Business Continuity Can Be Best Achieved Through Virtual Machine Replication
Reduction in up to 60% of total cost of ownership
Ability to fully test DR plans on a monthly basis as
opposed to annually
How do you take the best premises of a DIY solution like lower TCO, control over the DR solution, ability to fully test DR plans without additional costs, and future-proofing the solution? There are companies conquering the disaster recovery and business continuity space with novel approaches that are only possible today due to the advances of cloud computing and by taking a fresh approach to an old problem. Gartner calls this new wave “Recovery-as-a-Service” and Forrester Research calls it “Disaster Recovery-as-a-Service.” It is a hybrid approach that combines local protection with cloud-based recovery.
The advantages of Recovery-as-a-Service are numerous, including lower total cost of ownership, the ability to failover or virtualize individual servers or the entire IT infrastructure in the cloud, and faster recovery speeds. Additionally, the compatibility with multiple operating systems, hardware configurations, and virtual servers makes this a valid proposition against the typical DIY.
At Axcient, we have seen companies reap the following benefits when switching from a DIY DR approach to Recovery-as-a-Service platform:
Faster recovery times (RTO)
Lower administrative time and overhead for
maintaining the solution
Easier to achieve buy-in from senior management and
support for disaster recovery
Scalability and ability to support the changing needs
of the IT organization
While companies decide to approach a “Do-It-Yourself” Disaster Recovery solution to lower costs, take control of the technology, and have faster recovery speeds, the reality is quite different. The myths about DIY DR solutions show that companies that embrace this philosophy will face quite the opposite. In fact, research shows that those companies that switched from a DIY DR approach to a vendor-managed process or replaced their patchwork of products with an unified solution did so to leverage:
• Lower total cost of ownership • Single interface with the ability
to perform failover/failback and testing operations
• Assistance from the DR provider in transitioning and maintaining DR processes
It is clear that the initial attractiveness of do-it-yourself disaster recovery does not live up to expectations.
Although the DIY approach to disaster recovery and business continuity might seem attractive at first, piecemeal solutions based on a collection of “best of breed” solutions tend to be problematic, as well as difficult to administer. While integrated disaster recovery solutions - especially Recovery-as-a-Service alternatives - might seem more expensive than a piecemeal solution, it typically proves to be more cost effective in the long run because of reduced administrative costs, and because a consolidated
solution allows the administrator to avoid the problems that are so inherent in trying to force dissimilar products to work together.
800-715-2339 www.axcient.com
The Axcient Solution
Axcient’s Recovery-as-a-Service cloud eliminates data loss, keeps applications up and running, and makes sure that IT infrastructures never go down. Axcient replaces legacy backup, business continuity, disaster recovery and archiving products, with a single integrated platform that mirrors an entire business in the cloud, making it simple to restore data, failover applications, and virtualize servers or an entire office with a click. Thousands of businesses trust Axcient to keep their applications running and employees productive.
Learn more at www.axcient.com. axcient.com/facebook linkedin.com/company/axcient @Axcient IT Infrastructure and Full Of ce Virtualization Physical Server
