Simon Johnson, data recovery practice lead at GlassHouse Technologies (UK), discusses the key disaster recovery planning (DR planning) options for small and medium-sized enterprises (SMEs), and whether it's best to provide disaster recovery in-house or via a service provider. You can listen to the podcast as an MP3 or read the...
Disaster recovery planning for an SME company
SearchStorage.co.UK: What are the key disaster recovery options for SMEs?
Johnson: There are a number of key disaster recovery options for SMEs that go beyond the traditional nightly backups and shipping tapes off-site to a third-party holding or secondary site.
These start off with full management and delivery of disaster recovery in-house. We see this typically with a secondary site linked by an IP or Fibre Channel (FC) communications network and backups running cross-site or some sort of replication occurring.
The second option is to rent or lease data centre space from a hosting provider but to retain the management of that infrastructure internally; these are referred to as colocation sites. In this option IT still owns and manages the IT infrastructure but leases the data centre space against the commercial model agreed. Many hosting providers are starting to offer ancillary services around this which begin to approach the services offered by full service providers.
The third option is full service provision. Here, the organisation rents data centre space but in this case it's a facilitated environment where the hosting provider has contractual management terms and service-level agreements [SLAs] in place. These can be offered as cold, warm or hot standby sites. Cold is where the infrastructure is not in place but will be according to a specified time metric. Warm is where the infrastructure is in place and is ready to have the most recent data loaded onto it. Hot standby is where you're running an active-active application or set of data and you can switch over and run production services from there very quickly. These run right through to full managed disaster recovery planning services from third-party vendors.
Finally, we're seeing a trend in the market toward software-as-a-service (SaaS) and cloud services around disaster recovery and this is where service providers are offering the full management -- and optionally ownership of infrastructure -- with disaster recovery delivered as a service on a utility model. If you're familiar with cloud from a storage or software perspective, this is the extension of those services into disaster recovery planning where you agree to your SLAs and you pay for it against those metrics.
SearchStorage.co.UK: What are the challenges for SMEs of developing in-house disaster recovery provisioning?
Johnson: A key benefit is that the knowledge of your systems is held in-house. The people that understand that data and the criticality of it are your operations staff, and they're best skilled to rebuild it as they know the systems and the people that use them and how they use them. You retain as part of that the disaster recovery skills to maintain and control the organisation effectively internally. You don't have any dependency to manage internally on third parties. As part of this, you have control over costs and you can maintain data integrity.
Going in-house you don't have third parties accessing data which could be highly sensitive. There may also be connotations from a public relations or legal perspective from a third party potentially having access to data hosted in their data centres.
There's potential when managing disaster recovery in-house to have great flexibility. You can change the service level you have around a specific application according to its criticality. As businesses grow and change, the flex and criticality of applications moves with that; managing internally means you can change application service levels as your business grows. Disaster recovery planning services evolve as your organisation evolves, and during disaster recovery testing you'll learn a huge amount about your applications, data and infrastructure, and this is knowledge which will benefit business-as-usual (BAU) activities.
The challenges mirror the benefits. Maintaining the skillsets needed is a huge challenge. Disaster recovery is a fairly specific set of skills. It's different from BAU activities and it's a huge challenge for staff to retain those skills if they're only testing or using them once every quarter, six months or annually depending on your testing cycle.
The cost of maintaining disaster recovery infrastructure and a disaster recovery site can be significant for what is ultimately an insurance policy you hope you won't have to use. Testing disaster recovery is hugely complex if you're managing in-house. Where do you test it, how do you test it? You need to isolate the environment and have your skilled staff around to test the disaster recovery service and recoverability. So that's intensive in terms of both time and expense. And you'll be taking those staff away from BAU activities so you'll need to backfill those.
There's a huge challenge internally to understand business impact analysis and the criticality and interdependency around your applications. Finally, you need to know what disaster recovery challenge you're protecting yourself against: is it flood, quarantine zones, malicious corruption? There are lots of disaster recovery scenarios to protect against, and to manage them internally you need to be very clear what they are so you can manage provision against those.
SearchStorage.co.UK: What are the benefits and challenges for SMEs of using service providers for disaster recovery?
Johnson: A major attraction of outsourcing any kind of service is cost reduction. Service providers and software-as-a-service can offer great flexibility around capacity and provisioning, so if you're not in a position where you can capacity plan or forecast, you have flexibility around the models provided to keep costs at a minimum and pay on a per-use model. Building disaster recovery provision has historically been a very expensive proposition with significant investments in capital equipment required. While technologies like virtualisation have cut upfront costs and complexity around disaster recovery, the outsourced model can also take advantage of these to further lower costs.
There are benefits where the capital outlay that was required to provide disaster recovery infrastructure can now be moved to an operational budget, so you can move your budgets around, which is highly beneficial to some organisations.
You reduce internal disaster recovery skills requirements and the need to maintain those skills, and you can leverage third-party expertise from service provider models, people who work with disaster recovery environments and can bring that expertise as and when you need it. You can remove the downside of capacity planning by moving to a utility model so you're not tied into accurately forecasting, but that model, if correctly negotiated, can flex as your business demands it.
The challenge of moving to a service provider is understanding what you need from a disaster recovery scenario and how much you want to pay for it. To do that you need to know what it's costing you now to deliver disaster recovery, if indeed you are delivering disaster recovery at all, and what service levels your applications need to match. You need to have a good understanding of business impact analysis and interdependency groups so that when you go and have a conversation with the service provider you know what you're asking for: what RPOs and RTOs are there? What disaster recovery scenarios are you protecting against? There's no point using a service provider who may be affected by the same disaster recovery scenarios you're protecting against. The service provider needs to have a good understanding of how your business model operates.
What type of outsourcing agreement are you trying to negotiate? Do you want total third-party support or are you trying to maintain expertise internally also? What locations interest you and what services do you expect the vendor to provide? Also, what are the risks of outsourcing disaster recovery provision and possible access to your data? Do you have legal compliance issues that may bring complications?
These are all challenges in understanding the nature of the disaster recovery service you need to have and how much you want to pay for it to ascertain whether outsourcing of these services is feasible or not. From that you need to understand which vendors are actually qualified and can deliver the capability they say they can.
SMEs can take advantage of disaster recovery as a service; however, they need to be very clear about their requirements and internal delivery costs before evaluating third-party offerings. Get that planning right and you could have a highly beneficial outsourced disaster recovery service. Get it wrong and you'll find yourself tied into a contract and overpaying for a misaligned service that you can't necessarily get out of immediately.