DISASTER RECOVERY

Disaster recovery is the process, policies and procedures of restoring operations critical
to the resumption of business, including regaining access to data (records, hardware,
software, etc.), communications (incoming, outgoing, toll-free, fax, etc.), workspace, and
other business processes after a natural or human-induced disaster.

To increase the opportunity for a successful recovery of valuable records, a well-

established and thoroughly tested disaster recovery plan must be developed. This task
requires the cooperation of a well-organized committee led by an experienced
chairperson. [1]

A disaster recovery plan (DRP) should also include plans for coping with the unexpected
or sudden loss of communications and/or key personnel, although these are not covered
in this article, the focus of which is data protection. Disaster recovery planning is part of
a larger process known as business continuity planning (BCP).

Introduction
As the disaster recovery market continues to undergo significant structural changes, the
shift presents opportunities for companies that specialize in business continuity planning
and offsite data protection.

With the rise of information technology and the reliance on business-critical information
the importance of protecting irreplaceable data has become a business priority in recent
years. This is especially evident in information technology, with most companies relying
on their computer systems as critical infrastructure in their business. As a result, most
companies are aware that they need to backup their digital information to limit data loss
and to aid data recovery.

Most large companies spend between 2% and 4% of their IT budget on disaster recovery
planning; this is intended to avoid larger losses. Of companies that had a major loss of
computerized data, 43% never reopen, 51% close within two years, and only 6% will
survive long-term.[2]

[edit] Disaster Recovery Strategies

Prior to selecting a Disaster Recovery strategy, the Disaster Recovery planner should
refer to their organization's business continuity plan which should indicate the key
metrics of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for
various business processes (such as the process to run payroll, generate an order, etc).
The metrics specified for the business processes must then be mapped to the underlying
IT systems and infrastructure that support those processes.

Pag. 1/5
Once the RTO and RPO metrics have been mapped to IT infrastructure, the DR planner
can determine the most suitable recovery strategy for each system. An important note
here however is that the business ultimately sets the IT budget and therefore the RTO and
RPO metrics need to fit with the available budget. While most business unit heads would
like zero data loss and zero time loss, the cost associated with that level of protection may
make the desired high availability solutions impractical.

The following is a list of the most common strategies for data protection.

• Backups made to tape and sent off-site at regular intervals (preferably daily)
• Backups made to disk on-site and automatically copied to off-site disk, or made
directly to off-site disk
• Replication of data to an off-site location, which overcomes the need to restore
the data (only the systems then need to be restored or synced). This generally
makes use of Storage Area Network (SAN) technology
• High availability systems which keep both the data and system replicated off-site,
enabling continuous access to systems and data

In many cases, an organization may elect to use an outsourced disaster recovery provider
to provide a stand-by site and systems rather than using their own remote facilities.

In addition to preparing for the need to recover systems, organizations must also
implement precautionary measures with an objective of preventing a disaster situation in
the first place. These may include some of the following:

• Local mirrors of systems and/or data and use of disk protection technology such
as RAID
• Surge Protectors — to minimize the effect of power surges on delicate electronic
equipment
• Uninterruptible Power Supply (UPS) and/or Backup Generator to keep systems
going in the event of a power failure
• Fire Preventions — more alarms, accessible fire extinguishers
• Anti-virus software and other security measures

Affording Disaster Recovery 

By Drew Robb

March 24, 2005: Disaster recovery solutions don't come cheap but, with a 
little planning and foresight, DR doesn't have to be an all or nothing 
proposition.

Pag. 2/5
How would you like to have your data center situated in a basement one floor below
six hot tubs, each containing 1,000 gallons of water? And to make matters worse,
you don't have any fail-over site in the event of a disaster?

That is the situation facing Jeffrey Pelot, CTO at Denver Health and Medical Center.

"An actual failure at our main site served to highlight the problems inherent in having
no disaster recovery infrastructure," said Pelot.

The hospital is now planning to add a nearby disaster recovery (DR) facility so that it
can duplicate its various configurations at another completely separate campus
location.

It will utilize snapshot, remote IP copy and replication technologies to accomplish

this. But all that takes money and the hospital doesn't have enough in the 2005
budget to cover it.

"We've had to push our DR spending plans into 2006," said Pelot.

Finding a Way

So how do you afford expensive DR projects in the face of tight budgets and a dozen
other vital projects vying for priority? One way to cut costs is by prioritization of the
data that needs to be fully protected.

Chip Nickolett, a DR specialist from Comprehensive Solutions, a DR consultancy,

suggests evaluating systems, data, infrastructure and business operations in terms
of categories of DR protection based on specific business requirements.

For example, Tier 1 might be "recover within 24 hours", Tier 2 might be "recover
within 72 hours", and Tier 3 might be "recover within 10 business days."

"It's all a question of how much data can be lost from the point of the disaster going
backwards," said Nickolett.

Take the case of The Members Group, an Iowa-based company that provides card
processing and mortgage services for credit unions. The company is implementing an
IP SAN by StoneFly Networks for its DR set up.

It has a primary site in Des Moines, Iowa and replicates its data to another site in
Minneapolis. As it didn't have the money to build its own redundant data center, it
kept costs down by renting space for its hardware at a network services provider.

According to Jeff Russell, Members Group CIO, this proved to be the make/break
point of being able to implement its DR technology.

"Having our systems hosted remotely saves us about one third of the total costs of
implementing a DR solution," said Russell. "Renting made the project possible."

Pag. 3/5
But even then, the company can't yet afford to hook up all of its 60 servers to the IP
SAN. Therefore, it has prioritized its applications so that only 25 servers need be
hooked into the StoneFly DR system.

"From a business standpoint, we decided that those servers that aren't required to
run critical business applications would not be on the IP SAN," said Russell. "We also
went through the business requirements of our applications to determine which ones
have to be protected in real time, which need to be up within four hours, and others
we can afford to have down for as long as eight hours."

Slow Adoption

While the events of September 11and the 2003 New York City blackout have
prompted some firms to invest more heavily in DR, the overall numbers are
surprisingly unimpressive.

It would appear that the harsh realities of the current economic climate have largely
curtailed the anticipated rise in spending.

"We see DR spending going down slightly, but spending in high-availability is going
up," said Roberta Witty, an analyst with Gartner.

According to Gartner, DR spending did accelerate in 2002, especially in the

mainframe arena. In the past two years, though, mainframe DR budgeting has been
slashed, canceling out the up-tick in high availability spending for the Windows,
Linux and UNIX platforms.

But, Michael Croy, director of business continuity solutions at Chicago-based IT

consultancy and infrastructure firm Forsythe Technology, said that trend seems to be
turning around and purse strings are loosening on certain platforms.

"I have seen a three-to-five percent increase in DR technology spending," said Croy.

Witty believes that part of the weakness in spending is that DR being regarded as
purely IT function. Actually, the subject belongs to senior management and falls
under the broader category of business continuity. Yet IT tends to either hold onto
the function or is saddled with it.

"It is vital to have senior management sponsorship for DR planning," said Witty.

Without top management involvement, the budgetary realities of DR are often

greatly under-estimated.

The IT folks at Deutsche Borse AG, the German exchange for stocks and derivatives,
for example, only focused on the thousands of technical details of their OpenVMS-
based cluster over two sites situated five kilometers apart.

What came after was a rude awakening -- the financial side of the DR equation
required just as much planning and detail as the technical side.

Pag. 4/5
"As well as the technical details, you have to plan the financial things in the same
depth," said Michael Gruth, head of systems and network management at Deutsche.
"There is no getting around the fact that whatever you do, it is going to be
expensive."

Insurance Policy

Part of the problem may be that DR spending is still viewed as an expense.

When it has to queue up beside other technology projects, it is likely to lose out to
higher ROI or mission-critical deployments. But with requirements like Sarbanes-
Oxley (SOX) and HIPAA (Heath Insurance Portability and Accountability Act) now
being enforced, it is becoming a requirement for companies to be able to protect
data and guarantee its accuracy and integrity.

And that can give DR PO's more leverage in the enterprise, particularly in public
companies.

Interestingly, the legislative attention on privacy and records has raised the profile of
the subject so much that it is quite common for a company's DR practices to be
placed under the microscope by a potential customer during a due diligence review.

The Members Group IT department, for example, found itself under increasing
scrutiny from management and customers with regard to DR.

"When we analyzed our business requirements closely, we found our old DR practices
to be inadequate," said Russell. "We realized the risk to the business and had senior
management buy-in from the early stages."

When placed in this context the focus on doing things right often outweighs a budget
target.

"We suggest to our clients that they view the cost of DR planning as insurance," said
Nickolett. "In most cases the cost of being prepared for a disaster is less than the
cost of being unprepared for a disaster."

Pag. 5/5