DR - Business Continuity Strategies

A P R I L 2 0 1 1 VO LU M E 7
Enterprise CIODecisions
Guiding technology decision makers in the enterprise
INSIDE An Explosion of BC and DR Hospital Cures its BC/DR Woes Cloud DR and BC Can Save Your Business Mobile Device DR: The Next Frontier Piggyback DR onto Virtualization When You're Not Quite Ready for DR The Weakest Link
ENTERPRISE CIO DECISIONS APRIL 2011
Business Continuity and Disaster Recovery Strategies

CIOs are finding that effective BC and DR plans hinge on an understanding of emerging technologies and confidence in their supply chains.
E 1
EDITORS LETTER
Avoid a Recipe for Disaster

HOME
THERE SEEMS TO
EDITORS LETTER
UP FRONT
CLOUD DR AND BC CAN SAVE YOUR BUSINESS
MOBILE DEVICE DR: THE NEXT FRONTIER
PIGGYBACK DR ONTO VIRTUALIZATION
WHEN YOURE NOT QUITE READY FOR DR
THE WEAKEST LINK
be no end to risks and contingencies that need to be accounted for in disaster recovery (DR) and business continuity (BC) planning. The good news is that the options available to DR and BC planners continue to grow, as we explore in this edition of Enterprise CIO Decisions Ezine. For instance, European executives are looking for ways to plan for DR and BC in their supply chainsnormally areas that wouldnt be considered top priority but should in fact be top of mind if getting products and services to market without disruption is your goal. Other complexities are emerging as IT executives consider the terabytes of data, corporate secrets and access points into networks that exist on iPhones, iPads, BlackBerrys and Android devicesmany of which are being brought into the enterprise as personal devices. Are these devices supposed to be treated as company property? The cloud has become an essential place to turn for DR and BC options, but not everyone is sold. Its all about quality, not about lowcost services anymore, said Lalitendu Panda, global CIO of D&M Hold-
ings Inc. Interruption of service is an issue. You have no control over what else is running on the cloud that could degrade performance. But savvy IT managers are looking at the cloud and virtualization anyway as a necessary next step in DR and BC planning. DR is a cost like insurance, said Greg Schulz, founder and senior advisor to The Server and StorageIO Group. Typically, you get nothing back. With BC, you can actually use it to leverage that ability for load balancing and better infrastructure resource management. Whatever your needs or technology of choice, DR and BC planning needs to become part of the fabric of running the business. Even security needs to be part of contingency planning. Worms and other threats are getting smarter every day, and they are getting closer and closer to vital systems that, if corrupted, would indeed become a disaster for many companies. I
SCOT PETERSEN
Editorial Director CIO/IT Strategy Media spetersen@techtarget .com
server rooms that require GPs NaviGatioN.
soLveD.
We get that virtualization can drive a better ROI. Highly certified by Microsoft, VMware, HP and others, we can evaluate, design and implement the right solution for you.
Well get you out of this mess at CDW.com/virtualization
2011 CDW LLC. CDW, CDWG and PeOPLe WHO Get It are trademarks of CDW LLC.
1
UF
NEWS, VIEWS AND REVIEWS FOR SENIOR TECHNOLOGY MANAGERS
HOME
UpFront
News, views and reviews for senior technology managers
ON THE J OB
EDITORS LETTER
UP FRONT
an explosion of bc and dr
an explosives maker founded in 1833, blasted through a virtualization project this past year to find a new idea for its business continuity and disaster recovery planningmaking its Cleveland headquarters the hot site for its three remote data centers. Unlike the way they reacted to an initiative to upgrade to T1 lines four years earlier, Austin Powders computer users didnt see the benefits of virtualizationbut Chris Benco, network administrator, sure did. We started playing with virtualization because it was an emerging technology, he said. In hindsight, it saved us money and we gained flexibility. Adventurous virtualized architectures like Austin Powders are inAUSTIN POWDER CO.,
THE WEAKEST LINK
creasing in popularity, according to experts. The concept of virtualization absolutely affects business continuity and disaster recovery planning, producing a fundamental change in the architecture of IT, said Dick Csaplar, senior research analyst for virtualization and storage at Aberdeen Group Inc., a research firm in Boston. The ease with which virtual servers can be imaged and replicated to servers at remote locations provides an additional level of security, he wrote in a report about offsite storage. With disaster recovery (DR), the mind-set has been to rebuild and restore using shared storage in a virtualized environment. This way, the IT staff can proactively fail over. During hurricane season on the Carolina coast, for example, a workload could be moved swiftly to a host hundreds of miles away. DR is a cost like insurance, said
1
UF
HOME
EDITORS LETTER
UP FRONT
Greg Schulz, founder and senior advisor to The Server and StorageIO Group, an IT consultancy in Stillwater, Minn. Typically, you get nothing back. With BC, you can actually use it to leverage that ability for load balancing and better infrastructure resource management. Austin Powder chose Melville, N.Y.-based FalconStor Software Inc.s Network Storage Server (NSS) as its primary storage area network solution. The company runs two FalconStor NSS appliances in its Hyper-V environment for better local availability and to eliminate a single point of failure, Benco said. The shared storage helps a lot in a virtualized environment, he added, making it easier to clone servers and move workloads on the fly among the hosts for maintenance or disaster recovery. The NSS virtual appliances enable remote data replication by taking snapshots of the database and replicating only changes to lessen demand for bandwidth. The danger with using snapshots, according to
Aberdeens Csaplar, is that you may lose some data between the time of a crash and the last picture taken. You could develop a problem 10 minutes before the end of a two-hour
DR is a cost like insurance. Typically, you get nothing back.GREG SCHULZ

snapshot cycle, for example, and lose that one hour and 50 minutes. Chi Corp., a FalconStor channel partner headquartered in Cleveland, helped integrate the NSS appliances and Symantec Corp.s Backup Exec to provide backup and disaster recovery for all business-critical applications, including Sybase Inc. and Microsoft SQL Server databases and email. Austin Powders business continuity and disaster recovery planning also includes a traditional disaster recovery partnership with SunGard Data Systems Inc. for an AS/400 server. LAURA SMITH
THE WEAKEST LINK
BY T H E N U M B E R S
82
the most significant network disruptions in U.S. businesses that could be reduced or avoided by implementing the measures in any comprehensive disaster recovery and business continuity plan. Its also the percentage of businesses that said, prior to the disruption, that they had confidence in their IT resources in the event of a disruption.
THE PERCENTAGE OF
SOURCE: CDW LLC SURVEY OF 200 MANAGERS AT MEDIUM-SIZED AND LARGE BUSINESSES, SEPTEMBER 2010.
1
UF
ONE ON ONE
hospital cures its bc/dr woes

NAME: Jeff Bell
HOME
TITLE: Chief operating officer TIME IN THIS ROLE: Two years
EDITORS LETTER
UP FRONT
Sisters of Mercy Health System HEADQUARTERS: St. Louis EMPLOYEES: More than 36,000
COMPANY:
THE WEAKEST LINK
Mercy Health System in St. Louis is among the 3% of U.S. health care organizations that have an integrated electronic health record (EHR) system for real-time, paperless access to patient information. The 11 largest hospitals in Mercys network of 28 hospitals across Arkansas, Kansas, Missouri and Oklahoma are already using the EHR system, and the others are coming on fast. To achieve this single record of truth, Mercy consolidated seven major data centers and a dozen minor ones down to three, then built a new $60 million data center in Washington, Mo. The new data centers fully duplicated architecture with backups for power, cooling and network connectivityenables IT to maintain and update systems without bringing the whole building down, according to Jeff Bell, Mercys chief operating officer. The facility can operate up to 72 hours in the case of an electrical power outage;
SISTERS OF
JEFF BELL
network bandwidth and processing power can be added as needs arise. During the 18-month project, Mercys IT department consolidated the three remaining older data centers into one in Sunset Hills, Mo., which now serves as a backup site for Washington, in case of an epic physical disaster. (The data center in Washington is built to withstand an F2 tornado.)
Was backup and business continuity a main driver in your decision to build a new data center? The project was a huge enabler for our BC/DR [business continuity/ disaster recovery] strategy. Efficiency and a single data center with high-availability attributes are needed in the electronic medical records
1
UF
HOME
EDITORS LETTER
UP FRONT
world. When the record is electronic, dependence on the computer systems goes up many folds. The chart is the legal record that all the caregivers work off of. In the past, computer systems in the background did workflow management like routing orders, but [this workflow didnt contain] the medical record. Now that computers contain the record, they have to be up all the time. Thats why we built a new data center.
servers, a tremendous accomplishment. We have some servers with as many as 70 different virtual instances. But the whole attraction to the cloud is you buy as you go. We have software to tell us how much each of the [internal] cus-
What new technology and architecture did you deploy in the new data center? The main attributes are a lot of redundancies. We have two generators instead of one; two utility feeds from the power generation plant; all of the chillers, backup UPStwo of everything. If you look at the mechanical cross section, its a mirror image. Anything we have to maintain at [the older] Sunset Hills facilityrepair the chiller, for examplewe take the building down. In Washington, we just take down half the building.
Our strategy is to be the cloud. We have virtualized 95% of Windows servers But the whole attraction to the cloud is you buy as you go.
tomers is using. Some servers are idle, except for nightly batch work, which leaves the rest of the resource available for other apps. Its really neat to watch. We meter it with software and can charge back, though were not doing that at this point. As we potentially take on external customers and chargeback, then it will be a hybrid cloud.
THE WEAKEST LINK
Are you using any public cloud services or community clouds? Private cloud? We have considered the public cloud, but its not our strategy. Our strategy is to be the cloud. We have virtualized 95% of Windows
How important were green initiatives in designing the new data center? Sisters of Mercy has a strong consideration toward stewardship of the planet, but theres also a very strong business reason [for going
HOME
EDITORS LETTER
UP FRONT
green]. Using high-efficiency chillers and the European power distribution standard saved us a great deal. Theres one fewer set of transformers between the power company and the load. Every time you run electricity through a transformer, you lose efficiency. You can save 5%, which is a lot when youre spending millions a year. For every kilowatt on the floor, most organizations spend another kilowatt to cool the building, for a ratio of 1:1. Our ratio is :1. Weve raised the temperature of our chilled water loop to avoid hot spots. In years past, it was almost frigid in thereyou had to put on a coat because hotter areas of servers demanded more cooling. In-row coolers are extremely efficient at keeping everything the same temperature. They dont cool things down so much as neutralize hot air. We gained a lot of efficiency there as well: pick up 5% here and
10% there, [for an] overall 50% reduction in electricity. We used UPSes from American Power Conversion Corp. by Schneider Electric,
For every kilowatt on the floor, most organizations spend another kilowatt to cool the building, for a ratio of 1:1. Our ratio is :1.
and worked closely with them on the fundamental design. The data center was designed to be compliant with Leadership in Energy and Environmental Design, the standard for green-building design. All of the 255 tons of steel used, for example, came from recycled sources.
LAURA SMITH
ON THE AGENDA
DR AND BC TOP OF MIND FOR IT LEADERS

THE WEAKEST LINK
survey last year of 2,803 IT decision makers, improving their business continuity and disaster recovery is the No. 1 priority for small and medium-sized businesses and the No. 2 priority for enterprises during the next 12 months. Six percent of IT operating and capital budgets goes toward business continuity and disaster recovery, and only 11% of the enterprises said their budget in these areas would decrease this year.
ACCORDING TO A
SOURCE: GLOBAL IT BUDGETS, PRIORITIES, AND EMERGING TECHNOLOGY TRACKING SURVEY Q2 2010, FORRESTER INC.
Cloud DR and BC can

HOME EDITORS LETTER
UP FRONT
save
your business
For example, disaster recovery and business continuity planning is a lot easier now than it was just a few years ago. In the old days (you know, a few years ago), if you wanted a cold, warm or hot site, you had to build it yourself. And justifying such an investment was always a challenge. I found it difficult, even with a generous board of directors, to convince people to spend money on something we hoped we would never have to use. But now, with cloud-based solutions, we can leverage the work of others as well as the existing infrastructure to reduce implementation time and costs. This, combined with effective planning and analysis, makes disasENTERPRISE CIO DECISIONS APRIL 2011
Cloud-based solutions, combined with effective planning and risk analysis, can take much of the pain out of disaster recovery and business continuity planning. BY NIEL NICKOLAISEN
THE WEAKEST LINK
seems things cant get any worse, they get better. An architect at a very large technology provider recently told me that the cloud was making it easier for vendors to bypass the CIO. In doing so, a salesperson can pitch the vice president of marketing on buying his cloud-based solutions andmaybe the best part for the vendornot have to involve IT in the selection, implementation or support processes. For this and other reasons, we might think that the cloud makes things worse. But from my perspective, the availability of cloud-based solutions can also make things much better.
JUST WHEN IT
10
HOME
EDITORS LETTER
UP FRONT
THE WEAKEST LINK
ter recovery (DR) and business continuity (BC) significantly easier. Let me explain my approach. DR and BC begin with a risk analysis. The risks run the gamut from natural to man-made disasters. Potential natural disasters vary by location but include events such as storms, earthquakes, fires and floods. The man-made disasters range from disgruntled employees (typically any member of my staff) to accidents (somebody crashes into the electrical utility transformer down the street, knocking out electrical service) to bone-headedness (the system administrator pushes the wrong button and shuts off the data center cooling and then walks away, not realizing what he just did). Next, I like to define the likelihood and impact of the disasters. For instance, how likely is a forest fire at my data center? Since my data center sits closer to a desert than a forest, not very likely. How likely is a power outage? Given the potential for heavy winter storms in my area, my plans typically anticipate power outages. After assessing the risks, I then define plans for mitigating the risks. How to deal with my power outage risk? Backup power. How to deal with bone-headedness? Error-proof my data center and IT processes. How to deal with potential natural disasters? For me, that mitigation now resides in the cloud.
My cloud-based DR and BC plans include one more critical step: systems stratification. One of my favorite practices is to segregate systems into A, B and C categories. Category A systems are those that, if they are down for a few minutes or a few hours, put the business at risk. Category B systems can be down for a few hours or days until the business is at risk. Category C systems can be down for a long time before anyone outside IT notices. This stratification is the foundation for service-level agreements, as well as for DR and BC. I worry about cold, warm or hot sites for A systems. I invest in redundancy for A systems. My risk assessment is focused on risks to my A systems. For example, if I am operating a customer call center and the phone system goes down, I cant process orders. So, the phone system is categorized as an A system, but not the entire phone system, just the phones that support customer calls. Just a few years ago, I would have to worry about how to create an offsite backup call center. With the availability of cloud phone services, my life got a whole lot easier. Well, its easier as long as I remember which systemsnamely those in Category Arequire this level of attention. I
Niel Nickolaisen is CIO and vice president of strategic planning at Headwaters Inc. in South Jordan, Utah. Write to him at nnick@headwaters.com or editor@searchcio.com.
11
HOME
EDITORS LETTER
UP FRONT
Mobile DeviceDR: The next frontier

Lulled by mobile devices synced back to centralized servers, CIOs havent given much thought to IT disaster recovery plans for mobile computing. That needs to change. BY LINDA TUCCI
AFTER YEARS OF
THE WEAKEST LINK
managing mobile devices that are synced to centralized servers and governed by company policy, many CIOs dont worry much about IT disaster recovery and business continuity plans for mobile devices. Those days are overor will be soon. The proliferation and everincreasing diversity of workplace mobile devicescompany-issued and employee-ownedwill push CIOs to reconsider their disaster recovery (DR) and business continuity (BC) plans, experts say. Reducing the risks associated with workplace mobility will also drive
technology purchases, from mobile device management (MDM) tools to desktop virtualization. Executives are dragging documents through iTunes and onto their iPads. They are editing them with something like Quickoffice or Documents To Go, or Apples Keynote and Pages products. The documents are being modified and shared, and the data stores completely cacheforwarded out there into the field; nobody is thinking about how to get them back, said Bill French, a Denver-based IT consultant and software developer. So, the cart is definitely in front of the horse on this one for most organizations.
12
HOME
EDITORS LETTER
UP FRONT
THE WEAKEST LINK
Mobility in the workplace is a top concern for CIOs, with good reason. An average 44% of employees carry a company-owned mobile device, according to The Nemertes Research Group Inc.s latest Benchmark, an annual study of more than 200 organizations spanning 18 vertical industries. That number is projected to rise to 70% by 2012. Moreover, at 11% of the organizations studied, employees rely 100% on smart devices for communications and thats just the companyissued devices. Add to this new reality the growing trend of allowing employees to use their own smart devices, and suddenly mobility is not only a Tier 1 service for IT departments, but also wildly out of IT departments control. Now you have the risk of corporate data leaking out into the personal side of the device. And if you do implement backup and recovery for the smartphone, what do you do when it is a personal device? said Ted Ritter, senior research analyst at The Nemertes Research Group Inc. in Mokena, Ill. The employee certainly doesnt want you to back up their personal data to the corporate server. Companies that have dealt effectively with this conundrum work with their lawyers to craft an acceptable-use policy for employees to sign; thats a legal process that can take as long as a year, Ritter said. Such policies typically state
that if a company needs to wipe the device clean or confiscate it for reasons of e-discovery or an employee action, it has the right to do so, even with employee-owned devices, he said. But these policies dont fly in Europe, where personal data privacy laws are stronger.
DR IN THE AGE OF MOBILITY
So far, however, mobile devices are not really factoring into a CIOs DR and BC strategy, experts say. We dont have any real data on mobile devices and disaster recovery, because it is an area that no one is paying attention to, Ritter said. We are not seeing people thinking it through to the step where they recognize that these devices are becoming walking computers. A disaster recovery plan for mobile devices is not on most CIOs radars, French said. I dont think too much about mobile devices and DR, because CIOs are not worrying about it, he said. The same goes for players in the fast-growing MDM market. The intersection of DR and mobile hasnt yet been a big topic I have heard from enterprise customers, although I think it is right around the corner, said Bob Tinker, president and CEO of Mountain View, Calif.-based MobileIron Inc. The mobile industry tends to focus on the device rather than on the management and security of the
13
applications on the smartphone, Tinker said. The key thing for CIOs is that its not about the deviceits about the data.
HOME
TOP-DOWN MOBILE MANAGEMENT A RELIC
EDITORS LETTER
UP FRONT
THE WEAKEST LINK
The lack of awareness is understandable. When company-issued laptops, BlackBerrys and yesterdays cell phones represented the bulk of mobile devices in use at companies, CIOs could confidently say that DR and BC for their mobile arsenals was no big dealprovided, of course, that they had solid plans. Research In Motion Ltd. offered decent DR with its BlackBerry Enterprise Server. With other so-called ruggedized devices (a Windows phone, for instance), the data typically was synced to some centralized server. When a cell phone got lost or stolen, it didnt matter much, except for the pain of re-keying in phone contacts. Not so long ago, when the issue of DR and mobile devices came up, the conversation was assumed to be about how organizations could take advantage of employee cell phones and the handful of executive not-sosmartphones to instruct and inform personnel in the event of a disaster. The advent of the iPad and other mobile devices that can not only access data but also be used to generate and store data means that DR plans now have to consider them as endpoints.
Consider the caseload of Atlantabased MDM vendor AirWatch LLC, which supports the spectrum of mobile platforms, from the Apple iOS to Symbian. In January alone, the company worked on three cases involving business executives losing personal iPads that held sensitive corporate data and lacked the security software to wipe it clean. One iPad, left behind by a CEO in a backseat pocket on an airplane, contained notes on a top-secret acquisition. This is not a classic example of disaster recovery, where a catastrophe brings down a data center. But let me tell you: This is a disaster that has to be dealt with, said AirWatch Chairman Alan Dabbiere.
MOBILITY DRIVING DESKTOP VIRTUALIZATION
One of the ways companies are dealing with DR and BC for mobile devices is by investing heavily in desktop virtualization, Nemertes Researchs Ritter said. You can still get to the desktop and even edit a Word doc on the device but, technically, all of that is going on in the data center. The device is only a remote client. Another approach is focusing on secure containers, products offered by such MDM vendors as AirWatch, Good Technology Inc. and BoxTone Inc. that address the security issues posed by errant iPads. This is not disaster recovery in
14
HOME
EDITORS LETTER
UP FRONT
THE WEAKEST LINK
the way we usually talk about it, but security. Security is the biggest risk factor in deciding which mobile devices to allow onto the corporate network, Ritter said. Rather than focusing on trying to back up mobile devices, what we have seen organizations do is restrict the amount of data that can be downloaded as much as possible, Ritter said. So, if the device supports Microsofts ActiveSync, for example, the employee can access email but will be blocked from SharePoint and other servers holding corporate data, he said. That is pretty much the approach taken by Malvern, Pa.-based investment firm The Vanguard Group Inc., said Abha Kumar, its principal for IT. Employees are given the option of using a company-issued BlackBerry or the smartphone of their choice. Nothing is stored on the personal device, Kumar said. We provide a pipe [using software from Good Technology] into our email and calendar at this point, so the device is secure from that point of view, she said. There might be something on the cache that holds data, but as soon as we find that a person has lost the device, we can zap the application. With their company-provided BlackBerry, Vanguard crew members (as they are called) can access their work email, calendars and some business applications, such as
Vanguards Siebel customer relationship management application and the company intranet. If a crew member submits an expense report, I can approve it on my BlackBerry, Kumar said. Being a regulated business where security is paramount, client data is off-limits to mobile devices. Vanguard client service reps, who routinely deal with client information, do not have BlackBerrys because Vanguard does not want client information to go outside its four walls. So, even as we talk about new technologies and being more flexible and being more mobile, the thing we protect above all is client information, Kumar said. Brownlee Thomas, a principal analyst at Cambridge, Mass.-based Forrester Research Inc., agrees that most companies do not have a formal mobility policy, never mind a disaster recovery plan for mobile devices. They have lots of policies because mobile, fortunately or unfortunately, is not a centralized provisioning at most companies. It is either provisioned at the division level or through corporate procurement, the same people buying and dispensing your staplers, Thomas said. The CIO doesnt necessarily have a lot of control. I
Linda Tucci is senior news writer for SearchCIO.com. Write to her at ltucci@techtarget.com.
15
HOME
EDITORS LETTER
UP FRONT
Piggyback DR onto Virtualization

Virtualization is not a cure-all for disaster recovery, but it does simplify DR planning and procedures and can save money, to boot. BY CHRISTINA TORODE
RARELY DOES A
THE WEAKEST LINK
disaster recovery plan appear high on the list of priority IT budget items, and sometimes it doesnt make it onto the list at all. More often, IT executives piggyback disaster recovery (DR) planning onto a data center consolidation project or, as Irving, Texas-based Christus Health did, a desktop virtualization project. Server and desktop virtualization projects are under way at Christus Health to meet business goals that range from more flexible access to data and less power consumption to electronic health care regulations and disaster recovery planning. We were hit by hurricanes that caused major outages in our organization. Now were building a client
computing model that allows a physician at a hospital that went down to pick up a satellite phone, or whatever is at hand, and get immediate access back to our infrastructure, said Todd Bruni, director of client computing services and configuration management at Christus Health, a health care company with 30,000 employees and 40 hospitals and affiliated facilities. If a hospital loses power, employees or physicians remain tethered to the companys primary or backup DR facility because Brunis team has been steadily virtualizing all client devices using virtualization technologies from Citrix Systems Inc. The first phase of the project was
16
HOME
EDITORS LETTER
UP FRONT
THE WEAKEST LINK
the introduction of Citrix-based server-based computing to host applications in the data center. The second phase was moving about 10% of the application portfolio (which covered approximately 50% of employees data needs) off desktops and into the data centerusing thin clients as the front end and Terminal Services on the back end. The stage under way now is the buildout of a virtual desktop infrastructure (VDI) for more complicated clinical scenarios, such as access to medical records and back-end financial systems. These are solutions that were not well built or intended for a serverbased computing model or Terminal Services, so we needed VDI, Bruni said. Virtualization by no means replaces a full-fledged disaster recovery planChristus Healths data is replicated in hot, hot scenarios between its primary and secondary disaster recovery facilitiesbut virtualization simplifies real-time replication and data portability. Virtualization is making it possible for our client services to be portable in case of a disaster, Bruni said. All you need is an agent on any client device, and some type of Internet access. A core business app running on a virtual server infrastructure allows for portability and replication that we wouldnt have had with dedicated physical systems, Bruni said.
COSTS AND BENEFITS OF VDI
A VDI is costly, however, as Chelo Picardal, chief technology officer for the city of Bellevue, Wash., found when she started investigating desktop virtualization for 1,500 employees in 13 departments. Server virtualization was an easy sell because youre replacing the cost of buying physical servers anyway, she said. With virtual desktops, you still have to buy PCs for people, but now you also have to buy the virtualization software and invest in an infrastructure that will hold all the data that used to be on the desktops. Where is that funding going to come from? Picardal does not see desktop virtualization as benefiting the citys DR strategy but views it instead as an efficiency play for the IT department. You can give remote workers access to their data, but we are looking at it more as an efficiency gain in terms of maintenance. Ask her about the DR benefits of server virtualization, on the other hand, and Picardal has a checklist readily available:
I
Workloads are easily portable from the primary to the secondary DR site, and users experience no downtime. Virtualization eliminates the need to buy double the hardware to replicate physical servers between the two facilities. This reduces
17
costs as well as drift and hardware compatibility problems among the primary and secondary facilities. That, in turn, reduces downtime.
I HOME
EDITORS LETTER
Applications that need to be highly available remain that way when a failover to an alternate site occurs.
UP FRONT
THE WEAKEST LINK
When you think about high availability, the VM [virtual machine] becomes the point that fails over, said Chris Wolf, an analyst at Stamford, Conn.-based research firm Gartner Inc. Thats a really big deal because, traditionally, enterprise IT could cluster only a small percentage of apps for high availability because that type of architecture had to be written into the apps. Whereas, with virtualization, any application can be made highly available and resilient to hardware failure. Above all, however, Picardal can guarantee her performance servicelevel agreements (SLAs). For a long time, there were a lot of things we couldnt promise that the customer really wanted. The best we could do is get them back up maybe in a halfhour in a disaster scenario. Now, with server virtualization, unless the entire [data center] facility goes down, the customers dont even notice it. With the citys VMware Inc. server virtualization technology tied to its storage area network, which has
deduplication, you can get really close to or exceed what the customer needs, Picardal said. Let the customer drive your DR needs, and youll find that virtualization really allows you to meet those needs fairly easily. The citys public-facing applications, which have a high-availability SLA, can be backed up and returned to service with minimal downtime as a result of virtualization. That was the case when one of the citys websites was defaced, Picardal said.
DR TESTING MADE EASY
Testing a DR plan is perhaps one of the most painful tasks an enterprise IT department faces. The process is so complicated and demoralizing that some workers have been reduced to just reading the DR plans documentation and checking a box stating they are prepared for a disaster, Wolf said. Ive seen companies just quit testing disaster recovery because it was bad for morale. They would run into so many problems trying to recover data, application and hardware in the DR facility because the hardware wasnt an exact match; and it would often take the IT staff days to get through the DR exercise, Wolf said. Virtual machines, however, remove the necessity that hardwarefrom devices to the firmware on thembe an exact match
18
HOME
EDITORS LETTER
UP FRONT
between the production and DR facilities. Its so easy to validate that an application is going to come on-line in a VM, and test that regularly, Wolf said. Thats generally not an option with physical hardware. Because DR testing is simple to do in a virtual environment, many enterprises arent testing just Tier 1 applications but are now moving down the line of business applications to test their ability to bounce back from a disaster, Wolf said. Because VM environments are easy to isolate, you can do recovery testing to your hearts content without having any impact on the production environment, said Nelson Ruest, principal at consultancy Resolutions Enterprises Ltd. in Victoria, British Columbia. Recovery testing is as simple as changing a [network interface card] that is assigned to a VM.
THE NOT-SO-SIMPLE PART
THE WEAKEST LINK
With server or client virtualization, overall systems maintenance and recovery are simplified. Workloads, whether theyre on a server or client, are isolated from the underlying hardware and can be moved from one system to another, from one facility to another. In addition, most virtualization technology has DR capabilities built in to automate and
prioritize the system recovery process. This could free up IT from performing a few steps in DR, but many of the procedures needed to back up and maintain systems remain. With server virtualization, we gain high availability at a lower cost, but we still have to patch, monitor and troubleshootthat doesnt go away, Picardal said. In addition, if you do choose to deploy virtual desktops, dont think it will be as easy as your server virtualization project. With server virtualization, you worry about CPU cycles, memory, disk, network connectivitythe same things you did before, Christus Healths Bruni said. In the client [virtualization] space, you have to worry about screen shots, latency on circuits and whether that causes Flash video not to perform appropriately. There are a lot of things that [now] run on a desktop that never used to run in a data center. The tradeoff? Peace of mind, Bruni said. The core benefit [of virtualization] back to the business is knowing that they have multiple ways of accessing data, services or applications [because] the core infrastructure is designed to ensure that core services remain available. I
Christina Torode is news director for SearchCIO. com. Write to her at ctorode@techtarget.com.
19
WHEN YOU'RE NOT QUITE READY FOR DR
HOME
EDITORS LETTER
UP FRONT
ready
When youre not quite
DR
for
Enterprises ponder the possibilities for DR in the cloud.

BY LAURA SMITH
THE WEAKEST LINK
seem to be a natural next step for disaster recovery solutions, but many large enterprises are not turning to it yet for fullfledged DRdespite its many enticements. For one, many enterprises already have multiple data centers in place that can be used as primary data centers and backup DR facilities. Security, performance and control of cloud-based DR also raise concerns. Its all about quality, not about low-cost services anymore, said Lalitendu Panda, global CIO of D&M Holdings Inc., based in Japan. Interruption of service is an issue. We have had a couple of situations. Its not like having your own [infrastrucTHE CLOUD WOULD
ture] that you can modify. You have no control over what else is running on the cloud that could degrade performance. Still, the ease of use of cloud storage is proving to be a draw for some enterprises. When this cloud concept came up, we were prepared, said Dan Zinn, CIO of the 15th Judicial Circuit of the Florida State Attorneys Office. Zinns IT department had been deduplicating data to minimize the amount that needed to be backed up, as well as encrypting data on tapes for a weekly rotation. With the cloud solution provided by CommVault Systems Inc. and Iron Mountain Inc., scheduling a backup and
20
HOME
clicking a button freed up the system administrators time, and gave me a solution so I didnt have to worry about [the tapes], Zinn said. The heaviest users of cloud storage for IT disaster recovery are small and midmarket businesses
EDITORS LETTER
UP FRONT
[With the cloud solution], scheduling a backup and clicking a button freed up the admins time and gave me a solution so I didnt have to worry about [the tapes].
DAN ZINN, CIO, 15th Judicial Circuit of the Florida State Attorneys Office
to learn whether they used cloud storage and, if so, what benefits were realized in DR performance. The study found that organizations that had moved at least part of their storage to the cloud recovered four times faster than those with no formal cloud storage program. In addition, users of cloud storage met their recovery time objectives (RTOs) more often than those who kept data in-house. The study also found that:
I
Companies using cloud storage had, on average, 2.5 downtime events in the past 12 months, which were resolved in about two hours. With average RTOs of 12 hours, the longest downtime event took 5.3 hours to recover from the outage. Businesses with no cloud storage strategy reported an average of 3.5 downtime events a year and took an average of eight hours to recover from the outage. With average RTOs of 13 hours, the longest downtime event among this group of companies was 13.7 hours.
THE WEAKEST LINK
with annual revenues between $50 million and $1 billion, according to Dick Csaplar, senior research analyst for virtualization and storage at research firm Aberdeen Group Inc. in Boston. Enterprises with more than $1 billion in annual revenue typically have data centers in multiple geographic sites and have less of a need to use the cloud for DR, he said. In October, Aberdeen studied 100 organizations with formal DR plans
Respondents to the Aberdeen survey said a DR strategy was their No. 1 driver for using cloud services, with those deemed best in class in terms of their DR cloud strategies taking the following measures:
I
55% deployed a secure connection to the cloud.
21
40% utilize server failover to the cloud. 22% do continuous data replication to the cloud. 10% use multiple cloud providers.
HOME
EDITORS LETTER
TIERED STORAGE AND IT GOVERNANCE

UP FRONT
THE WEAKEST LINK
Cloud storage does not work well for data warehousing in a situation in which one database is accessed by several different applications, according to Andrew Reichman, a senior analyst at Forrester Research Inc. in Cambridge, Mass. Cloud DR also presents governance issues. The problem is never with CommVault or Iron Mountain. Its always, Where is my data? said Zinn, noting that its tough to keep track of the amount of data rising by the hour. At the Sisters of Mercy Health System in St. Louis, storage demands for clinical studies are astounding. Fifteen years ago, the first milestone was a terabyte of storage, total. Now were doing that each week, said Jeff Bell, chief operating officer at Mercy, a network of 28 hospitals across four states. Analysts at Gartner Inc. project an 800% increase in the output of data during the next five years. Eighty percent of that will be unstructured data, which generally goes
untouched after 90 days, according to Ray Paquet, managing vice president at the Stamford, Conn.-based firm. Storage is growing greatly, said Bell, who implemented a tiered storage strategy on an internal cloud: Older data gets placed on older disks, while data that repeats gets compressed. Dedupe is big, so we dont have to back up everything, Bell said. The idea is to store as few times as possible, put it on the correct tier of storage and make sure its available.
Fifteen years ago, the first milestone was a terabyte of storage, total. Now were doing that each week.
JEFF BELL, COO, Sisters of Mercy Health System
Done right, cloud storage promises to free up IT staff members from complex and onerous storage management tasks, but CIOs should push for service-level agreements that are as good asif not better thanones they could offer internally, Reichman said. I
Laura Smith is features writer for SearchCIO.com. Write to her at lsmith@techtarget.com.
22
THE WEAKEST LINK
HOME
EDITORS LETTER
UP FRONT
weakest link
IN A LEAN
The
European and U.K. executives are targeting threats that could weaken the supply chain. Business continuity and risk management practices can help. BY PAUL F. KIRVAN
THE WEAKEST LINK
but hypercompetitive business environment, organizations are relying more on relationships with business partners to successfully execute their core strategies. While these relationships can dramatically improve an organizations capacity and business structure, they can also decrease control over critical activities. In Europe, and the U.K. in particular, supply chain risk management has become a hot issue. During the past decade, various sourcing strategies have focused on ways to reduce costs through offshoring, outsourcing noncore processes, consolidating suppliers and optimizing logistics. But gaining such
advantages also brings certain disadvantages, according to Lyndon Bird, international technical director of the U.K.-based Business Continuity Institute. The tradeoff is that organizations everywhere are introducing significant but often unseen vulnerabilities and dependencies into their business. As such, the need to protect the supply chain through the use of business continuity and risk management techniques has experienced rapid growth in the U.K. in particular, Bird said. While understanding this web of risk is complex, an organization that takes the time to map and analyze its supply chain can gain more con-
23
THE WEAKEST LINK
HOME
EDITORS LETTER
UP FRONT
trol and insights. It also puts the organization in a position to anticipate and ward off possible threats. For instance, if all sites within a segment rely on a single business partner to provide one of the key raw materials, then that partner poses a high risk. By creating a detailed supply chain map, organizations can better recognize such vulnerabilities and put controls and mitigation strategies in place, helping firms to work around possible supplier outages. Understanding supply chains in more precise detail can help organizations stay up and running even when the outage lies outside the firms reach. A normal supply chain map might look like the one in Figure 1. Suppliers of raw or semifinished materials deliver them to a business that
processes them into finished products in preparation for delivery by distributors to consumers. Under normal circumstances, if all members of the supply chain perform as expected, finished products will be delivered to consumers in a time frame acceptable to them. Supply chains for medium and large firms can be very complex and interconnected. Dependencies on multiple suppliers, coupled with just-in-time production strategies and other manufacturing processes, mean that the businesses really depend on uninterrupted supply chain operation for success and profitability. This can place a lot of strain on supply chains. Given the significance of supply chains in most business models, what happens if something interrupts or damages them?
Figure 1: Normal Supply Chain

Supplier 3 Supplier 1 Customer
Distributor 1
THE WEAKEST LINK
Supplier 4 Supplier 5 Supplier 2 Supplier 6 Business Distributor 2 Customer Customer
24
THE WEAKEST LINK
SUPPLY CHAIN RISKS
HOME
EDITORS LETTER
UP FRONT
Supply chain risk appeared in the headlines of U.K.-based news sources during the 2010 eruption of the Icelandic Eyjafjallajkull volcano. According to David Honour, editor of Continuity Central in West Yorkshire, England, the event caused serious travel disruptions and had a major impact on many companies supply chains. Car manufacturers, for example, were some of the hardest hit. Both Nissan and BMW had to reduce production because of shortages of critical parts, he said. Reinforcing Birds point, Susan Young, a risk management professional in London, noted that the greater global reach of companies and markets during the past few years has resulted in widening the geographical spread and complexity of supply chains and their increased
interdependencies have increased the potential for disruptions. Figure 2 depicts a situation whereby a supplier is taken out of the supply chain. Depending on the nature of the supplier and its role in the supply chain, the impact to overall business operations may be known immediately, or it may take hours or even days to see a real impact on productivity and profits.
INTRODUCING BC INTO THE SUPPLY CHAIN
If risks to the supply chain are a consideration, business continuity management techniques can be introduced as part of the risk identification, mitigation and recovery processes. Peter Barnes, managing director of London-based 2C Consulting Ltd., advises, First and fore-
Figure 2: Disrupted Supply Chain

Supplier 3 Supplier 1 Customer
Distributor 1
THE WEAKEST LINK
25
THE WEAKEST LINK
HOME
EDITORS LETTER
UP FRONT
most, recognize that the loss of a step in your supply chain could potentially damage your ability to achieve critical goals. He reminds us of a very important message: Protecting your supply chain is your responsibility, not something you can hand over to a supply chain partner. Barnes also notes that reliance on service-level agreements and contract wording is not enough. Supply chain continuity requires genuine partnership and cooperation in identifying the risks and ensuring that all components of the chain are satisfactorily addressed, he said. Figure 3 depicts how a disrupted supply chain can be reconfigured to restore some level of functionality. As Supplier 1 is no longer in the chain, Suppliers 3 and 4 now pro-
vide products and services directly to the business. To make this reconfiguration work successfully, the business needs to carefully analyze its supply chain for risks and then identify opportunities to maintain continuity of the chain. BCIs Bird contends that business continuity actively helps organizations identify and understand the risks associated with supply chains. This allows decisions to be made with full knowledge of the consequences and actions needed to mitigate disruptions.
IGNORING BC LEAVES RISK
Assuming your organization depends on its supply chain, what are the risks of ignoring business continuity as part of how you protect the supply chain? According to
Figure 3: Recovered Supply Chain

Supplier 3 Customer
Distributor 1
THE WEAKEST LINK
26
THE WEAKEST LINK
HOME
EDITORS LETTER
UP FRONT
Young, inconvenience at best, business failure at worst. An overreliance on a few suppliers can be potentially disastrous, she said. Be sure to review your suppliers business continuity arrangements as part of any initial due diligence and/or periodic review. Research conducted by the Business Continuity Institute in 2009 and 2010 showed that mediareported supply chain disruptions are just the tip of the iceberg. More than 70% of organizations surveyed by the BCI experienced some form of disruption, which led to lost productivity, increased working costs and customer dissatisfaction, BCIs Bird said. To that, 2C Consultings Barnes added, failing to address this issue is like a senior manager switching off all accountability every time he or she steps outside the office. While business continuity initiatives at the office may be adequate, ignorance of the supply chain could
threaten your organizations goals, reputation and livelihood, he said.
RESEARCH ON SUPPLY CHAIN RISKS
The issue of supply chain and business continuity management has been researched extensively in Europe. In fall 2009, the BCI published a research report that found:
I
Approximately 75% of the 201 companies surveyed experienced disruptions in their supply chains during the previous 12 months. The chief causes of disruption were economic recession, H1N1 pandemic flu (swine flu) and IT/telecom disruptions. The impact of the disruption was primarily a loss of productivity, although loss of revenue, customer complaints and delayed product availability were high on the list.
THE WEAKEST LINK
What Is a Supply Chain?

SUPPLY CHAIN MANAGEMENT
encompasses the planning and management of all activities involved in sourcing and procurement, conversion and logistics management. Importantly, it also includes coordination and collaboration with channel partners, which can be suppliers, intermediaries, third-party service providers and customers. In essence, supply chain management integrates supply and demand management within and across companies. I
SOURCE: THE COUNCIL OF SUPPLY CHAIN MANAGEMENT PROFESSIONALS
27
THE WEAKEST LINK
Nearly 74% of businesses are taking a hands-on approach to supply chain risk management, according to Aon Inc.s 2009 Risk in 21st Century Supply Chains survey. Key findings of the survey included:
HOME I EDITORS LETTER
More than half of the firms surveyed launched regular communication and audit policies with suppliers. Compared with Aons previous supply chain survey, companies actively managing risks around contracts to ensure they are covered from the negotiation phase through defining quality controls grew by 15%. There was a 20% increase in the number of companies investigating their suppliers suppliers to assess the overall strength of the supply chain. Although insurance is still a key risk management strategy, 20% fewer companies are using it as the only form of mitigating risks. Only one in 10 firms placed an emphasis on evaluating ethical issues they are being exposed to by their suppliers. Some 55% admit to having no indicators in place to monitor supply chain risk management performance.
In another report released by Marsh & McLennan Cos. in 2010, 13% of respondents had experienced supply chain disruptions in the past two years. The report surveyed 220 risk and business continuity managers across Europe, the Middle East and Africa.
UP FRONT I
STRATEGIES FOR MITIGATING RISK IN THE SUPPLY CHAIN
Assuming you wish to protect your supply chain from unplanned disruptions, consider the following strategies: Proactive Risk Management. Begin your efforts by mapping the entire supply chain and its dependencies. You should also determine threats, risks and vulnerabilities, as well as identify single and multiple points of failure. Next, implement strategies to remove or reduce these issues. Remember that this is a continual process and can be supported by specialized software, from a handful of developers including Oracle Corp. and Microsoft Corp., but also smaller ones such as Epicor Software Corp. and Infor Global Solutions Inc. Business Continuity Management. Leveraging BC management techniques within the supply chain ensures that important suppliers arent at risk from long-term downtime caused by disruptive incidents.
I WHEN YOURE NOT QUITE READY FOR DR
I THE WEAKEST LINK
28
THE WEAKEST LINK
HOME
EDITORS LETTER
One way of doing this is to require critical suppliers to develop business continuity plans and make them available for auditing. For example, a business impact analysis, a key component of a BC management program, can be modified to analyze supply chains and their relationships to the organization. Insurance. It is often thought incorrectlythat supply chain risks can be mitigated with business interruption insurance. Inclusion of force majeure clauses in such insurance policies may address supply chain disruptions. But to avoid coverage issues with business interruption insurance, some organizations buy specialized supply chain insurance policies from insurers including Zurich Financial Services AG and Aon. Simply recognizing threats to the supply chain is not enough. There must be proactive efforts to define how supply chain integrity can be protected and how to mitigate the identified risks. The good news is that business continuity is beginning to play an increasingly strategic role in the protection of supply chain integrity. I
Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter. Write to him at editor@searchcio.com.
Enterprise CIO Decisions Ezine is produced by TechTarget CIO/IT Strategy Media, 2011 TechTarget. Jacqueline Biscobing Managing Editor jbiscobing@techtarget.com Rachel Lebeaux Assistant Managing Editor rlebeaux@techtarget.com Scot Petersen Editorial Director spetersen@techtarget.com Linda Koury Director of Online Design lkoury@techtarget.com Christina Torode News Director ctorode@techtarget.com Linda Tucci Senior News Writer ltucci@techtarget.com Laura Smith Features Writer lsmith@techtarget.com Ed Scannell Executive Editor escannell@techtarget.com Ben Cole Associate Editor bjcole@techtarget.com
FOR SALES INQUIRIES, PLEASE CONTACT:
UP FRONT
THE WEAKEST LINK
Theron Shreve Senior Product Manager tshreve@techtarget.com (617) 431-9360
29
RESOURCES FROM OUR SPONSORS
See ad page 3
Disaster Recovery: Plan for the Worst, Expect the Best Guidelines for Successful Business Continuity Planning How to sell business continuity to management in tough times
About CDW: CDW's business model focuses on small- and medium-sized businesses with 97 percent of sales derived from commercial accounts. CDW has built strong relationships within the technology sector and we are a leading direct source for Cisco, HP, IBM, Intel, Microsoft, Sony, Toshiba, and other top name brands. Our success is due to our exceptional coworkers, who are the most important element of CDW's business strategy. To foster our coworkers' success, CDW has designed a rewarding and challenging work place, recognized as one of the best companies to work for in America.

DR - Business Continuity Strategies

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DR - Business Continuity Strategies

Uploaded by

Copyright:

Available Formats

A P R I L 2 0 1 1 VO LU M E 7

Business Continuity and Disaster Recovery Strategies

Avoid a Recipe for Disaster

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

THE WEAKEST LINK

Editorial Director CIO/IT Strategy Media spetersen@techtarget .com

ENTERPRISE CIO DECISIONS APRIL 2011

server rooms that require GPs NaviGatioN.

NEWS, VIEWS AND REVIEWS FOR SENIOR TECHNOLOGY MANAGERS

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

THE WEAKEST LINK

ENTERPRISE CIO DECISIONS APRIL 2011

NEWS, VIEWS AND REVIEWS FOR SENIOR TECHNOLOGY MANAGERS

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

DR is a cost like insurance. Typically, you get nothing back.GREG SCHULZ

THE WEAKEST LINK

ENTERPRISE CIO DECISIONS APRIL 2011

NEWS, VIEWS AND REVIEWS FOR SENIOR TECHNOLOGY MANAGERS

hospital cures its bc/dr woes

TITLE: Chief operating officer TIME IN THIS ROLE: Two years

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

THE WEAKEST LINK

ENTERPRISE CIO DECISIONS APRIL 2011

NEWS, VIEWS AND REVIEWS FOR SENIOR TECHNOLOGY MANAGERS

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

THE WEAKEST LINK

ENTERPRISE CIO DECISIONS APRIL 2011

NEWS, VIEWS AND REVIEWS FOR SENIOR TECHNOLOGY MANAGERS

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

DR AND BC TOP OF MIND FOR IT LEADERS

ENTERPRISE CIO DECISIONS APRIL 2011

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

Cloud DR and BC can

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

THE WEAKEST LINK

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

CLOUD DR AND BC CAN SAVE YOUR BUSINESS

MOBILE DEVICE DR: THE NEXT FRONTIER

PIGGYBACK DR ONTO VIRTUALIZATION

WHEN YOURE NOT QUITE READY FOR DR

THE WEAKEST LINK