BC/DR advice for SMBs

By Dave Simpson

Large enterprises typically have solid disaster-recovery (DR) and business continuity (BC) plans in place (although they generally don't test them frequently enough). However, that is not always the case with small to medium-sized businesses (SMBs), which often don't have adequate budgets for BC/DR.

For this report, we gathered BC/DR advice and tips for SMBs from a range of vendors. One of the most common pieces of advice is simple enough: Test your DR plans.

"SMBs should test and practice their disaster-recovery plans regularly to strengthen their skills, determine more efficient logistics, and work out kinks in the system," says Mike Inkrott, Symantec's senior product manager for Backup Exec. "SMBs should also test the backup itself [i.e., recover data] to ensure that critical data is available. If SMBs neglect to back up their data, their disaster recovery plan is useless. By simply practicing the plan, assessing the critical data that needs to be backed up and testing the backup system, SMBs can be confident that the plan will work should they need to use it during an actual disaster."

"If I had to give one piece of advice to SMBs on BC and DR, it would be to practice what might take place if a disaster were to occur," says Ellen Rome, vice president of sales and marketing at STORServer. "Too often, SMBs wait until the disaster takes place and then find they are not at all prepared with a fully laid-out plan and a practiced approach to data recovery." Rome also advises IT organizations to determine which servers, applications, and storage resources are most critical, and to determine the order in which they need to be recovered.

In a business continuity survey sponsored by Stratus Technologies, only 45% of the respondents with BC plans tested them more than once a year, 35% tested yearly, and 20% never tested their BC plans.

Recommendations on how often companies should test their DR/BC plans vary widely but, generally, vendors and analysts recommend testing at least quarterly.

Low-cost BC/DR

In terms of actual BC/DR implementation, perhaps the best news for SMBs is that they are no longer restricted to the costly, "vendor lock-in" solutions that characterized BC/DR options in the past. Not surprisingly, hardware-independent vendors stress low-cost alternatives for budget-strapped SMBs.

"DR solutions should be open and flexible, easily fitting into an organization's existing IT infrastructure, and should minimize risk, implementation time, and cost," says Fadi Albatal, director of marketing at FalconStor Software. Albatal advocates hardware independence, virtualization (with an emphasis on heterogeneous array support), and resource consolidation. He also notes that IT organizations are no longer required to have the same types of storage systems at the primary and secondary (DR) sites; users can keep expensive, high-performance systems at their primary site, but deploy less expensive arrays at their remote sites.

Although most IT managers view virtualization primarily as a way to lower costs, it can also be used as a basis for a disaster-recovery program. "If you virtualize your systems and storage, your primary and backup data centers can run disparate hardware, with the virtualization layer hiding the differences," says Barry Phillips, group vice president and general manager in Citrix Systems' advanced solutions group. "Through the use of clustered computing, load balancing, replication, and remote access technologies, your downtime can be brought to zero and your data loss minimized."

FalconStor's Albatal stresses the importance of BC/DR technologies that provide full integration of the physical and virtual environments to enable DR process automation.

"The ability for virtual machines to move between servers in the event of a failure greatly simplifies and lowers the cost of application high availability and business continuance," says Chris McCall, director of product marketing at LeftHand Networks. "Combine this with storage systems that present a single volume in multiple sites, so that when a failure occurs and virtual machines migrate over, they remain connected to their volumes. Applications and storage remain online, with no data loss or manual intervention."

Software-as-a-Service (SaaS) is another cost-saving approach that might appeal to SMBs. "Managed and hosted SaaS solutions are a cost-effective alternative with limited up-front investment and IT management responsibilities," says Frank Jablonski, senior director of product marketing at CA. For in-house BC/DR implementations, Jablonski also advocates evaluating virtualization technology, which can lower costs for recovery management. He also advises a multi-level approach to BC/DR, which saves money by applying the right level of data protection according to its value to the business.

Similarly, remote on-demand data-protection services can help defray BC/DR costs. According to Brian Reagan, director of strategy in IBM's BCRS division, remote services eliminate the need for capital expenditures and can save 20% to 60% versus in-house BC/DR implementations, in part because hosted services are typically based on a "pay-as-you-use" subscription model. In addition, subscribers can more easily define and execute specific time-based data retention policies that match their business requirements.

First steps

Before actually embarking on a BC/DR implementation, SMBs should perform a business risk and business impact analysis, according to Kyle Fitze, director of marketing for SAN products in HP's StorageWorks division. Business impact can be measured in both direct (such as lost revenue) and indirect (e.g., productivity impact) dimensions. The metrics should also be measured in quantitative (revenue, costs) and qualitative (customer satisfaction, brand reputation) dimensions, according to Fitze. With this data in hand, SMBs can decide how much downtime they can tolerate for a given application or system, and how much data loss is acceptable, which in turn will determine the best technologies to use for the BC/DR infrastructure.

During the business impact analysis (BIA) phase, Edgar Jimenez, director of managed services for the EVault data-protection business unit of i365 (a Seagate company), recommends the following actions:

-- Define critical success factors that will support and enable the BIA;
-- Establish application restoration priorities (e.g., critical vs. non-critical apps);
-- Identify tasks required to resume 100% normal operation (aka business resumption); and
-- Define data recovery and backup management procedures.

After identifying risk factors (e.g., natural disasters, system failures, legal/regulatory action) and business impact (e.g., loss of productivity, revenues, or legal liabilities), users should identify the criticality of various applications.

"Conduct a session with all business managers where business applications are charted on a matrix with 'acceptable data loss' on the Y-axis and 'acceptable interruption' on the X-axis," suggests Bruce Caswell, director of marketing communications at Xiotech. "Both axes are divided into three layers, labeled 'minutes,' 'hours,' and 'days.' Each application is mapped into the appropriate section of the matrix, with discussion of the consequences involved for each application." Caswell also notes that the current level of protection from existing systems can be mapped on the matrix to demonstrate existing gaps.
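The matrix exercise described above can be kept as a small script so it is easy to rerun after each DR test. This is an added example, not something from the article or any vendor quoted in it; the layer cut-offs (under one hour, under 24 hours), the application names, and all figures are assumptions made for illustration.

```python
from dataclasses import dataclass

LAYERS = ["minutes", "hours", "days"]  # the three layers on each axis

def layer(minutes: float) -> str:
    # Cut-offs are assumptions: under 1 hour, under 24 hours, otherwise days.
    if minutes < 60:
        return "minutes"
    return "hours" if minutes < 24 * 60 else "days"

@dataclass
class App:
    name: str
    max_loss_min: float    # acceptable data loss (Y-axis), in minutes
    max_outage_min: float  # acceptable interruption (X-axis), in minutes
    cur_loss_min: float    # worst-case loss with today's protection
    cur_outage_min: float  # realistic restore time with today's protection

def build_matrix(apps):
    """Place each application in its (data loss, interruption) cell."""
    grid = {(y, x): [] for y in LAYERS for x in LAYERS}
    for a in apps:
        grid[(layer(a.max_loss_min), layer(a.max_outage_min))].append(a.name)
    return grid

def find_gaps(apps):
    """Report axes where current protection lands in a slower layer than required."""
    gaps = []
    for a in apps:
        for axis, need, have in (("data loss", a.max_loss_min, a.cur_loss_min),
                                 ("interruption", a.max_outage_min, a.cur_outage_min)):
            if LAYERS.index(layer(have)) > LAYERS.index(layer(need)):
                gaps.append((a.name, axis, layer(need), layer(have)))
    return gaps

def recovery_order(apps):
    """Restore the least outage-tolerant applications first."""
    return [a.name for a in sorted(apps, key=lambda a: (a.max_outage_min, a.max_loss_min))]

# Constructed sample data: names and figures are illustrative only.
SAMPLE_APPS = [
    App("file-archive", 2 * 1440, 3 * 1440, 1440, 2 * 1440),
    App("order-entry", 15, 30, 1440, 480),   # nightly backup, 8-hour restore
    App("email", 240, 240, 1440, 240),
]

if __name__ == "__main__":
    for cell, names in build_matrix(SAMPLE_APPS).items():
        if names:
            print(cell, names)
    for gap in find_gaps(SAMPLE_APPS):
        print("GAP: %s %s requires %s, currently %s" % gap)
    print("Recovery order:", recovery_order(SAMPLE_APPS))
```

The current-protection figures should come from measured restore tests rather than from what the backup product is configured to do.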

Most vendors agree that assessing the criticality, or business value, of data and applications is a crucial step in organizing a BC/DR strategy. "Profile your applications and rank them in terms of value to the business and assess the impact to your business if there were any downtime," advises Jonathan Buckley, vice president of outbound marketing at Asempra. "And do similar exercises for data: What data is critical, and what data is not?

"We recommend bifurcating your BC/DR technologies depending on your total data requirements and your RPO [recovery point objective] and RTO [recovery time objective] requirements," says Buckley. "The servers holding second- and third-tier data can take hours, or in some instances days, to recover without financial impact."

Most BC/DR implementations today use disk-based technologies to some degree. Steve Whitner, product manager at Quantum, says that SMBs should consider disk-based backup with data de-duplication to minimize costs. However, Whitner notes that, at least for long-term retention of data, tape should also be factored into SMBs' BC/DR equation because of its lower cost per gigabyte, as well as power and cooling advantages.

"Technologies such as backup-to-disk, de-duplication, and replication enable SMBs to tailor their BC and DR strategies to fit their specific requirements," says Andrew Wenger, director of the SME segment at CommVault. "By backing up to disk, SMBs can replicate their data, move it to their main data center at headquarters, and implement a DR plan from there, making it easier to manage on an ongoing basis."


This article was originally published on December 18, 2008