Security Myths

Rather than add more bandwidth, or invest in expensive, dedicated storage networks, WAN optimization can improve IP network performance sufficient to turn recovery into continuity. To help meet the objectives outlined above, a WAN optimization solution must be able to do three separate tasks for true business continuity: restrict bandwidth to backup applications during the allowed window and allocate it to critical applications in the event of a disaster, overcome latency and bandwidth limitations on the wire, and provide acceleration to roaming or displaced users redirected to alternative data sources.

Regardless of whether the data is being replicated from a massive cabinet, over IP-based storage or off a user’s hard drive for compliance purposes, during the backup window maximum bandwidth should be available to ensure completion. This requires granular bandwidth management that can isolate applications on the network and provide a predictable, policy-based service level. Further, the solution should be able to distinguish between a user initiated file copy and one started by the backup daemon, and apply different bandwidth allocations to each.

Also, the solution must remove latency and protocol inefficiencies that constrain current WAN backups. Caching and compression technology combined with inline protocol optimization of commonly used file transfer protocols form a technology suite that improves the performance characteristics of a WAN, adding bandwidth and reducing the time needed to complete backups and restores. Moreover, it should be able to do this for individual devices and accommodate displaced and roaming users without the need for bulky appliances.

Testing key to business continuity plan success

Without access to critical data in the first 24 hours after a crisis, forty percent of all businesses will fail. Such dire risk can be avoided by performing regular evaluations of your IT recovery process. Testing reveals not only whether the process can technically recover your servers, applications and data, but also the risk of any excess complexity.

A well-developed IT disaster recovery plan will identify all key processes and expose any weaknesses, and the ideal way to uncover these is through testing. Just as the best travel guides flow from real experiences at the destination, so the best disaster recovery plans flow real experiences from actual testing.

New technology makes regular, even daily testing feasible. This automation provides a foundation for ongoing RTO and RPO reporting at a management level, allowing you to better estimate and mitigate risks for the business.

To ensure you reach your objectives, perform a true recovery test on a critical server and capture these crucial observations:

• How long did recovery take?
• What data proved challenging to recover?
• Were all applications and related software returned to the exact state expected?
• Was the recovery process feasible for IT staff operating under stress with reduced tools?
• How would parallel recoveries amplify the challenges?

Learning from these questions on a single test will yield greater insight into your IT disaster recovery posture. Though obviously a sensible practice, human nature often postpones such disciplined testing, since historically it has been cumbersome, time-consuming, or simply impossible without unacceptable disruption.

Cloud as a Backup Solution for a Disaster Plan

A cloud based backup approach for a disaster recovery plan lets you determine the ideal mixture of capital and operational expenditures. For budgeting purposes, recovery capabilities can be tiered to reflect the unique value and restoration requirements of different types of data, and storage processes can easily be tuned to comply with updated business procedures.

It is the selective use of the cloud lets you choose any combination of the following, a mix you can freely adjust as your needs evolve.

Cloud or Software as a Service (SaaS) - Your data is protected in a secure data center and hardware and software is managed for you, including all necessary support and professional services. Protecting your data in the cloud also gives you the inherent benefit of offsite disaster recovery. If your goal is to make life as simple as possible for your IT team but still make sure your data is safe and easily accessible.

On-Premise - You manage all the hardware and software you need under your roof. Pre-configured, all-in-one appliances are available to simplify deployment and maintenance and speed backup and recovery cycles. You can choose to maintain your infrastructure with your own team, outsource this responsibility to a certified local provider, or take advantage of both internal and external resources.

Hybrid - With the increasingly popular cloud-connected model, certain categories of information can be stored in the cloud, while those that need to be instantly available can reside onsite - or a primary backup can reside in one (onsite or in the cloud) with replication to the other. This method offers the greatest flexibility to choose the right blend of capital and operational
expenditures.

Banks are not immune to security outages

Firefox users may have had trouble accessing JPMorgan Chase's website chase.com when the bank experienced problems with an outdated security certificate.

According to a Chase spokesman, the Firefox certificate was updated on the bank's servers in about 45 minutes, resolving the issue.

A year ago, Chase experienced a more severe outage that shut out millions of customers from its online banking site for three days.

That earlier outage stemmed from a failure related to Chase's user authentication database.

Web Security Threats

This outage involved a lapsed security certificate. Website servers present certificates to a customer's browsers to verify identities. This certificate, which has information such as the address of the site, is verified by a third party that is trusted by a user's computer.

A certificate that is outdated or lapsed would appear as having been revoked by the issuing server.

While short-lived, today's outage was still a major issue, according to a market research firm.

"No bank wants its customers to be presented with the message, "you may be communicating with an attacker," an analyst wrote in a blog.

He said if the issue hadn't been resolved quickly, Chase could have ended up paying out reimbursements to customers unable to pay bills on time.

What is the Recovery Time Objective (RTO)

CIOs, CSO's, Disaster Recovery and Business Continuity Managers constantly will work to improve their rescue point objective (RPO) plus recovery time objectives (RTO) as a result of performing fast, non-disruptive backups, and even by performing data recovery. All comprehensive data protection solutions involve many issues and contingencies.

Here are a few of the things that can break with your data and therefore the backup requirements that ought to be addressed:

• Accidental or malicious deletion of critical data - Requirement that provides to be able to quickly and easily bring back individual files and version.
• Data that is wasted or corrupted over time - Requirement to jiggle back individual records to renovate database corruptions. The ability to get better data from any previous point in time, and have it as granular as you can.
• A crashed disk - Requirement to recover a disk volume is special than recovering a individual file, but it should be done just as fast, and with automation to keep operational disruptions to a minimum.
• A server failure - Requirement recover operations when replacing a broken server may well be complicated by the desire to install different drivers over the new system if the hardware seriously isn't an exact match. It helps to give the capability to move the required forms workload to a standby server (with unique hardware) or virtual server while the system is being swapped out or repaired.
• A local or regional disaster - Requirement once you lose an entire work to fire, flood, and / or other disaster, have a pre-existing copy of your you important information in another location that is definitely outside the disaster sector.
• Remote offices and part offices - Requirement to experience a process in place to revive with minimal technical sustain as remote and branch offices often will not have the luxury of acquiring an on-site technical resource that can assist in backups and restores.
• Resource-intensive backup processes - Requirement frequent or continuous backup that is not resource-intensive.
• Security breaches - Obligation to secure data. When ever moving data between websites, it needs to always be protected from potential security measure breaches. A breach of data security, whether actual damage is over or not, can be devastating to all your company's reputation, as dozens of substantial enterprises and government agencies have found a lot.

10 commnadments of disaster recovery and business continuity planning

As requirements for avoiding downtime become increasingly stringent, administrators need tools and platforms that can help them plan, design, and implement disaster recovery strategies that can meet those needs.

• Analyze single points of failure: A single point of failure in a critical component can disrupt well engineered redundancies and resilience in the rest of a system.
• Keep Updated notification trees: A cohesive communication process is required to ensure the disaster recovery business continuity plan will work.
• Be aware of current events: Understand what is happening around the enterprise - know if there is a chance for a weather, sporting or political event that can impact the enterprise's operations.
• Plan for worst-case scenarios: Downtime can have many causes, including operator error, component failure, software failure, and planned downtime as well as building- or city-level disasters. Organizations should be sure that their disaster recovery plans account for even worst-case scenarios.
• Clearly document recovery processes: Documentation is critical to the success of a disaster recovery program. Organizations should write and maintain clear, concise, detailed steps for failover so that secondary staff members can manage a failover should primary staff members be unavailable.
• Centralize information - Have a printed copy available: In a crisis situation, a timely response can be critical. Centralizing disaster recovery information in one place, such as a Microsoft Office SharePoint® system or portal, helps avoid the need to hunt for documentation, which can compound a crisis.
• Create test plans and scripts: Test plans and scripts should be created and followed step-by-step to help ensure accurate testing. These plans and scripts should include integration testing—silo testing alone does not accurately reflect multiple applications going down simultaneously.
• Retest regularly: Organizations should take advantages of opportunities for disaster recovery testing such as new releases, code changes, or upgrades. At a minimum, each application should be retested every year.
• Perform comprehensive recovery and business continuity test: Organizations should practice their master recovery plans, not just application failover. For example, staff members need to know where to report if a disaster occurs, critical conference bridges should be set up in advance, a command center should be identified, and secondary staff resources should be assigned in case the event stretches over multiple days. In environments with many applications, IT staff should be aware of which applications should be recovered first and in what order. The plan should not assume that there will be enough resources to bring everything back up at the same time.
• Defined metrics and create score cards scores: Organizations should maintain scorecards on the disaster recovery compliance of each application, as well as who is testing and when. Maintaining scorecards generally helps increase audit scores.

Backup and retention policy

Typically disaster recovery is designed to match traditional IT boundaries - physical servers, storage arrays, network devices, applications, etc.- and primarily based on over-provisioning of resources. Most servers and data stores are backed up locally to tape, if possible, requiring local IT staff to manage backup software, schedules, tape libraries, and offsite archiving. When failure occurs, multiple, complex processes must be coordinated to separately recover and reconfigure servers and data sets, often in multiple locations. As a result, recovery times are often too long and unpredictable.

Distributed, tape-based backup also suffers from geographic limitations: it can be prohibitively expensive to ship tapes long distances, and the farther they must be shipped, the longer it will take to recover in the event of disaster. This has led many firms to situate recovery sites too close to primary sites, significantly increasing the risk of catastrophic failure due to a major event (power grid failure, hurricane, etc.) affecting a large geographic area.

Disaster Recovery Planning a critical mandate

Business continuity and disaster recovery (BC/DR) planning is a critical mandate for all companies and especially for small and midsized businesses, where the cost pf downtime and/or lost data can be devastating.  It does not take a cataclysmic event to cause major disruption the untimely loss of a critical server or file for even a few hours can be extremely costly in today's highly competitive 24x7 business climate.

If you have implemented virtualization - cloud computing, you already know how this powerful technology can save you money on IT costs via server consolidation. But are you aware that the benefits of virtualization extend beyond IT cost savings, and that virtualization can also keep your business running through many types of planned and unplanned IT outages?

Many regulations require companies to support more stringent availability standards. Several new acts and regulations, directed at specific industries or a broad cross-section of companies, mandate the protection of business data and system availability. Businesses may incur financial or legal penalties for failing to comply with these data or business availability requirements.

Calcuating the cost of downtime

A company experiences downtime for a variety of reasons and varying lengths of time. But the reality is that if your business does not even know the price of a single hour of downtime, you will most likely not commit resources to an adequate backup plan. While it is difficult to conceive of the total cost of an extended disaster or to quantify the intangible costs such as customer and employee satisfaction, it is a relatively simple process to determine the monetary losses one hour of downtime will incur. Once that number is determined it will be easy to calculate longer-term effects.

One analyst firm estimated that yearly downtime costs average 3.6% of annual revenue. For a business making $20 million that would translate into losses of $720,000 - money that would be much better spent growing the company. Of course, that cost is an average, with more lengthy and harmful outrages potentially causing exponentially higher losses.

Not all downtime is created equal: A brief outage in the middle of the night when a company is closed may incur little cost and no impact, while a prolonged total failure during the height of holiday sales can be devastating in both regards. The impact of downtime is felt in a variety of ways, and may be immediate or have long term repercussions.

Over the past several years, it has been estimated the hourly costs of downtime for computer networks at an average of $42,000. A typical company experiencing an average of 87 hours of downtime per year, that is $3.6 million annually. And for companies that rely entirely on technology, such as online brokerages, trading platforms, and e-commerce sites, hourly downtime risks can be $1 million or more, making availability an even greater concern.

Virtualization adds to complexity of disaster and business continuity planning

Cloud computing -- virtualization offers compelling business advantages. It can reduce your capital expenditures, gives greater benefits from resources that are already invested in, and provides more flexibility in applying those resources to the business services that are most critical to the enterprise. However, because virtualization introduces management complexity into an already complex environment, it can also drive up operational expenditures and the complexity of disaster and business continuity planning.

The key to getting the benefits and avoiding the risks is obtaining detailed visibility into all the elements and interdependencies of the cloud - virtual infrastructure. Traditional, manual techniques of mapping IT environments won't work - they are error-prone and cumbersome, and the results are incomplete and quickly out of date.

Recovery time is focus of 57% of Business Continuity Managers

In  a recent survey it was found that 57 percent of IT organizations see reducing recovery time in the event of IT failure and cutting the cost of backup as the two biggest 'pain-points' for backup and disaster recovery. The next most significant difficulties were the ability to roll back to any point in time when recovering workloads and recovery testing.

Virtualization is already in place with the majority of those surveyed, with 86 percent of those questioned having a virtual infrastructure in place within their organizations.

Other findings are:

• Tape backup is the most popular technology involved for recovery of virtual machines, with 60 percent of organizations relying on tape to protect their virtualization implementations. 53 percent of organizations are using disk-to-disk backup products, while proprietary virtualization products are used by 23 percent;
• 17 percent of organizations are only using tape backup for the backup / recovery of their virtual machines;
• The number of respondents that were able to judge their recovery point objectives (RPO) when it came to virtualized environments was much lower than those able to define their recovery time objectives (RTO) - only 45 percent of those surveyed were able to state their satisfaction level around their RPOs.

Cloud as a primary recovery source not there yet

According to a survey market research firm TheInfoPro, a mere 10 percent of large corporations are considering the public cloud as a place to store even their data -- even the lowest-tier info -- for archive purposes. I wasn't surprised to hear of these results.

Don't believe the survey? Look at recent news reports. Last year EMC announced it was shutting down its Atmos Online storage service because it was competing with its own resellers. Cloud storage provider Vaultscape also closed. Additionally, Iron Mountain said it had stopped accepting new customers for its Virtual File Store service and was doing a two-year glide to a complete shutdown. Finally, startup Cirtas Systems announced it was leaving the market to "regroup."

The on-demand storage market will eventually evolve, and acceptance will take years, as we've seen with other emerging technologies in the past. In the meantime, we could look at cloud storage services to be the first real cloud failure. However, we learn from what did not work and plug on. Eventually, the market will be there.

Consolidation and Disaster Planning

While consolidation can certainly bring a number of benefits to organizations, it will take more than just a Friday afternoon to ensure that your consolidation, disaster recovery, and business continuity projects are truly successful. As far too many IT managers will tell you, a poorly planned project will have your executives screaming, users threatening mutiny, and IT in the hot seat to quickly undo all the effort that went into the project in the first place.

• Lay out a change and risk management strategy
• Develop a plan for resiliency
• Test (and improve) branch office performance & local consolidation
• Architect a forward-looking infrastructure & support plan
• Plan a phased roll-out

Create Your Data Protection Strategy

Create Your Data Protection Strategy key considerations:

 Backup/Recovery and Staging Tradeoff – Tailoring your data protection solution to the right mix of staging and backup/recovery approaches is accomplished by defining the RTO and RPO for your various types of data based on the tradeoff between your business needs and cost.

Case for Archiving Your Static Data

• First, archives provide long-term protection of data for compliance purposes.
• Second, they make historical data available for repurposing in new applications.
• Third, archiving can provide performance benefits for your company. These performance benefits are realized in the following ways: Once static data is moved to an archive, it is no longer mixed in with your dynamic data, and therefore does not need to be backed up repeatedly. For most organizations, this means the time and storage required to complete a full backup can be reduced significantly. Plus, separating static data from your dynamic data can also significantly reduce the amount of time required to search for files.

Backup to Disk – Using disk-based data protection techniques to protect your dynamic data and make disaster recovery copies will allow you to gain the most from your investment in data protection. Disk-based data protection enables faster recovery times and helps to dramatically reduce your administrative time and costs.

Real-Time Data Protection technologies provide your business with the maximum RTO and RPO benefits. Best-of-breed real-time data protection solutions will allow you to recover your data back to any point in time, down to the second, and some even work to provide a high-availability solution

Disaster Recovery Business Continuity for Remote Offices

Data residing outside the data center at remote and branch offices (ROBOs) accounts for a significant portion of an enterprise's information store, yet it often either is protected with inefficient backup processes or is not protected at all -- leaving companies at risk on many fronts.

In a recent research report, high priority projects for ROBOs included improving information security measures; ensuring compliance with government, industry or corporate governance mandates; and improving Disaster Recovery Business Continuity processes.