…. Setup, Security and Service
Backup and recovery are usually as fun as washing the dishes, vacuuming the car or painting a wall. That is also why the processes of backup and recovery are often forgotten and neglected by companies. However, if you are a business with any digitized data, you need to have backup and recovery strategies implemented and you need to follow them.
Why? Imagine that not washing the dishes would result in your house burning down to the ground. Accidents where data gets deleted can result in major catastrophes if you have not made the necessary preparations. Usually you do not really think about backup and recovery before the accident has happened. It is just like backing up your computer, phone and even camera. If you are not ready with a backup when system failure happens, you panic. Let us try to avoid that for you.
With several hundred interviews conducted with IT Managers in mid-size and large organizations, we have read through extensive amounts of backup and recovery installations, projects and issues. With that in mind we will, together with Rubrik, supply you with 3 key factors that you should consider when assessing your own backup and recovery solutions: Setup, Security and Service.
Setup (Sizing and speed):
You might think that you need a backup environment. That is true. However, it is almost as important to integrate the right kind of environment as to have one. It needs to fit your specific requirements. Too small an environment can be catastrophic, as it will not fit all of your data.
Today, backups consist not only of data such as pictures and documents but also of apps and various systems. Also, companies are increasingly migrating from on-premise datacenters towards cloud-based environments. While IT technology in general has developed and grown quickly, backup and recovery technology has until recently been far behind. This means that there are still vast numbers of backup environments that are based on physical tapes.
Hence, companies are struggling to find efficient ways to back up physical and virtual environments. One of the major issues IT managers address is sizing and the speed of recovery. Too big an environment will be cost inefficient. It is just like wearing a pair of pants that are too tight or too loose: it will cause irritation if they are not the right fit. It is the same with sizing for your backup.
Before we reveal our first advice we want to mention another important factor. When finding your perfect setup you want to consider the speed of your backup. If an accident (or incident) happens and you need to initiate recovery of your critical business systems, imagine the costs that the organization has to endure due to employees not being able to work, customers not being served and orders not being processed. Therefore, recovery speed is crucial to organizations.
Let us break that down a bit:
Unless you have taken cloud platform management into use, your data is most likely backed up on a server, in RAM, on SSD or on HDD. Accessing data in RAM is fast. It takes a bit longer on the SSD, and accessing data on the HDD is even more time consuming. Because of this, RAM is where you usually have “newer” data backed up. If you want your entire backup done in RAM, it will be a very expensive experience. Instead, you can use the SSD or HDD for data you do not have to access so often.
Usually you store “not current” (usually up to 30 days old) data on the SSD and “old” data, which you do not use frequently, on the HDD. The cost effectiveness of HDDs still makes them a solid investment for your physical backup solution. This is usually the easiest way to save money on your backup solution. The more data you can get the business to put onto HDDs, the more money you will save on SSD and RAM.
This said, it is possible to store all of your data in RAM, on SSD or on HDD. Usually, however, you have different data on the different solutions, depending on how often you need to access it.
Let us run through a few examples.
If you are going to work in your system, you will be bothered if it is slow. Every time you press a button in the system, you wait a while. That is not efficient. Normally such a system would not be placed on an HDD solution, because you need to use it right now. However, if you need to access an email from 2014, or accounting from the same year, you can wait a few minutes extra.
So, back to our first advice.
Advice no. 1: Analyze and assess your backup and recovery setup before deciding on your solution. It might take some resources to do so but it is a time investment, which will benefit you in the future.
Though security is a part of the setup, it is so important that we have given it its own individual spot.
The safety of the company’s backup environment is its last line of defence if a security breach should occur. If a security breach occurs and you have not protected your data, you might find yourself in a very uncomfortable position. Of course, it depends on the data you have on the backup, but let us imagine that current and former employees’ personal data, passwords and bank information are leaked. A breach of valuable and highly sensitive data like that would be fatal, both in terms of fines under EU GDPR legislation and in terms of brand devaluation and loss of goodwill.
Despite this, our analyses and market insights show that several companies do not protect their backups. They also show that several companies do not know if the data stored is encrypted. It also happens that the backup environment is left out of safety policies, or that backup systems are left out of disaster recovery plans.
In an increasingly insecure world where both smaller and major organizations get hacked, you need to be proactive.
Therefore, get the security measures right from the start.
When it comes to security we should not only mention hackers, we should also mention natural disasters. Hurricanes, earthquakes and floods can just as well be the reason why your backup gets destroyed. Therefore, a related question regarding security is the location. Do you need the data to be stored at another location, in the cloud or sealed in a separate room, where you are the only person with access? In case of fire it will be valuable to have your backup and recovery separated from your physical datacenter. However, if you are primarily cloud-based, it is another story.
With a cloud-based solution, you will not have to worry about natural disasters, as your backup is available through the internet. This means that your backup does not depend on a physical environment but rather on the internet connection in the company. In corporate environments you often find high-speed internet connections, so the speed of your recovery will be somewhat fast. Also, as cloud-based solutions are virtual and not physical, they are cheap to operate. This said, we advise against using cloud for your backup of sensitive data, as you never really know where your data is. Some financial institutions are actually required by law to avoid using cloud solutions.
Large enterprise organizations tend to have a standardized backup and recovery environment placed on multiple sites. This means that they have precisely the same setup at different locations. If anything happens with one of the sites they have another backup placed at another location. Financial institutions must be able to withstand nuclear blasts so for that industry, the second site option is always needed for extra safety.
This said, let’s go to the next advice.
Advice no. 2: Assess your safety protocols and disaster recovery plans and make sure to encrypt your data.
You can never plan when data needs to be recovered. That is why you always need to be prepared. Usually system failures happen at the most inconvenient times, like during the weekend, when you are on holiday or during the night. If you have several locations and have not set up a service agreement, it can become an expensive frustration to hire someone in the middle of the night to help you. Also, a service agreement can save you the headache of running multiple datacenter locations.
The work of agreeing on a Service Level Agreement (SLA) often involves a certain level of legal complexity. That is why we focus on the key features that you, as an IT Manager, can emphasize to ensure that your organization has the best possible foundation for an effective collaboration with a service provider. We also recommend that you implement them if you do not have a service provider:
1) Recovery point objective (RPO) / backup frequency.
RPO measures the maximum period in which recent data can be lost. For instance, if you only back up data on a weekly or monthly basis, you could potentially lose a full week or month of work if an incident happens. However, backing up legacy or old data too often will be costly and time consuming. So, define your backup frequency for your different installations and databases. A workstation / PC might need a weekly backup, while CRM systems will need a daily backup (if not more often).
2) Define backup & recovery priority
Every single person in the organization tends to believe that his or her data is the most important. The truth is very different. A week-old e-mail tends not to be as important as a freshly signed contract with a new customer. Therefore, you should prioritize your recovery procedures and have fixed definitions of what data to prioritize if an incident happens and you need your backup data.
3) Protect your data
As defined in the section regarding security, it is very important to protect your data. In addition to the factors defined earlier, you should know exactly who has access to the data, where it is stored, whether the data is encrypted on premise, and whether it is still encrypted when it is being transferred to your own datacenter / cloud. Also, define the ownership of the data.
4) Specify restore times / recovery time objective (RTO)
RTO is the targeted duration of time within which your business processes must be restored. The lower the time, the better, as business continuity will be faster with short RTOs. Again, it will be worthwhile to address the RTO in separate stages as you address the priority list.
5) Document the entire journey
It is beneficial to have the company’s backup and recovery journey documented, so that knowledge will not be lost when employees change or when you simply forget because you have not touched the system for the past 5 years.
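The SLA points above (RPO, recovery priority, encryption, RTO) can be checked mechanically against a backup inventory. The following is an added example, not part of the original article; the system names, targets and timestamps are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: names, targets and timestamps are assumptions.
NOW = datetime(2024, 6, 10, 8, 0)
INVENTORY = [
    {"system": "crm-db", "priority": 1, "rpo": timedelta(days=1),
     "rto": timedelta(hours=4), "last_backup": datetime(2024, 6, 7, 23, 0),
     "encrypted": True},
    {"system": "erp", "priority": 2, "rpo": timedelta(days=1),
     "rto": timedelta(hours=8), "last_backup": datetime(2024, 6, 10, 1, 0),
     "encrypted": False},
    {"system": "workstation-17", "priority": 3, "rpo": timedelta(days=7),
     "rto": timedelta(days=2), "last_backup": datetime(2024, 6, 5, 20, 0),
     "encrypted": True},
    {"system": "mail-archive-2014", "priority": 4, "rpo": timedelta(days=30),
     "rto": timedelta(days=3), "last_backup": None, "encrypted": True},
]

def audit(inventory, now):
    """Return (system, priority, issues) for every system that breaks its
    targets, ordered by recovery priority (1 = restore first)."""
    findings = []
    for item in sorted(inventory, key=lambda i: i["priority"]):
        issues = []
        last = item["last_backup"]
        if last is None:
            issues.append("no backup recorded")
        elif last > now:
            # A future timestamp means the catalog or a clock is wrong.
            issues.append("backup timestamp is in the future")
        elif now - last > item["rpo"]:
            # Everything written since the last backup would be lost today.
            issues.append(
                f"RPO exceeded: {now - last} of data at risk, target {item['rpo']}")
        if not item["encrypted"]:
            issues.append("backup is not encrypted")
        if issues:
            findings.append((item["system"], item["priority"], issues))
    return findings

if __name__ == "__main__":
    for system, priority, issues in audit(INVENTORY, NOW):
        print(f"[priority {priority}] {system}: " + "; ".join(issues))
```
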
Advice no. 3: Consider finding an external backup-as-a-service (BaaS) or disaster-recovery-as-a-service (DRaaS) provider, and define the collaboration clearly to be as safe as possible.
Time well spent
As stated at the beginning of this article, it takes some time to figure all of these factors out. Backup and recovery is not just the process of backing up your data. Setup, security and service are factors that need to be considered. Our list of advice can function as a starting point for assessing your own environment and addressing action plans in case of disasters and security breaches.
As a market research agency specialized in the field of IT, finance and insurance, we conduct thousands of qualitative interviews every year. Our market research provides us with valuable insight into industry-specific markets. It also allows us to create detailed hands-on data for businesses:
Did you know that 8 of 10 companies can optimize their backup and recovery?!
… but only 4 out of 10 have plans of doing it!
Therefore, we encourage you to make a proper analysis and examination of your business’ requirements, and evaluate your current situation and protocols. It is time well spent!
Lasse Rasmussen is managing partner of the company. Besides his administrative competencies Lasse has worked with creating and utilizing marketing insights in the Nordic markets since 2011.
His MSc EBA within international Marketing & Management from Copenhagen Business School is supplemented by courses in statistics and econometrics from Copenhagen University. Lasse is the company expert in developing questionnaires, work methods and projects for the company’s clients and sponsors.