Fine Tuning Corporate Data Protection: Are We Ready?

After Hurricane Katrina, businesses pursued disaster recovery (DR) and business continuation strategies in earnest. The result is that many more companies today are better prepared than they were two years ago. However, some of the traditional DR pitfalls remain. This is because disaster recovery plans operate on the back burner when everything is going well and take center stage when the company is flung headlong into disaster. Most of the time, DR does not gain the ear of C-level executives until a business interruption strikes. The planning and the execution of data recoveries are orchestrated by mid-level personnel in IT and business operations.

The bottom line: disaster recovery plans operate like "insurance policies" that only become valuable when a company runs into disaster — although industry regulators, legal experts and others have now placed new demands on sites.

"Some of these regulatory demands are in areas like data retention and archiving, especially with the growing importance of email and data retention in compliance and litigation," said Steve Rodin, president and CEO of Storagepipe Solutions (www.storagepipe.com), an online backup, recovery and data protection firm.

The challenge is finding internal IT staff that is qualified in the new areas of data protection that regulators are looking for--whether it is backup/recovery or archiving.

"We still see an IT skills shortage that is very acute in the area of data protection," said Rodin. "Especially in small and medium sized businesses, individuals are arbitrarily assigned the responsibility for DR — but they have no specialized training for it. SMBs are overloaded and they also have smaller staffs. It's easy to see where data protection and disaster recovery can fall to the bottom of the to-do list."

CURRENT CORPORATE READINESS

Rodin says his company gets many calls from SMBs and from large enterprises tasked with backing up, restoring and maintaining the data of many remote offices. By outsourcing to a company specializing in backup, recovery and archiving, these businesses can focus on their day-to-day activities without worrying about business interruptions if and when they occur.

"Regardless of company size, there are some major areas in data backup, recovery, archiving and protection that are still evolutionary," Rodin said. "For instance, most companies have not taken the approach yet to separating their data into data that is absolutely mission-critical and must be instantaneous--and older data that should be archived--and obsolete data that should be purged. Consequently, we see companies expending more resources and backing up more data than they should."

Rodin says that any corporate storage management strategy should address data archiving as well as backup and recovery. This is because industry regulators are demanding that companies retain their data for longer periods of time--and regulatory and legal requests require that this data is easily accessed.

JUSTIFYING THE ADDITIONAL INVESTMENT IN DATA PROTECTION

Hurricane Katrina made it easier for corporate IT to solve an age-old problem — getting a budget commitment from corporate management to go after traditionally "invisible" projects like disaster recovery. Katrina also made the scenario of C-level executives assessing damages to their businesses and having to talk to stakeholders and the press about what was going to happen painfully realistic.

Once the DR money is spent, and new DR strategies have been implemented, how does the CIO go back for additional investment in data protection? The answer rests in the areas of return on investment and risk management, coupled with higher expectations from industry regulators.

"Companies constantly ask us about what they can realistically expect in ROI," said Storagepipe's Rodin. "We tell them that they can start by projecting that they can save 30-50 percent off the top of their existing operational processes for backup, recovery and data protection when they outsource because they're no longer required to purchase, lease and maintain backup software and hardware resources. They also eliminate operational expenses for tape pickup services and other related charges to backup, recovery and storage of data. The IT staff manpower needs for backup, DR and data protection are greatly reduced. IT also has help in mitigating the current knowledge gaps on their staff in data backup, recovery and protection."

Rodin noted that SMBs often look for an affordable turnkey solution for data protection, backup and recovery, which makes outsourcing those functions very attractive. Even large enterprises look for outsourcing assistance in DR and data protection, because they have many satellite offices and facilities that must have localized disaster recovery and data protection plans.

"We often find that enterprises are challenged to maintain current backups for their remote offices and locations," said Rodin. "They ask us to provide online backup and recovery services for these sites, and we respond by providing state-of-the-art services that mesh well with their overall corporate disaster recovery data protection. We give these organizations comprehensive reports of all data backup, recovery and protection activity. Because we cover virtually every piece of hardware and software in the IT environment, from mainframes to end user devices, we can also provide data backup, recovery and protection services to enterprises that include the corporate data center."

New regulatory and risk management pressures now call for advanced data protection that involves the integration of data archiving with online backup.
Point-in-time data snapshots are required for compliance. Data archiving and retrieval might have to support a data "shelf life" of more than 30 years.

To address the challenge, many companies are keeping more data offsite. In an online offsite storage strategy, vendor-stored data is controlled with an additional layer of security and most likely a different security protocol from what the client company uses. This adds protection to the data. At the same time, businesses avoid corrupted data--or people internally deleting or manipulating data. Offsite storage vendors also typically encrypt data--while most client organizations do not.

"We work with clients on their audits to ensure absolute compliance — whether we are working with HIPAA, SEC or other regulatory guidelines," said Rodin. "Security is always critical. We use IBM Tivoli software for backup, recovery and data protection, along with our internal expertise and practices to ensure the highest levels of security possible. For our clients, we offer an authentication model built on a challenge and response mechanism that confirms user identification and access privileges. We even have customers who prefer a direct connection strategy for their IP communications that uses T1 or fibre lines that circumvent standard Internet-based traffic. We can use virtual private networks (VPNs) and government grade AES (advanced encryption standard) encryption, depending on the client's needs."

BEST PRACTICES FOR DATA PROTECTION

The demands of regulators, real world threats like Hurricane Katrina, and virtual world threats like Internet breaches and data compromise have alerted most companies to the need for strong data protection and archiving methods that go hand in hand with disaster recovery. Nevertheless, the challenge remains the same: freeing up the necessary people internally to work on these issues — and ensuring that they have the right training to do a job that is relatively new.

Below are four key recommendations for data protection:

Define the data to be archived as well as your real-time backup data. A reputable outsourcer or consultant will have analytic tools that can help you determine which data is needed on a daily basis, and which can be archived. If you do not have a clear idea on what should be archived, check with the consultant or service provider. Frequently, they have experience that they can share to help you sort through data and define a strong archiving strategy that will complement your DR.

Email retention requirements have grown as email has become more important for compliance, discovery and litigation processes. Most companies now have policies that govern email retention, with a majority settling on a retention length of seven years. Make sure that your company has these policies--and that they are thoroughly communicated to general employees as well as to IT.

Regularly test data backup and recovery. These tests will help you quickly identify and plug any holes in your backup and recovery. If you work with an outsourcer, be sure to clarify your RPOs (recovery point objectives) and RTOs (recovery time objectives) upfront. Most customers prefer a nightly RPO, but others require RPOs several times daily, and still others require real-time, continuous data backups for their businesses. These expectations should be central ingredients in your SLA (service level agreement) with the vendor.

"Also, check references," said Storagepipe's Steve Rodin. "Even if an organization has a strong SLA, you need to trust the people whom you are dealing with. The service should meet your needs for data protection, hardware and software support at the vendor site and be of enterprise class--because the outsourcer should be able to grow with you, and to be able to support a diversity of platforms."

ENS Mary Shacklett is a PCI contributing editor specializing in technology and enterprise IT issues. She is president of Transworld Data, a business strategic planning and information technology company in Olympia, Wash. Shacklett may be contacted by e-mail at