Hurricane Sandy, Black Forrest fire, 6.0 earthquake hits Napa Valley – major catastrophes strike large population centers, business are damaged and even destroyed. Even after these major events, many of which make international news, numerous companies have all of their corporate data in the same building, and, in many cases, the same room.
No matter what the business goal or high level requirements, organizations must take action, intelligent action, to protect critical data. While this may seem like common sense, it’s amazing how often companies fail to perform even the most basic protection.
Nearly every business has a policy in place to cover disaster recovery, a catch all phrase to cover the need to restore data should trouble occur. In reality, disaster recovery is piece of a larger concept that includes high availability and business continuity. All of these concepts revolve around two basic ideas: recovery point objective (RPO) and recovery time objective (RTO).
There’s a tradeoff between potential for data loss, duration to recover, and cost. Certain businesses require high availability, the idea of near zero data loss and near zero downtime. Examples include financial industries, healthcare, and most organizations that utilize transactional actions in data processing. In other words, anytime one has a need to trace an action from start to finish there needs to be a way to have near zero data loss and more times than not, no downtime.
Business continuity is a step down on both RPO and RTO from high availability. The idea here is not about instantaneous recovery, it’s about making sure the business can continue to function after catastrophe hits. VMware and similar technologies using redundant infrastructure do a great job of providing business continuity; the key, how this environment is set up and over what distance, if any at all.
Disaster recovery covers both high availability and business continuity. Disaster recovery can also simply include a copy of data that sits on tape or a storage area network. The key here, where does that data reside. Having a copy of the information in the same location as the source data won’t offer protection against nearly every major catastrophe. This “old school mindset” really only protects a business from power outage, data corruption, or system related outages. Does your business implement this simplistic disaster recovery method?
Hurricane Sandy devastated the east coast in 2013 and a number of hospitals were directly impacted. One facility, a client at the time, shut their doors after the storm due to massive damage. I recall their data center was in the basement and water rose to the 5th floor; everything in the data center was destroyed. Without offsite data storage, not only would this hospital be out of business, they would have no way to run down their accounts receivable to obtain payment for services rendered.
While working with a global storage provider that was within a couple miles of the most devastating fire in Colorado history, I found out they have zero data protection outside of their server room. If the building burned down, as did so many others during this catastrophe, this company would’ve gone out of business. Data is key, protecting it is fundamental.
The recent 6.0 earthquake in Napa Valley shows the need for not only private industry to understand and implement realistic and attainable disaster recovery, Government must do the same. When certain disasters strike they can impact our infrastructure including gas, electricity, and transportation. Computer systems run large amounts of critical systems including transportation signals, lighting, and gas and electric power to the populace. Without proper disaster recovery with the necessary RPO and RTO in place, a community can suffer major impact. Government cannot only consider physical infrastructure when preparing for disaster, they have to understand the information technology impact as well.
A major impetus in creating this article revolves around the discrepancy between what a business believes they have in place versus what truly exists. So many organizations, often up to and including board of director requirements, create extensive disaster recovery plans. Unfortunately, oftentimes significant variance exists between what the business says they want, and what’s actually in place. Third party audits are critical to help close this gap. Before that audit can occur though, leadership has to know about and acknowledge the gap. Education is key; know there’s a problem and act!