
Backup and Recovery Concerns Mount

By Tom Schmidt

IT personnel are more concerned about backup and recovery issues than they were a year ago.

That's the key finding of two surveys released last September. The surveys, conducted by storage consulting firms Coughlin Associates and Peripheral Concepts Inc., were based on data gathered from more than 1,000 IT sites, representing companies from 10 industries and a wide range of revenues.

Both surveys found that the consequences of business downtime are changing. The co-author of the two surveys attributes this change to "the liability associated with new regulatory mandates, a harsher economic climate, and greater concern about major disasters, among other factors."

The findings show that firms are putting a high value on backup and recovery. For example, 26 percent of respondents said that the cost of downtime at their organization is $10,000 to $100,000 per hour; 15 percent said it's $100,000 to $1 million per hour; and 9 percent said it is greater than $1 million per hour.

In addition, the surveys found that users want to add disk backup capacity to deal with this. A total of 665 respondents reported that their use of SCSI drives would rise by 26 percent in the foreseeable future; their use of ATA drives would increase by 23 percent; and their use of nearline tape solutions for backup would grow by an anticipated 18 percent.

Despite these concerns, however, 17 percent of those surveyed said they still do not have a disaster recovery facility.

The survey findings support research by Gartner Inc., which has observed in recent reports that the shift in focus from "time to backup" to "time to recovery" continues to gain momentum, and that the use of replication and newer disk-based backup solutions will escalate.

The push for continuous data protection

Both the surveys and the research reports are being used by numerous observers in the storage industry to bolster their calls for what is seen as the wave of the future: continuous data protection, or CDP. Thanks to innovative replication techniques and the availability of cheaper disk storage, CDP holds the promise that businesses can recover critical data quickly or completely enough to survive a disaster.

Acknowledging that data protection technologies have evolved from simple backups to advanced techniques like mirroring, snapshots, and remote replication, the Storage Networking Industry Association (SNIA) in February 2005 announced the formation of a CDP special interest group. The group hopes to unify the CDP market by developing and promoting standardized terminology to describe the technology, practices, and features of data protection.

Today's regulatory climate

The growing urgency of backup and recovery issues comes as enterprises are increasingly under regulatory pressure -- the governance requirements of Sarbanes-Oxley, the privacy requirements of HIPAA, the homeland defense measures of the USA Patriot Act, the European Data Protection Act, the procedural rules of FDA drug development and testing policies, the new e-commerce laws passed in over 40 countries around the world, not to mention FISMA, GLBA, and NERC.

This regulatory climate requires CIOs to implement policy, process management, monitoring, audit, documentation, and reporting solutions that can ensure accountability, transparency, and compliance. Failure to comply can result in lost business and customer confidence, in addition to financial and legal liability.

No surprise, then, that storage management software sales totaled $5.6 billion in 2004, a 12.3 percent increase that Gartner and others attributed to the increasing demand placed on corporations by federal compliance rules. (Gartner expects the worldwide storage management software market to grow another 12 percent in 2005, reaching $6.3 billion.)

Balancing security and availability

For today's IT department, the challenge is clearer than ever: support the business goals of the enterprise by ensuring the security and accessibility of its information assets. Anything that disrupts this security and accessibility creates downtime, and downtime costs companies money. And when disruptions do occur, IT departments need to get the enterprise restarted and restored to the "moment before" state as rapidly as possible, without risk of repeating the same failure.

Protecting that valuable information in today's threat environment requires a new approach. The ideal approach, of course, would be to keep information as secure as possible, while also making it available to the users who can maximize its value. Both attributes are needed because information that is available but not secure is suspect, while information that is secure but not available is useless.

Establishing and maintaining the balance between security and availability requires enterprises to understand their environment, act to protect it, and control it on an ongoing basis.

  • Understand: First, enterprises need to understand the state of their information environment. That means assessing the risk against the latest vulnerabilities, exposures, and threats. Early warning systems provide critical information about the external threat environment. Understanding also means knowing what systems are authorized and connected to the network, which applications are deployed, and what personnel are logged on. In addition, enterprises should know whether patches are up to date and whether system and data backup procedures are being performed regularly.
  • Act: Once enterprises understand what's happening in their environments, they must protect their information assets while minimizing the risk of disruption. Acting to protect assets involves shielding information from attack, mitigating threats, fixing errors, and recovering from incidents when they happen. Protection technologies such as antivirus, antispam, and intrusion-prevention technologies should block threats automatically and be able to receive updates in real time. Patch management systems are also key so that organizations can rapidly update software at the discovery of a new vulnerability. And it's important to trigger frequent backups when a threat is on the horizon to ensure that systems can be brought back online quickly, minimizing downtime and loss of information.
  • Control: Enterprises must also be able to control their environment. They need to maintain and monitor their infrastructure on an ongoing basis, ensuring that they understand the external threat environment and their internal security posture. In addition, they should have remediation capabilities that automatically distribute software and content updates and patches in response to a threat or vulnerability. Control also means having asset management capabilities that help prioritize remediation based on the most critical assets, and having selective restore capabilities to allow for timely recovery of critical assets.

Conclusion

How important is it that you ensure the security and availability of your information assets? According to the U.K.'s Department of Trade and Industry, 70% of companies go out of business after a major data loss. That's why it is no exaggeration to say that, in many ways, your information is your business.

No matter how good your network is, data loss and system crashes are inevitable. And no matter what the cause, when business information is not available, every minute of downtime costs money. That's why businesses need to have a backup and disaster recovery plan to get back up and running within minutes, not hours or days. When it comes to business continuity, a comprehensive backup and disaster recovery solution should be an integral part of your backup and disaster recovery plan.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
