Disaster recovery systems are no longer something that only financial institutions are concerned with, says Jerry Vochteloo, principal technical architect at Symantec Asia-Pacific.
While a key driver for financial organisations is compliance with regulations, especially after September 11, businesses in other sectors are beginning to see the benefits of business continuity and disaster recovery solutions, he says.
“More and more businesses are starting to realise that their IT systems are an essential part of their business,” he says. “And that is a change for [organisations in the middle market], which were previously not reliant on IT systems.”
But, as organisations grow, paper-based systems are being replaced with electronic systems, and many organisations now realise that they would be in a lot of trouble if they lost their IT systems, he says.
Disaster recovery means different things to different people, says Vochteloo. In some environments, disaster recovery is just a matter of someone taking a back-up tape home every night.
“But, as you start moving up the chain and your recovery-point objectives and recovery-time objectives start getting smaller and smaller, then you need to start looking at automation, clustering locally, and replication across to a disaster-recovery site, for example,” he says.
The first step in installing a disaster recovery system is to look at your organisation’s business processes and find out what is essential to the business, he says.
“Once [an organisation] has worked out what bits of IT are important to the business it needs to start assigning recovery-point objective (RPO) and recovery-time objective (RTO) values,” he says.
RPO refers to the amount of data an organisation is prepared to lose if there is a disaster. If a company runs a back-up every 24 hours it can roll back to where the IT systems were 24 hours ago if there is a disaster and it would have lost 24 hours of work, says Vochteloo.
RTO is how long it takes an organisation to rebuild what has been lost.
“Do I need to have my email back up and running in one hour, five hours or three weeks?” he says. “Once organisations have worked out what RPOs and RTOs they need, they can start mapping [their applications] to different solutions.”
Three or four years ago, disaster recovery solutions were often stand-by systems, says Vochteloo.
“Unfortunately, it’s quite a big cost [to have machines standing by], especially for smaller organisations,” he says. “What we are seeing more and more is dual-use DR. [which means] that organisations find [additional] uses for their DR solutions.”
For example, a disaster recovery site could be used for testing or data-mining exercises, he says.
“And, when a disaster comes, you basically, turn that site into a proper production site. In this way, the cost of disaster recovery comes down, because it’s part of your [everyday] operational environment.”
In the past, when disaster recovery was common practice only in the finance sector, cost was not an issue, he says. But as its use becomes more mainstream many companies are finding they can’t afford to buy and maintain a system that might never be used.
Smaller businesses need disaster recovery, even if they only have two or three servers, and they are very aware of costs, he says.
One of the most important things about disaster recovery is testing, says Vochteloo. “Because it is absolutely no use building a DR solution that, when you do have a disaster, is missing something.”
In addition, Vochteloo recommends automating as much as possible of the DR plan. The more steps, and the more people involved in the plan, the more risk of failure, he says.
“In reality, disaster recovery is insurance,” he says. “You need to look at: if this thing goes down I’m going to lose X amount of dollars and, therefore, I’m willing to invest a portion of that as insurance.”