Disaster Recovery & Business Continuity: Protecting Your Organization

Between cyberattacks, power outages, human error, and Mother Nature herself, organizations face the risk of losing data, customers, and the public’s trust every day. Because it’s not so much a question of if a disaster will strike, but when, many have begun to put plans into place to ensure ongoing security, often in the form of disaster recovery (DR) and business continuity (BC).

While many organizations consider DR and BC one and the same—and they do strive to achieve the same goal—they are not interchangeable. It’s very possible to have a DR plan without a BC plan, but not the other way around. So, while these two plans are similar in nature, they are both required for full protection during and after a disaster.

1. Defining Disaster Recovery

Disaster Recovery Solutions: As the term “recovery” suggests, DR involves the actual work of getting an organization’s systems running after a disaster. Its focus is on the restoration of IT functions and accessing backups.

Part of a full DR plan is having a Recovery Time Objective (RTO, as in how much time can pass during a disaster before it affects your Business Continuity Plan) and a Recovery Point Objective (RPO, the maximum acceptable amount of data loss an application can undergo before causing measurable harm to the business). We’ll go over those in more depth in Chapter 5.

For a DR solution to work properly, the following elements are required so that the company can quickly get back on its feet following an incident:

  • Application front-end (client-side or web design) and back-end (server-side) backup databases
  • Multiple Domain Name System (DNS) servers to redirect traffic to if necessary
  • Dynamic Host Configuration Protocol (DHCP) to maintain IP address assignments
  • Active Directory (AD) to replicate the domain controller to a recovery site
  • Mail service backups in the cloud or within an email continuity portal where email history is accessible and new emails can be directed to.

Additionally, all employees should know their role in the DR plan for it to be functional. DR is a piece of BC but isn’t all of it. A full BC plan needs to be put in place to ensure the business remains operational during and after a disaster.

2. Defining Business Continuity

BC planning takes a lot of preparation to ensure that when a disaster strikes, critical business functions don’t go dark. Each arm of an organization will have different functions that are considered critical, and figuring out what those are is part of the process. 

Typically included in any effective BC plan is ensuring business applications, phones, network connections, servers, and network drives remain active with no downtime. Additional components of Business Continuity Management include:

  • Disaster Recovery
  • Data Backup, maintaining three copies of data (two independent internal storage mediums and one external medium)
  • Emergency power sources, such as Uninterruptible Power Supply (UPS) equipment that provides emergency power to workloads if the main power source fails, and Redundant N+1 Generators that ensure the UPS system is always available by using an additional module to supply power if needed.
  • Hot sites with operational workstations that employees can use to perform their work if the main work site is non-operational

3. Business Continuity Best Practices

Before delving further into Disaster Recovery as a component of Business Continuity, let’s take a look at the bigger picture of BC and best practices for maintaining it.

Perform periodic risk assessments. Risk management needs to be a priority for all organizations. Even if resources are stretched thin, it’s worth it to find the money, time, and manpower or risk considerable damage. Here are some areas that should be evaluated:

  • Compliance
  • System inefficiencies
  • Software upgrades
  • Onsite and cloud workloads
  • Security and recovery protocols

Automate your entire BC plan. Too often, organizations leave certain aspects of their BC plan reliant on manual processes to keep data and applications running, which can jeopardize continuity even for those that have planned for recovery at remote data centers. In the event of a hurricane, for example, IT personnel may not be able to respond because they’re dealing with their situation at home, or may not be able to come in due to a lack of public transportation, blocked roads, or gas shortages, which highlights the importance of automating failover, recovery, and restore steps.

Ensure virtualized infrastructure is fully protected. While virtual servers, storage, and desktops help reduce exposure to service interruption, they’re not immune to it, so putting in place a sound backup strategy for virtual machines is important. This should be an end-to-end business continuity planning (BCP) strategy across the virtual and physical infrastructure. It can also benefit an organization to use application availability tools that seamlessly integrate with leading virtualization software like VMware.

Test, and retest, BC plans. Testing BC plans is almost as important as the plans themselves. Organizations should regularly (once per quarter and following any organizational changes) test their full software stack to ensure that there will be immediate availability of mission-critical applications following an incident. It’s important not to call it a day following the testing of core software components such as the database and operating system; if essential applications don’t reliably failover to backup servers right away, financial losses are inevitable.

Choose a geo-diverse data center. Many organizations like to have their data center near them; they like to know that they can go there and physically see their servers. However, if the location of a data center is too close, a regional problem, such as a storm or an outage, could affect the organization and its data center, bringing operations to a halt. One way organizations can avoid this scenario and keep their data center within arm’s reach is by choosing a third-party provider that has geo-diverse locations; this means that they’ll house your servers locally, but in the event of disaster, they can reroute their client’s data to a location further away, even in a different state, to keep it accessible.

Prioritize BC functions. Deploying a BC solution comes with a price tag that not all organizations are financially equipped for. To avoid overspending, organizations should perform an in-depth analysis of their core business processes to determine which applications must be available immediately, which can be offline for a few hours, and which may be able to wait even a day or two. For example, most organizations will need their customer-facing and compliance-centric applications restored right away, while a marketing automation application that sends emails or a newsletter can probably be restored through secondary storage systems when the team can get to it.

Integrate mobility into the BC plan. As at most organizations, chances are that many of your employees bring their own devices to work, or work remotely. This means that employees, contractors, vendors, and customers will be able to continue to work or do business even if the main facility has lost power; it also means that BC planning must account for these devices and business processes in order to allow them to do so.

4. What is a Disaster Recovery Plan?

An essential part of BC, a DR plan is a living document that details the precautions that must be taken to mitigate the effects of a disaster, while describing the step-by-step approach the organization will take to get back to business quickly in the aftermath of the event. DR applies to the operations of the organization that are dependent on a functioning information technology infrastructure, with the goal of resolving data loss and recovering system functionality so that it can perform, even at a minimal level just temporarily, following an unplanned incident. Think of it as a “roadmap to recovery” that includes details of how an organization can get back on its feet after any of the following:

  • Application failure
  • Communication failure
  • Data center disaster
  • Building and/or campus disaster
  • Citywide, regional, national, and international disaster

As with the full BC plan, the DR plan should prioritize applications to ensure the most mission-critical can be up and running immediately, while less important applications can be restored in time (this will involve the aforementioned RTO and RPO to be covered further in Chapter 5). Other considerations include budget, insurance coverage, resources (both people and physical facilities), technology, data, compliance requirements, and other involved parties, such as suppliers. Gaining management’s buy-in on these recovery strategies is also important, as they need to closely align with the organization's overall goals. 

Another component of the DR plan is identifying the incident response team and what their roles will be, as well as creating a communications plan. This must detail how both internal crisis communication (e.g., updates on the progress of the situation) and external crisis communication (e.g., informing stakeholders, clients, or the public as to the status of the disaster) will be managed.

Disaster Recovery Solutions

Once the DR plan is in place, an organization will often turn to DR solutions. A good DR solution replicates an environment; if there is a major disruption, an automatic failover transfers the management and operation of the infrastructure to a secondary machine and site to keep the applications and organization online. The servers will then run off the disaster recovery site until the primary facility is back online and capable of resuming system functionality. It’s important to note that disaster recovery options come in all shapes and sizes. Synchronous solutions replicate data in near real-time, making them the most comprehensive, but generally most expensive, option. On the other hand, asynchronous solutions have more delayed duplication, which makes them less expensive but also means that some of the most recent data may not be recovered.

It used to be that when it came to DR—based on their budgets—organizations often had to risk everything and do without a DR, or invest hundreds of thousands, or even millions, into off-premise real estate to house servers or tapes backing up their data. Fortunately, today they can opt for Disaster Recovery as a Service (DRaaS). DRaaS is a service offered by a third-party cloud provider that allows organizations to house data within their cloud backup solution without having to maintain their own storage infrastructure; instead, organizations can configure a cloud account to continually back up the most recent instances of servers and simply switch them on if the primary servers at the local sites fail.

Today, DRaaS has become a key component in many organizations’ BC plans as it enables them to quickly and cost-effectively recover critical business applications in the aftermath of a disaster. It can be especially beneficial for organizations that aren't specialized in information technology that need the experience and expertise of a cloud provider with the staff and resources needed to mitigate disaster.

5. Recovery Time Objective & Recovery Point Objective

A disaster recovery strategy should start at the business level by determining which applications are most important to running the organization. The Recovery Time Objective (RTO) is related to downtime. It states how much downtime an application can experience before there is a measurable business loss. With most organizations estimating that downtime costs between $300,000 and $400,000 per hour, it’s important to strive for a zero RTO, which is the fastest way to be back up and running. When considering a third-party cloud provider, it’s important to look at their “nines,” which indicate how much downtime you can expect throughout the year. For example, 99%, or “two nines,” results in about three days’ worth of downtime per year, whereas 99.99%, or “four nines,” lowers downtime to a much more acceptable 50 minutes per year.

The Recovery Point Objective (RPO) is related to data risk. It refers to the maximum acceptable amount of data loss an application can undergo before causing measurable harm to the business. A zero RPO is also ideal, though less realistic. By prioritizing applications, organizations can work toward zero for critical applications while accepting minor loss for less important operations.

To achieve zero or near-zero RTO and RPO, organizations want aggressive recovery speeds that follow a continuous data protection (CDP) model rather than periodic backups. A CDP replicates data every single time a change or transaction is made, so there is always a backup of the most current data at any given time. In addition, should data become infected by a virus or become mishandled due to human error, the organization can always revert back to the last “clean” snapshot of data.
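One way to check a backup history and a failover test against the RTO and RPO objectives described above, and to pick the last clean recovery point after an infection. This is an added example, not code from the original page; the application names, objective values and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed objectives for two hypothetical applications (assumed values).
OBJECTIVES = {
    "billing-db": {"rpo": timedelta(minutes=5), "rto": timedelta(minutes=15)},
    "newsletter": {"rpo": timedelta(hours=24), "rto": timedelta(hours=48)},
}


def worst_case_data_loss(recovery_points, now):
    """Largest window of changes that a restore could lose.

    A failure just before the next recovery point loses everything since the
    previous one, so the exposure is the widest gap between consecutive
    points, counting the gap from the newest point to `now`.
    """
    points = sorted(recovery_points)
    if not points:
        return None
    gaps = [later - earlier for earlier, later in zip(points, points[1:])]
    gaps.append(now - points[-1])
    return max(gaps)


def last_clean_point(recovery_points, compromised_at):
    """Newest recovery point taken strictly before the compromise time."""
    clean = [p for p in recovery_points if p < compromised_at]
    return max(clean) if clean else None


def audit(app, recovery_points, measured_failover, now):
    """Compare backup history and the last failover test with the objectives."""
    objective = OBJECTIVES[app]
    findings = []
    exposure = worst_case_data_loss(recovery_points, now)
    if exposure is None:
        findings.append("RPO missed: no recovery points exist")
    elif exposure > objective["rpo"]:
        findings.append(
            f"RPO missed: exposure {exposure} > target {objective['rpo']}")
    if measured_failover is None:
        findings.append("RTO unverified: failover has never been tested")
    elif measured_failover > objective["rto"]:
        findings.append(
            f"RTO missed: failover took {measured_failover} > target {objective['rto']}")
    return findings


if __name__ == "__main__":
    # Constructed history: hourly backups for billing, daily for newsletter.
    start = datetime(2024, 1, 10, 0, 0)
    now = start + timedelta(hours=2, minutes=30)
    hourly = [start + timedelta(hours=h) for h in range(3)]
    daily = [start - timedelta(days=d) for d in range(3)]
    print(audit("billing-db", hourly, timedelta(minutes=10), now))
    print(audit("newsletter", daily, None, now))
    print(last_clean_point(hourly, start + timedelta(hours=1, minutes=30)))
```

Hourly backups leave the hypothetical billing database an hour of exposure against a five-minute RPO, which is the gap that continuous data protection closes.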

6. Data Backup

Some organizations operate under the falsehood that because they back up their data, they have a DR solution. Unfortunately, backup alone is not enough, and can leave an organization vulnerable in the event of an unplanned incident.

Backups work by providing quick and easy access to data in case of smaller disruptions like outages, lost equipment, accidental deletion, or hard drive crashes. This solution copies the existing information to a second storage environment. There are, however, a few drawbacks to relying on backup solutions as a failsafe. Most backups are only performed periodically, and with over 2.5 quintillion bytes of data being generated every single day, most organizations processing heavy loads of data are bound to lose a significant amount because they can only restore data up to the previous backup. As a response, cloud-based backup options are becoming more popular as data center providers can offer near real-time data replication at off-site locations. In some cases, these solutions are more cost-effective and reliable for business needs.

In most cases, the best solution involves both backups and DR.

A solid backup plan that keeps data accessible is helpful for minor disruptions, but without a larger, more comprehensive strategy, it can cause all sorts of challenges. For instance, if an organization collects, stores, or transmits information that requires strict CJIS or HIPAA compliance, this data must be immediately accessible in the event of a disaster, which might not be possible with basic backup solutions. For this reason, it’s always best to incorporate basic backup under the umbrella of a larger DR strategy to ensure more comprehensive protection.

7. Benefits of DRaaS

Disaster Recovery as a Service can help organizations without a DR plan, or those struggling with them, to acquire the safety and security they need. Here are ten ways DRaaS makes it possible.

Ease of Implementation. Creating and implementing DR can be complex and time-consuming. Plus, it will occupy the time of an organization's skilled IT team leaving them less time to focus on improvements and other money-generating tasks. DRaaS simplifies the process, and can be seamlessly integrated into an organization’s internal architecture.

Scalability. In the past, organizations relied on their own hardware infrastructure, but costs could hamper growth and failure to support it often led to security gaps. With DRaaS, there’s no need to purchase additional servers or look into additional safety and recovery protocols; instead, the provider allocates additional space needed to expand and secure the environment. Most providers can ramp up quickly—within 24 hours.

Access to Experts. Not all organizations have an army of IT experts ready to tackle recovery in the aftermath of a disaster. With a reputable DRaaS provider, organizations have immediate access to highly skilled and certified cloud computing professionals who will be ready to answer questions and offer support.

Fast Recovery Speeds. Left to their own devices, organizations can be at the mercy of their own power grid and a potentially ill-prepared IT team. With today’s DRaaS models offering zero or near-zero RTO and RPO, organizations can recover quickly with most or all data retrieved.

High Levels of Security. While DRaaS focuses on recovery, there are also preventative security measures that can be taken by top data centers to ensure server safety, including:

  • Redundant N+1 Generators
  • Redundant uninterruptible power supply (UPS)
  • Computer room air conditioning (CRAC) 
  • Physical security features with dual authentication (HID card, PIN, biometric access)
  • Encryption for data-at-rest and data-in-flight
  • Fire suppression systems
  • 24/7 surveillance with motion cameras and alarmed man-traps
  • Location outside flood and wind-blown debris zones 
  • Hurricane structure rated facilities
  • Geo-diverse locations

DRaaS can also offer checkpoint options for recovery every step of the way. For example, when an attack is recognized, replication hits the pause button—stopping infected data from spreading. Then, organizations need only implement their DRaaS plan to wipe IT systems and reboot them with DR copies to retrieve the most recent, clean copy of data. 

Compliance. The demands of regulatory agencies and standards bodies such as CJIS and HIPAA are continually evolving, making it difficult for some organizations to keep up. With the right DRaaS provider, this becomes a non-issue, as they monitor changes and make adjustments to ensure their clients are always in good standing.

Internet Accessibility. Remote employees are the new reality, but a disaster at the main office can negatively impact connectivity everywhere. However, because DRaaS happens in the cloud, approved personnel can still access their portal anywhere with an internet connection regardless of what is happening at headquarters to ensure business continuity.

Convenience. Disaster planning used to be quite an undertaking; it meant that an organization would have to physically move data to a far-away offsite location that was out of harm’s way, and likely not experiencing the same disaster. This incurred costs to maintain the offsite location as well as data storage. Following a disaster, accessing data resulted in long downtimes, displaced employees, and unhappy customers. With DRaaS, organizations are able to store their most critical data offsite within a secure, cloud-based facility, giving them access despite distance. This allows remote workers to work seamlessly with others, in real time, whether at home, on the road, or overseas.

Better Focus. Organizations with an expert IT team may think DRaaS can be handled internally. While that may be true, that leaves experts focused on disaster recovery planning, which is a full-time job. With DRaaS, organizations gain access to external IT experts so their internal team can focus on critical IT functions that support the big picture—growing the business!

Cost Benefits. There are five ways that DRaaS can have a positive impact on an organization's bottom line:

  • No Capital Costs. DRaaS transforms what could be CapEx into OpEx. Rather than maintaining the ongoing cost of equipment repair and replacement for security purposes, providers take care of hardware and its management, saving organizations from having to make large investments in equipment, real estate to house it, and security.
  • Pay-As-You-Go. As an OpEx, DRaaS follows the pay-as-you-go pricing model; organizations pay only for what they use, much like a utility. This also cuts the costs associated with overpaying for the security of unused capacity. 
  • Economies of Scale. With DRaaS, resources are shared with thousands of other organizations, so costs are spread out across each organization, lowering pay-as-you-go costs. In addition, with all customers operating on the same back-end infrastructure, DRaaS providers have a vested interest in keeping things running smoothly and securely.
  • Lower Utility Costs. Cost will vary depending on the type and the amount of equipment an organization needs maintained, but the potential utility savings are huge when considering that most organizations keep their systems running day and night, 365 days per year; instead, these costs can be offloaded onto the provider.
  • Plough Back Benefits. Using a DRaaS provider doesn’t just save money—it can help make money. A recent Microsoft survey found that 70% of organizations reinvested cloud savings back into their business, helping bring on new talent and drive product innovation to grow the company.

8. Choosing a Cloud Provider

When choosing a cloud provider for business continuity and disaster recovery it's important to note that not all providers are created equal. While many may claim they can help you recover from a service interruption, there’s a big difference between simply offering remote backup storage and providing the essential combination of hardened infrastructure, disaster recovery tools for backup, archiving and restoration of data, multiplatform storage management and proven expertise in failover to geo-diverse locations. A transparent billing structure should also be provided. 

At DSM, we offer bundled and customized cloud services for CJIS, Government, and Commercial business. No matter which path you choose, our goal is to put you on an operationally and financially safe path and to have you up and running in no time. To learn more about DSM for your cloud journey, visit us online or contact us today.