Disaster Recovery Journal

According to Greek mythology, Procrustus, son of Poseidon, was infamous for offering a restful place to weary travelers on their way to Athens. His service was ghastly for most, due to his unwavering belief that guests should be neither too tall nor too short for the bed he offered. At the Procrustus Inn, if you were too tall or short, he lopped off your legs or stretched you to fit.

If Procrustus were back in action today, perhaps he’d be in the data protection business, offering shelter for corporate data with a one-size-fits-all solution that he so characteristically embraced. His solution would initially appear to be just what the customer needs, but during the implementation, its shortcomings and sacrifices would become apparent. An over-simplified one-size-fits-all solution frequently provides hope at the onset, trepidation during the implementation, yet all too often an unfortunate a dose of reality once disaster strikes.

Take an e-commerce business for example, where online presence is an absolute business necessity. A backup method, such as disk-to-disk, may be sufficient and cost effective for most of the business’s applications without any severe consequences. However, the dangers of this approach will become painfully apparent if a customer-facing e-commerce application goes down during a peak sale day and takes six to eight hours to recover. If this occurs, the business not only delays all sales during this time, but in all likelihood loses most of those sales altogether, as customers go elsewhere rather than wait for the site to come back online. Even more critical, is that the business negatively impacts customer satisfaction, which will hurt future sales.

Furthermore what may be critical for one e-commerce organization may be different for another similar organization, or entirely dissimilar for a hospital (with patient data likely its most important information), or a publishing organization (requiring always available financial data). Rather than looking for a one-size-fits-all approach, each organization must realize that data protection is a complex science that requires it to:

•   Manage conflicting objectives (data preservation, data availability, and budget)

•   Address potential threats (logical corruption, physical damage, and natural disasters)

•   Respond to significant changes (data growth, increasing regulation, and escalating consequences)

Unfortunately, ignoring these complexities of data protection won’t make them go away. While some solutions minimize and oversimplify the business challenge through a single approach, true data protection for an organization operating in today’s world demands a more sophisticated model. Each organization must look at its own unique business challenges and demands and find the data protection solution or solutions that best address its needs today and in the future. 

Need for Full Spectrum Data Protection

Full spectrum data protection is a new methodology that helps make sense of this complex science. It provides a common framework for comparing the current state, assessed needs, and proposed solutions for data protection in a manner that illuminates changes, shortcomings, and inconsistencies. It helps communicate precisely the protection requirements for specific business applications and clearly compares these needs with the attributes of existing and proposed solutions. It designs and delivers a mix of products to cost-effectively address current requirements and provides a roadmap to anticipate and address future needs.

Full spectrum data protection involves five steps: assessment, design, approval, implementation, and testing and maintenance. 

At the core of full spectrum data protection is the clarification of data protection’s most important variables. In addition to cost, there are two primary objectives in data protection – data availability (avoidance of downtime) and data preservation. Too often, these are lumped together, which conceals the true need for, and ability to solve for, each. Using the full spectrum availability/preservation (AP) matrix in Figure 1 on the previous page, the solution designer can assess needs (e.g., by business value of data or applications), and the risk types (e.g., physical or logical). This provides a very precise mapping of the availability and protection attributes needed for each solution. When looked at from this perspective, the solution designer can see both the needs and risk types in a whole new light, identify gaps between them, and graphically represent expected changes over time. 

Using the insight from the assessment in Step 1, the solution design is created by using the AP matrix to overlay and align the needs with potential solutions (e.g., tape, snapshot, continuous data protection), so organizations can then analyze their needs and make appropriate selections (see Figure 2).

As always, costs will factor into the decision-making process. However, if mapped correctly, the organization can at least identify the gap (caused by cost compromises) between needs and solutions to allow a full disclosure and discussion of the trade-offs in a meaningful manner. 

With full spectrum data protection and the AP matrix, the design and approval of data protection solutions can happen simultaneously in working sessions where the business needs, business risks, solution attributes, project costs, and compromises are fully discussed. This then becomes a component of the overall business continuity planning process. Additionally, the AP matrix helps managers communicate the precise needs, current state, proposed solutions, and compromises that are being proposed in a manner that executives will consider easy to understand.

One thing to consider: Data protection solutions often suffer because they ride the coattails of, or help cost-justify, other projects (e.g., storage or server virtualization projects). When this happens, commitments are cast, and investments are made, which lock the organization into solutions based on someone else’s set of priorities. Having the data protection assessment, design, and approval done ahead of these projects helps avoid being stuck in compromised or dead-end solutions that don’t meet the organization’s current or future data protection needs. 

Because data protection may be a latter step in a complex consolidation or migration project, such as server and storage consolidation or migrating to a SAN, it’s important to make sure that the data protection portion of the project remains a priority and is followed through to completion before resources are redeployed to other projects.

Implementation components that require particular attention include:

•   Network considerations
•   Integration
•   Automation
•   Job assignments
•   Processes
•   Management
•   Validation  

A successful data protection strategy requires regular testing and maintenance to ensure readiness if and when disaster strikes. Testing should be as real to life as possible, including the involvement of human or system elements that it relies upon. Any inconsistencies or issues brought to light by the testing should be addressed and retested.

Since change in data protection requirements is inevitable, part of the maintenance plan should consider alternatives for addressing changing needs, which can happen at a moment’s notice in response to:

•   Natural disaster close calls
•   Data corruption close calls
•   A new president, CFO, or CIO
•   A new heavily regulated customer
•   New products or services in a regulated industry
•   Increased risk of litigation
•   Increased service level agreement commitments made to customers

Full Spectrum in Action

How does full spectrum data protection work in the real world? Here is a real scenario that builds on the e-commerce example mentioned earlier. Heritage Auction Galleries is the world’s largest collectibles auctioneer providing an online trading platform for nearly 314,000 members. Given the organization’s online presence, having highly available, secure, and reliable customer-facing data is not just a convenience, rather it is absolutely critical to Heritage’s business. In fact the organization estimates that for every hour its customer-facing system goes down, it easily loses six figures in revenue.

Heritage recognizes that its customer-facing applications required both high data availability and high preservation. The organization found that while some solutions promised automatic failover, these same solutions still would take up to 30 minutes to get them running after a failover. While this might work fine for organizations that don’t operate 90 percent of their business online, Heritage’s customers demand uninterrupted access and a 30-minute wait time is not a viable business strategy. After a careful analysis, Heritage implemented a storage solution that provides automatic data replication, protection, and recovery within a single storage system distributed across two locations. In case of a localized failure, the solution re-routes server access to the other location without interruption, ensuring information remains protected and available in the event of a local disaster.

Heritage is currently backing up all of its non-customer facing data to tape, as this information is not as time sensitive. 

Next Steps – Full Spectrum Data Protection

The full spectrum data protection approach is ambitious. It uncovers weaknesses that managers would rather not know about, and it dishes out a dose of reality that isn’t always pleasant. Most importantly, it provides precision and clarity for the assessment of needs, the evaluation of options, and the communication of proposed solutions to those who make the final decisions. It’s not always as easy, familiar or convenient, but it will result in a solution with fewer unwanted surprises.

To take the first step into specifying the right data protection solution, an organization needs to work with its own internal leaders and decision makers across functional areas to classify data and applications. Once a business impact analysis or a records/information lifecycle assessment is completed, the organization can then map its data into the AP matrix to determine the best data protection solutions for its specific requirements – focusing initially on its most critical data and applications. The organization should look for a vendor who can deliver all the identified solutions in an integrated, yet modular, approach. This can reduce complexity and costs, while providing a single point of contact for all data protection-related products and services.

v