All businesses, small and large, face similar problems when it comes to protecting data and preparing for disaster recovery. What do we protect, how do we protect it, and—most importantly—how do we get it back when we need it? Backup and disaster recovery can be one of the most important decisions that an IT department makes. Data protection is an insurance policy, and one that doesn’t pay anything when you need to use it. Using the data protection insurance policy simply means that you are able to continue in business. Because of this, data protection is often under-funded and more difficult than it needs to be.
1: Assess Your Risk
To begin a data protection or disaster recovery plan, it helps to understand what is at risk. If there is no cost associated with losing data, then it will be difficult to justify spending money to protect it. The financial impact of lost data on a business is a topic of much debate, and there are a lot of analysts that publish numbers on this topic. Ultimately, the cost of lost data is different for every business and for different types of data. To assess your risk, you will need to understand all of the applications that are running in your environment, which departments depend each application, and what the value is to the business. Assigning the business value of an application can be difficult, and every department will insist that you will be out of business if their application isn’t the first one running again if a disaster happens. Completing this step requires a solid understanding of your business, and how it interacts with customers.
2: Map Data to Applications
Now that you understand what is at risk, you can begin with the next step in data protection and disaster recovery: understanding the data you have and which applications it belongs to. All data is not created equal and doesn’t deserve to be protected equally. There is no reason to replicate, backup, and store multiple copies of an MP3 collection or family photos, but many businesses do just that. Treating all data the same is not cost effective and wastes valuable resources, mainly time and money. To stop protecting the wrong data, you need to determine what you have. A storage audit is a good place to start, but you can also go through your shares and LUNs (if you have a SAN), and determine which applications or users are connecting to them. If you choose to do a complete audit, there are many tools available that will help automate the process.
3: Assign a Recovery Point Objective and Recovery Time Objective
Up until this point you have been collecting information so that you can properly determine how to protect your data. After assessing risk and mapping data to applications, you can assign a Recovery Point Objective and Recovery Time Objective. Recovery Point Objective (RPO), is simply stated as “how much data can you lose?” If you have a 4-hour RPO and a disaster strikes, you will lose 4 hours of data. Recovery Time Objective (RTO), is a measure of time until the data is available again. A 4-hour RTO means that it will take 4 hours to get the data restored, applications connected, and end users working. The reason that assigning an RPO and RTO is so important is because it dictates how you protect the data. Everyone wants to have an RPO of 0, but that can be cost prohibitive. Setting RPO and RTO should be based on business need and data value.
4: Choose Your Data Protection Method, Implement it, and Test it
Once you have an RPO and RTO assigned, you are ready for the final step of choosing a data protection technology to deploy. There are many ways to protect data: backup to tape, backup to disk, snapshot-based replication, continuous data protection, synchronous replication, and several more. Each type of data protection carries a different cost, and has many available solutions to solve the problem. With cloud-based solutions becoming more common, the options are increasing. Each solution has its own challenges and benefits, but they all have one thing in common: for disaster recovery to work, your data must be offsite. Backing up to tape or disk, taking snapshots, replicating locally—none of these will solve the problem of disaster recovery if your primary site is gone. Perhaps the most important thing when it comes to data protection and disaster recovery is testing. After you have deployed a solution, you must test it and test it again. Having a stack of tapes, or a replica offsite, will provide no value if you can’t restore the data or get the replica online.
Data protection shouldn’t be difficult, and it should be very well funded by every business, but it isn’t. Understanding the value of data to the business, and the impact when it isn’t available, will help you build a case for funding and resources. The information you collect will also help in the daily management of your storage environment, and how best to protect it.