In a previous post, I laid out the first three questions your CIO should answer before you start your backup and recovery research. The CIO should provide direction around the value of the data, the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO).
Once these executive-level business requirements are understood, the context can be used to ask the next set of high-level business and technical questions that drive your backup and recovery strategy.
1) How confidential or compliant does your data need to be? Do you need your backups encrypted — both in transit to your provider and at rest on the provider’s backup storage — to meet HIPAA, PCI or Sarbanes-Oxley compliance requirements? Do you need to choose a provider that meets specific compliance requirements for your industry so your company can remain compliant at your next audit?
2) How secure does your backup strategy need to be? Security is different from compliance. Compliance is the set of rules and audits that surround the data center and any provider delivering backup services. Security is the physical, electronic and network measures that are put in place to prevent theft or unauthorized access to the data.
If you drive tapes off-site, consider the human factor and physical security risks. Consider the type of security infrastructure that you want to see delivered by your offsite backup provider to keep your backup data secure. Do you know where they are physically storing the data? Do you understand their approach to data encryption and data deletion?
3) What is your recovery strategy? If you lose a file, how quickly do you need it be restored to your servers? If you lose a server, how quickly can the server be recovered? If you lose your data center, how quickly can your business be up and running again?
Once you understand your RTO, you can design your recovery strategy to meet these objectives. For example, sending your backups to a file storage system in the cloud (like Amazon) can be very cost effective, but the data is unstructured and getting your data back across the internet can take a very long time (days). Enterprise-grade backup and recovery with deduplication technology can reduce the recovery time significantly.
4) Do you need a backup partner that can provide cloud servers for you to quickly restore your data in the case of a disaster? For even faster recovery times, consider a provider that can recover your backup data directly onto cloud servers in the same data center. Providers that can connect your cloud servers to your backup data over a 10G network can change your recovery times by orders of magnitude.
5) Can you bring your own servers or SANs directly to the data center to recover your data? The internet is the slowest pipe when it comes to recovering terabytes of data. If you can’t use cloud servers at your backup provider, consider the option of collocating backup servers or SANs to recover the data over their 10G network into your equipment.
6) How automated is your backup procedure and how many technical man-hours are required on your part to set, monitor and restart failed backups? These are often overlooked costs. Many CIOs don’t understand how often their backups fail or how much time is spent managing the backups on a daily basis.
7) What is the infrastructure of the backup target — is it designed to withstand drives, hardware, network and data center failures? Not all backup targets are built with RAIDed drives or redundant network infrastructure.
When it comes to your backup and recovery strategy, it’s best to take the time to understand your critical drivers, ask the tough questions of your backup vendor and test your recovery strategy before you need it.
Backups don’t matter until they matter. You don’t want the last remaining copy of your data to be corrupted or find out that your recovery strategy isn’t fast enough to recover your business when you need it.