Disaster Recovery Meets Business Continuity
Disaster Recovery Meets Business Continuity
Mike Vizard: When everybody talks about disaster recovery in the context of IT, theyre always talking about the data center and the servers and theyre really not talking about the whole holistic structure of the company and the infrastructure and the whole play. So as we get ready to kind of enter into what I would call the disaster season, with hurricanes coming and, you know, whatever else may happen in the world that may be politically related or whatever, how do customers need to think about their approach to disaster recovery and that whole issue of business continuity? How does that all come together in some kind of way to manage that in a holistic way?
Bill Spencer: Well, one of the biggest problems that weve experienced is that organizations really dont have access to the kind of information they need to get at quickly when an incident occurs or a disaster occurs. Theyre going around and theyre maybe gathering together some spreadsheets, some various database information, maybe some Visio drawings, some AutoCAD drawings, some geospatial information, various databases, and a lot of that information is out of synch and difficult to understand quickly. And oftentimes, what they end up doing is actually having to send people out to the site to determine exactly what did happen, what the impact of that event was.
Vizard: And more often than not, they cant actually get to the site so its kind of too late at that point.
Spencer: Absolutely yes. So the areas that we have focused on primarily address the ability to consolidate all that information into a visual. Not just a database repository, but a visual repository thats geo referenced and layered and vectorized so that not only can they get information relative to what impact that particular disaster may have occurred, but also take a look at all of the relationships around the data that surround that particular incident.
Vizard: And then that data itself wouldnt reside in some central location, it would be accessible through a distributed mechanism so that, you know, if I have operations in Texas and something happens in Florida, I can actually see whats happening from Texas and then take some steps to replicate what I need to replicate to keep the business going.
Spencer: Absolutely. In fact, from our perspective, that was probably the biggest challenge that we faced, because as you consolidate all this information, if you can imagine consolidating information that was geo-referenced and from a geospatial system, maybe information that was in a CAD system and then information that might have been in a Visio drawing, like rack elevations or other types of data like that, if you can imagine trying to consolidate that into a solution and then somehow making it available to someone out in the field in a way that they could understand it. It was really the biggest technology challenge that we faced as we evolved our solutions. And the way we solved that was to take a look at some of the technology that Adobe introduced with Acrobat 6, and that was the ability to produce a portable document that has layers and also has metadata embedded it. By using that technology, we were able now to provide an intelligent document that a first responder or a field support person could access through a portal and create the document real time and provide him with useful information in Texas or wherever that incident occurred. And that was our singular biggest challenge that we had to face.
Vizard: Now, every time I talk to a CIO and I ask them at the beginning of the year especially, to list their priorities for the year, business continuity, disaster recovery usually winds up somewhere on like the top five. And when I get to the end of the year and I ask them the same question, its still sitting on the list at the top five. So therere a lot of good intentions, but what in your experience is holding people up from crafting a real disaster recovery/business continuity plan and, you know, making something that works. Because every time we have a disaster it always seems like we study what we should have done but nothing ever changes.
Information from a Tactical
Spencer: I think what you just observed is the same problem weve observed across a lot of enterprise organizations. And part of the problem is that they look at the information from a tactical perspective more so than a strategic perspective. And with a lot of solutions out there the CIOs basically are getting tactical information from their internal teams that theyre trying to use to address strategic problems. And that tactical information is just not always that useful. And so I think as things are changing over the last three or fours years with the introduction of ITIL [Information Technology Infrastructure Library] frameworks for change or release management to - and with the introduction of ITIL version 3, which is a lot more strategic in nature than the earlier versions of ITIL, I think what were seeing is that the CIOs are starting to realize that they need to take a look at the infrastructure information that theyre maintaining from a strategic basis rather than just from a tactical basis.
Vizard: And as part of that they really dont seem to have a direct link between what part of the infrastructure is actually related to what business process. So even if I can replicate the infrastructure, I dont have the information that really tells me what that infrastructure is linked to back on an application or a business process level. So now do you guys help capture those relationships and how does that help with the process of recovery?
Spencer: Yes. Of course, you can imagine if youre trying to map, for example, applications such as an Oracle database server or some application like e-mail or ERP application onto the infrastructure, its pretty difficult today because theres no relationship thats been established between that application and the IT infrastructure that supports it. Thats the area that we address is that by consolidating all the information, including the applications, were able to map a particular service, an application like e-mail for example, onto the infrastructure that supports it and take a look at all the dependencies. Vice versa, we also can take a look at a failure of a particular component in the infrastructure, i.e., a server or even a switch or a router, and then from that map back and say what applications and services are going to be impacted and what level is that impact going to take effect. In other words, is it at such a low level that the impacts going to be insignificant, or is that particular device at a higher level and has dependencies that could have a much greater impact on that application.
Vizard: Now, you guys talk about this in the context of managing infrastructure and some of the concerns around business continuity, yet when I talk to people - you know, were always trying to bridge the eternal divide between business and technology, so isnt what you guys do kind of moving into something that I would want to consider as a day-to-day tool rather than something that I use in the event of an emergency.
Spencer: Yes, because I think in order for you to maintain the strategic information that you need to support business continuity disaster recovery, you need to do a very good job managing the tactical side. In order to do that, you really have to make sure that youve got good change management processes in place and good processes in general in workflow. Again, I refer back to ITIL as basically a framework that we see a lot of enterprise organizations moving toward, although we still look at that as a very immature world today although most organizations are talking about deploying it. I think over a period of time, everyone will get better at doing that.
Vizard: Yes, so ITIL creates the framework by which I can manage the business and then I can have an intelligent conversation with the CFO about, you know, where are the dollars being spent to associate with what business process? Is that kind of the general theme?
Spencer: Yes. Yes, absolutely. And, of course, I think youre right in saying that - at least our observations were that, prior to September 11, a lot of organizations looked at this type of technology or solution as being a nice-to-have. And at least with our - especially in the federal government, which has been an area weve had a lot of deployment both at the Pentagon and at the Department of Homeland Security, both of which occurred after September 11, and, you know, as a result they realized that this was no longer a technology that they could look at as a nice-to-have.
Right Level of Management
Vizard: So is there a customer you can talk about who you can detail how they used your software and how that process worked? Because its always a point of validation for people listening, is to say whos been down this path. And I dont know if they had a disaster that, you know, was worth actually invoking the DEFCON 4, or whatever you guys call it, when you actually get to that point.
Spencer: Well, I think probably the one that most people would relate to would be the Pentagon. And the Pentagon was in the midst of a program over 10 years to renovate the entire Pentagon. They had just completed renovating wedge one of the Pentagon. Fortunately, the plane hit wedge one. And as a result of it hitting wedge one, the loss of life was a lot less substantial than it might have been had that plane hit one of the other wedges. Within about six months after that, we were brought in to basically - they realized that when they tried to look at some of the failures they had within the Pentagon as a result of that incident occurring, that they were really scrambling to find out where things were, where their document - what services were impacted and et cetera. So as a result, we - our technology was brought into the Pentagon and we were now - I think were on wedge three right now. They rebuilt wedge one and weve done wedge two, were working on wedge three. And by 2010, that project should be complete.
Vizard: Now, the Pentagon, at least in some peoples minds, has sort of more or less an unlimited budget. So what does it cost to create the right level of management around this and at what point and what size company can afford to do this? How does it kind of roll out?
Spencer: I think, again, if you take a look at the organizations that have been sort of the innovators in our space, youll find its organizations like Department of Homeland Security and the Department of Defense in the case of the federal side. But also, airports. We have a number of airports that are using our technology now. Another huge transportation company has used our product to manage the shipment of packages through their airport facility. But I do believe that a smaller organization can certainly justify the investment. The investment, by the way, is not as much the cost of a product, but more the cost of basically maintaining - entering the data and maintaining the data and putting all the processes in place to make it work.
Vizard: Are we ever going to get to the point where the software can automatically discover where all the data points are and what all the systems are and then when those things get changed, send some kind of alert? Because it feels like right now theres a fair amount of labor involved in the actual process so I think the Nirvana that people are trying to get is, you know, how do I get to some level of automatic detection.
Spencer: Actually, the interesting thing about the data side of it - from our perspective, the problem is not getting the data into a system that Ive described, but more getting the data. And so obviously, discovery technology makes a whole lot of sense. There are three or four technologies out there today that do a reasonably good job of desktop discovery as well as server discovery and even going after the applications and determining what applications are there. We have a generic interface that weve built to support any discovery technology thats out there, and there are a number of them. And its actually pretty exciting the technologies that have been developed over the last three or four years, many of which now do an unbelievably terrific job of discovering information and are also agentless. In other words, they dont need to be deployed on every desktop, on every server, or every system out there in order to do the job they do.
Vizard: Do you think this is going to remain a boardroom-level issue because its been a few years since theres been a major disaster? I think Katrina might be the last one that people might remember. And it always feels like it takes a disaster of that level to get everybody kind of motivated around what to do. It feels like the technologys advanced considerably since the last big disaster but I dont think that businesses as a whole have, you know - I worry theyve become a little more complacent in the last few years and its just kind of slid down their list of things to do.
Spencer: I guess it depends on the enterprise. On the federal government side, I think theyre clearly focused on the problem and continue to be clearly focused because of the oversight they get from the Hill and just because of the nature of the way the federal government works. So I think theyre much more attentive to the possibility of another incident occurring, an event occurring. But even in the enterprise side, if you look at those infrastructures that are critical, and I would even throw in financial organizations, you know, where theyre - you can imagine what would happen in a financial organization. So I think those types of organization. Maybe some of the other types of organization such in the retail and those areas may get a little complacent. But I dont think the organizations that have critical infrastructure today are letting it get out of control.
Multiple Power Grids
Vizard: Do you see companies working together more? Because I mean its almost inconceivable how even this company could operate if seven or eight other entities that were linked to werent able to operate. Any one or two of them could probably take an "if they go, we go." And so therere all these relationships between dependencies and the systems. How do you kind of A) map those and discover those, and then B) plan for, you know, Plan B around what if this isnt here because everybodys assumptions is that certain things are always going to be there and they may not be there.
Spencer: Well exactly, I mean you can imagine, for example, that this building would have a hard time functioning without power. Im not sure whether youve got generators to back it up or whatever backup systems you have but you may not. Certainly data centers are trying to do the best they can but the powers a big issue. And obviously services. You know, what types of services are you going to have: wide area services, connectivity, network services. So I know again that most organizations today at the enterprise level are - we seem to see them focusing on things like power and services. They realize that even though they may have local backup facilities and power facilities where they can generate power but they still are dependent upon all these other services. And it is a big focus. In fact, when the Department of Homeland Security recently put out an RFI for their second data center, one of the mandates in it was to have it in a different power grid than the first backup data center. So they were thinking about things like that.
Vizard: And thats more likely to be our next big emergency rather than some cataclysmic event. It may just be a series of brownouts caused by some, you know, happenstance that hits some grid in Ohio that takes out the rest of the Eastern seaboard.
Spencer: I didnt realize that there are actually three major grids in the country: Eastern, Central and Western. And actually, the whole Eastern could go down at one point. And thats why they wanted to make sure that they had the second data center in a different power grid.
Vizard: I always thought that was a West Coast problem till that happened to the East Coast myself. Is there some kind of council or some kind of group that you guys are part of that the federal government puts together that kind of says, you know, lets all get together a couple of times a year and kind of, you know, think about best practices around that space? How do people tap into that or become part of that or gain any knowledge around that?
Spencer: Probably the most visual group is a group in the Washington, D.C., area, which youd expect a federal group to be, called ACT/IAC, American Council for Technologys Industry Advisory Council, which is made up of CIOs within the civilian agencies as well as DOD and industry leaders. And we participate in that organization. There must be at least 15 or 20 different meetings per month. They have an annual conference where all the CIOs and all the industry people get together every year. So I think that particular organization has a lot of [special interest groups] that theyve set up both on specialty areas to develop white papers and pursue certain challenges from a technology perspective and try to assist the government in developing solutions.
Vizard: Just taking a step back. But despite all the talk, what percentage of the companies that you see out there, in your opinion, are prepared to handle some kind of catastrophic disaster event in some kind of reasonable fashion: keep their business uninterrupted today. I mean is it still single digits?
Spencer: I think its still single digits to be honest with you. We see a lot of people motivated and working and concerned, but I think youre absolutely right that I think its still a very small group that are - if any, that are really fully prepared for another incident.
Vizard: Do you think that the insurance companies that work with these companies are a place that maybe that we can get a little more impetus going, a little more push? Because, you know, as I look back over other things that have been successful in other industries, particularly in healthcare, it always seems like theres an insurance company at the backend of that process with a whip thats saying, you know, ladies and gentlemen, were going to do this because were trying to mitigate our risk.
Spencer: Well, thats interesting. Actually, one of the things that we have experienced was that insurance companies - a lot of organizations are trying to get more control over their infrastructure just so that in the event something does occur, they can define what it was that was impacted. So they can actually give the insurance company a list of the assets that were actually affected by the incident as part of the recovery. But you know, this is an area that Im not really that familiar with in terms of how they might be able to drive change within the industry to impact disaster recovery.
Vizard: All right. Well, that may be a challenge that we lay out there to the insurance industry right now.