If there was ever an it initiative that seemed like a no-brainer, it would be continuous data protection: ensuring that a company’s IT systems won’t lose their family jewels in the event of a power outage or natural disaster. Still, many businesses don’t have a CDP plan in place.
A 2007 Gartner study found that about 50 percent of 220 organizations it surveyed were at low levels of data recovery maturity: Stage 0 (no team, no plan) or Stage 1 (a team in place, but no plan).
Michael Osterman, of Osterman Research, told eWeek that business owners certainly understand the liabilities involved in not protecting data, but because data disasters are merely a potential problem, a CDP strategy often isn’t put into place until it’s too late.
“I just think that it sometimes takes headline shock to make people move on some things-especially when we’re talking about potential liabilities,” Osterman said. “In other words, if it hasn’t happened to them yet, it hasn’t happened. But once they read about a data loss case involving somebody else, they’re more likely to get something started.”
Before something happens to your company, consider planning for and installing some kind of CDP system. Here are five key steps to accomplishing this.
Step 1: Plan Around Staff.
IT managers need to plan CDP strategies around their staff capabilities and in accordance with company policies. Com??Ãpanies need to anticipate a range of potential problems and create a realistic plan to address both disaster recovery and continuity of essential business processes.
“The key driver in all of this is your people,” said Phil Dunkelberger, president and CEO of PGP (for Pretty Good Protection), a security software provider. “They’re the ones who handle the data on a daily basis and the ones who will be using the CDP tools to maintain the data. They have to know exactly what to do ahead of time in the case of a disaster, like they do in a fire drill.”
Dunkelberger added that enterprises should be sure the CDP plan and its corresponding hardware/software also is designed to work smoothly for remote employees. Analysts have reported that some large companies have as much-if not more-critical company data stored on scattered corporate laptops as they do in their data centers. All these systems can and should be backed up and protected by a good CDP deployment.
IT Planner: 5 Steps to Continuous Data Protection – Page 2
It’s important that a CDP system be easy to use and transparent in how it works, Dunkelberger said.
“You can insulate your people from the complexity as you design the system, if you obtain the right software. You want a system that allows them to do their jobs and not have to worry every day about security,” Dunkelberger said. “You also have to plan for workloads, travel, time zone changes, etc. You need a good training and awareness program for all employees who will be empowered to use the CDP.”
In addition, organizations should assess all networks and business models to determine risks, as well as operational and financial exposures, said Jonathan Nguyen-Duy, manager of business continuity services at Verizon Business.
“Coordinated network and continuity planning are essential,” Nguyen-Duy said. “Base decisions on the principles of risk management. Identify critical business functions and processes and deploy assets to help ensure seamless operations.”
Step 2: Determine What Needs to Be Saved.
It’s critical to determine what data and applications you need to protect.
Key company data should be identified early in the CDP planning stages. What data is of highest value will all depend on the company, but there are staples that all enterprises need to protect.
Chief among them is e-mail.
“Everybody needs more and more data to do their jobs,” Dunkelberger said. “I saw a great quote the other day from an analyst: 90 percent of all company data ends up in e-mail. I don’t know if that’s exactly true, but it might be close. It’s the most commonly used office application. Think about how much data you have in your PC-most of it probably came from somebody sending you a Word document, a spreadsheet, a photo or something else through e-mail.”
Also important for CDP storage are instant messaging logs, database content, financial records and CRM (customer relationship management) records. All should be channeled to a CDP system.
Obviously not needed are music files, video games, movies, non-business photos and other kinds of personal documents accrued by employees. These types of files will only slow the entire CDP/storage process. If these files commonly exist on company desktops, laptops and servers, then some other serious corporate issues need to be addressed.
IT Planner: 5 Steps to Continuous Data Protection – Page 3
Data duplicates should also be winnowed down. Gartner analyst Dave Russell has reported that most enterprises keep between two and seven copies of their data at all times, depending on the application environment. Limiting that number to two or three at most will save a great deal of time, space and performance throughout a large system.
Deduplication, all the rage at the moment in the storage industry, is software that keeps copies to a minimum, depending on company policies. Consider buying it.
Step 3: Evaluate Technical Requirements.
After deciding what data needs to be protected, IT managers need to determine what CDP hardware, software and services are required.
Choosing the right CDP hardware, software and/or services for your organization depends on budget and breadth of coverage needed-just like an insurance policy.
EMC provides two full-fledged CDP platforms: RecoverPoint and Kashya. IBM, meanwhile, offers backup software and hardware snapshots in its Tivoli Continuous Data Protection for Files offering. eWeek has also learned that IBM is now working on new CDP software.
Microsoft and Dell have no enterprise CDP products in their lineups as yet, but they do offer low-end replication and snapshot packages for Windows systems. Hitachi Data Systems offers a replication and snapshot solution using CommVault.
Through its acquisition of Alacritus, NetApp offers a combination of FlexClone and Snap??íRestore that works only for data residing in its own storage, so there’s a lock-in issue to consider.
LiveOffice, meanwhile, offers a well-regarded e-mail storage and access system for enterprises and small and midsize businesses.
Other companies in the CDP space to consider include Symantec, CA, Mendocino, Iron Mountain, Exanet, Idealstor, BakBone, Availl, SonicWall and Mimosa Systems.
Step 4: Include Compliance Monitoring.
When developing your CDP plan, incorporate immediately the state, federal and industry regulations with which your company must comply as guidelines.
“Do [the CDP systems] meet all the accounting rules? Are they compliant with local and international law? If you’re an American company, are they Sarbanes-Oxley-bulletproof?” Dunkelberger said.
IT Planner: 5 Steps to Continuous Data Protection – Page 4
In addition to ensuring business continuity, many CDP systems offer sophisticated search capability that allows com??ípanies to locate specific files quickly-a requirement for recent additions to the Federal Rules of Civil Procedure regarding digital data that went into effect Dec. 1, 2006. The new rules require com??ípanies to have policies in place regarding data storage and quick search and accessibility in case of litigation. A good CDP system will find digital evidence in a timely manner.
Step 5: Test for Holes.
Once the CDP system is up and running, test it frequently to make sure there are no holes in coverage.
Most CDP systems are equipped with self-testing tools. Gartner estimates that these kinds of tools are used only once a year on average. That’s not nearly enough, according to Dunkelberger, who said that monthly-or at least quarterly-testing is preferred.
“IT managers should be rigorous about making sure their CDP systems are always tuned and doing what they’re supposed to be doing,” he said. “Compliance is going to change, technology is going to change, data formats are going to change … Do you think that anybody ever envisioned that you were going to be able to put the Library of Congress on a USB thumb drive someday? I don’t think so.”
Consider Apple’s iPhone, Dunkelberger said. “[The iPhone] is causing fits among IT security and business continuity professionals,” he said. “It’s not just a phone; it’s a 60GB, multifunctional device with all kinds of processing power on it.”
Dunkelberger recommends that IT managers look at all devices in terms of their data storage capabilities and what that means for CDP planning-or the subversion thereof.
“Look at the new devices for data storage,” he said. “If you do not have a continuous, rigorous continuity strategy that involves the senior management business plan, you will find yourself in the lurch at some point, driven by the next new toy someone wants to bring into the environment.”
What does it take to persuade IT decision ??ímakers to plan ahead and look at a CDP strategy?
The answer: pain.
First of all, IT managers can pretty much count on at least one major outage per year, according to IDC and Forrester Research market studies.
IT Planner: 5 Steps to Continuous Data Protection – Page 5
MessageOne, whose hosted e-mail continuity package guarantees that a Microsoft Outlook deployment will work no matter what happens to the IT system, reported recently in a market study that 75 percent of com??ípanies experience a major unplanned outage at least once a year. The average outage lasts a bit more than 32 hours, the study found: Forty-three percent of the outages lasted longer than 48 hours.
Most of these outages were caused by technological failures, such as hardware lapses (35 percent); connectivity losses (19 percent); SAN (storage area network) failures (16 percent); and database corruption (16 percent). Fourteen percent of the IT system failures were the result of natural disasters, such as hurricanes, flooding, earthquakes and fires. According to the Federal Emergency Management Administration, there were 61 disaster declarations in the United States in 2007-up from 58 in 2006.
For some businesses and services, such as banks, hospitals, utilities, law enforcement and defense, even a few minutes down without flowing data is unacceptable.
The bottom line is this: How much downtime can your company absorb before it’s too late?