College of virtualization: Lessons in integrating data protection software

Sponsored by Dell VMware

Speaker: Tom Nolle, President, CIMI Corporation

Moderated by Kate Gerwig

Karen Guglielmo: Hello, and welcome to a SearchStorage.com presentation, ‘College Of Virtualization - Lessons For Integrating Data Protection Software’. This presentation is being brought to you by Dell and VMware. For more information on Dell and VMware, you can click on their logo in the lower portion of your screen. My name is Karen Guglielmo, and I will be your moderator today. Joining me today is Laura DiDio, a Hi-Tech Analyst and Consultant, a professional writer and a former reporter. She is a principal at Information Technology Intelligence Corp., a company she founded. Before we begin the presentation, I would like to review a few housekeeping items with you. First, the slides in the presentation will be pushed to your screen automatically. If you have any questions throughout the presentation, you can type them in the ‘Ask A Question’ area located on the right-hand side of your screen and they will be addressed following the event. If you have any difficulty viewing or reading the slides, click on the ‘Enlarge Slide’ button located in the bottom portion of your screen, and finally, if you experience any technical difficulties with this presentation, click on the ‘Help’ button in the lower right corner of your screen. With that said, I am now going to turn things over to Laura DiDio to begin today’s presentation. Laura.

Copyright © 2009 ITIC All Rights Reserved

Agenda

•Overview: Data protection software

•Getting Started: General Advice

• Business & Technology Considerations

•Deployment

• Configurations & what to buy

•Conclusions & Recommendations

Laura DiDio: Thanks, Karen, and welcome everyone. It is a pleasure to have you here with us. We are going to dive right in and get started because this is a hot topic and we have a ton of information and data to help you with. Okay, so our agenda, we are going to give you an overview of data protection software. We are going to give you some general advice, business and technology considerations and some, you know, deployment considerations, configurations, what to buy, what to do, and then we will give you our conclusions and recommendations and we will wrap up with Karen doing some Q and A.

Overview: Data Protection

• Effective, efficient Data Protection is a core, fundamental network component

• SMBs using virtualization will face additional challenges in managing and protecting data

• Data protection ties into DR Strategy

• Virtualization generates lots of data

• Organizations must be able to restore and recover data quickly

• Absence of data protection will compromise the entire network and potentially put your business at increased risk for litigation

Okay, so data protection. Okay, this is a no-brainer, as we see on the slide. Efficient, effective data protection is a core fundamental network component. Now, SMBs that use virtualization, and that is many of you, especially on the server side but in your head we are expecting a lot of you are also going to implement VDI, Virtual Desktop, virtualization and also application virtualization as time goes on. You are going to face specific additional challenges in managing and protecting your data and as we will see, your data protection strategy is going to tie into your disaster recovery strategy and also your virtualization strategy. One reason for that, virtualization generates a lot of data when you are actually looking at things. So, there is going to be in some ways more for you to manage at once. Clearly, organizations have to be able to restore and recover data quickly and they have to make sure it is protected. The absence of data protection, we don’t have to tell any of you, will compromise your entire network and especially because you are SMBs who are even more risk averse than your enterprise counterparts, a really bad hack could potentially put your business at increased risk for litigation or even put you out of business.

Data Protection: Getting Started

•Thoroughly review existing infrastructure & data protection

• Start with a pristine network

• Fix what’s broken

• Regularly upgrade data protection equipment and software

• Make a data protection/security plan, stick to it and enforce it!!!

Now, as we turn to the next slide, getting started with data protection, once again, you have to start at the beginning and that means you want a pristine network environment or as pristine as it can be. That means you have got to start by thoroughly reviewing your existing infrastructure, locating what are the weak points, are there any open doors, open ports, backdoors, what type of hardware do you have, server hardware, do you need ruggedized server hardware, how is your encryption. So do you have the latest upgrades? You need to fix what is broken or what is old and outmoded, and you should be regularly upgrading your data protection equipment and software. There was a famous German 19th century military strategist who said that military secrets are the most fleeting of all. In the 21st century computing environment, what I would say is security and data protection is one of the most fleeting of all, because as soon as you have one thing fixed there is a hack to exploit something. There are always new and improved ways to crack into and compromise the security and data protection of your network. So you have to stay on your toes with this and it is a question of months, not years. You need to make a data protection and security plan, stick to it and enforce it and by enforcing it that means with all of your users and you need to disseminate what your security and data protection plan is, what the rules are, and what the penalties are for violation.

Have you determined the cost of one hour of downtime for critical or mission-critical processes?

Do you have defined benchmarks to measure component, system or infrastructure performance?

So, as we turn to the next slide, the next few slides we are going to show you are based on the realities of what is happening now. This is survey data from ITIC over the last six months. We asked folks, have you been able to determine the cost of one hour of downtime? Okay, now you will notice only one third of companies said yes. That is the bad thing. So you have 51% who say no, and 14% who are unsure. So guess what? The majority of people don’t know what damage can be brought. That is bad. You have to know what the consequences are and if you don’t know how much downtime costs, there is probably a lot of other things you don’t know either. When we look, we ask people, do you have defined benchmarks to measure performance? Now security, actually this is a better one, almost 40% said yes, but almost 50% said, you know, no. Again, bad number there. We asked people what happens when something goes down, what factors do you include in the cost? Once again, you can see productivity lost, but you look for all of these things and this is all tight security and data protection. If your security is compromised, if your data is unprotected, guess what? All of these things are going to happen. You are going to have dissatisfied customers, damage to your reputation. You are going to have regulatory exposure. You will lose, almost certainly lose revenue. There is going to be an upstream and downstream impact from, everyone from the C level executive to your end users, to your business partners, to your suppliers, to your customers. So, there is also the risk of SLA penalties, risk of litigation, the cost for what happens for lost productivity for your employees, all sorts of things.

If yes, which factors are included in calculation of downtime cost (select all that apply)?

Next slide, we asked people how many tier 2 outages, that is midlevel, 30 minutes to four hours has the firm experienced within the last 12 months? Now, this is always dicey because people talk about these things a little bit, you know, differently, but 44% said 1 to 3 outages. We also had 28%, nearly one, you know, one third said we did not have any. That is not necessarily a number I believe in, but 15%, as you could see, we got, said that they had 3 to 6 outages and then 5% said 5 to 10 outages. We had other people who were unsure and then only 3% owned up to having more than 10 tier 2 outages, but any outage is going to cost you money. Again, so...these numbers, a lot of people are just guesstimating or they are not owning up to it, but still, you can see that this is pretty prevalent. The tier 2 outage by the way is going to involve your network administrators, having to do remediation, getting involved, so it is going to be time, it is going to be productivity loss on the end-user side, it might mean your clients cannot get access to data, business suppliers, partners, etc.

How many Tier 2 outages (30 min. to 4 hrs.) has your firm experienced within the last 12 months?

But it is not the worst thing that can happen, as you can see from the next slide. We asked what about the most severe tier 3 outages? That is four hours plus and you may or may not have data loss, but you probably have some data loss. We had two thirds of people said, no we have not had any, 66%, we have not had any tier 3 outages. Again, that is not necessarily a number I believe because a lot of people want to keep quiet about it. But as you can see, the remaining one third do have outages and this is going to be significant in terms of the business operation, the cost, the remediation, the potential damage to your reputation. So, the only good outage is not to have an outage.

How many Tier 3 outages (4+ hrs. w/data loss) has your firm experienced within the last 12 months?

If your firm was unprepared to respond to the Tier 2 or Tier 3 incident, what changed afterward?

We also asked people to say, how prepared are you to address these outages when they occur and as you can see, 41% or 2 out of 5 businesses said they are prepared. Then 51%, the majority said, we are somewhat prepared. We have some plans in place but there was also some confusion. This is getting closer to the truth and then 5% basically said they were unprepared, caught off-guard and really had to scramble, and 3% said that they were totally caught off-guard and they were unable to respond in an effective timely manner. So, you could imagine if you were in that 8% category minority, how damaging that could be, especially since you folks are smaller businesses. It is going to really impact you more. So you don’t want to be in a position where you are reacting to data losses, network outages because you don’t have a data protection plan. Then we also asked, well okay, if you were in that, if you are unprepared or only somewhat prepared for data losses after one of these incidents, what changed? Now, 42%, again 2 out of 5 businesses that is, basically said they learned their lesson, but they are still working on being proactive. But 22% said nothing changed, it was business as usual. We had 10% who really became proactive and said we learned our lesson, we established service level agreements and we made a future response plan. And then you had a 2% minority that said, look we just played the blame game, pointed fingers and we have not done anything constructive. So, this is an object lesson here for those of you who are in our College of Virtualization, for what happens when you get out to the real world, you don’t want to be in those slices where you are being reactive rather than proactive and have not done anything constructive.

How certain are you that the SLA commitments you expect from others align with the IT services expectations your clients have of you?

Another question we asked and this plays right into data protection, security, etc. We asked people do you require SLAs from your IT vendors, your hardware, your OS, your application, your storage, your network virtualization vendors because if you don’t, you should, and what we saw here is that only 17% absolutely say they do all of it. Now, you can see from these, the smaller globe here, the pie chart, it is a higher percentage, 56% from enterprises, with more than 3000 users, so clearly the SMBs are lagging behind here. And we see 23% said we are not requiring anything beyond standard warranty. Again, you should require SLAs. It does not matter whether you have 10 people in your organization or 500. You should require service level agreements and basic minimum metrics and standards for performance from your vendors. Again that should be a staple of any data protection plan.

How certain are you that the SLA commitments you expect from others align with the IT services expectations your clients have of you?

And this one here, this is scary. How certain are you that the SLA commitments you expect from others align with the IT services’ expectations your clients have of you? And again, only 2 out of 5 businesses were reasonably sure. You see that the largest slice of this pie, okay, by 58% is either uncertain, you know, or excuse me you only have 12% that are certain that they align. You have to make sure again data protection is 50% technology, but it is 50% policy and human due diligence and that is what these slides talk about here. So, you can get all of your best hardware from Dell, your best virtualization and security software from VMware, but it is not going to mean a thing if you are not putting policies and practices in place to protect your data. It would be akin to buying the most expensive security or alarm system for your home and then going out and leaving the windows open and the doors unlocked and not arming the security system. So, half of this is going to be up to you.

Data Protection: Best Practices

• Check for compliance

• Virtualized environments contain more data – if there are 6 VMs on a single server you will see > 1 Tbytes of data if it fails

• Virtualized data protection failures will take down multiple servers!

• Ensure adequate bandwidth

• Check carrier routes

• Determine whether you’re protecting the data at the hypervisor or OS level

• Ensure that you have the latest versions, patches

• Standardize the environment as much as possible

So turning now to the data protection best practices, the first thing you have to do is take a look, are you in compliance? Okay, with all of your licensing agreement, are you in compliance with regulatory issues for security and that is going to have pretty big implications for those of you who are in the SMB space, you might be in a doctor’s office or a dentist’s office, what have you, where medical records are kept. You have got to protect that data, if it gets out, wow! You know what happens. It could just be business records. It does not have to be medical records. It could be anything but you need to protect and preserve your data. In a virtualized environment and many of you now, as the cost of virtualization and hardware has come down so much, you are virtualizing, you know, your server and increasingly your application environment. Virtualization is a great thing. You can consolidate space, you can consolidate application, cut down on your manpower hours, utility costs, you name it, but you have to be aware that virtualized environment will contain more data. So, for example, if you have six virtual machines on a virtual server, on some level, as the network administrator, you will see six machines, however, if you connect...once you connect to the host server, what you are going to see is probably 1.5 terabytes of data. So, if that fails, if the virtualized environment fails, six servers are going to be taken down. So, data protection is crucial because now much more of your infrastructure is going to be contained under a single physical host server. So, you are going to have a single point of failure even though you might...your applications are in isolated containers. Okay, and if you have got locally attached storage, it is going to be another big single point of failure. If it is SAN attached storage, you will lose access to the data. So, from the business standpoint, the data would still be inaccessible. Okay, so you need a comprehensive, cost effective solution that will manage both your physical and virtual servers alike and that is one of the things that we are seeing with VMware’s vSphere, the latest version vSphere 4.

Conclusions & Recommendations

•Data Protection is a MUST!!!

•Business & technology planning are symbiotic

• Formulate a data protection plan and adhere to it!!!

•Keep Records – Organizations should document everything: costs, manpower, remediation efforts; fallout (e.g. lost business) from a disaster

•Budget accordingly

•Upgrade infrastructure as needed

•Adhere to the three “Cs”: Communicate, Collaborate & Cooperate

• Enforce SLAs!

Now, your virtualized data protection failures will take down multiple servers, again, so you don’t want that to happen. You want to be proactive not reactive. You have to ensure adequate bandwidth. Again, all the data in the world contained in these virtualized environments won’t be any good if you cannot transmit it if the pipes are too, you know, not adequate, they are too small. So check your bandwidth. You also want to check your carrier routes. Okay. Access in and out of the server, you might think that you have enough redundancy, but you want to make sure that the carriers are not subletting the same lease lines. So there has been many an instance where it is on the same line and that line, that one trunk line goes down and you are still out. The other thing you need to do is determine whether or not you are going to protect your data at the hypervisor or the OS level. Okay that has implications as well. You also want to ensure that you have the latest versions and patches updated. You need to standardize the environment as much as possible that will cut down on the amount of time you are spending doing remediation work and it will cut down on your management time as well. Standardized environment can really cut your time to recover from a data loss or a hack by about on average one third, but standardizing the environment helps because you are not running hither and yon and a lot of times we find that the data is compromised because you have not applied a patch or you have got different versions and the versions are not interoperating together and that can cause disruption to the operation, you know, to the network operation.

As we turn to the next slide, finally the conclusions and recommendations. You know this, data protection is a must. Your business and technology planning are symbiotic. Again, cannot overstate this, 50% of your data protection strategy will depend on the technology. So you need good, strong underlying technology from your virtualization vendors like VMware, from your hardware vendors like Dell, but the onus is also on the C level executive, the IT department, and the end users to strictly adhere to best practices. You have to formulate a data protection plan, you must adhere to it. I cannot tell you how many times I have been in consulting situations with some of the top Fortune 100 firms and they are four revs behind on their antivirus software. They have a data protection plan that is four years old, they have not looked at it, they have not set penalties or, you know, disseminated and distributed the computer data protection policy and rules. You have to have rules in place, you have to enforce them, your end users have to know what they can and cannot do and what the penalties will be for infringing on the rules. You also need to keep very, very good records. You have to document everything. That means if you have had some data protection losses, how much did it cost? How much is it costing you to buy the software, do you have adequate data protection software and hardware in place, what is the costing to your manpower, what about the remediation efforts, what has been the consequence or fallout from lost business, if you have had a disaster or a hack? Budget accordingly. This is one area where you do not want to skip. You need to also keep the entire infrastructure upgraded as needed and once again you have to adhere to the three Cs, which is Communicate, Collaborate and Cooperate, both internally and externally that means with your hardware, software, virtualization providers. Ask them to help you out with best practices. Companies like VMware now have an incredible array of tools, documentations, white papers, that are available for free to assist you, so there is really, you know, no reason to be behind the eight ball even if your organization is on a very, very tight budget and once again, finally, you want to enforce those SLAs, service level agreements. You are paying for all this equipment, so you and your vendors should be in sync and agree upon SLA metrics that are most appropriate for your business and if it is not there, then you need to rethink that policy and perhaps move on to another vendor. So, with that, I will turn it over to Karen for the Q and A.

Getting Started: General Advice

•Know what’s on your network

•Adhere to the Three “Cs”: Communicate, Collaborate & Cooperate

•Perform a thorough inventory and assessment of your current environment

•Identify & Replace outmoded hardware

•Standardize the application environment

•Check and upgrade storage, bandwidth as necessary

•Security, security, security!

•Review Licenses

•Review SLAs

•Construct Operational Level Agreements (OLAs)

Karen Guglielmo: Great! Thank you, Laura, for your presentation. I would like to take this time to remind everyone again that you are participating in a SearchStorage.com presentation on ‘Lessons For Integrating Data Protection Software’. Today’s presentation is being brought to you by Dell and VMware. If you would like more information on Dell and VMware, you can click on their logo in the lower portion of your screen. And now, we are moving on to the moderator Q and A portion of today’s presentation. I am going to be asking Laura a couple of questions related to today’s topic. So, let us get started. First, let me ask you, how is using data protection software different in a virtual environment?

Deployment Best Practices

•Determine how you’re going to segment the virtualized & cloud infrastructure

•Mix & Match: you can deploy Web servers and other classes of servers in the same physical host

•Keep Production Applications separate for security purposes!

•Adjust your network architecture/infrastructure to deal with virtualized & private cloud environments

•Virtual infrastructure should have its own network

• It should not share with Email/messaging

•For the Virtualized/Private Cloud buy the most robust hardware configuration the budget will allow

Laura DiDio: Well, it is different because, as we noted, virtualization is wonderful for a lot of things, consolidation, for saving money, for saving time, but you have to really be on guard because all of your, you know, data, you are going to have multiple instances of application and data contained in a single physical server. So that can potentially be a single point of failure, if you have not put the proper data protection controls and configuration in place. So that is a scary thought. You know, you don’t want to take a direct hit. So you really need to make sure that you have the proper hardware, proper software and the proper data protection in that virtual environment.

Deployment Best Practices, contd.

•Public Clouds: Due Diligence is a must!

•Determine what tier of service you need

•Ask for References

•Ask Questions:

• What hardware do they use?

• How many paths in and out of the cloud

• What is the guaranteed response time

• Where are the hosts physically located

• What about security – physical and what are the country policies if the host provider is outside of the U.S.?

• How are they segregating the services? SMBs will operate much differently than an Amazon.com type business

Karen Guglielmo: Okay. So how is data protection linked to your disaster recovery strategy?

Laura DiDio: They are inextricably linked. I mean it is a real symbiotic relationship. So, for example, if you have protected your data but you don’t have a disaster recovery plan in place and the worst happens, if you cannot recover from a disaster, then the best data protection in the world, your data will still be safe but you are not able to access it. So, the two have to go hand in hand, you have to protect the data to make sure it is not compromised and it is not lost in the event of a disaster and then in the wake of a disaster you have to make sure that you can recover quickly so you can get your users back up and running and able to access the data. So overall, it is, you know, it’s data protection, it’s disaster recovery, and it is business continuity. That is the Triumvirate that people have to live by.

Conclusions & Recommendations

•Make a Business Plan based on the technology needs

•Construct a three-year technology plan

•Purchase the most robust hardware your budget will allow

•Make a security plan

•Adhere to SLA and OLA agreement

•Engage virtualization vendors & cloud providers

•Make use of tools & documentation available from vendors like Dell, VMware and others

•Make sure your cloud providers are meeting their SLA agreements with your organization

Karen Guglielmo: Okay, and finally, what would you say is the most common mistake that people make in respect to data protection?

Laura DiDio: The most common mistake is the human error and that is they don’t have a policy in place, they have an...or they have got an old policy, they have not dusted it off. Things are really changing fast in security, data protection, managing the data, so you have to constantly be upgrading this policy and again, I understand the focus of many users, especially those people in the SMB space where you might have an IT department that might be anywhere from one or two people up to maybe 10 people rather than dozens or hundreds of IT managers. There is an incredible burden placed on these people and the emphasis oftentimes is on just keeping the network up and running on a daily basis, even if that means, you know, doing patch jobs here and there. But you have to make the time and spend the money on data protection and that means you have got to get that network protected to the extent it should be in 2010 and going forward because the hackers are not standing still, there are...you are always going to find errors in software that require a patch or some type of remediation or a fix. So you really want to stay on top of this and once again if you are an overburdened IT manager or if you are in our College of Virtualization right now and you are coming out and you are going to go to work for an SMB, get to know your vendors. The vendors have a lot of tools at their disposal. There are many free tools for self-assessment. There are many white papers out there and documentation with best practices and how to, so engage them, also ask them, what do I need? Is this the appropriate configuration for me in terms of my hardware, how should I be configuring my virtualization environment so that it is optimized for disaster recovery and data protection.

Karen Guglielmo: Okay. I am sorry, go ahead. You are going to wrap up?

Laura DiDio: No, so, I was just going to say, so that basically is the human element. It is equally as important as the technology if not more so.

Karen Guglielmo: Okay, and that does conclude today’s presentation on, ‘College of Virtualization - Lessons For Integrating Data Protection Software’. If you would like to review today’s material at a later date, an archived version of this event will be made available in our SearchStorage.com webcast library. I would like to again thank Laura DiDio for taking time to be a part of today’s presentation, and I would also like to thank Dell and VMware for sponsoring this event. And as always, thank you for taking the time out to join us today. This is Karen Guglielmo, wishing you all a great day.