
Disaster Recovery on a Budget

Info-Tech Research Group is a professional services firm dedicated to providing premium research and objective advice to IT managers of mid-sized enterprises, serving more than 25,000 clients worldwide. Our purpose is to provide practical and thorough solutions that enable IT managers to bridge the gap between technology and business.

www.infotech.com

888-670-8889 (North America)
519-432-3550 (International)

© Info-Tech Research Group, 2006

Disaster recovery and security issues are becoming increasingly important for enterprises of all sizes. In the past, the need for immediate recovery did not exist, and the technology was only available at the large enterprise level. Data protection technologies are now becoming more affordable for the SME and outsourcing all or part of the business continuity process has become a viable avenue for smaller enterprises.

Inside this report:

Introduction
    Disaster Recovery and the Smaller Enterprise
    Threats
    Defining a Solution
Developing a Recovery Program
    Establishing Requirements
    Prioritizing Recovery
    Cataloging Risks
    Determining Objectives
    Determining Strategy
    Recovery Plan Components
Establishing Supporting Infrastructure
    Backup Options
Putting Management Structures in Place
Outsourcing Recovery Functions
Conclusion

INTRODUCTION

With digital information increasingly critical, disaster recovery and business continuity planning are increasingly essential. Data is a precious resource, and it is coming under an ever expanding array of threats as the information age progresses. Not only must enterprises consider natural disasters such as fires and floods, but they must also face the possibility of direct attacks upon data resources through terrorism or hacker intrusions. At the same time, the need to maintain electronic records in unalterable and searchable form has also arisen as a result of regulations such as Sarbanes-Oxley (SarbOx) and in response to information storage requirements of vertical markets such as pharmaceuticals and construction.

Disaster recovery has long been a concern for large enterprises, whose massive databases represented a critical corporate asset. Smaller enterprises were content to implement a minimal tape backup system, with capability to restore most critical information on a leisurely basis, provided that the tape was accessible, and essential data was more than a few days old. Disaster recovery capability is now needed by enterprises of every size and, at the same time, the period between last backup and the present must continue to shrink as the cost of data lost on a minute by minute basis continues to increase. An array of technologies has developed around the need to support Continuous Data Protection (CDP), including tape libraries, RAID, disk mirroring, virtual tape libraries, and the like.

Data storage, backup, and recovery for large enterprises have long been quite different from that of small enterprises. While the smallest organizations simply have disks in workstations, and possibly a tape or CD-based backup strategy, larger enterprises utilize special high-speed networks, dedicated servers, disk and tape libraries, and hierarchical storage schemes. Use of such strategies can vastly improve reliability, guard against failure, ensure immediate data availability, and aid in maintaining long-term archives suitable to meet a wave of regulations based on SarbOx.

Smaller enterprises have been waiting for this technology for quite a long time. In the past, the technology has been too expensive, too bulky, and too management intensive to suit the needs of smaller organizations. All of this is about to change. During the past several years, CDP technologies have been migrating down toward the Small to Mid-Sized Enterprise (SME) space, where they have been enthusiastically welcomed as a solution for vast growth in data storage and management requirements. CDP technologies do, however, command a price and must be viewed as a component of an overall Disaster Recovery Plan (DRP) rather than as a substitute for planning.

Disaster Recovery and the Smaller Enterprise

Disasters do not make distinctions between enterprises, either by size or by industry. A catastrophic Data Loss Event (DLE) can occur for many reasons, anywhere, at any time. It also has the potential to easily destroy a business. The only safeguard is to have a DRP in place with the infrastructure and procedures to support it.

In general, developing a complete DRP can minimize loss should a disaster strike, as well as ensure that critical issues are not overlooked in the haste to create an ad-lib solution. There are also strong legal incentives to create a thorough DRP.

These are relevant for enterprises of all sizes, and in all industry sectors. The research firm Contingency Planning Research has categorized the numerous statutes operating in the US under which enterprises may be found liable for failure to provide adequate disaster recovery, business recovery, and security safeguards. These categorizations are [1]:

• Contingency planning statutes addressing recovery of critical systems (particularly for financial institutions).

• Liability statutes, based on “Prudent Man Laws,” addressing activities of corporate officers.

• Life/safety statutes ensuring worker protection.

• Risk-reduction statutes aimed directly at reducing or mitigating effects of a disaster (particularly for financial institutions).

• Vital records management statutes specifying retention and disposal of records.

Additionally, numerous statutes relating to information security, consumer privacy, and regulatory exposure may become issues if it is determined that the enterprise did not adequately address the possibility of a serious threat to its data or its systems and did not take all prudent preventive and management measures.

The main difference, in this space, between large and small enterprises is that small enterprises need to rely upon a lower level of technology. The key to cost savings, however, lies in planning and prioritization. While affordable technology might not match what is available at the large enterprise level, the smaller enterprise will also have less data to protect, and data is less likely to be distributed throughout the firm in a manner that would cause access problems.

In general, smaller enterprises need to determine the value and recovery requirements of their data, and match it against available backup and mirroring business continuity solutions.

[1] Schreider, Tari. “White Paper: The Legal Issues of Disaster Recovery Planning.” Disaster Recovery Journal (1996): Contingency Planning Research, Inc., April, May, June 1996.

In addition to handling all requirements in house, one solution that has become increasingly popular with small business is to engage an outsourcing company or consultant to handle all or part of the recovery process. The cost of such a solution may appear high at first, but it eliminates the need for expensive expertise in this area, as well as the need for special equipment and dedicated personnel. The resulting savings can be substantial.

Threats

Data processing risks can be broadly grouped into two areas: data loss and security. Data loss issues are those in which systems are unable to function or data is lost, requiring an emergency recovery response. Security risks are those in which outside access to systems results in the loss or pilfering of data or in physical damage to equipment (not to mention the consequences of such events that may affect regulatory compliance or competitive advantage). The line between data loss and security risks is, of course, thinly drawn, and a crisis can easily create problems in both areas. Recovery is generally concerned with the return to normal operation following a DLE, but issues of security still need to be considered.

Data loss and system outages can occur in a wide variety of situations, including:

• Natural disasters, such as earthquakes, fires, and floods.

• Deliberate acts of sabotage or terrorism.

• War or civil unrest.

• Break-ins.

• Hacker attacks resulting in system shutdown, data corruption, or data loss.

• Hacker attacks resulting in extensive data theft.

• Power and/or communications failures.

In addition, there are numerous scenarios in which operations may be disrupted due to problems of economy, priorities, scheduling, or management.

The most feared event in data storage is a complete data system shutdown and the resulting loss of all local data (a large possibility in a natural disaster). In addition to full-scale disasters, partial disasters in which some portion of the data is lost also need to be considered. Data must be recoverable; therefore, adequate backups must be available and produced on a frequent enough basis. Systems also must be able to be immediately restored so that business can continue as soon as possible.

The recovery plan needs to include provisions for any possible scenario involving data or systems loss, and it should be rehearsed.

Defining a Solution

A complete disaster recovery solution requires a threefold approach:

1. Developing a recovery program.

2. Establishing supporting infrastructure.

3. Putting management structures in place.

Each of these areas is discussed below. For the smaller enterprise, each of these areas includes a variety of trade-offs between cost and recovery capability.

Moreover, many smaller businesses need to consider outsourcing some or all of the recovery process to external vendors. External vendors can provide a wide range of infrastructure and consulting options, and can help to create a comprehensive plan to ensure data survival. Outsourcing firms can be used to manage the entire process, or can be employed to provide required services and offsite data protection in hot or cold sites.

DEVELOPING A RECOVERY PROGRAM

A recovery plan needs to be drafted and approved. It is important that the plan be tested, preferably on a regular basis, to ensure that no holes exist and that the facilities required are available and can be easily brought online. The recovery plan also needs to be continuously reviewed. Changes in business can affect the type of recovery and facilities required. Remember that tying up expensive facilities when they are no longer necessary is likely to incur unnecessary added costs.

The most important part of developing a recovery plan is to undertake a risk and business impact analysis. Every area of potential risk needs to be identified, and all possible contingencies need to be considered.

Establishing Requirements

The best data recovery solution for any business would be one that immediately restores all company data on a live system, without data loss. Except in very few situations, this is neither feasible nor affordable. Backing up and restoring data requires resources and incurs expense. Expense can be extraordinarily high, including a need for such items as duplicated servers, tape libraries, disk mirroring and RAID systems, additional network capacity, media costs, software costs, and management costs.

One important issue to consider is the cost of recovery versus the cost of downtime. In general, the quicker the restoration, the more expensive. This is because a faster restore with a tiny window of lost data requires data mirroring, immediate live system availability, capability to handle immediate transfer, and related infrastructure. Requirements and costs diminish over time. At the same time, the cost of downtime increases as systems continue to be down. Downtime may start by causing minor postponements and continue with orders becoming lost, which may potentially lead to the loss of customers and the inability to process existing business.

The overall result is revealed in Figure 1. The graph will differ for each business, but the overall scale is likely to be a matter of only a few hours.

Figure 1: Recovery Cost vs. Time

The first key to developing an affordable recovery strategy is to optimize the recovery process by prioritizing what needs to be stored, determining the profile of data that must be restored (i.e. how much, how recent, and so on), and cataloging potential risks and the likelihood of occurrence.

Prioritizing Recovery

Enterprises today run on data, and loss of critical information can quickly lead to business failure. However, there are vast differences in what constitutes essential data across industries and across enterprises. Financial data is almost always critical, but detail on individual transactions may or may not be important. For example, importance of data is vastly different between sellers of automobiles and sellers of paper clips. Similarly, e-mail may be more important for a consulting firm than for a small retailer, and stored documents may be more important for an insurance company than for an online publisher.

How information is prioritized depends upon the nature of the business. One common method is to separate data into mission-critical, business-critical, and operationally-important items. Mission-critical items directly affect revenue and customer relationships; this is the data without which the enterprise would fail.

[Figure 1 labels. Horizontal axis: Time from Disaster to Recovery. Vertical axis: Cost ($). Curves: Cost of Recovering from a Disaster Over an Increasing Period of Time; Cost of Downtime Due to System Unavailability. Marked point: Best Recovery Point.]

Business-critical data is tied to internal business operations, including e-mail, supply chain, coordination information, and back office applications. This is data that, if lost, could severely cripple the enterprise, but would still make it possible to continue doing business. Operationally-important data includes general database information, HR records, data-mining results, analysis, and other secondary processing. It is data that could be re-developed and whose loss will not impact operations, but that will still incur a replacement cost if it is unavailable.

When data has been prioritized, a recovery profile needs to be developed for each item. The two base measures to be considered are how fast data must be recovered before it begins having a serious impact upon the firm, and how much of the data is essential. These are defined by two variables, the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). The RTO is the time by which the data must become available, and the RPO is the amount of data loss that can be permitted between failure and the last backup or copy (in some cases, this may be zero, in which case a mirroring system is essential). These two factors can determine the overall costs of recovery. They can also specify the type of infrastructure that would be acceptable. For example, any data for which the RTO and RPO approach zero will require a real-time mirroring solution. If a large amount of data must be restored in a brief period of time, it will require substantial bandwidth or a hot site to accommodate requirements.

Cataloging Risks

The number of scenarios in which data might be lost is extremely large, ranging from natural disasters to sabotage and hacker intrusions. Collectively, these risks are referred to as DLEs.

Enterprises are faced with a wide range of potential DLEs, some of which affect all businesses, and some of which are specific to a given industry or firm. DLEs also range in magnitude from the loss or corruption of a few files due to human error up to the loss of an entire site due to war, natural disasters, and the like. Serious DLEs are, however, relatively uncommon.

• Over 80% of DLEs involve human error, typically data entry errors or deletions.

• Another 10% involve file corruption, limited to a few files and resulting from viruses or minor system problems.

• Storage loss, such as from disk crashes, accounts for another 5%.

• Server level problems, ranging from system shutdown and equipment failure to theft and sabotage, are less than 1%.

• Site-wide disasters constitute less than 2% of all DLEs.

It is often helpful to attempt to categorize possible data loss scenarios and their likelihood of occurrence as they apply to your site. This can be used to determine protective measures, as well as to decide where recovery funds should best be spent. Threats can vary widely according to geographic location, political area, communications and power infrastructure, accessibility, network connections, and many other features.

Determining Objectives

The information that has been collected can now be used to determine the overall recovery requirements. Potential DLEs can be linked to the type of data loss that is likely to occur, and the RTO and RPO for the specific data. The likelihood of occurrence for each event can then be used to determine basic requirements.

It is important at this stage to prioritize in terms of overall effect upon the business. Data that is absolutely vital to business operation must be restored at all costs, and within a period that will result in the slightest possible effect upon the business.

Determining Strategy

When the recovery scenario has been plotted, it is then necessary to look at the three components of a solution: prevention, continuity, and recovery. Prevention includes all measures taken to ensure that a given DLE does not occur, does not result in actual data loss, or has its potential effects reduced to a minimum. Continuity includes measures taken to ensure that the business can continue to function between a catastrophic DLE and recovery of all systems. Lastly, recovery comprises the measures that are taken to bring about a complete recovery of data, or a final disposition.

Planning must move from the general to the specific, determining recovery procedures, responsibilities, and facilities to be provided in the event of certain types of problems, including:

• Emergency procedures for sudden data and systems loss, either total or partial.

• Crisis management procedures in the event of a manageable threat.

• Recovery procedures for scenarios ranging from single server outages up to a catastrophic failure of all systems.

• Technology and infrastructure repair and recovery procedures for when the crisis is over and operations need to be permanently restored.

• Development of a catalog of available recovery options and procedures that can be invoked to meet specific instances.

Response in each area needs to consider the three basic components of prevention, continuity, and recovery and provide an appropriate response for each, as discussed below.

Finally, the last step in developing a recovery and security program is to have the plan validated, verified, and, if possible, tested.

Recovery Plan Components

A DRP, or business continuity plan, is a comprehensive set of measures developed to ensure immediate resumption of business in the event of a natural or man-made disaster in which all or some portion of data and systems become unusable. Many enterprises have some sort of recovery plan in place, though complete recovery plans tend to be somewhat rare even among major corporations. These plans can easily become out of date and certainly need to be revisited to incorporate recovery from problems that occur in outsourcing.

As mentioned, there are three main components to a DRP: prevention, continuity, and recovery.

Prevention

Prevention involves preplanning to ensure that, if at all possible, the disaster will not occur. The keys to prevention are training, emergency preparedness, rapid response, and management. All reasonable scenarios need to be worked out in advance, from a prepared immediate response to making a complete hot-site operation continuously available. Roles and responsibilities as well as availability of equipment and use of external recovery providers or consultants need to be worked out. Preventative measures will also mitigate problems if the disaster does occur.

Continuity

Continuity is the maintenance of mission-critical processes and basic infrastructure required to keep the operation going at an acceptable minimal level. The assumption here is that the major systems and current operating data are destroyed, for example, by serious flooding at the central office. Planning for continuity requires a determination of which systems are most critical, how long processes can remain offline before they become critical, where resources can be obtained, and which processes are needed to transfer data, systems, personnel, and other items to a new location.

Recovery

Recovery is the post-crisis phase in which everything must return to normal. This too requires planning because it is important to ensure that data isn’t lost in the transition, that equipment and infrastructure can be put in place quickly (such as through bulk equipment purchase agreements), and that the transition from emergency back to normal operations goes as smoothly as possible.

ESTABLISHING SUPPORTING INFRASTRUCTURE

For SMEs, recoverability and recovery costs are heavily tied up in the type of infrastructure that is being maintained. There are four essential areas of concern:

1. Continuity and redundancy measures, such as mirroring and RAID.

2. Storage, backup, and recovery architecture, such as tape storage, hot sites, standard backups, and so on.

3. Simplicity of data storage architecture and overall manageability.

4. Accessibility of data center to physical threats (break-ins) or hacker attacks.

In the business continuity area, costs have significantly decreased for mirrored disk systems and supporting software, and many enterprises are now employing Virtual Tape Libraries (disk storage masquerading as tape backup, otherwise known as VTLs), as an intermediary between archival tape and immediate storage. Network storage systems are also coming more easily within range of smaller enterprises, making it much easier to access data for backup and mirroring operations. A business continuity system provides a combination of disk mirroring and hierarchical storage to ensure that data is as secure and accessible as possible. These systems have developed in sophistication through the years, and are now migrating down to the SME level. Although they are expensive, they are also coming down in cost. Recent developments that have favored this approach include lowering costs of disk storage and growth of network bandwidth to the extent that some vendors are now making these systems available on standard LANs rather than utilizing Fibre Channel storage. An example is the recently introduced VLS 1000i storage unit from Hewlett-Packard. iSCSI, with high bandwidth and low cost, provides another low cost storage network option.

Research has shown that over half of the enterprises that lack a solid DRP will be out of business within two years of a major incident. However, a comprehensive DRP can be expensive due to the high level of redundancy involved. A full hot-site backup system requires mirroring the equipment in the primary data center. Moreover, this equipment must be continuously updated with the base equipment in order to remain in sync.

The DRP must include a combination of protection methods based upon likely risk scenarios, plus a comprehensive set of procedures to be followed in the event of a DLE. It is important that the program include assignment of responsibility and specific instructions for transfer of programs and data.

Backup Options

Backup and redundancy levels need to be specified according to how sensitive and/or critical the data is. Levels of backup and redundancy are presented below in decreasing order of security.

• Continuous availability.

• Online hot sites.

• Cold sites.

• Conventional backup to tape.

An important aspect of data recovery is spreading the risk by locating backups and hot or cold recovery centers in different areas. Areas can be across locations, departments, or even countries.

It is important to note, as with all outsourced services, that the greater the service, the greater the cost. Since one of the objectives of outsourcing is generally to save money, it does not make sense to provide a greater level of security than is really necessary.

In all cases, it is important to ensure that the recovery plan includes adequate geographical separation of data used in recovery. Adequate separation will depend upon the specific conditions, and it may require placing data outside of the outsourcing country. Some enterprises are able to maintain backup data at the home site, but this may not be possible for everyone due to real-time requirements, insufficient bandwidth, or other considerations.

Continuous availability architectures include load balancing and data replication, with storage and processing distributed across geographically distributed platforms. Each platform is provisioned with spare capacity, and data is mirrored, so that if one platform fails, the workload is simply redistributed. Business operation is continuous and uninterrupted. This infrastructure, and its variants, provides the maximum protection. However, it can be extremely expensive depending upon the types of applications, data, and infrastructure in use. Systems based on late model ERP or database architectures, for example, will likely have built-in support, while simpler applications and legacy programs will not. It is also important to ensure that the continuity architecture embraces all essential data elements and is not limited to a single application or system.

A second architecture is to provide near line or online hot sites where applications can be moved in the event of a disaster with minimal disruption. The failover site is maintained with all of the facilities required to host enterprise data. The data, applications, and system information are replicated to the failover site. The hot site may be owned by the enterprise, but for small businesses it is more likely to be owned by a disaster recovery outsourcing vendor. This approach may not provide the immediate recovery of a continuous system, but it does ensure a relatively small downtime window, which can be further optimized by setting priorities for restoration and putting the emphasis upon getting processes up and running. Procedures need to be put in place for transferring data and operations to the hot site, and also for how hot-site operations themselves will be overseen and how security will be assured.

Cold sites are a less expensive option than hot sites and can be more easily maintained. Contractually, the same issues are raised as with hot sites. The only addition is that cold sites need to be checked periodically to ensure that they can be made operational and that data can be transferred within a reasonable amount of time. They also need to be up to date and remain of sufficient capacity to handle the workload. Data requirements are always growing, and it is easy for tomorrow’s data to vastly exceed the capacity planned for today.


Standard backup is the fourth basic strategy. This remains the most common strategy for smaller enterprises. Backup is performed on a file by file or incremental basis, on a simple backup schedule, with storage generally going to tape. This type of infrastructure is appropriate in some circumstances, but it can provide a false sense of security. Without replication, data can only be restored to the last scheduled backup. There may also be no actual recovery plan in place, and it is likely that restoration is untested. Backup procedures need to be carefully spelled out. Geographical separation of backups also needs to be ensured. Then, the backup schedule and “grandfathering” issues need to be settled – how frequently do backups need to occur, and how many backup generations are likely to be required? In many cases, under regulations such as SarbOx, it is prudent to retain backups for all periods indefinitely. The backup schedule depends upon the time sensitivity of the data, and this is an issue for the client to determine. Note, also, that today’s hierarchical storage systems with disk mirroring and multiple media types may require further specification.

Putting Management Structures in Place

One of the greatest threats to security and recovery is the lack of clear roles and responsibilities in each phase of the process. Speed and efficiency are of extraordinary importance, and lack of clearly defined responsibilities will hinder operations and ensure that details – and, potentially, important data or processes – will become lost.

The DRP must provide the specific procedures to be carried out in the event of catastrophic data loss. Responsibility is likely to vary according to the nature of the disaster. Lines of authority need to be established, and the skills that will be required need to be made available to the recovery team. In many cases, management will need to develop agreements with outside organizations such as hot or cold site providers. If much of the recovery program is outsourced, then it is important to determine in advance how the two organizations will work together, including what personnel will be needed and what the lines of authority will be.

The recovery plan must also extend to all enterprise data assets. Although this is not generally an issue for smaller enterprises, many mid-sized enterprises will have a variety of outsourced services that will need to be included. Defining responsibility in this case can become complex, and requires both contract protection and careful cooperation.

It is not enough to establish management structures in the event of a disaster. Prevention and continuity must also be addressed and all measures must be subject to periodic testing and review. This requires a permanent review board or committee, composed of individuals who have a good knowledge of both data processing and business requirements. Recovery involves the whole organization, and prioritization of restoration functions will require difficult trade-offs.

Buy-in from upper management is essential for the entire recovery process. It will require resources, and it may directly affect the viability of the business.

Outsourcing Recovery Functions

As security and recovery become increasingly complex, firms have emerged that specialize in the outsourcing of these processes. These firms generally provide and maintain hot and cold recovery sites plus a variety of other services, including security and recovery consultation. These firms are often an essential part of the recovery process, and it may pay to create a relationship with one or more, stipulating that it should also be used for recovery of outsourced data. This may not be beneficial in every case, however, and it is important to note that the outsourcing companies themselves will generally have some relationship with one or more recovery services for at least part of their general security requirements.

Vendors specializing in disaster recovery and business continuity generally perform a business impact analysis. This involves interviewing staff and executives to identify and prioritize critical processes. A report can then be made of these findings, including details of which areas are most critical and how quickly various processes become critical after an emergency. They also provide help in planning, identifying, and defining recovery time objectives, losses, and costs.

A wide range of services are available. Some firms provide the option of outsourcing portions of the recovery process, offer recovery management, handle data storage and data transfer, or specialize in certain industries that have special needs. Some also target smaller businesses, while others have a global reach that may be helpful in handling diversified operations.

For the smaller firm, or firms strapped for cash, outsourcing can provide access to state of the art recovery services without the need for capital expenditure. The outsourcer can provide and maintain infrastructure, as well as supplying management and expertise in determining actual threats and recovery options. Some will also provide and install recovery software, and there are often options for recovery components to be installed and maintained locally or online.

In addition to consultants and general service providers, there is a special range of outsourcing providers that mainly provide secure sites for data and for the continuation of operations. These “alternate site” providers can make hot sites or cold sites available for recovery based upon a contract. By sharing the service with a number of clients, the cost of maintaining the site is greatly reduced, and expertise is concentrated to handle recovery processes efficiently when a disaster occurs.

Table 1 lists outsourcing disaster recovery and business continuity consultants, with the services that they offer.


Table 1: Disaster Recovery and Business Continuity Consultants

| Consultant | Description and Expertise |
| --- | --- |
| 21st Century Software | Software and consulting for disaster recovery, business continuity, Direct Access Storage Device (DASD) administration, and storage management. |
| Advanced Continuity | Provides solutions focusing on business continuity planning, disaster recovery planning, and Continuity of Operations Planning (COOP). |
| Agility Recovery Solutions | Agility is a former division of GE with 16 years of experience. Restoring business lifelines is its only business. |
| Automata | Provides a “one stop shop” of products and services to enable those involved in business continuity to cost-effectively protect their organizations and professionally manage unforeseen incidents. |
| Binomial International | Binomial International produces business continuity plans/DRPs for both government and private sector clients and conducts both in-house and public seminars. Also provides proprietary planning and plan management software. |
| BRProactive | A comprehensive business recovery planner. Focuses on providing quality DRP development solutions using a template approach backed by best practices to meet the needs of small, mid-sized, and large enterprises and government entities. |
| Business Protection Systems | Offers products and services to meet business continuity needs for enterprises of all sizes – from global corporations to small and mid-sized, privately-held enterprises. |
| CAPS Business Recovery Services | Comprehensive business continuity program with continuity and disaster recovery. |
| Contingency Now | Provides end-to-end practical and affordable disaster recovery and business continuity plans and services for private and public enterprises. |
| Continuity Solutions (CSI) | A disaster recovery and business continuity planning consulting company. |
| CPACS | Business continuity planning and risk assessment software tools, business continuity planning consulting and educational services. |
| Disaster Survival Planning Network | Assists enterprises in developing emergency response and business recovery plans. |
| Eagle Rock Alliance | An independent management consulting firm specializing in business reliability planning. |
| eBRP Solutions | Canadian company offering a Web-based eBRP toolkit and providing business continuity and disaster recovery planning with process modelling to facilitate end-to-end planning. |
| EverGreen Data Continuity | A business continuity firm that is focused on providing customers with solutions that mitigate the impact of natural disasters, terrorism, and other catastrophic events. |
| Forsythe | Business continuity and disaster recovery experts. |
| HP Business Recovery Services | HP strategies, services, and technologies to reduce exposure and vulnerability and ease recovery. |
| IBM Business Continuity and Recovery Services | Solutions for total business protection. |
| LBL Technology Partners | Business continuity planning consulting services. |
| Mainstar | Disaster recovery and storage management software plus complete consulting services in these areas. |
| Performance Technology Group | Disaster recovery planning and IT resumption services. |
| Persson Associates | Provides easy to use, low cost DRP development products. |
| RecoveryPlanner.com | Provides online business continuity planning software. |
| Recovery Specialties | Provides storage, business continuity and disaster recovery consulting for z/Series environments. |
| Rentsys | Services catering to the recovery of workspace, hardware, and communication needs. |
| RSM McGladrey | Provides a complete range of business continuity planning consulting services and business recovery planning software. |
| Sentryx | Comprehensive business continuity, disaster recovery, and emergency management and preparedness training and consulting services. |
| Strohl Systems | Offers a wide range of business continuity planning and consulting options to enterprises worldwide. |
| SunGard Availability Services | Disaster recovery experts, providing total solutions for all recovery needs. |
| TAMP Computer Systems | Planning solutions and software, including the Disaster Recovery System (DRS). |
| Virtual Corporation | A consulting company that specializes in business continuity. |
| Vistastor | A consulting and integration firm focused on helping enterprises ensure business continuity and simplify storage management. |


Table 2 lists vendors that primarily provide hot and cold sites for disaster recovery. Using an external site can be cost-effective and provide additional security by placing recovery facilities in a remote location and under the control of experts in rapid data restoration.

Table 2: Disaster Recovery Alternate (Hot and Cold) Sites

| Vendor | Address and Location |
| --- | --- |
| Agility Recovery Solutions | 2281 North Sheridan Way, Mississauga, Ontario L5K 2S3 Canada |
| bigbyte.cc | 123 Central Avenue, Albuquerque, NM 87102 |
| BRM Disaster Recovery Services | 1018 Western Avenue, Pittsburgh, PA 15233 |
| Business Recovery Center | 1259 Route 46 East, Building 1, Parsippany, NJ 07054 |
| CAPS Business Recovery Services | 2 Enterprise Drive, Suite 200, Shelton, CT 06484 |
| Cervalis | 1200 Bedford Street, Stamford, CT 06905 |
| Dataside | 1950 N. Stemmons Frwy, #2033, Dallas, TX 75207 |
| DPS Management Consultants | 2320 Gravel Drive, Fort Worth, TX 76118 |
| DRS Disaster Recovery Services | 10336 Southern Loop Blvd., Pineville, NC 28134 |
| E.V. Bishoff Company | 33 N. Third St., Suite 500, Columbus, OH 43215 |
| FirstMerit Disaster Recovery | 6625 West Snowville Road, Brecksville, OH 44141 |
| GramTel USA | 316 E Monroe, South Bend, IN 46601 |
| Hewlett-Packard | 2124 Barrett Park Dr., Kennesaw, GA 30144 |
| IBM Business Resilience and Continuity Services | 300 Long Meadow Road, Sterling Forest, NY 10979 |
| MDY Advanced Technologies | 21-00 Route 206 South, Fair Lawn, NJ 07410 |
| MPA Systems | PO Box 838, Sanger, TX 76266 |
| Recovery Point Systems | 75 West Watkins Mill Rd., Gaithersburg, MD 20878 |
| Rentsys Recovery Services | 200 Quality Circle, College Station, TX 77845 |
| Sentinel Properties | 114 East 32nd St., Suite 1402, New York, NY 10016 |
| Services Conseils RDI | 6555 boul Metropolitain Est, Bureau J2, Montreal, QC, Canada H1P 3H3 |
| SUMMIT Information Systems | 4500 SW Research Way, Corvallis, OR 97333 |
| SunGard Availability Services | 660 East Swedesford Road, Wayne, PA 19087 |
| Titan Ultra Secure Data Center | 5005 3rd Avenue S, Seattle, WA 98134 |
| Unisys | 12010 Sunrise Valley Drive, Reston, VA 20191 |
| Vanguard Vaults | 9750 Kent Street, Elk Grove, CA 95624 |

Conclusion

Data has become increasingly critical to all business operations, and its time value has risen dramatically. In the past, data that had been lost could be recovered and systems could be restored at a leisurely pace (often several weeks). Enterprises today demand the immediate recovery of vast amounts of critical data and systems need to be back online almost immediately. The recovery window continues to shrink as enterprises move into 24/7 real-time operations, with transactions taking place over the Internet at any time of the day or night, and with other systems, such as help desk support, similarly employed.

Even as data is increasing in importance and in time value, threats are growing in frequency and in severity. Security and disaster recovery issues are becoming increasingly intermingled as critical data of every type finds its way into computer systems. Increasingly important sources of data loss and data exposure “disasters” are hacker attacks and general breaches in security that release vital information, compromise records, or decrease confidence in the enterprise’s capability to do business. Similarly, disasters of other types also result in opportunities to evade normal security procedures if appropriate measures are not taken. Any type of event can expose a firm to an increasingly wide range of legal problems related to due diligence in protecting data.

As the range of potential threats expands, the consequences are becoming increasingly dire. As operations move toward real-time and as more and more critical data goes online, relatively minor interruptions of service can have expensive consequences if recovery measures are not in place. Government regulations in areas such as liability, continuance of essential services, data privacy, data security, and transaction storage also put an imperative upon recovery planning. Enterprises need to be able to demonstrate that they have taken every possible measure to ensure efficient and effective recovery, and this includes the evaluation of service vendors.

For smaller enterprises, all of this means that disaster recovery and security issues are becoming increasingly important. Disaster recovery has long been relegated to the back burner, with the need apparently satisfied through routine backup to tape. In the past, the need for immediate recovery did not exist, and the technology was only available at the large enterprise level. This situation is rapidly changing. Restoration needs to be faster, data exists in much larger volumes, and the technology to provide continuous data protection is moving down to an affordable level – at least for those areas in which it is required.

As technology becomes available, it is important to ensure that the data recovery program remains both affordable and manageable. The cost of maintaining infrastructure and supporting skills can be extremely high, and may not be justified. Because of this, many small enterprises are turning to outsourcing some or all of their disaster recovery solution. Outsourcing provides a number of advantages, including eliminating the need for immediate capital and special skills. Contracting out disaster recovery planning has recently increased in popularity with the expansion of broadband networks, which make it possible to swiftly move large amounts of data to external destinations. Conversely, outsourcing also imposes a new range of costs and risks and needs to be considered very carefully.


About the Author

Brian J. Dooley is an author, analyst, and journalist with more than 20 years of experience in analyzing and writing about trends in IT. He has written six books, numerous user manuals, hundreds of reports, and more than 2,000 magazine features. Mr. Dooley is the founder and past president of the New Zealand chapter of the Society for Technical Communication. He has been a Senior Analyst for Datapro (Gartner), and a Senior Product Information Specialist for Unisys Corp. He initiated and is on the board for the Graduate Diploma of Technical Communication program at Christchurch Institute of Technology, and he is on the editorial advisory board for Faulkner Technical Reports. Mr. Dooley currently resides in New Zealand.

Info-Tech Research & Analysis

This is an independent, non-sponsored research report. It was not funded by any vendor or other party.

Disclaimer

This material is for the general information of clients of Info-Tech Research Group. It does not constitute a personal recommendation or take into account the particular objectives, situations, or needs of individual clients. Before acting on any advice or recommendation in this material, clients should consider whether it is suitable for their particular circumstances and, if necessary, seek professional advice. The information contained herein has been obtained from sources believed to be reliable. Info-Tech disclaims all warranties and conditions as to the accuracy, completeness or adequacy of such information. Info-Tech is not liable for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection and use of these materials to achieve its intended results. Opinions expressed are our current opinions as of the date appearing on this material only. The opinions expressed herein are subject to change without notice. We endeavor to update on a reasonable basis the information discussed in this material, but for certain reasons we may be prevented from doing so.

© 2006 3409945 Canada Limited, operating as the Info-Tech Research Group (“Info-Tech”). All rights reserved. Reproduction in any form without prior written permission is forbidden.

Note: All Web links in this document were checked for accuracy and functionality at the time of publication. We cannot, however, guarantee that referenced Web sites will not change the location or contents of linked materials, and will not be held responsible for such changes.

About Info-Tech Research Group

Our research and advisory services offer unparalleled access to IT research specifically geared to the unique needs of IT professionals working in mid-sized enterprises. Research Seats with Info-Tech Advisor will provide you and your team with the research and analysis needed to succeed with daily IT tasks and management. Research Seats with McLean Report will support your IT strategy development and provide access to relevant, industry specific research. To complement both Research Seat options, tap into customized guidance and advice with an Analyst Inquiry Service, and gain access to unlimited, on-demand advice from industry experts.

Find out more – www.infotech.com 888-670-8889 (North America) 519-432-3550 (International)