Virtualisation driving organisations to re-evaluate disaster recovery plans

Symantec Corp. (Nasdaq: SYMC) today announced the global results of its fourth annual IT Disaster Recovery survey, which demonstrates a significant decline in executive involvement in disaster recovery planning and a significant increase in the number of organisations re-evaluating their disaster recovery (DR) plans due to virtualisation. As more applications and data are managed in a virtual environment, organisations are evaluating the most efficient ways to manage applications and data in both physical and virtual environments.

Nearly one-third of organisations reported they have had to implement part of their DR plan. However, in the past year there was a significant decrease in executive involvement on DR committees. And, while there appears to be improvement in successful DR testing, one-third of respondents indicate testing will impact their customers, and one-fifth admit such testing could negatively affect their organisation's sales and revenue.

With a rapid increase in mission critical applications combined with the continued growth of stored data - both physical and virtual - it is crucial that organisations incorporate a comprehensive, proven DR plan into the overall business strategy. This will help ensure the successful recovery of data and applications with the least amount of impact to business operations should a disaster - natural disaster, human error or system failure - occur.

On average, respondents indicated that 56% of applications were deemed mission critical - significantly up from 36% in 2007. With the increase in the number of mission critical applications, it becomes difficult for organisations with flat IT budgets to maintain the availability of a greater number of mission critical applications. As a result, companies should look at more cost effective ways to protect applications including reducing spare servers, increasing server capacity, looking at physical to virtual configurations, and more.

Disaster recovery plans are not documents collecting dust on shelves. In the past year, one-third of organisations surveyed had to execute their DR plans due to a variety of factors including: hardware and software failure (36% of organisations); external security threats (28% of organisations); power outage/failure/issues (26 % of organisations); natural disasters (23% of organisations); IT problem management (23% of organisations); data leakage or loss (22% of organisations); and accidental or malicious employee behaviour (21% of organisations). Given the regularity of events that cause downtime, IT organisations should expect that their DR plans will be tested at some point in the future.

Survey results also indicate that C-level involvement in DR planning is declining. In the 2007 survey, 55% of respondents said that their DR committees involved the CIO, CTO or IT director. However, in 2008 that number dropped to 33% worldwide. Symantec believes that such a move is a troubling trend, particularly in light of the mission critical applications not currently covered in DR plans and the re-evaluation of plans due to virtualisation. Increased executive involvement has been shown to increase the success of DR plans.

Virtualisation is the major factor that is causing more than half (55%) of respondents globally - 64% in North America - to re-evaluate their DR plans. In some cases virtualisation is being deployed for DR purposes and applications and data in virtual environments pose a difficult challenge since processes for physical environments may not work in virtual environments. In addition, native DR tools in virtual environments are immature and don't provide the enterprise-class protection that organisations require. The respondents reported that 35% of their virtual servers are not currently covered in organisations' DR plans, and only 37% of respondents reported that they back up all of their virtual systems.

Fifty-four percent of respondents listed resource constraints as their top challenge with backing up virtual systems, which points to the need for simplification and automation. Globally, 35% of respondents cited too many different tools as the biggest challenge in protecting mission-critical data and applications within physical and virtual environments. Complications with having different tools for physical and virtual environments include higher training costs, operating inefficiencies, greater software costs and workforces that work in silos. Lack of automated recovery and insufficient backup tools came in close second, each with 33%.

According to survey data, while having a DR plan is essential in most organisations today, knowing that DR plans work is equally important. In 2007, 88% of IT professionals polled carried out a probability and impact assessment for at least one threat. In 2008, that number increased to 98% of respondents indicating that they have carried out an assessment for at least one threat. However, respondents report that 30% of tests fail to meet recovery time objectives (RTOs) with an average global RTO of 9.54 hours.

Respondents also reported the top reasons why their tests failed include: human error (35%); technology failure (29%); insufficient IT infrastructure (25%); out-of-date plans (24%) and inappropriate processes (23%). Since human error is the greatest problem hindering successful recoveries, organisations should look to automation that will speed recovery and reduce errors and reliance on personnel.

In addition, 93% of IT organisations report they have tested their DR plan since it was created, yet 30% of those tests are not fully successful - improved from 50% failed tests in 2007 - and only 16% say that tests have never failed.

The study showed that approximately 47% of organisations test their DR plans either only once a year or less due to disruption to the business and lack of resources. Reasons cited include: lack of staff availability (39%), disruption to employees (39%), budgetary issues (37%) and disruption to customers (32%). In addition, 21% admit DR testing could impact sales and revenue. In fact, those in Asia and Europe, the Middle East and Africa (Emea) are less likely to test their DR plans, with 12% of respondents in Emea and 8% in Asia Pacific reporting that they never test their DR plans.

While survey results indicate that the IT industry has demonstrated some improvements in successful DR testing over the past year, only 31% of respondents report that they could achieve baseline operations within one day if a significant disaster occurred that destroyed their main data centre. And, only three% of respondents said they could have baseline operations within 12 hours and nearly half (47%) reported that it would take a full week to achieve 100% normal operations.

“While the research identifies a significant improvement in DR testing in the industry, we are concerned that organisations are not testing more frequently to improve their plans, and are not using adequate tools to reduce the overall business impact,” said Sheldon Hand, storage specialist at Symantec. “Virtualisation is obviously changing the game for disaster recovery and organisations should involve IT executives in the process of re-evaluating their DR plans and then implement best practices and solutions that ensure confidence in a successful and rapid return to full operations in the event of a disaster.”

Symantec recommends that enterprises implement a holistic data protection solution across virtual environments, remote offices, desktops, laptops, servers, applications and databases that can quickly recovery vital data and systems in the event of a disaster. In addition, consolidating on a single management tool that manages both physical and virtual environments will also help reduce the number of tools needed.

Symantec also recommends that organisations implement automated solutions that minimise human involvement and address other weaknesses in their DR plans to help to reduce downtime. Finally, using solutions that provide testing tools that minimise the impact of testing on customers is also recommended, so that organisations can test without affecting business processes, customers and employees.