The continuity compromise
As technologies such as virtualisation and cloud computing mature, companies can better balance risk and cost in business continuity planning.
An increasingly mobile workforce, an explosion in the amount of data the average organisation needs to manage, and growing regulatory pressures are all forcing South African organisations to rethink their traditional approaches to disaster recovery and business continuity planning.
The old approach of throwing hardware at the challenges of recovery and resilience is giving way to the more strategic use of automated tools and services from third-party providers. With IT budgets under pressure, even conservative large companies are turning to solutions such as cloud computing and outsourcing to contain their spending on disaster recovery infrastructure.
South African organisations used to be at two extremes of the business continuity spectrum, says Mariana Kruger, IT services executive for IBM Global Technology Services in SA. On the one hand, larger organisations invested heavily in duplicating their entire data centre infrastructure at a mirror site for disaster recovery. On the other, there were many companies that did not invest much in business continuity and disaster recovery planning at all.
Now, CIOs are looking at their environments very carefully to understand where they will duplicate infrastructure and where they will opt for solutions such as cloud-based back-up and recovery. “Big businesses like the banks used to see disaster recovery and business continuity as something they would handle in-house,” says Kruger. “They are now more open to innovative ways of providing resilience.”
Rudie Raath, technology consulting country manager at HP SA, says replicating a data centre environment in a disaster recovery site is complex and expensive. Yet trends such as online business and workforce mobility mean organisations need their technology to be up-and-running 24/7. IT departments no longer even have a window at night to perform systems maintenance and back-ups.
Cost pressures are forcing companies to be more flexible in how they approach disaster recovery and business continuity, he adds. “People are no longer scared to share their risks with an outsourcing provider,” says Raath. Large corporates are also more open to using home and virtual office space in their continuity planning.
CIOs and IT managers face a careful balancing act when they roll out their disaster recovery and business continuity plans, says Vishal Mothie, technical specialist at Novell SA. The technology is there for companies to achieve a recovery time objective (RTO) within hours or even minutes of a failure and a recovery point objective (RPO) near the moment of the failure, but it is expensive to put in place.
For most organisations today, the RTO is measured in hours rather than days, says Mothie. Most organisations are also unable to set their RPO (the period of time for which the business can tolerate losing data after a failure) too far in the past, which means they need to back up data at frequent intervals. “How much are you willing to spend to achieve your desired RTO and RPO? That is where the compromise happens,” says Mothie.
One major challenge organisations face in the roll-out of their continuity plans is that the amount of information they must manage, back up and possibly recover in the event of a disaster is growing at an exponential rate, says Sheldon Hand, Symantec's CTO for emerging regions.
“Our approach to the problem used to be to throw more hardware at it - bigger SANs, more network upgrades, and so on,” says Hand. “But the improvements in infrastructure are not keeping up with the explosion in data and the costs are prohibitive.” Backing up all this data is placing major strain on IT systems and processes at many organisations, he adds.
Information explosion, the emergence of virtualisation, rapid adoption of new applications, and 24/7 business needs have broken the traditional backup model, says Hand. “We need a different approach - we need to become more intelligent about how we back up.” Companies are keen to invest in technology that reduces the time and infrastructure needed to back up their data - data de-duplication tools, for example.
One common problem lies in the fact that many organisations have rolled out multiple products and solutions for backup and recovery across different lines of business and different projects, says Hand. This is expensive and inefficient because of the need to maintain, license and provide training across multiple vendors.
Virtualisation has also added new layers of complexity to recovery planning and continuity, says Mothie. Many companies have ended up putting two disaster recovery plans in place - one to cater for virtualised systems and another to provide for non-virtualised systems.
But there are systems management tools capable of catering for both. Virtualisation is a mature technology today and companies should no longer need specialised backup tools for virtualised environments.
The growing maturity of systems management tools and software infrastructure means it is becoming easier for companies to manage their disaster recovery, business continuity, virtualisation and application optimisation needs in an efficient, integrated manner, says Bryan Balfe, solutions specialist at Dell SA.
For example, a VMware customer can now create a virtual machine, create data policies and allocate storage from one management screen, whereas these tasks may once have been performed through multiple tools.
Virtualisation technology also creates some interesting opportunities for more cost-efficient disaster recovery and business continuity planning, Mothie says. For example, there is a trend among larger enterprises to use virtualised infrastructure to power two production sites that provide redundancy for each other rather than build a production site that shoulders most of the workload and a disaster recovery site that is seldom used.
Challenges and opportunities
Two related trends having a profound impact on disaster recovery and business continuity planning are the rise of cloud computing and the growth of the mobile workforce. Raath says the desktop market is in sharp decline while smart access to corporate systems using mobile devices is exploding as users bring their own smartphones and tablets to work.
“This is increasing risk because people are bringing devices into the business environment that are not under the IT department's control.”
The trend towards mobility is straining IT organisations because they have to maintain IT availability, despite the fact that user information is not always under their control, says Sumash Singh, business unit manager for backup recovery systems at EMC Southern Africa.
As a result, many IT departments are turning to cloud-based storage to ensure they have some control over end-user data and that their users can keep working if there is a disaster at the data centre or if they lose their devices.
“Companies don't necessarily want to move their production systems into the cloud, but they do increasingly see it as a cost-effective alternative for disaster recovery,” says HP's Raath. The benefit of the cloud as part of a disaster recovery and business continuity strategy is that it can enable even mid-range businesses to access and recover data on demand in the event of a disaster, says Richard Broeke, security consultant at Securicom.
These companies don't have the budget to mirror data at a disaster recovery site in real-time, yet they want to be able to access data instantly in the event of a disaster. “It always takes a bit of time to get systems up and running again when companies invoke their disaster recovery plans,” Broeke adds. “Business continuity has to become faster, cheaper and better.”
Michael Davies, MD at ContinuitySA, says cloud services can provide companies with more flexibility and better scalability in their disaster recovery plans. Cloud-based services may offer superior RTO and RPO to an offsite disaster recovery site that the organisation runs itself. They also have the benefit of moving the IT investment off the balance sheet and reducing the need for in-house skills.
However, he cautions that an organisation needs to carefully investigate any service provider it plans to partner with to ensure that it can offer the availability and security the business requires.
Companies also need to make sure that cloud partners have business continuity plans of their own and that they are financially sustainable into the future.
One subset of cloud computing that is gaining traction is desktop virtualisation, which enables employees to access their applications and data wherever they are through public or private cloud infrastructure. This means employees can keep working as usual at home or in a coffee shop if they can't go to work because of a disaster such as a violent strike, fire or adverse weather, says Cary de Sousa, enterprise relationship manager at Citrix Systems SA.
A grudge purchase
Regulatory compliance remains one of the largest factors driving business continuity and disaster recovery investment among South African organisations. “Business people are getting more serious about continuity because they are being held accountable for data security and integrity,” says Balfe.
An eight-hour outage in a large company's data centre can mean a massive loss of reputation and opportunity for the business, he adds.
The King III report on corporate governance has turned IT risk management into a boardroom concern for JSE-listed companies, says Kruger. In the public sector, the auditor-general is putting more pressure on government departments to show that they have put sound processes and systems in place to manage IT risks and ensure business continuity, says Mothie.
Many companies still regard disaster recovery and business continuity planning as a grudge purchase, says Scott Orton, sales director at Triple4. The reason for this is that they don't see much value from it unless they actually experience a disaster.
Too many organisations put a disaster recovery plan together only to satisfy an auditor or a business partner, says Orton. Often, they don't even put these plans to the test and find out they don't work when they do face a disaster. What's more, many companies focus only on hardware disaster recovery without thinking about business processes.
Companies often take a narrow approach to disaster recovery that focuses on the doomsday scenario of a plane hitting the data centre, agrees Balfe. They invest millions in high-end storage area networks, but don't take into account that one of the most common threats to continuity is human error from a careless hand on a keyboard.
“There is a tendency to throw too much technology and not enough process at the problem,” says Balfe.
Hand says many people still use the terms 'disaster recovery' and 'business continuity' interchangeably, even though disaster recovery is just a subset of a wider business continuity programme. Disaster recovery focuses on IT issues such as the recovery of data and systems after an outage, but companies also need to address issues such as where people will work after disaster strikes and the processes they will follow.
Companies should always start out with a business impact analysis that will allow them to determine what the biggest threats are to the continuity of their businesses, says Kaseya SA MD Garth Hayward.
From there, they can begin to assess which technology choice is best for them - from online, cloud, or onsite back-ups through to provisioning mirror sites for critical business processes.
Curses and invocations
Companies around the world invoke their business continuity plans more frequently than one might imagine. Research conducted last year by Forrester Research and the US-based Disaster Recovery Journal (DRJ) found 61% of respondents had invoked their business continuity plans at least once within the past five years.
This is an increase over a similar survey in 2008, when 50% had invoked a continuity plan at least once during the past five years. The surveys canvassed DRJ members working in business continuity at large and medium-sized companies around the world.
The most common reasons for invoking business continuity plans in 2008 and 2011 were extreme weather and natural disasters, followed closely by power outages, IT failures, floods and fire.
Respondents in the 2008 and 2011 surveys said the top two lessons they had learnt from their invocations were that there had not been enough training and awareness across their organisations and that their plans did not pay enough attention to internal communication and collaboration.
A third lesson that emerged in 2011 was that failing to include key staff in tests means employees don't know what their roles and responsibilities during a crisis are, or how to carry out their tasks during times of stress.
Despite the fact that the majority of companies needed to invoke business continuity procedures at some point in the past five years, most respondents to the 2011 survey tested their plans only once a year.