Ian Masters, UK sales and marketing director at Double-Take Software, discusses Continuous Data Protection (CDP) to separate the buzz from the benefits. For organisations focused on solving real-world problems, understanding the distinction will help them make the best choice to safeguard their electronic assets.
There is some uncertainty in the market over what defines CDP. The Storage Networking Industry Association (SNIA) defines CDP as “a methodology that continuously captures or tracks data modifications and stores changes independent of the primary data, enabling recovery from any point in the past. CDP systems can provide fine granularity of restorable objects to infinitely variable recovery points”.
The capabilities described by the SNIA definition of CDP are not trivial. They require a technology solution that stores all data changes as they happen and can arbitrarily return to infinite points in time to recover previous versions of data. This makes true CDP a very expensive proposition for customers. This expense may be difficult to justify when an organisation’s data isn’t perceived as sufficiently valuable and even where the value is recognised, most can’t afford these types of CDP solutions. In this sense, true true-CDP products are a solution to a problem that customers cannot afford to solve.
Companies are instead opting for near-CDP solutions or backup and recovery solutions that integrate CDP-like capabilities. While solutions based on the strictest definitions of CDP may eventually gain momentum in the market as the enabling technology comes down in price, the majority of businesses don't have a Recovery Point Objective (RPO) that requires, and justifies, this type of CDP. There is clearly a need for something that provides better recoverability than tape but is simple and affordable enough to deploy across the enterprise, not just on a few systems.
Another issue affecting take up of CDP is that it has traditionally taken a very narrow approach to business continuity. Solutions have mainly focused on file-level recovery and not application data like that created by Microsoft Exchange Server or Microsoft SQL Server. If the first line of defense in a disaster recovery solution is protecting the data, the second is undoubtedly protecting the application. Providing a real-time copy of the data and availability of the application associated with it, enables a Recovery Time Objective (RTO) significantly better than that provided by solutions like tape backup or CDP. CDP provides no provision for RTO and focuses solely on RPO, which is only half of the customer challenge.
While true-CDP solutions have not gained widespread traction, the promise of CDP, despite its problems, thrives. It does so in the form known as near-CDP. Many traditional backup vendors have differentiated themselves from their competitors by integrating CDP capabilities into existing solutions rather than attacking the concept head-on. These solutions provide many, but not infinite, points of recovery. This satisfies most customers’ RPO goals far more readily than relying on retrieval from tape-based solutions by providing snapshot copies of important data for recovery purposes.
Though near-CDP promises to be an easy way to augment the backup solutions that customers use today, it still doesn’t account for the complete recovery of a company’s business critical systems. To the end-user, recovery isn’t complete until they are able to resume their work where they left off. This means not only restoring a previous version of the data but also the operating systems and applications and all the other aspects that are required to give users access to that information. Double-Take Software believes the future of CDP lies in hybrid solutions that incorporate an overall recovery management strategy combining data replication and protection, application availability and point-in-time recovery.
Alternatives exist today that provide this unified approach to recovery. In these solutions, asynchronous file-based replication is combined with application availability and snapshot technologies to fulfill at least the spirit, if not the definition, of CDP. In terms of data protection, real-time replication provides for the continuous capture of changes to protected data and the storage of those changes separate from the production data. If needed, a company can recover to this real-time copy of the data in the event of a major disaster. Because these solutions are typically based on byte-level replication, including features such as compression and bandwidth throttling, they are more efficient at moving data across long distances when compared to the data movement technologies employed by purebred CDP solutions.
For recovery from unwanted changes such as those caused by human error, viruses, or corruption, disk-based snapshot capabilities allow rollback to multiple (albeit not infinite) copies of the protected data. Disk-based snapshots are usually difference-based (copy on write technology) and consume less storage space. Their periodic nature also further reduces storage requirements when compared to keeping infinitely accessible copies of data changes. A combination of data replication and disk-based snapshots ensure that the RPO goals for a company’s data can be met.
Where these solutions truly exceed the promise of CDP is their ability to ensure RTO goals as well as RPO goals. By continuously monitoring the availability of the production systems and failing over to a secondary system in the event of an outage, they provide an RTO of minutes rather than hours or days. Most true-CDP solutions today do not provide any high availability for the applications creating the data and instead leave recovery to the IT administrator who is most likely using a complex, manual, time consuming process.
Evaluating the Options
No solution is ‘one size fits all’. Each company’s business is unique so each business continuity recovery plan will be different. However, the high-level approach to business continuity planning is generally the same. The key to business continuity and recovery planning is to first understand the impact an outage, loss or major disaster would have on your ability to provide a product or service and then pick the right procedures and tools to minimise that impact.
The first recommendation we make is to assess and rank each of the business systems within your organisation and assign the appropriate level of protection to them. Not all systems require the same levels of protection; in fact, some may not need protection at all. Successful plans account for this and are able to restore systems defined as business-critical as rapidly as possible while making the most of limited resources. The challenge for most companies in prioritizing these systems and choosing the right solution is simply a matter of quantifying the value of the data the solutions protect and calculating the Return on Investment (ROI).
Summary
The reality of CDP is that it has not lived up to the buzz it generated. This is not because the promise of CDP isn’t appealing to customers but because CDP, as narrowly defined by industry organisations, was not permitted the opportunity to integrate with other data protection and recovery capabilities. A hybrid solution combines the best of CDP with the best of continuous data replication and application availability while keeping costs down. Successful vendors will continue to build CDP into their products where it is appropriate and successful IT organisations will learn to use the technology in a way that best addresses all of its recovery goals while staying within budget and without sacrificing capabilities.
Double-Take Software will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 2- 3rd April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before during and after an incident.
For further information visit www.businesscontinuityexpo.co.uk
Fact Sheet: Creating a Culture of Preparedness Among Schools
The U.S. Department of Homeland Security (DHS) offers a wide-range of emergency preparedness resources to help schools create safe and secure environments for their students. Emergency preparedness is an important responsibility shared by all individuals as well as communities, including schools. In order to advance school preparedness nationwide, DHS offers several planning and training resources to help local schools prepare comprehensive all-hazard emergency preparedness plans that are exercised regularly and developed in partnership with their community leaders and first responders.
- Safe School Initiative: Established in collaboration by the U.S. Secret Service and the U.S. Department of Education’s Safe and Drug Free Schools Program, the Safe School Initiative (SSI) focuses on prevention and provides useful information about the thinking and behavior of students who commit acts of targeted violence in our nation’s schools. One of the key recommendations of the SSI was that schools form multidisciplinary threat assessment teams to assist with identifying, assessing and managing students who may pose a threat of targeted violence. An interactive CD-ROM, titled A Safe School and Threat Assessment Experience: Scenarios Exploring the Findings of the Safe School Initiative, complements the published documents of the Safe School Initiative. The CD is available to law enforcement and school safety personnel across the country and can be ordered via the Department of Education website at http://www.edpubs.org/.
- Protecting Our School’s Infrastructure: DHS’ Office of Infrastructure Protection (OIP) has developed and issued Characteristics and Common Vulnerabilities, Potential Indicators of Terrorist Activity, and Protective Measures reports for public and private schools (K-12) and higher education institutions. With dual benefits in addressing both terrorism and criminal-related security issues, these resources are available to local law enforcement and school officials to help identify site-specific vulnerabilities, anomalies or incidents that may precede a terrorist attack or other kind of harmful incident, and certain measures that can be taken to better protect and create a safer environment. DHS has conducted over 40 Site Assistance Visits at schools to help officials identify potential vulnerabilities as well as Soft Target Awareness Courses that address the security of schools and higher education institutions.
- Protecting Against Man-Made or Terrorist Incidents: The DHS Federal Emergency Management Agency (FEMA) offers a series of manuals and publications to help schools address their physical design and layout as part of a mitigation process to protect against terrorist attacks and natural disasters. These materials include: Design Guide for Improving School Safety in Earthquakes, Floods and High Winds; Primer to Design Safe School Projects in Case of Terrorist Attacks; Incremental Seismic Rehabilitation of School Buildings (K-12): Providing Protection to People and Buildings; and FEMA Mitigation Case Studies Protecting School Children from Tornadoes: State of Kansas School Shelter Initiative.
- School Preparedness Training Courses: FEMA also offers several courses – both online and in-person, through the Emergency Management Institute to help schools and district personnel develop emergency plans for all-hazards. Through “train-the-trainer” courses, FEMA links school personnel with first responders, law enforcement, public health officials and others to discuss different needs and decisions that may arise during an emergency such as transportation, food and health, medical assistance, facility management, and communication. More information on available courses may be found at http://training.fema.gov/emiweb.
- Lessons Learned Information Sharing (LLIS): Established to help first responders, emergency planners and managers, and homeland security partners prevent, prepare for, and respond to terrorism, this web portal includes valuable best practices and lessons learned information, including a section on school emergency planning. Additional information may be found at https://www.llis.gov.
- DHS “READY” Campaign: A national public service advertising campaign produced by The Advertising Council in partnership with the Department of Homeland Security, the Ready Campaign is designed to educate and empower Americans to prepare for and respond to emergencies, including natural disasters and potential terrorist attacks. Ready Kids is the newest addition the campaign and provides a family-friendly tool to help parents and teachers educate children, ages 8-12, about emergencies and how they can help their families better prepare. Individuals interested in more information about family, business and community preparedness can visit www.ready.gov or call 1-800-BE-READY to receive free materials.
- Citizen Corps: Created by President Bush in 2002, Citizen Corps provides Americans of all abilities with opportunities to gain information, training, and hands-on volunteer opportunities that increase community preparedness and resilience to all types of hazards. Headquartered at FEMA, there are more than 2,220 Citizen Corps Councils nationwide. These councils operate at the community level bringing public and private sectors together with local government, emergency managers, voluntary organizations, and first responders to coordinate disaster preparedness planning and response efforts in our communities. Schools are encouraged to partner with local Councils to integrate school emergency plans with community plans; coordinate alert systems; and educate, train and exercise the school community. Visit www.citizencorps.gov for more information.
- Funding and Additional Resources: DHS offers several grant programs to State and local governments with potential applicability to school-related violence or terrorism. States and local governments make the decision as to whether this program may be applied to educational facilities. Information on DHS grants is available at www.grants.gov.
Are You Getting Value from Your BIA?
James R. Mitchell, CBCP
Director, eBRP Solutions, Inc.
Cost vs. Benefit
The standard practice of conducting a Business Impact Analysis (BIA) to determine the basic recovery requirements (Mission Critical Processes, RTO’s, RPO’s, Critical Applications, Suppliers, and other Resources) is a vital phase of every Business Continuity Management program.
The BIA process can be long and difficult – no matter what data collection method is used. Is the return on your BIA investment (time, manpower and resources) offset by the value of the results?
If a BIA is a fundamental part of BCM, the underlying cost may simply be a necessary evil. But, when a BIA is a one-time ‘project’ – as in many organizations – is the cost realistically proportional to the value?
Some organizations conduct a BIA expecting to repeat the process at regular intervals. However, once the initial BIA is completed and the true cost known, such expectations are often abandoned.
Focus on change
Failure to update a BIA is a leading cause of Recovery Plan failure. Change is the only constant in business. A BCM program lacking up-to-date BIA data yields Plans that don’t reflect the organization’s true requirements.
Intending to update a BIA is easy; yet the update process often fails.
Consider the effort required to complete the original BIA: questionnaire preparation, distribution and collection; interviews to “normalize” the results, plus the cost of analysis and report generation.
Often, the original BIA process “project”, may take three to eight months. Significant business changes make the prospect of repeating that lengthy process daunting. Postponing the update may be rationalized. Like most things in life, postponing difficult tasks allows them to grow more unwieldy
To streamline the process, the updated BIA must focus on the changes – rather than repeat the entire process. It is likely that much of the information from the earlier BIA is still valid. The update process simply entails drilling down to which business processes have changed, and how those changes affect the original BIA results. Of course, the method used to conduct the earlier BIA will determine just how easy – or how difficult – the update process becomes.
In Information Technology, an updating process is generally ongoing (Change Management) because IT changes have a direct impact on daily operations. In business operations, changes occur regularly, but are seldom, if ever, documented. (To be fair, no matter how robust the IT program, not every organization consistently correlates its Change Management information with its DR Plan.)
The Whole is Greater than the sum of its Parts
Is it sufficient for individual business process “Owners” or function leaders to update their own critical resource requirements? Yes, if the update method allows for the capture of changes in enterprise-wide dependencies (on other processes, applications, etc.). But no effective update can be conducted in a vacuum; any change to critical dependencies or resources is likely to have a corresponding affect upon those dependent processes.
While it may be efficient for a process team to update its own BIA, only by collecting and integrating changes across the enterprise can the true impact of business changes emerge.
The Path of Least Resistance
Frequently, the cost of updating a BIA (in manpower and time) is perceived as unjustifiably high. Not updating a BIA may become an accepted risk. BCM management may opt to focus on BC/DR Plan updating (assuming most process owners understand the impacts of change and will modify their Plans appropriately) without revising the BIA. The more burdensome the BIA process, the higher the propensity not to repeat it.
Once made, such a decision often becomes institutionalized. Later, the failure to reflect fundamental changes in the organization’s structure may result in flawed Plans and a failed recovery. With luck, flaws show up in a test or exercise – not a real life incident.
What’s in your Toolbox?
Does your existing BIA format lend itself to manipulation? Or do you have to start from scratch? Do you use software that integrates BIA and Plan development?
Does the BIA format lend itself to the use of collaborative tools? Can business process owners gain access to the original BIA survey? Network- or Web-based collaborative tools reduce the pain of updating a BIA, while enabling monitoring and auditing of the process by the BCM leaders or planners.
Assess your options, and pick a BIA updating method that works best for your situation. It may not be free, it may be time-consuming, and it may not be painless. But it will pay dividends if you have a disruptive event.
An out-of-date BIA exponentially increases the chances of Plan failure. The BIA provides the core upon which an organization’s Plans depend. Without up-to-date BIA information, the validity of Plans should be questioned, and their successful execution must be suspect.
eBRP Solutions, Inc will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 2- 3rd April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before during and after an incident.
For further information visit www.businesscontinuityexpo.co.uk
Director, eBRP Solutions, Inc.
Cost vs. Benefit
The standard practice of conducting a Business Impact Analysis (BIA) to determine the basic recovery requirements (Mission Critical Processes, RTO’s, RPO’s, Critical Applications, Suppliers, and other Resources) is a vital phase of every Business Continuity Management program.
The BIA process can be long and difficult – no matter what data collection method is used. Is the return on your BIA investment (time, manpower and resources) offset by the value of the results?
If a BIA is a fundamental part of BCM, the underlying cost may simply be a necessary evil. But, when a BIA is a one-time ‘project’ – as in many organizations – is the cost realistically proportional to the value?
Some organizations conduct a BIA expecting to repeat the process at regular intervals. However, once the initial BIA is completed and the true cost known, such expectations are often abandoned.
Focus on change
Failure to update a BIA is a leading cause of Recovery Plan failure. Change is the only constant in business. A BCM program lacking up-to-date BIA data yields Plans that don’t reflect the organization’s true requirements.
Intending to update a BIA is easy; yet the update process often fails.
Consider the effort required to complete the original BIA: questionnaire preparation, distribution and collection; interviews to “normalize” the results, plus the cost of analysis and report generation.
Often, the original BIA process “project”, may take three to eight months. Significant business changes make the prospect of repeating that lengthy process daunting. Postponing the update may be rationalized. Like most things in life, postponing difficult tasks allows them to grow more unwieldy
To streamline the process, the updated BIA must focus on the changes – rather than repeat the entire process. It is likely that much of the information from the earlier BIA is still valid. The update process simply entails drilling down to which business processes have changed, and how those changes affect the original BIA results. Of course, the method used to conduct the earlier BIA will determine just how easy – or how difficult – the update process becomes.
In Information Technology, an updating process is generally ongoing (Change Management) because IT changes have a direct impact on daily operations. In business operations, changes occur regularly, but are seldom, if ever, documented. (To be fair, no matter how robust the IT program, not every organization consistently correlates its Change Management information with its DR Plan.)
The Whole is Greater than the sum of its Parts
Is it sufficient for individual business process “Owners” or function leaders to update their own critical resource requirements? Yes, if the update method allows for the capture of changes in enterprise-wide dependencies (on other processes, applications, etc.). But no effective update can be conducted in a vacuum; any change to critical dependencies or resources is likely to have a corresponding affect upon those dependent processes.
While it may be efficient for a process team to update its own BIA, only by collecting and integrating changes across the enterprise can the true impact of business changes emerge.
The Path of Least Resistance
Frequently, the cost of updating a BIA (in manpower and time) is perceived as unjustifiably high. Not updating a BIA may become an accepted risk. BCM management may opt to focus on BC/DR Plan updating (assuming most process owners understand the impacts of change and will modify their Plans appropriately) without revising the BIA. The more burdensome the BIA process, the higher the propensity not to repeat it.
Once made, such a decision often becomes institutionalized. Later, the failure to reflect fundamental changes in the organization’s structure may result in flawed Plans and a failed recovery. With luck, flaws show up in a test or exercise – not a real life incident.
What’s in your Toolbox?
Does your existing BIA format lend itself to manipulation? Or do you have to start from scratch? Do you use software that integrates BIA and Plan development?
Does the BIA format lend itself to the use of collaborative tools? Can business process owners gain access to the original BIA survey? Network- or Web-based collaborative tools reduce the pain of updating a BIA, while enabling monitoring and auditing of the process by the BCM leaders or planners.
Assess your options, and pick a BIA updating method that works best for your situation. It may not be free, it may be time-consuming, and it may not be painless. But it will pay dividends if you have a disruptive event.
An out-of-date BIA exponentially increases the chances of Plan failure. The BIA provides the core upon which an organization’s Plans depend. Without up-to-date BIA information, the validity of Plans should be questioned, and their successful execution must be suspect.
eBRP Solutions, Inc will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 2- 3rd April 2008 - the UK's definitive event for managing risk, resilience and recovery. This event will explore the solutions and best practice to ensure operational continuity and protect a company's interests before during and after an incident.
For further information visit www.businesscontinuityexpo.co.uk
NATIONAL AND INTERNATIONAL SECURITY – THE THREATS, THE RESPONSES, THE OPPORTUNITIES
Insights into US homeland security science and technology priorities, expert analysis of a range of threats from terrorism to pandemics, and examination of major security programmes in the UK and overseas are all features of the International Security & National Resilience (ISNR London) conference, which will be held at London’s Olympia from 3-5 December 2007. ISNR London incorporates the former APTS show.DAY 1
Top US Department of Homeland Security official to give insights
Day One of ISNR London is designated the US Department of Homeland Security 2007 Science & Technology Stakeholders International Conference – the first ever initiative of its type to be staged in the UK. The S&T Directorate is the gateway to the US Department of Homeland Security for private sector and academic solutions providers and this event will provide a unique opportunity for conference delegates from the UK and other European countries to meet with senior DHS leaders.
The Honourable Jay M Cohen, the Department’s Under Secretary, Science & Technology, will lead the plenary level insights into how the DHS S&T Directorate is employing science and technology to enhance security and safety. Participants will include the S&T Directors of Transition, Research and Innovation.
DAYS 2 AND 3
Highlights include:
Matching capability with threats
The plenary session will be led by Admiral Sir Alan West, Parliamentary Under-Secretary of State for Security and Counter-terrorism; Dr Paul Weissenberg, Director, Aerospace, GMES, Security and Defence, Enterprise and Industry Directorate General, EU Commission and the Honourable Jay Cohen. Three of the world’s most senior government representatives will discuss how new strategies and technologies are being adopted to enhance security on a national and international level.
Terrorist attack scenarios
The key issues concerning critical infrastructure protection will be put under the microscope by leading experts. Global and generic threats, including terrorism and pandemics, will be examined, and insights provided into UK and wider European CIP policy. A significant new feature for a conference of this type is two table-top exercise scenarios on defeating the terrorist threat to CIP. The subjects are an attack on a major event and a city centre.
Illegal migration threat
E-borders is a key component of UK Government’s border transformation programme and central to its strategy for immigration and asylum. The conference stream on integrated border management will feature a session examining the major milestones of this multi-billion pound programme. There will also be analysis of the security consequences of illegal migration, a factor which is changing the social, economic and political landscapes of communities on a global basis.
The challenge of Al Qaeda
Internal security, policing and intelligence are high on virtually every government’s agenda. The challenges addressed in this stream include changing Al Qaeda operational patterns in Europe, the recruitment of terrorists via the web and the impact of global insecurity on the UK. Also examined is the role that the media can play in the event of a major crisis and how it can be used more effectively to disrupt a threat.
NATO – an opportunity
The role of the NATO Technology Development Programme is to identify national capability gaps and achieve common approaches to technology requirements. A dedicated session will highlight the requirement gaps in the NATO programme and how they can be exploited by potential suppliers.
For further information please contact Victoria Bailey or Nick Johnstone at CMS Strategic on Tel: +44 (0)20 8748 9797 or email: info@cmsstrategic.com
For more information about ISNR London please visit: www.isnrlondon.com or contact Richard Clarke, Event Director, Tel: +44 (0) 208 910 7142 or email: richard.clarke@reedexpo.co.uk
Subscribe to:
Posts (Atom)