Re: IT and end users
by Anne Marie Capaz (05-Nov-01 2:49 PM GMT)

Dear Mr.Garvey, Please take a few minutes to log in at www.contactip.com and click for the live demo, I think this could be part of the answer... Anne Capaz

There's a better way to do this
by Esther Schindler (07-Nov-01 5:08 PM GMT)

Anne, I'll address this note to you, but it applies equally to several vendors whom I know are lurking on this roundtable.

PLEASE do not post a message that says, essentially, "go look at my web site to see what I'm selling." First, it's annoying to those of us who are trying to have an enlightening conversation. Second, it's ineffective. All you've done by saying, "go look at whatever.com" is to tell us that you're trying to advertise your services. You haven't given us any idea why we should bother or why we should give your ad any credibility. Instead, I'd prefer that you ADD TO THE CONVERSATION HERE.

It's an old skill: show, don't tell. If you think that your company has the expertise and experience necessary to appeal to the IWK readers who are participating here, then demonstrate that expertise, give examples of that experience, and join in the spirit of this conversation. We're here to learn from one another, not to read ads. Share an anecdote in the "horror stories" thread. Give us the benefit of your experience in the industry. Tell us what you think is most important for an IT manager to consider, in devising her disaster recovery plan, and what mistakes you think are most likely to be made. If indeed you lie awake at night, trying to figure out how to better serve the customers who need these products and services, tell us about the epiphany that finally let you get to sleep. Show, don't tell.

Thanks for understanding.

Esther Schindler
site editor
InformationWeek.com

Re: IT and end users
by Dee (07-Nov-01 7:05 PM GMT)

Thank you, Esther!!! I agree with you 100%. There are other chat forums on disaster recovery (or whatever you want to call it) that have the same problem of vendors just saying "check my web site" without going into specifics of what can be done to help the person requesting some help. I do not want to hear that 'my product can help you' but I want to know some specific type solutions or answers - let me know you know what I am talking about or what I need before telling me to check your web site!

Re: plans on the cheap
by Carlos Rios-Doria (07-Nov-01 3:35 PM GMT)

I believe that any Co. can not be cheap or overlook the cost of prevention of destruction of data in general. If any company loses a center of information, the company will lose millions and have very unhappy customer to support. So any company should invest what is necessary according to the volume of business they support and transactions volume. Small or big company, should spend for disaster recover according to annual budget spend and of course look after the customer care for data preservation. This date is not limit when, where or how is going to happen a big catastrophe, but we have to be aware of the cost and safety of people.

Re: Building disaster recovery plans on the cheap
by Martin Garvey (08-Nov-01 0:45 AM GMT)

Thanks Carlos and I agree with you. What's great for many companies is that some affordable options are becoming available. A hospital is testing FalconStor but might still end up outsourcing to IBM. They at least have an alternative. Are we there yet, with affordable business continuity? No. But we're taking the necessary baby steps. So thousands of companies outside the Global 2000 can get the protection they need.

Re: Building disaster recovery plans on the cheap
by Esther Schindler (07-Nov-01 4:56 PM GMT)

Okay. So how do you decide "what is necessary"? What's the magic formula?

Re: Building disaster recovery plans on the cheap
by Bob Williamson (08-Nov-01 0:59 AM GMT)

You have to employ a methodology that will help you determine the business impact of being without certain data or functions for a period of time, we call this a Business Impact Assessment. It's not a simple thing to do, but most businesses can identify their most critical functions and data and make an educated guess as to the impact of being without for an hour, a day, a week, a month, ....

Then, you look at cost of recovery solutions (insurance policies) that will have you back up and functioning within an hour, a day, a week, a month, ....

With that data, you can decide how much you want to spend for this insurance based on how much exposure the business can tolerate.

Not a simple decision, but following a defined methodology to gather some data can at least give parameters to study as the decision is made. Of course, we're still back to the question of what would prompt someone to even start down the path of doing the BIA?

We know that most folks only think about life insurance as the result of some critical life event - child's birth, marriage, job change, house purchase. Is it the same with a business, that it takes some similar critical event to make this even a topic for discussion?

Re: Building disaster recovery plans on the cheap
by Jason Buffington (08-Nov-01 3:55 AM GMT)

I think the real question comes back as "what is your data worth?" The best metrics are RTO and RPO. RTO (Recovery Time Objective) is how long until you are up again. RPO (Recovery Point Objective) is where is the data, once you are up. D/R budgets should really be based on how much money can you afford to lose, based on those metrics. For example, if D/R is strictly restoring from tape and the outage is at 4PM - what is the $$$ of lost productivity for 7 business hours (hint - Gartner estimated $39/hour/person).

So ... if you have 100 employees and worst case between backups is one day. An outage after half of one business day (half = so that sometimes it might be at the beginning and sometimes at the close of business) would be 4 hours times 100 employees times $39 (estimated) = $15,600.

So, any solution that can be amortized over a year (the average amount of time that some level of significantly impacting outage might occur) but costs less than $15,600 is worth it. For example, you wouldn't pay $500 per month for a $5000 insurance policy. You might pay $100 per month, depending on the risk. You would definitely pay $15 per month. So, understand your exposure - and work backwards for D/R.

Interesting side note> Someone once measured businesses impacted by the first World Trade Center bombing and a California Earth Quake. "Small to Medium" businesses (under 500 users on site) experienced a 50% rate of going out of business if they could not get to their data. LESSON> D/R is actually more important for small/medium businesses - since they are more volatile to any changes in their operating model.

Re: Building disaster recovery plans on the cheap
by Wayne Lam (09-Nov-01 0:53 AM GMT)

Good topic. I don't have a catch-all answer, but I can share some of my views on how to minimize cost.

1. Stick with software, particularly, a software that is certified with multiple hardware (storage, network, server platform...)

2. Don't pick something that is single-server to single-server, meaning, requiring you to buy 1000 copies for your 1000 servers, and worst still, requiring you to also deploy a matching set of servers at the DR center that is identical in platform to your primary data center. For example, if you have NT, Win2K, Linux, HPUX, AIX, Solaris in your primary data center, you must have each of these in your DR center just to receive the data.

My specific suggestion is to look for an in-band storage networking software that can run on a dedicated 'storage server' layer, and demand that this storage server can replicate/mirror data across FC SAN (for near range synchronous writes) and IP (for remote asynchronous writes). Why In-band? Because you need to be in the datapath to catch every write (can't afford to miss any transaction), and offer a centralized, cross-platform approach so that you can replicate/mirror your data from ONE point (regardless if you have many servers on many platforms) to another.

Since you are running replication/mirroring from ONE machine that is servicing many, you achieve the economy of scale. Since the remote partner at the DR center is independent of any platform, you only need one. Since the in-band architecture allows for any storage element of any brand, you don't need to even have matching hardware (storage). This obviously saves lots of money because your primary data center might have lots of fancy super-duper high end storage, but your DR center need not - just plug in cheap SCSI JBODS to receive the replicated data.

Re: Building disaster recovery plans on the cheap
By Jerry Masters (09-Nov-01 7:11 PM GMT)

As a couple people have already implied, you asked the wrong question.

To quote the late Admiral Grace Hopper, the question should be:

How Much will it cost Not to have a good Disaster Recovery plan in place?

Once you have the answer to That question, you can sell upper management on the need to do it Right.

A side note: A very necessary part of the disaster recovery process is to examine the system as it operates on a Day To Day basis and identify places where poor design or overly complicated "solutions" are hindering the development of the disaster recovery planning.

Looking at your processes in this light, ie, is this process or equipment or software or whatever, making life Harder instead of Easier for us?? is a good idea even in the normal course of events.

Many shops have processes, procedures, software packages, equipment, etc, that was sold to them as a "magic bullet" but that turned out to be a "boat anchor" and/or Job Security for a vendor firm.

Any part of the system that will require calling on a Vendor to "recover" should raise particular suspicions.