By Nikhil Korgaonkar, Regional Director, India and SAARC, Arcserve
175 Zettabytes, 175 trillion gigabytes or at least five times all the data in the world; that is the quantum of new data estimated to be generated by 2025 according to IDC. With data being generated at this furious pace, protecting it and the systems that hold it is no mean task for organizations. Replicating all this after a security incident occurs is quite another.
An effective cloud backup and disaster recovery (DR) strategy can ensure a business is up and running soon, even after a massive cyber security disaster strikes. But nailing the implementation is key. It is important to appreciate the difference between cloud back-up and disaster recovery and see these as two important components of an overall strategy, and not as mere synonyms.
Cloud back-up protects your data but ensuring business continuity demands your systems can be replicated as well, in order to process recovered data and bring the business back on track.
Cloud Back-up Best Practices
Following these guidelines can smoothen the cloud back-up process for any organization.
- Do a cost-benefit analysis: To get the best value out of cloud back-ups, do a rigorous cost-benefit analysis. Public cloud storage may seem cheap upfront, but as data and its copies grow, costs can spiral out of control. Beware of hidden costs. For example, factor in the cost of failover testing, which is critical to effective cloud back-up planning. However, many cloud back-up service providers do not provide failover as a standard service. Instead, they offer it as an expensive premium option. Choosing the right provider offering customized, periodic testing at low or no cost is the key.
- Customize SLAs: Speaking of customization, do not take a shortcut on SLAs. Customize them to your requirements. Negotiate application priorities, reporting metrics and consequences of unmet SLAs upfront to avoid heartburn later.
- Assess security: Assessing physical and digital security appliances of the provider’s datacenter is an important parameter. Look for datacenter certifications, security audit reports and encryption policies for in-flight and at-rest data. These are key indices you can employ to measure your cloud-backup provider’s security preparedness. Look for additional security layers even on cloud back-up, to maintain the highest levels of data protection and privacy.
- Assess compliance: When it comes to compliance, you are the decision-maker as the owner of data. Ensure your cloud provider is vigilant in adhering to national and international regulations such as the General Data Protection Regulation (GDPR) applicable in the European Union and European Economic Area.
- Avoid the single cloud trap: Large public cloud providers tend to encourage customers to sign up for more services, while making it expensive to transfer data off the cloud. This behavior can lead to vendor lock-in. It would be good to assess services of multiple cloud providers and choose a combination that works best for your organization. Subscribing to several clouds can optimize individual workloads and avoid the expense of data transfer between clouds.
Disaster Recovery Best Practices
Having a disaster recovery plan is imperative for a comprehensive business continuity strategy. As with cloud back-up, there are several best practices that an organization can adopt to implement an effective DR plan.
1. List everything you will need to recover: When creating a DR plan, you must know what resources may need to be recovered. You will need to do a full inventory of every piece of hardware and software and every peripheral device that touches your networks or is used by your employees, contractors, and vendors. Now, listing out every on-premise, cloud-based, and mobile/BYOD tool and technology your organization uses can be a daunting task, but it needs to be done, so that when it gets down to brass tacks, things work as expected.
2. Define your RTO & RPO: Have you defined your Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) yet? These are metrics to determine your tolerance threshold for downtime and data loss respectively. Simply put, RTO is how much time an application can be down without causing significant damage to the business and RPO is the amount of data that can be lost before significant harm to the business occurs.
3. Three-tier your recovery strategy: A three-tiered recovery strategy is recommended to ensure priorities are mapped out clearly and everyone is on the same page. It’s good practice to distribute recovery objectives across three categories as mission critical, essential, and non-essential.
   - Mission-critical: These applications are indispensable to the successful operation of a business. They need zero downtime, so replication and high availability solutions should be prioritized for them. Examples include systems that enable manufacturing or logistics, web mail servers, database servers, or point-of-sale
   - Essential: Essential applications are less critical than mission-critical applications and will have less negative impact on business operations if downtime extends beyond a specified limit, e.g., authentication and file & folder servers.
   - Non-essential: These applications are assigned lowest priority because business can run without them for a few days, such as internal SharePoint sites and HR applications.
4. Form a DR Team: During a crisis, a trained DR team is invaluable. When every team member is assigned specific tasks, it streamlines the recovery effort and makes it more effective. The DR team can also play multiple roles. It can be the point-of-contact for crisis communications to the stakeholders. It can also train the staff and make them aware of emergency response policies and procedures.
5. Alternative Workspaces: The COVID-19 pandemic has been a great eye-opener on why organizations need alternative workplaces. Businesses with clearly defined remote-work policies are reaping benefits by functioning as close to business-as-usual as possible. Ensure all employees have or can quickly get access to laptops and an internet connection. And stay accessible by preparing fallback email and phone system solutions that provide essential lines of communication for employees, customers, and vendors.
6. Secure Remote Access: Accessing company data and applications remotely can be a security risk no matter how advanced the encryption or technology used. Organizations experienced this when COVID-19 forced millions of employees to work from home overnight. Don’t wait for a crisis to find out if your infrastructure can’t handle remote access securely. Update your security technology now to ensure your data can be safely accessed from outside the firewall.
7. Secure Backups: Backups must be kept separate and inaccessible from the main company network. Some ransomware can pass through the network and encrypt backup data, rendering it useless. A 3-2-1 backup strategy is highly effective in preventing such a scenario. Create three copies of your data, store them on two different media, and store one of those copies off-site or in the cloud.
8. Test, Test, Test: The best time to test your DR plan is when it is not needed.
   - Test your backups to make sure your data is protected and recoverable
   - Test your DR processes to make sure they work
   - Test your people to make sure they know what to do in a real emergency
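
The 3-2-1 rule from "Secure Backups" and the RPO targets from "Define your RTO & RPO" can be checked mechanically against a backup inventory. The following is an added example, not part of the original article: the inventory records, dataset names and per-tier RPO values are constructed assumptions, the primary copy is counted as one of the three copies, and RPO is expressed as the maximum allowed age of the newest backup.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

def make_copy(dataset, role, media, offsite, isolated, age):
    return {"dataset": dataset, "role": role, "media": media,
            "offsite": offsite, "isolated": isolated, "taken": NOW - age}

# Constructed inventory: one record per copy, primary included (names are hypothetical).
COPIES = [
    make_copy("pos-db", "primary", "disk", False, False, timedelta(0)),
    make_copy("pos-db", "backup", "disk", False, False, timedelta(minutes=10)),
    make_copy("pos-db", "backup", "cloud", True, True, timedelta(minutes=5)),
    make_copy("file-server", "primary", "disk", False, False, timedelta(0)),
    make_copy("file-server", "backup", "disk", False, False, timedelta(hours=6)),
    make_copy("hr-app", "primary", "disk", False, False, timedelta(0)),
    make_copy("hr-app", "backup", "tape", True, True, timedelta(days=4)),
    make_copy("hr-app", "backup", "cloud", True, True, timedelta(days=5)),
]
TIERS = {"pos-db": "mission-critical", "file-server": "essential",
         "hr-app": "non-essential"}
# Assumed RPO targets per tier; set these from your own business requirements.
RPO = {"mission-critical": timedelta(minutes=15), "essential": timedelta(hours=4),
       "non-essential": timedelta(days=3)}

def audit(copies, tiers, rpo, now):
    """Return {dataset: [problems]} for the 3-2-1 rule, isolation and RPO."""
    report = {}
    for dataset, tier in tiers.items():
        mine = [c for c in copies if c["dataset"] == dataset]
        backups = [c for c in mine if c["role"] == "backup"]
        problems = []
        if len(mine) < 3:
            problems.append("fewer than 3 copies")
        if len({c["media"] for c in mine}) < 2:
            problems.append("fewer than 2 media types")
        if not any(c["offsite"] for c in backups):
            problems.append("no off-site copy")
        if not any(c["isolated"] for c in backups):
            problems.append("no backup isolated from the main network")
        newest = max((c["taken"] for c in backups), default=None)
        if newest is None or now - newest > rpo[tier]:
            problems.append("newest backup older than RPO")
        report[dataset] = problems
    return report

if __name__ == "__main__":
    for dataset, problems in audit(COPIES, TIERS, RPO, NOW).items():
        print(f"{dataset}: {'OK' if not problems else '; '.join(problems)}")
```

In the sample, `hr-app` satisfies 3-2-1 but still misses its RPO, which is why copy count and backup freshness are checked separately.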
To conclude, nailing cloud back-up and disaster recovery implementation need not be your nemesis, if you keep the above best practices in mind. All you need is to plan ahead in good times and well before any unforeseeable crisis overtakes your organization.