Four Key Backup and Recovery Questions IT Must Ask During Deployment

Four Key Backup and Recovery Questions IT Must Ask During Deployment

This is part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories. In this submission, Skytap Technical Product Evangelist Matthew Romero offers four key backup and recovery questions that IT teams must ask during deployment.

Organizations have traditionally used disaster recovery (DR), backups, and high availability (HA) solutions to make sure their important applications are always available to customers, protect their data against natural disasters and unforeseen software bugs, and meet regulatory and compliance requirements. With the rising number of ransomware attacks (which grew by about 93 percent in 2021 compared to 2020, and data from early 2022 suggests growth is continuing), there’s another important use case for DR and backup: as a hedge against ransomware.

There are a number of ways a robust DR/backup system can mitigate the harm of a ransomware attack. If (or, as is increasingly likely in the current cybersecurity climate, when) an organization becomes the victim of ransomware and important data is encrypted by an attacker, the organization can simply switch to a DR instance with minimal interruptions in service, and/or restore from a recent backup. This can take away the attackers’ leverage, freeing the organization from the need to make a difficult choice between paying the ransom (and potentially inviting further extortion) or losing data. A solid backup system also reduces the pressure on the organization’s other security tools, providing another layer of defense if malware gets through its firewall or other security controls.

Most IT professionals know they should be prioritizing DR/backup, but many don’t in practice. DR and backup projects can often get pushed to the back burner because they don’t generate revenue and can be hard to value. That’s a short-sighted point of view, however. Beyond the potential for lost revenue (the median cost of a ransomware attack in 2021 was $11,150, with a low of $70 and a high of $1.2 million according to Verizon), ransomware attacks can also result in lost customers, ongoing monitoring and forensic investigations, and long-lasting damage to an organization’s reputation.

Setting up backups for a core business application is a complicated task. To make this process a little easier (and hopefully encourage more IT teams to knuckle up and do it), here are four important questions IT must consider when setting up a DR/backup system.

Backup to the Cloud or Not?

The first question, which will determine much of the rest of the program, is whether to use the cloud for backups and HA/DR workloads. Using the cloud has a number of advantages; it ensures IT will have access to the backups from anywhere, that backups won’t get infected along with the originals, and it can offer better geographical resilience by putting backup workloads in a different region. Using the cloud typically saves money as well; companies don’t need to purchase and maintain backup servers (which requires hardware costs as well as salaries for employees to manage them).

In the cloud, they can reduce resources to only the level necessary to replicate data to the backup server most of the time and “turn it up” when needed. On the other hand, cloud workloads will have higher and more unpredictable latency than workloads running in the data center, which might make it a poor fit for some workloads, depending on the organization’s needs.

How Often is Data Being Replicated and What are the Time and Data Requirements for a Recovery?

The Recovery Time Objective (RTO) and Recovery Point Objectives (RPO) must be decided on early in the process because they affect the technical capabilities needed for the DR/backup system. For example, a company that must preserve as much data as possible will need to replicate more frequently than one that can afford to lose a few hours. If a system needs to be up and running as quickly as possible after an attack (a High Availability scenario), putting the secondary workload in the cloud may introduce too much latency.

A common setup is to run vital systems and HA workloads on-premise to keep latency as low as possible, with DR workloads and backups in the cloud. Companies may also want to maintain cloud instances of legacy ERP systems even after they’ve moved to a new system so business users can access historical sales, production, and finance data. Further information on general principles of resiliency as it relates to HA\DR can be found here.

Can all Applications and Data Be Backed up, Including Those Running on IBM Power Hardware?

Many enterprises – especially in industries like retail, manufacturing, oil and gas, and healthcare – have a major line of business applications running on IBM Power hardware in their data centers. These are often the applications that are most in need of backups. For example, a customer recently told me they had inherited a 20-year-old ERP system, running on a single physical server with an out-of-support version of AIX and old IBM POWER5 hardware. They were understandably nervous about how to recover data from it in case of a disaster!

IBM Power uses a different chipset and network architecture than what the three major public cloud providers use, so traditionally IBM Power applications won’t run in the cloud without rewriting (which is complex and risky, especially for highly customized applications). Unless they are in the midst of a digital transformation effort to modernize their software, most organizations in my experience take advantage of a specialized solution such as Skytap to allow IBM Power to be run unchanged in the cloud in an ‘as-is’ configuration.

This is a “best of both worlds” approach because the IBM i operating system is already quite secure (the cost of downtime for IBM i is less than 30 percent of the downtime costs of other operating systems), and you can leverage this built-in security while expanding your workloads into the cloud.

Are Backups Tested Regularly, and Does the Organization Have a Ransomware Plan in Place?

The only way to make sure that backups work as expected is to test them. Organizations should create a plan for how often backups are performed, how far back data is retained, the steps to recover, and run through the plan regularly. Any issues with the process should be discovered long before a real attack happens. Remember, some ransomware attacks can lie dormant for days or weeks before they trigger, so backups must go back before the system was first infected to be useful. I’d suggest daily backups with replication to a secondary machine to cover the data generated throughout the day.

All in all, the cloud provides a cost-effective, flexible, secure option for backups and disaster recovery in many cases. Answering these questions and following best practices when building a backup/DR program not only keeps organizations safe from natural disasters and emergencies, but can also protect them from ransomware.

Matthew Romero
Follow
Latest posts by Matthew Romero (see all)