Four Steps

Regardless of the industry or size of the organization, data loss is an ongoing threat.  Risks include lost revenue due to downtime, reputational damage, and costly regulatory fines. Simple backups are not enough to mitigate the risk.  Not everything requires data protection and certainly not at the same level of service.  To ensure the right amount of data recovery for the right cost, additional measures must be taken. The following steps are not exhaustive, by any means, but instead are a mildly prescriptive recipe for understanding the costs associated with protecting data.

1. Business Impact Analysis 

First, what needs to be protected?  Storage can be expensive, as well as the secondary management infrastructure and maintenance of recovery processes.  Most organizations do not have the budget to replicate absolutely everything at a high Recovery Point Objective (RPO) and a low Recovery Time Objective (RTO), so decisions must be made about what is protected and left out.  The Business Impact Analysis (BIA) is an engagement to identify and prioritize the most critical applications and associated data that require additional protection. BIA classification is a valuable decision-making tool for various planning and budgeting purposes where consideration of an application's business criticality influences the outcome.  WWT's approach to BIA is based on the structure outlined in ISO 22317. 

2. Application Dependency Mapping 

It is one thing to identify the most critical applications.  It is quite another to have the data and insight to know what those applications depend on to operate.  If the application won't restart or has stale data from an undocumented external system, the application is operating in a reduced capacity.   WWT uses our proprietary Data Aggregation & Analysis Engine (DAAnE) to help organizations begin transformation initiatives with a crystal-clear understanding of their application ecosystem and how it will react when things start changing.

Most organizations are not confident in their CMDB tracking systems (if they exist) yet will rely on that information for this most important use.  Key sources of data may be left out.  Dependent infrastructure might not be documented.  WWT can deliver Application Dependency Mapping (ADM) services, often in tandem with a BIA, to uncover and document these hidden dependencies.  We use a data-driven approach, leveraging WWT IP, to collect, analyze, and report application dependencies. 

The result is accurately profiled applications, the underlying infrastructure that can then be validated against data protection plans to ensure they are configured to match the RTOs and RPOs expected by the business.  In most cases, the recovery sequencing essential to a rapid recovery plan can also be documented. 

3. Runbooks 

Once you know what to protect and things have been documented, it is time to turn all of that information into action plans.  From baseline enabling services, to dependent applications, from infrastructure initialization to validation, all dependent steps, validation procedures, check/hold points must be documented. 

Furthermore, since the state of the organization and availability of key personnel will be unknown if these runbooks are ever needed, they must be written so that the person executing the runbooks does not know the application whatsoever.  All assumptions about what that operator knows or doesn't know must be put away, or a major risk will persist and not show itself until the most critical hour. 

 

These runbooks, once developed, must be tested, revised, and simplified at every opportunity.  Annual or biannual disaster recovery exercises are obvious validation points, but organizations should look for other potential windows.  Quarterly code updates and scheduled infrastructure upgrades, and patch windows all create opportunities to dial in the effectiveness of recovery runbooks. 

4. Automation 

At the critical moment when recovery is needed, an organization will be remembered by how quickly it can or was able to recover.  Adding as much automation into the runbooks and application validation will significantly reduce recovery time and is an essential final step. 

 Automation is a broad concept comprised of software, hardware, connectivity, network components, and testing to ensure the RPO and RTO are met. It's a complex task, but it will provide an organization with significant benefits with ROI and business revenue if implemented correctly. 

Automating the process of executing DR plan can help organizations better prepare and respond to unexpected events/disruptions, maintain business continuity, and remain compliant while eliminating the manual processes that are inefficient, complex, and often error-prone. 

WWT can design and automate a fool-proof runbook in conjunction with your technical team so that you can stay focused on your business without worrying about the disruption and downtime of your business operations and achieve the full benefits of a well-executed DR plan. 

Conclusion

As said, not everything requires data protection and certainly not at the same level of service because everything comes at a cost.  To ensure the right amount of data protection and recovery matches the right cost for the organization, additional measures such as a Business Impact Analysis, Application Dependency Mapping leading to creating standard Runbooks, and ultimately applying Automation, must be taken to optimize your risk and IT spend.