Why Data Backup is NOT a Disaster Recovery or Business Continuity Plan

As we mentioned in our Backup Methods are NOT Created Equal blog, March 31^st is National Backup Day! To celebrate, we’ve focused our blog entries for this month on backup and data protection related topics (do we know how to celebrate or what?). The third and final blog post will discuss the difference between simply having a backup and having a “Disaster Recovery Plan” (DRP) or a “Business Continuity Plan” (BCP) and shed some light on how to decide which is right for you. Let’s start by agreeing on some terminology.

What is a backup? In our earlier blog post, we (broadly) defined the idea of a backup as being a “second copy of important data”. As we discussed in that article this is an oversimplification, as a truly functional backup is far more than just a second copy of data.

What does “Disaster Recovery” mean? We often hear the term “Disaster Recovery” (DR) used in close proximity to the term “backup”, however, they are not the same thing. The term “Disaster Recovery” refers to a plan or process that an organization can use to resume operation after a disaster event has caused a major disruption. While having a good backup system in place is a critical component of a good DR plan, it is only one piece of the larger puzzle.

What does “Business Continuity” mean? The term “Business Continuity” (BC) describes a plan or process which has been designed to keep a business running in the event of a disaster. The primary difference between DR plan and a BC plan is the length of downtime the business endures during a disaster event. The goal of the BC plan is to eliminate system downtime due to disasters or other unforeseen disruptions.

A Side-by-Side-by-Side comparison. When comparing Data Backup vs. DR vs. BCP, the primary difference is that the level of technical and administrative complexity increases as we move from traditional data backup towards a true Business Continuity plan.

Whereas a data backup solution generally only consists of one or more stored copies of important data, the technological requirements are relatively simple:

• A data transfer method (backup software and internet/network connectivity)
• A location to store the additional copies (ex. Tape, Disk, Cloud, Hybrid-Cloud)

Moving toward a DR plan, we begin to see additional requirements which add more complexity to the plan. Along with the required data backup, a DR plan should also include:

• A pre-determined location to recover the backed-up data onto (this usually entails having a “cold” server – or servers – in safe storage until needed after a disaster, or a cloud-based server that sits dormant until needed)
• In addition to a functional recovery location, a good DR plan requires a “Master Plan” or “Plan of Action” document outlining the exact steps to be followed by all relevant personnel in the event of a disaster. This document will contain meticulously detailed information about the environment* and will outline the steps that will be taken to bring all systems back online after a disaster.

A Business Continuity plan involves all the above components (data backup, redundant equipment, Master Plan document) to be used in conjunction with an approach which is designed to provide seamless, near instant transition or failover from a failed system to functional one. A true Business Continuity Plan will consist of not only redundant hardware, but will seek to create a truly redundant environment. To accomplish this, a Business Continuity plan will include:

• Redundant Servers, Storage and Networking equipment, preferably at a geographically distant location (the Cloud or a secondary Data Center are often utilized for this purpose)
• Software utility designed for the purposes of replicating all data and applications in near real-time from the primary site to the secondary location
• Hardware based fail-over configured to transfer traffic if the primary site becomes disabled (critical for web-based organizations that process e-commerce transactions)

As we move from Data Backup towards Business Continuity, each concept builds on the one before, adding additional technical requirements thus increasing the complexity of the solution. While it likely goes without saying, it should be noted that increased complexity almost always implies increased costs. We will discuss how to decide the right approach for your business in the next segment, and cost will be a factor we take into consideration.

How do I know which type of plan my business needs? While there really isn’t a “one size fits all” answer to this question, there are a couple basic questions you can ask yourself to help determine what type of plan best fits your needs and budget:

• In the event of a disaster, how much data could I lose and still be able to continue providing my services to my clients? (This is obviously different for a landscaping company vs. Amazon.com)
• What is the financial impact to my business if my technology systems were down for 1 hour, 4 hours, 8 hours, 12 hours, 24 hours?

By answering these two questions, you can establish your Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Your RPO is simply the farthest point in history at which you are comfortable being after a recovery (i.e. if you back-up data at 7 PM each night and then experienced a system failure at 3 PM the next day, your most recent recovery point would be the backup from 7 PM the previous day).

Your RTO is the amount of time at which you are comfortable waiting for your systems to be recovered. Having a backup from the night before is great, if you have somewhere to restore that data to. If your building burns down or is damaged in a flood and all your existing technology resources are lost as a result, you may be days or weeks before you can acquire replacement hardware.

After you’ve determined your RPO and RTO, you can begin to determine what type of data protection plan best suits your organization’s needs. The smaller the number you determine, the closer you are to needing a true Business Continuity solution. However, if you can survive for 48 – 72 hours without your accounting database or client files, you may be fine with a simple data backup solution. For most Small and Medium Business clients (SMB’s), we normally recommend a disaster recovery plan that incorporates replicating their primary applications and data to a cloud hosted server in our secure data center. For our larger clients that rely heavily upon up-to-the-second access to data, we have implemented continuous system replication solutions that leverage industry leading replication tools and a fully redundant infrastructure environment in our secure data center.

As you can see, there are many ways to protect your business against loss of productivity due to disaster. While there is no way to predict when disaster will strike, having a quality solution in place that fits your organization’s needs and budget can mean the difference between being a success and being a statistic.

* Items like the name and function of each server, the order in which the workloads and data should be recovered, a list of important phone numbers (the Disaster Recovery team members, critical staff, etc..), and additional information that will likely be lost or impossible to locate if the building were to be destroyed or otherwise inaccessible.