More stringent regulations on the retention of email and other types of data will compel companies to revisit their data retention policies and strategies in 2008-as well as focusing on tune-up measures for their disaster recovery and business continuation plans.

While many enterprises invested in and upgraded DR plans in the Hurricane Katrina aftermath, many have also stopped there. In spite of this, the Aberdeen Group reported in September 2007 that 80% of best-in-class companies planned to make continuous improvement and investment in data protection over the next 18 months. These companies recognize that data protection is an ongoing task that is just as important as disaster recovery.

Data Protection versus Disaster Recovery

Data protection is integral to disaster recovery because it involves the systematic backup of data and the ability to recover data at all times, especially during disastrous interruptions that threaten business continuity.

However, it is also important to note that data protection goes beyond disaster recovery. It addresses other critical data needs-like archiving, the ability to retrieve data quickly from historical archives-and the safe and secure storage of historical data offline.

"Most companies have not yet sorted through their data to determine which data is mission-critical and must be instantaneously recovered, and which is less frequently used but should be archived for ease of retrieval....There is also a third category for data that is so obsolete, that records show that it has not been accessed for years. This is data that may be purged, depending on company requirements and retention policies," said Steve Rodin, President and CEO of Storagepipe Solutions (www.storagepipe.com), an online backup, recovery and data protection firm.

Without attention to data archiving and purging, companies are expending more resources and backing up more data than they should. These backups are also taking longer.

Rodin strongly recommends that the corporate data management strategy include provisions for data archiving, data purging, and safe and secure offsite storage. One simple reason: A recent IDC study projects a six-fold increase in worldwide data between 2006 and 2010. "Companies will gain operating efficiencies if they have strong data archiving and access procedures," said Rodin. "They will also be well positioned for the demands of industry regulators and  others-who want to see data for longer periods of time-and have ready access to it."

Recent regulatory pressures are hitting areas like data retention and archiving, especially with the growing importance of email and computer-based records in the compliance and litigation processes. Meanwhile, enterprises have major concerns when it comes to finding qualified persons on the IT staff in the areas of data protection that regulators are looking for, whether it is backup, recovery or archiving.

Adding Expertise

IT shops that look to train internal staff in the areas of data and storage management are usually challenged in finding what they want. One reason is the professional IT training market's focus on training and certifications in network management and technical skills, database, communications, software development, and Internet. Only a handful of storage vendors have responded to the dearth of storage training with their own internal programs. Beyond this, little else is available in the area of formal training.

"We see a severe IT skills shortage in the data protection area," affirmed Storagepipe's Rodin. "This is most evident in smaller and medium-sized companies, where individuals usually just "draw" the assignment of being responsible for the DR plan and its execution. They make their best effort, but they have no specialized training for it. In many cases, they may not understand all of the different areas that data protection should address....It's a fact that most SMBs are overloaded, and they are trying to meet their workloads with small, compact staffs. It is not hard to see how data protection and disaster recovery can be left behind in the race to meet every daily company priority."

Rodin says his company gets many calls from SMBs-and from large enterprises that are tackling the task of backing up, restoring and maintaining the data of many remote offices. These companies see outsourcing to an expert with specialization in backup, recovery and archiving as an immediate way to acquire needed expertise without diverting IT staff from other daily activities.

"For both large enterprises and SMBs, we see some major areas in data backup, recovery, archiving and protection that are still evolutionary," said Rodin.

Developing a Comprehensive Data Protection Plan

The good news for most companies is that they can "build out" from their disaster recovery plan to include the other areas of data protection that are vital for the business. Here are several steps that businesses can take:

Understand the Risks and the Value of Data Protection

Many CIOs are hesitant to address the full spectrum of data protection because they know that they have other critical projects that they have to secure budget for, and that recent business investments have been made on DR.

The value proposition for expanded data protection, as with DR, may well rest with proactive prevention of that single misstep that could come in the form of data breach, data loss, litigation or regulatory needs. No one wants to be fighting to correct a data breach or compromise, or in a position where he is waiting in the wings to talk to a news service about what happened. Even more importantly, the customers and the stakeholders of the business rely on its officers and employees to safeguard the data. If a cataclysmic breach occurs, there is probably no price that would have been too high for prevention.

Fortunately, CIOs can usually find an ROI to justify the budgetary allocation for advanced data protection. It typically comes in the form of the number of hours that are saved from IT and business staff with a streamlined plan that uses automation in its data  backups, recoveries and archiving-and eliminates human error along the way.

Define a Data Protection Strategy

Organizations differ in their approaches to data protection. Some prefer to address data protection entirely with internal IT resources, while others totally outsource, and a majority of best-in-class companies employ a strategy that combines in-house management with strategic outsourcing arrangements with online data protection service providers.

Steve Rodin noted that SMBs frequently look for an affordable turnkey solution for data protection, backup and recovery, which makes outsourcing those functions very attractive. Large enterprises also look for outsourcing assistance in DR and data protection, since they have numerous satellite offices that require localized disaster recovery and data protection. 

"Enterprises tell us that they are very challenged to maintain current backups for remote offices and locations," said Rodin. "We find that when we deliver state-of-the-art services that blend well with their corporate disaster recovery and data protection plans, enterprises integrate our online backup and recovery services for the remote sites into their master corporate plans. These enterprises receive detailed reports of all data backup, recovery and protection activities at their remote sites, which is one less thing for corporate IT to do. We can also provide corporate-wide disaster recovery and data protection, since we cover virtually every piece of hardware and software that is used in the corporate IT environment."

Implement Policies and Procedures for Data Protection

Whether you are defining or refining data protection policies and procedures, it all begins with identifying which data you will archive and which data you will permanently delete-as well as your real-time backup data. This can be daunting for any enterprise with years of stockpiled data. Very often, a good approach is hiring an outside consultant who can assist in data analysis and bring special tools to the task.

Companies should also evaluate their email archiving and retrieval. Most companies now have email retention policies (a majority chooses to retain email for seven years), but they frequently fall short in developing and publicizing corporate email policies to IT and to general business system users. This is where teamwork between IT and HR can pay off.

Data protection policies should also be periodically reviewed by IT and management. Disaster recovery and business continuation plans should minimally be tested annually. Data retention policies for email and archiving should be reviewed every three years-provided there are no major regulatory or other environmental changes that the company must respond to.

Establish SLAs for Your Staff and for Vendors

Both internal staff and any data protection vendor that you work with should have a clear understanding of your RPOs (recovery point objectives) and RTOs (recovery time objectives). Most sites prefer a nightly RPO, but others require RPOs several times daily, and still others require real-time, continuous data backups for their businesses. These expectations should be central ingredients in your SLA (service level agreement) with the vendor.

If you use a vendor, also take time to check references. "Even if an organization has a strong SLA, you need to trust the people whom you are dealing with," said Steve Rodin. "The service should meet your needs for data protection, hardware and software support at the vendor site and be of enterprise class-because the outsourcer should be able to grow with you, and to be able to support a diversity of platforms."

Final Remarks

Disasters, security breaches, data losses and data compromises have cast corporate attention on data protection like never before. Best-of-class organizations see data protection as the "next generation" of disaster recovery. They are taking steps to achieve it. If they can't handle the task internally, they are seeking outsourcers with expertise. Most are finding that a combination of internal and external resources is the "best fit" operationally and from the standpoint of the budget.

NaSPA member Mary E. Shacklett is President of Transworld Data. She is listed in Who's Who Worldwide and in Who's Who in the Computer Industry.

 

Forward this page to a friend

Your Email: *

Your Name: *

Send To: *

Enter multiple addresses on separate lines or separate them with commas.

Message Subject: (Your Name) has forwarded a page to you from NaSPA.com

Message Body: (Your Name) thought you would like to see this page from the NaSPA web site.

Your Personal Message: *

Your vote:

1

2

3

4

5

No votes yet