Comment: Pay ‘tape monkeys’, get peanuts?

Many companies choose to manage their data backup and disaster recovery in-house, as they believe it is less risky than outsourcing. If they are dealing with the tapes every day, at least they know it's happening, right? Wrong. In SunGard's experience, it is preferable to outsource backup to a professional, particularly if you are a smaller business. Peter Hough, manager of Vaulting Services at SunGard Availability Services, explains why.

Regardless of the size of the business, it is well recognised that tape or other removable media has to be used for backup purposes. And once the backup has been taken, the media must be removed to secure off-site storage, the reasoning being that data is then safe from any misadventure that should occur to the work environment, thereby providing a copy of your most recent data for reference - and recovery - should the worst happen.

However, many backup processes fall down, neither taken with the right degree of frequency or treated to the relevant security required to justify the process occurring in the first instance. Often-stretched IT departments are so busy maintaining the network or handling other projects, that tape backup may be outsourced to a ‘tape monkey’, a lowly member of the IT team, or even the admin person or office assistant. Remote offices may not even have an IT staff member on site for their backups to be taken. And when backups do occur, what next? Consider, for example, the story of one administration worker: At the end of every day, he would meticulously and accurately complete the backup, then place the day's tapes in his coat pocket to take home. He would then proceed to visit the local pub, where he would hang said coat on a hook and take a seat. Not exactly what we mean by 'secure, off-site storage'!

Of course, my apologies to the many organisations who conduct their backups in an exemplary fashion. But as for the rest, surely data - which is the lifeblood of modern commerce - deserves to be treated with somewhat greater care than depicted above?

Security issues
There are some other, less obvious security loopholes that can affect tape backup when it is done in-house. We deal with many companies which have spent millions of pounds on security systems - whether it's physical systems such as swipe cards and security guards or hi-tech systems such as firewalls and password encrypted systems. Despite this, it is my belief that - if I wanted to - I could quite easily steal the data of some 90 percent of organisations.

"How so?" I hear you ask. With off-site backup approaches, data tapes are usually collected by couriers, at broadly the same time each day. And in effect, each day companies give that most vital of assets - their data - to complete strangers. What is more, many backup tapes are not encrypted because an encrypted backup often takes too long to complete. With a minimum of surveillance, any interested individual could monitor who was coming to pick up the tapes, what time they arrived, what uniform they wore and what they said. Tapes could then be picked up by anyone with a malicious interest in the company.

Some other companies who do not wish to outsource their tapes to backup companies create a 'more secure' system by taking tapes from one building in a city to another, if they have multiple locations. In theory this works well, but one bank used to transfer data between sites using a man who carried the tapes along the street contained in nothing more secure than a plastic carrier bag! No-one would allow someone to carry the day's cash takings around in such a fashion and information - particularly for a bank - is arguably more important than hard cash.

However, this is the correct approach - tapes should be stored in a secure, remote location overnight.

Experience in backup
In my opinion, backup of the network and data held on it is the most important thing an IT team is relied on to do, as information equals money in today's marketplace. As such it should be delegated to someone with the appropriate experience and ability to execute effective and timely backups in a secure manner and in a way that enables file or server recovery should any downtime occur.

Outsourcing the backup process is one option available to IT managers. Not only does this approach free up valuable departmental time that can be deployed in other directions; it places the responsibility of effecting daily backups elsewhere, and may be supported by a set of service level agreements for additional peace of mind.

One of the most efficient and secure methods of backing up is via electronic data vaulting (EDV). With this process, after the initial full backup, daily backups are accelerated as a result of changed data only being subject to the backup process. Taking place either over secure high-speed lines or via the Internet, the password protected, data encrypted EDV approach provides a much more secure method of conducting backups - in both a logical and physical sense. The resultant data is taken off-site to two vaults, the one mirroring the other, to provide additional resilience to the solution.

Apart from security, this process means inherent business continuity, as lost files or servers can be easily restored from the vaults. And with a managed backup process, a third party assumes responsibility for monitoring each day's backup. Should anything fail, it becomes their role to spot it and correct it. The advantage here is that organisations can then be assured that backups are occurring as they would expect, unlike the experience of one company that took six months worth of backups - not one of which would actually have been of value to them had they required data to be restored during that time.

How could this be? IT teams tend to have specialist knowledge of the network they support, but this is not necessarily the technical knowledge required to achieve data recovery from tapes in the event of a disaster. Equally, because technology is so fast moving, an upgraded system can pose problems for the backup. When a system is upgraded, the IT team may not yet understand fully how to recover the new system - or the tape backup may not complete properly as it hasn't undergone a replicate upgrade.

In addition, there are some hidden technical issues with backups which only the experts will expect and deal with. Microsoft Exchange Servers, for example, when they reach 16GB of data, require a new and different software license. If this data threshold is reached, the backup begins to run incorrectly, but this is not obvious. If an IT manager chooses to outsource his backups, the outsourcer, whose day-to-day job it is to manage such issues, can anticipate these problems before they arise.

Our experience often shows people who go to retrieve data or to rebuild a server and have a niggle at the back of their minds, hoping that the backup had worked. Far too many people adopt an attitude of relief when their backup completes correctly, rather than one of expectancy. Very few people have been fired for backup failure, yet thousands of backups fail each year.

Regulation
Regulatory issues are also coming into play. The financial services sector and the legal sector are required by regulators to prove they can recover from an interruption or disaster. Previously, it was enough to show that backup tapes were in existence - now, companies have to demonstrate that the tapes are more than hardware but actually a viable route to the continuance of business. IT teams have to ask themselves "How confident are we that we could recover our systems?"

Making data accessible
If you choose to outsource, you need to look for a business continuity provider on whom you know you can rely - one which is financially sound, has a good geographical reach to support your offices and has the technical and platform experience to recover your systems quickly.

IT managers need to move with the times - the increased reliance on data within business means that keeping the IT running is now also taking responsibility for the success of the business. However, having a functional system is no use if your staff cannot access the data due to a faulty tape backup - just as information without people is useless. Keeping people and information connected at all times is what we at SunGard call ‘information availability’, and it is the next level of business continuity.

If you choose to give a third party the accountability for the backup, you make the experts responsible for making sure that the information held there will always be available - not just for your own end-users, but for your company's clients, enabling the overall continuance of your business.

www.iamresponsible.net

MAKE A COMMENT

•Date: 29th August 2003 •Region: UK/Worldwide •Type: Article •Topic: IT continuity
•Rate this article or make a comment - click here