Back to basics: understanding the difference between disaster recovery and business continuity

Published: Friday, 09 July 2021 08:50

Organizations that are new to BCM are sometimes confused about the differentiation between business continuity and disaster recovery. Neil Stobart explains and provides an overview of what a good DR strategy should include.

A common misconception exists that disaster recovery (DR) and business continuity (BC) are the same thing. However, although both are essential strategies for safeguarding business operations, they are significantly different. Business continuity involves the overall plan for maintaining business operations during a disaster across the whole business, including people, places, communications, supply chain, logistics, etc. Disaster recovery, in comparison, is a subset of business continuity and is focused on the restoration of IT services and data access.

A DR plan is essentially your insurance for IT services against failure of any kind, whether it is an environmental disaster (e.g., fire or flood), a physical disaster (e.g., data centre / center loss, power outage, or equipment failure) or a logical disaster (e.g., human error, malicious deletion, data corruption or ransomware). With any insurance there is usually much hand wringing around the cost of something you may never use. You’re gambling with your money, but the savings made from not insuring may be trivial compared to losses if a disaster does strike.

Often DR plans are underfunded and under-resourced due to the cost of implementation, but it’s only when a disaster strikes that the true value of DR investment (or lack thereof) is actually realised.

All DR plans should start with a risk analysis that looks at the business impact of different types of failure across all the components of your IT infrastructure. For example, the failure of an individual’s laptop tends not to be as critical as the failure of your core business application that impacts hundreds of people. In that case, it’s obvious where DR budget should be spent. However, if that individual’s laptop was the only place where some critical business data is stored and there is no data backup protection in place, then this could have a significant impact on your business.

Large or small businesses should recognise that the only part of an IT infrastructure that cannot be replaced is their data. While laptop, server, network, and software failures can all affect IT services, they can be repaired, replaced and re-installed. In contrast, data loss is forever. DR investment should address data protection first and service availability second. Without data there is no service.

The probability of a specific type of disaster should also be factored into your spending on DR. The chances of floods, fires, power outages, or aeroplane crashes on data centres are much less likely to happen on a daily basis compared to logical errors and hardware component failures!

The most basic DR plan is a daily data backup, where a secondary copy of all your data, or at least your most critical data, is made to a second platform. Ideally this second platform is at a separate location, providing a level of data redundancy across multiple locations to protect against site failure as well as local hardware failure. In fact, the industry recommendation is to operate a 3-2-1 strategy. This means having at least three total copies of your data, two of which are local but on different mediums (read: devices), and at least one copy off-site away from the original data set.

The other key point with data backup is that it makes a point in time copy of your data, so if you run daily backups then the worst possible case would be 24 hours’ worth of data loss. Data backup provides the most basic level of protection and can be as simple or as sophisticated as you wish, but it’s worth remembering that when disaster does strike and everyone is losing their minds, then being able to find and restore your data quickly and simply is vital.

Sophisticated data storage protection capabilities beyond simple backup are available that can reduce your data loss potential – recovery point objective (RPO) – and the time to recover your data– recovery time objective (RTO). Storage snapshots and versioning, data replication, and automated failover clustering all help to improve on the RTO and RPO of the basic daily backup routine. However, they start to add additional cost, so you need to go back to the risk analysis to see if these technologies deliver value to your business.

As the recent fire incident at the Strasbourg-located OVHcloud cloud datacentre facilities revealed, many of its customers - individuals, SMEs, and larger enterprise organisations - were storing data in OVHCloud and nowhere else, which stopped many businesses from operating for an extended period of time. People and businesses are relying on public cloud services in significant numbers these days, but at the end of the day, it’s your data and you need to take responsibility for it. You cannot rely on a data protection guarantee from cloud providers. In fact, it’s often written in the small print that they cannot guarantee data safety and it is still your responsibility.

It’s always worth taking time out to review where your data is, how it is protected and against what eventuality. Don’t wait until it’s too late. Make sure you have a comprehensive DR plan in place that takes into account the value of your data and the risk of losing it.

The author

Neil Stobart, Vice President, Global System Engineering at Cloudian.