
03 2010 Online Buyer 101 Webinar


DESCRIPTION

Learn all the right questions to ask and how to be assured that:
-- Your business goals (RTO, RPO, DLE) will be met
-- Your data will really be protected
-- You can actually recover your data
-- Your data will be secure at all times
-- Your service provider has been and will be here for the long haul


© 2009 Data Mountain LLC | All Rights Reserved.

A Buyer’s Guide - What to Look For in Online Backup and Recovery Services

2010

Bob Chaput
615-656-4299 or 800-704-3394
[email protected]
Data Mountain, LLC

…Welcome to …


Background & Motivation

• We are often asked, “How do I go about selecting an online data backup and recovery service?”

• Unfortunately, in this market, unlike in the insurance marketplace, we do not have an A.M. Best, a Moody’s, a Standard & Poor’s or a Weiss Research publishing financial strength ratings on industry players. Nor do we have a J.D. Power and Associates!

• This guide is meant to help organizations navigate a market where new players appear almost every week and horrific stories of lost data surface almost every month.


Objectives Today

Learn all the right questions to ask and how to be assured that:

• Your business goals (RTO, RPO, DLE) will be met
• Your data will really be protected
• You can actually recover your data
• Your data will be secure at all times
• Your service provider has been and will be here for the long haul


Discussion Agenda

1. Quick Introductions
2. Case for Action – Why Bother
3. Common Threats
4. Where/How Data Backup Fits into Business Resumption Planning
5. Seven (7) Critical Questions
6. How Online Data Backup and Recovery Works
7. Summary


About Your Speaker – Bob Chaput

• President – Data Mountain LLC
• 30+ years in Business and Technology
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets
• 25 years DR / BC experience
• 20 years Regulated-Industry Experience
• BA, MA – Mathematics; GE – FMP; Vanderbilt; HPI
• Numerous Technical Certifications
• Serve customers of all sizes in all industries
• 6 years - Channel Partner/Reseller for Iron Mountain Digital
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: ACHE, NTC, Chambers, Boards
• Passion: Helping business owners and managers manage risks:
  – Risk of being out of regulatory compliance
  – Risk of going out of business
  – Risk of throwing money away on phony/ineffective solutions


Why Bother?

Lost data exposes your business and clients to business disruption and possible legal setbacks

Business and client data is more visible and valuable than ever… and more vulnerable than ever

And, now, it’s law!!!

(GLBA, HIPAA, HITECH, SOX, SEC Rule 17a, PCI DSS, FACTA, State Regulations, etc.)


HIPAA Security Rule – Example

§ 164.308 Administrative safeguards.

• (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

• (ii) Implementation specifications:

• (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

• (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

• (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

• (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

• (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.


All Types of Disasters Strike

• Natural / Environmental
  – Tornado, Hurricane, Earthquake, Snow storms, etc.
• Intentional Acts of Destruction
  – Viruses, Worms, Spyware, Arson, Terrorism, etc.
• Unintentional Acts of Destruction
  – Cable cut, Plumbing, Employee error, etc.

“Every state in the country will suffer a natural disaster in the next two years.”
U.S. Small Business Administration (SBA)


Facts and Reality

• 93% of companies that experience a significant data loss will be out of business within five years.

• Of the companies that lose their data in a disaster, nearly 50% never reopen their doors at all!

• 7 of 10 SMBs that experience a major data loss go out of business within a year.

(Source: U.S. Department of Labor; University of Texas; DTI/Price Waterhouse Coopers)


More Reality…Relevant Data Loss and Data Breach Statistics

• 1 in 10 …laptop computers will be stolen within the first 12 months of purchase
• 97% …of lost and stolen notebooks are never recovered
• 50% …of organizations reported laptop theft
• Every 43 seconds …a computer is reported stolen
• Every 3 days …an information security breach is reported in the U.S.
• 82% …of all PCs will be mobile devices by 2008, increasing 4 times as fast as PCs
• 4,425 …laptops reported left behind in Chicago taxis during a six month period
• 56 million …individuals affected by significant U.S. data security breaches, 2005
• 1 billion …PC users expected by 2010, up from 660-670 million today
• 57% …of corporate crimes are linked to stolen laptops. The latest crimes of espionage and sabotage are theft of executive personnel devices to access vital financial or personnel data.

(data source: http://datarevoke.com)

Bad stuff happens to data and computers all too often…and the trend is increasing…


Elements of Business Resumption Planning

• Business Continuity Plan
• Disaster Recovery Plan
• Data Backup and Restoration Plan


Seven (7) Critical Questions

1. Does the service provide a complete, end-to-end data protection process?
2. Does the service meet your business, business continuity, disaster recovery business and data retention objectives?
3. Does the service provide reliable data protection?
4. Does the service provide for easy, fast, accurate and complete recovery?
5. Is the service fully automated, providing efficient, “hands free” operations?
6. Does the vendor have long-term experience in this business, financial stability and a long-term future?
7. Does the service provider meet or exceed your industry standards for Security and Regulatory Compliance for encryption, etc.?


Business Objectives

• RTO – Recovery Time Objective
  – How fast does the business / process need to be operational again?
  – OR, said another way, what is the maximum allowable downtime for that process?

• RPO – Recovery Point Objective
  – Back to what point in time is it acceptable to resume / restart / recreate operational activity?
  – OR, said another way, how much data, time, productivity can we afford to lose?

• DLE – Data Loss Event
  – Not all “events” are created equal – not equal impact and not equal frequency or probability… against which “events” are you going to focus?


Data Loss Event Pyramid

[Figure: Data Loss Event Pyramid. Axes: Severity, Frequency. Levels: Site; System; Database / Exchange; Multi-Files / Folders; Single File.]

Against which Data Loss Events are you building your plan?


How It Works: Automated Server Data Protection and Recovery

Continuous Backup
• Fully automated backup
• Rapid recovery

Secure and safe
• National underground facility (NUS)
• End to End 256-bit AES Secure Authentication
• Secure socket layer (SSL)

Centrally managed
• 24/7/365 web portal
• Remote administration and monitoring

Flexible bandwidth management
• Bandwidth throttling
• Unique delta backup and restore technology
• Optional TurboRestore recovery appliance

[Diagram labels: Microsoft®, Linux®, or Sun® Solaris® Server; TCP/IP; Data Center (Data available for recovery); Off-Site; Out of Reach; Mirrored Data Center; Remote Administration and Monitoring 24/7/365]


Onsite Recovery Appliance: Fast Local Restore

• Optional onsite device stores recent history
• Fast local restore for excellent RTO
• Self-managed with no human intervention
• “Extra peace of mind”

[Diagram labels: Linux®, Sun® Solaris® or Microsoft® Server; OPTIONAL Onsite Appliance; TCP/IP; Data Center (Data available for recovery); Off-Site; Out of Reach; Mirrored Data Center; Remote Administration and Monitoring 24/7/365]


Business Resumption Planning Resources

Visit: http://www.datamountain.com/Resources/Disaster_Recovery_Planning/

• National Institute of Standards and Technology (NIST) “Risk Management Guide for Information Technology Systems”

• FEMA Emergency Planning Guide

• An Overview of the Disaster Recovery Planning Process

• Sample Business Recovery Plan

• NIST Security Controls: Covers 17 key security focus areas, including risk assessment, contingency planning, and incident response, for protecting Federal computer systems


Best Practices: What To Look For When Selecting A Solution

Address Entire Data Protection Process

Free of Manual, Complex Tasks

Vendor Experience, Longevity and Experience

Meet Your Security/Privacy Regulatory Requirements

Meet Your Business Objectives RTO/RPO/DLE

Fast and Accurate and Complete Recovery

Reliable Backup and Recovery …and Track Record


Worst Practices: What To Avoid When Selecting A Solution

Emphasizes backup and not recovery

Unencrypted (ZIP) files sent for recovery

Lack of or poor Vendor Experience

Unencrypted media (DVDs/CDs) sent through mail

Does not address RTO/RPO/DLE business objectives

Cumbersome and slow online recovery processes

Poor or non-existent track record of recovery


Summary

• Get serious about real data protection
• Develop your critical questions and criteria
• Formalize your selection process
• Try, before you buy
• Remember the key pieces (prior slide)
• Remember: without your data, all else is for naught!
  – Seriously consider offsite, electronic data vaulting
  – Seriously consider Data Mountain!


Cloud Storage Solutions Portfolio

• LiveVault® Server Backup: Provides continuous, automatic back-up for enterprise remote offices or small & medium-sized businesses
• Total Email Management Suite (TEMS): Provides indexed archiving, mailbox management, security & redundancy for email environment plus eDiscovery
• Connected® Back-Up for PCs & Macs: Protects distributed corporate assets while greatly reducing file share storage and support requirements
• Virtual File Store: Reduces costs associated with storing, managing and protecting infrequently accessed “inactive” data
• eDiscovery Services: Organizes your data for fast access for timely responses to litigation inquiries.
• Digital Record Center™ for Medical Images: Ensures regulatory compliance; provides long-term archiving and disaster recovery cost efficiently.


Complimentary Assessment -- Data Disaster Recovery Preparedness

www.DataMountain.com

Thank you for attending!


Contact

Bob Chaput
[email protected]

Phone: 800-704-3394 or 615-656-4299

Connect: www.linkedin.com/in/bobchaput

Follow me: Twitter.com/bobchaput

Data Mountain, LLC


Backup material


1. Does the service provide a complete, end-to-end data protection process?

a. Does it offer continuous, disk-based data protection (CDP) such that it protects your data as it changes?

b. Does the service take your data offsite immediately providing protection against site disasters?

c. Is your data then accessible from anywhere, anytime via a web-enabled interface?

d. Does the service provide integrated archiving of long-term backups in a secure offsite facility?

e. Is your data protected from virus, corruption and unexpected events in the storage facility?

f. Does the service provide an optional local recovery appliance to enable high-speed, local disk-based restores?


2. Does the service meet your business, business continuity, disaster recovery business and data retention objectives?

a. Will the service enable you to meet your Recovery Time Objectives (RTOs) for your critical business processes?

b. Will the service enable you to meet your Recovery Point Objectives (RPOs) for your critical business processes?

c. Does the service protect you against all possible Data Loss Events and threats that may cause you to lose data?

d. Does the service allow for recovery to alternative locations and alternative hardware platforms?

e. Does the service offer a choice of retention periods (e.g., 30-day, 3-month, 1-year, 7-years) appropriate to the requirements for types of data stored?

f. Does the service provide for the migration of data as desired to a digital archive service?

g. Does the service provide for the recovery of data on demand through a complementary eDiscovery service?

h. Does the service provide support of all the platforms that you must protect – e.g., Windows®, Linux, VMware®, etc?

i. Does the service offer pricing plans and architecture that makes capacity planning and budgeting easy and predictable?


3. Does the service provide reliable data protection?

a. Does the service natively and inherently protect databases & open files such as Exchange, SQL Server, Oracle, and others without add-on software agents?

b. Does the service provide end-to-end security including Encryption, Authentication and Digital Signatures?

c. Does the service provider ensure recovery with an SLA backing the recoverability of your data?

d. Is your data stored in more than one data center? Is it also mirrored in a redundant secondary data center?

e. Does the vendor/service assure complete protection of backup and restore jobs from node failures and network resilience problems?

f. Does the service provide automatic checkpoint-restarts if backup or restore jobs are interrupted?


4. Does the service provide for easy, fast, accurate and complete recovery?

a. Does the service provide an optional Local Recovery Appliance to enable high-speed, local disk-based restores?

b. Are you able to recover current data (within minutes), not just last night’s backup image?

c. Does the service provide for granular recovery down to folder and individual file levels, including multiple restorable images per day?

d. Are you able to perform “Change Only Recovery” such as “Delta Restore” which provides huge performance improvements on recovery time?

e. Does the service offer Full System Recovery (versus data only) backup and restore as integral part of service?

f. Does this service offer free, unlimited, immediate Internet-based restores 24/7/365?

g. Does this service allow for very large data sets to be shipped on secure, encrypted removable media for fast disaster recovery?


5. Is the service fully automated, providing efficient, “hands free” operations?

a. Does the service have “Set-it-and-forget-it” capabilities?

b. Does the service offer 24/7 proactive monitoring of your backup policies and centralized control of processes, status, inventories, and reporting?

c. Are you automatically notified of any backup issues through an automated alert system?

d. Is the task of reviewing and managing error logs each day automated?

e. Are you able to perform restores anytime, anywhere you have web access?

f. Are onsite appliances or devices integrated seamlessly into the backup process?

g. Does the service provide data reduction technologies that include snapshots, filters, delta engine and automatic de-duplication of data?


6. Does the vendor have long-term experience in this business, financial stability and a long-term future?

a. Has this vendor been in the data protection and/or online data backup and recovery business for 10 or more years?

b. Is the vendor a reputable, publicly traded company listed on a major exchange?

c. Does the vendor do business with large, known companies and businesses in your industry?

d. Does this vendor’s backup and recovery service form an integral part of a broader spectrum of information management and data protection services?

e. Is this vendor leveraging existing capacity for additional revenue only or is their service a core offering?

f. Does this vendor offer a full spectrum of information management and data protection services?

g. Has the vendor’s offering been proven and tested as evidenced by thousands of customers and multiple Petabytes of data under management?

h. Does the vendor have a full complement of engineering, operations and customer service staff dedicated to their data protection business?

i. Does the vendor “own” all systems, facilities, processes, engineering and operational responsibilities for the service rather than outsourcing parts of it to others?


7. Does the service provider meet or exceed your industry standards for Security and Regulatory Compliance?

a. Is this vendor a publicly traded company subject to, aware of and experienced in Sarbanes-Oxley-type regulations?

b. Is your data encrypted at all times while “in transit” and “at rest” throughout the backup and recovery processes?

c. Is the vendor expert in and compliant with (e.g., will they sign HIPAA Business Associate agreement?) privacy and security regulations including but not limited to: GLBA, SOX, HIPAA, FACTA, Patriot Act, PCI DSS, etc?

d. Does the vendor offer encryption key escrow and the ability to retrieve lost encryption keys from escrow?

e. Are all media restores completed using secure, encrypted removable media that meets regulatory requirements?

f. Does the service provider maintain data vaults/storage facilities with a proven track record in security?

g. Are the service provider’s data centers located globally to accommodate regional security and privacy regulations?

h. Does the vendor maintain certifications appropriate to the data stored (e.g., PCI DSS compliance, SysTrust assurance, a BRUNS-Pak Level 9 or above rating)?
