© 2009 Data Mountain LLC | All Rights Reserved.
A Buyer’s Guide - What to Look For in Online Backup and Recovery Services
2010
Bob Chaput, 615-656-4299 or [email protected], Data Mountain, LLC
Background & Motivation
• We are often asked, "How do I go about selecting an online data backup and recovery service?"
• Unfortunately, in this market, unlike in the insurance marketplace, we do not have an A.M. Best, a Moody's, a Standard & Poor's or a Weiss Research publishing financial strength ratings on industry players. Nor do we have a J.D. Power and Associates!
• This guide is meant to help organizations navigate a market where there are new players almost every week and horrific stories of lost data almost every month.
Objectives Today
Learn all the right questions to ask and how to be assured that:
• Your business goals (RTO, RPO, DLE) will be met
• Your data will really be protected
• You can actually recover your data
• Your data will be secure at all times
• Your service provider has been and will be here for the long-haul
Discussion Agenda
1. Quick Introductions
2. Case for Action – Why Bother
3. Common Threats
4. Where/How Data Backup Fits into Business Resumption Planning
5. Seven (7) Critical Questions
6. How Online Data Backup and Recovery Works
7. Summary
About Your Speaker – Bob Chaput
• President – Data Mountain LLC
• 30+ years in Business and Technology
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets
• 25 years DR / BC experience
• 20 years Regulated-Industry Experience
• BA, MA – Mathematics; GE – FMP; Vanderbilt; HPI
• Numerous Technical Certifications
• Serve customers of all sizes in all industries
• 6 years - Channel Partner/Reseller for Iron Mountain Digital
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: ACHE, NTC, Chambers, Boards
• Passion: Helping business owners and managers manage risks:
  – Risk of being out of regulatory compliance
  – Risk of going out of business
  – Risk of throwing money away on phony/ineffective solutions
Why Bother?
Lost data exposes your business and clients to business disruption and possible legal setbacks.
Business and client data is more visible and valuable than ever… and more vulnerable than ever.
And, now, it’s law!!!
(GLBA, HIPAA, HITECH, SOX, SEC Rule 17a, PCI DSS, FACTA, State Regulations, etc.)
HIPAA Security Rule – Example
§ 164.308 Administrative safeguards.
• (7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
• (ii) Implementation specifications:
  • (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  • (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
  • (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  • (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
  • (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
All Types of Disasters Strike
• Natural / Environmental – Tornado, Hurricane, Earthquake, Snow storms, etc.
• Intentional Acts of Destruction – Viruses, Worms, Spyware, Arson, Terrorism, etc.
• Unintentional Acts of Destruction – Cable cut, Plumbing, Employee error, etc.
“Every state in the country will suffer a natural disaster in the next two years.”
U.S. Small Business Administration (SBA)
Facts and Reality
• 93% of companies that experience a significant data loss will be out of business within five years.
• Of the companies that lose their data in a disaster, nearly 50% never reopen their doors at all!
• 7 of 10 SMBs that experience a major data loss go out of business within a year.
(Source: U.S. Department of Labor; University of Texas; DTI/Price Waterhouse Coopers)
More Reality… Relevant Data Loss and Data Breach Statistics
• 1 in 10 … laptop computers will be stolen within the first 12 months of purchase
• 97% … of lost and stolen notebooks are never recovered
• 50% … of organizations reported laptop theft
• Every 43 seconds … a computer is reported stolen
• Every 3 days … an information security breach is reported in the U.S.
• 82% … of all PCs will be mobile devices by 2008, increasing 4 times as fast as PCs
• 4,425 … laptops reported left behind in Chicago taxis during a six month period
• 56 million … individuals affected by significant U.S. data security breaches, 2005
• 1 billion … PC users expected by 2010, up from 660-670 million today
• 57% … of corporate crimes are linked to stolen laptops. The latest crimes of espionage and sabotage are theft of executive personnel devices to access vital financial or personnel data.
(data source: http://datarevoke.com)
Bad stuff happens to data and computers all too often… and the trend is increasing…
Elements of Business Resumption Planning
(Figure: three nested plans, from broadest to most specific)
• Business Continuity Plan
• Disaster Recovery Plan
• Data Backup and Restoration Plan
Seven (7) Critical Questions
1. Does the service provide a complete, end-to-end data protection process?
2. Does the service meet your business, business continuity, disaster recovery business and data retention objectives?
3. Does the service provide reliable data protection?
4. Does the service provide for easy, fast, accurate and complete recovery?
5. Is the service fully automated, providing efficient, “hands free” operations?
6. Does the vendor have long-term experience in this business, financial stability and a long-term future?
7. Does the service provider meet or exceed your industry standards for Security and Regulatory Compliance for encryption, etc.?
Business Objectives
• RTO – Recovery Time Objective
  • How fast does the business / process need to be operational again?
  • OR, said another way, what is the maximum allowable downtime for that process?
• RPO – Recovery Point Objective
  • Back to what point in time is it acceptable to resume / restart / recreate operational activity?
  • OR, said another way, how much data, time, productivity can we afford to lose?
• DLE - Data Loss Event
  • Not all “events” are created equal – not equal impact and not equal frequency or probability… against which “events” are you going to focus?
Data Loss Event Pyramid
(Figure: a pyramid of Data Loss Event tiers, ordered from highest severity at the top to highest frequency at the bottom)
• Site
• System
• Database / Exchange
• Multi-Files / Folders
• Single File
Against which Data Loss Events are you building your plan?
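The RTO, RPO and DLE tiers above are what critical questions 2a–2c ask a vendor about. As an added example that is not part of the slide deck, the following Python checks a candidate service's figures against those objectives for each tier of the pyramid; the service figures, data volumes and objectives are constructed placeholders, and the three restore paths modelled (onsite appliance, Internet-based restore, shipped encrypted media) are an assumption drawn from the "How It Works" slides that follow.

```python
# Added example (not from the slide deck): check a candidate service's figures
# against your RTO/RPO per Data Loss Event tier. All numbers are placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class DleTier:
    name: str          # tier of the Data Loss Event pyramid
    data_gb: float     # volume that must be restored for this event
    rto_hours: float   # maximum allowable downtime
    rpo_hours: float   # maximum acceptable data loss, expressed as time
    site_intact: bool  # False for site loss: the onsite appliance is gone too

@dataclass(frozen=True)
class Service:
    capture_interval_hours: float  # how often changes are captured (CDP: minutes)
    offsite_lag_hours: float       # delay before a capture is also off-site
    local_restore_gbph: float      # throughput from an onsite appliance, GB/h
    wan_restore_gbph: float        # throughput of an Internet-based restore, GB/h
    media_ship_hours: float        # time to receive encrypted media from the vendor
    media_restore_gbph: float      # throughput when restoring from that media
    setup_hours: float             # fixed overhead to start any restore

def effective_rpo_hours(svc, tier):
    # Worst-case loss is everything since the last usable capture. After a site
    # loss only copies already off-site survive, so the offsite lag is added.
    lag = 0.0 if tier.site_intact else svc.offsite_lag_hours
    return svc.capture_interval_hours + lag

def restore_hours(svc, tier):
    # Fastest restore path available for this event and its elapsed time.
    options = {
        "wan": tier.data_gb / svc.wan_restore_gbph,
        "media": svc.media_ship_hours + tier.data_gb / svc.media_restore_gbph,
    }
    if tier.site_intact:  # the local appliance only helps if it survived
        options["local"] = tier.data_gb / svc.local_restore_gbph
    path = min(options, key=options.get)
    return options[path] + svc.setup_hours, path

def evaluate(svc, tiers):
    # Per-tier verdict on whether the service meets the stated RTO and RPO.
    report = {}
    for t in tiers:
        rto, path = restore_hours(svc, t)
        rpo = effective_rpo_hours(svc, t)
        report[t.name] = {"restore_hours": rto, "path": path,
                          "rto_met": rto <= t.rto_hours,
                          "data_loss_hours": rpo, "rpo_met": rpo <= t.rpo_hours}
    return report

# Constructed sample figures (placeholders, not any real vendor's numbers).
SERVICE = Service(0.25, 0.5, 200.0, 20.0, 24.0, 300.0, 0.5)
TIERS = [
    DleTier("Single File", 0.01, 1.0, 1.0, True),
    DleTier("Multi-Files / Folders", 50.0, 4.0, 1.0, True),
    DleTier("Database / Exchange", 500.0, 8.0, 1.0, True),
    DleTier("System", 2000.0, 24.0, 4.0, True),
    DleTier("Site", 5000.0, 24.0, 4.0, False),
]

if __name__ == "__main__":
    for name, r in evaluate(SERVICE, TIERS).items():
        flag = "OK " if r["rto_met"] and r["rpo_met"] else "GAP"
        print(f"{flag} {name:22s} {r['restore_hours']:6.1f}h via {r['path']}")
```

With these placeholder figures every tier meets its RPO, but the site-loss tier misses its 24-hour RTO even on the fastest path (shipped media), which is exactly the gap questions 2a and 4g are meant to surface before you sign.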
How It Works: Automated Server Data Protection and Recovery
(Figure: Microsoft®, Linux®, or Sun® Solaris® Server → TCP/IP → Data Center (data available for recovery) → Mirrored Data Center; both data centers are Off-Site and Out of Reach, with Remote Administration and Monitoring 24/7/365)
• Continuous Backup: fully automated backup; rapid recovery
• Secure and safe: National underground facility (NUS); End to End 256-bit AES; Secure Authentication; Secure socket layer (SSL)
• Centrally managed: 24/7/365 web portal; remote administration and monitoring
• Flexible bandwidth management: bandwidth throttling; unique delta backup and restore technology; optional TurboRestore recovery appliance
Onsite Recovery Appliance: Fast Local Restore
(Figure: Linux®, Sun® Solaris® or Microsoft® Server → OPTIONAL Onsite Appliance → TCP/IP → Data Center (data available for recovery) → Mirrored Data Center; Off-Site and Out of Reach, with Remote Administration and Monitoring 24/7/365)
• Optional onsite device stores recent history
• Fast local restore for excellent RTO
• Self-managed with no human intervention
• “Extra peace of mind”
Business Resumption Planning Resources
Visit: http://www.datamountain.com/Resources/Disaster_Recovery_Planning/
• National Institute of Standards and Technology (NIST) “Risk Management Guide for Information Technology Systems”
• FEMA Emergency Planning Guide
• An Overview of the Disaster Recovery Planning Process
• Sample Business Recovery Plan
• NIST Security Controls: Covers 17 key security focus areas, including risk assessment, contingency planning, and incident response, for protecting Federal computer systems
Best Practices: What To Look For When Selecting A Solution
• Address Entire Data Protection Process
• Free of Manual, Complex Tasks
• Vendor Experience and Longevity
• Meet Your Security/Privacy Regulatory Requirements
• Meet Your Business Objectives RTO/RPO/DLE
• Fast and Accurate and Complete Recovery
• Reliable Backup and Recovery… and Track Record
Worst Practices: What To Avoid When Selecting A Solution
• Emphasizes backup and not recovery
• Unencrypted (ZIP) files sent for recovery
• Lack of or poor Vendor Experience
• Unencrypted media (DVDs/CDs) sent through mail
• Does not address RTO/RPO/DLE business objectives
• Cumbersome and slow online recovery processes
• Poor or non-existent track record of recovery
Summary
• Get serious about real data protection
• Develop your critical questions and criteria
• Formalize your selection process
• Try, before you buy
• Remember the key pieces (prior slide)
• Remember: without your data, all else is for naught!
  – Seriously consider offsite, electronic data vaulting
  – Seriously consider Data Mountain!
Cloud Storage Solutions Portfolio
• LiveVault® Server Backup: Provides continuous, automatic back-up for enterprise remote offices or small & medium-sized businesses
• Total Email Management Suite (TEMS): Provides indexed archiving, mailbox management, security & redundancy for email environment plus eDiscovery
• Connected® Back-Up for PCs & Macs: Protects distributed corporate assets while greatly reducing file share storage and support requirements
• Virtual File Store: Reduces costs associated with storing, managing and protecting infrequently accessed “inactive” data
• eDiscovery Services: Organizes your data for fast access for timely responses to litigation inquiries.
• Digital Record Center™ for Medical Images: Ensures regulatory compliance; provides long-term archiving and disaster recovery cost efficiently.
Complimentary Assessment -- Data Disaster Recovery Preparedness
www.DataMountain.com
Thank you for attending!
Contact
Data Mountain, LLC
Phone: 800-704-3394 or 615-656-4299
Connect: www.linkedin.com/in/bobchaput
Follow me: Twitter.com/bobchaput
Backup material
1. Does the service provide a complete, end-to-end data protection process?
a. Does it offer continuous, disk-based data protection (CDP) such that it protects your data as it changes?
b. Does the service take your data offsite immediately providing protection against site disasters?
c. Is your data then accessible from anywhere, anytime via a web-enabled interface?
d. Does the service provide integrated archiving of long-term backups in a secure offsite facility?
e. Is your data protected from virus, corruption and unexpected events in the storage facility?
f. Does the service provide an optional local recovery appliance to enable high-speed, local disk-based restores?
2. Does the service meet your business, business continuity, disaster recovery business and data retention objectives?
a. Will the service enable you to meet your Recovery Time Objectives (RTOs) for your critical business processes?
b. Will the service enable you to meet your Recovery Point Objectives (RPOs) for your critical business processes?
c. Does the service protect you against all possible Data Loss Events and threats that may cause you to lose data?
d. Does the service allow for recovery to alternative locations and alternative hardware platforms?
e. Does the service offer a choice of retention periods (e.g., 30-day, 3-month, 1-year, 7-years) appropriate to the requirements for types of data stored?
f. Does the service provide for the migration of data as desired to a digital archive service?
g. Does the service provide for the recovery of data on demand through a complementary eDiscovery service?
h. Does the service provide support of all the platforms that you must protect – e.g., Windows®, Linux, VMware®, etc.?
i. Does the service offer pricing plans and architecture that makes capacity planning and budgeting easy and predictable?
3. Does the service provide reliable data protection?
a. Does the service natively and inherently protect databases & open files such as Exchange, SQL Server, Oracle, and others without add-on software agents?
b. Does the service provide end-to-end security including Encryption, Authentication and Digital Signatures?
c. Does the service provider ensure recovery with an SLA backing the recoverability of your data?
d. Is your data stored in more than one data center? Is it also mirrored in a redundant secondary data center?
e. Does the vendor/service assure complete protection of backup and restore jobs from node failures and network resilience problems?
f. Does the service provide automatic checkpoint-restarts if backup or restore jobs are interrupted?
4. Does the service provide for easy, fast, accurate and complete recovery?
a. Does the service provide an optional Local Recovery Appliance to enable high-speed, local disk-based restores?
b. Are you able to recover current data (within minutes), not just last night’s backup image?
c. Does the service provide for granular recovery down to folder and individual file levels, including multiple restorable images per day?
d. Are you able to perform “Change Only Recovery” such as “Delta Restore” which provides huge performance improvements on recovery time?
e. Does the service offer Full System Recovery (versus data only) backup and restore as integral part of service?
f. Does this service offer free, unlimited, immediate Internet-based restores 24/7/365?
g. Does this service allow for very large data sets to be shipped on secure, encrypted removable media for fast disaster recovery?
5. Is the service fully automated, providing efficient, “hands free” operations?
a. Does the service have “Set-it-and-forget-it” capabilities?
b. Does the service offer 24/7 proactive monitoring of your backup policies and centralized control of processes, status, inventories, and reporting?
c. Are you automatically notified of any backup issues through an automated alert system?
d. Is the task of reviewing and managing error logs each day automated?
e. Are you able to perform restores anytime, anywhere you have web access?
f. Are onsite appliances or devices integrated seamlessly into the backup process?
g. Does the service provide data reduction technologies that include snapshots, filters, delta engine and automatic de-duplication of data?
6. Does the vendor have long-term experience in this business, financial stability and a long-term future?
a. Has this vendor been in the data protection and/or online data backup and recovery business for 10 or more years?
b. Is the vendor a reputable, publicly traded company listed on a major exchange?
c. Does the vendor do business with large, known companies and businesses in your industry?
d. Does this vendor’s backup and recovery service form an integral part of a broader spectrum of information management and data protection services?
e. Is this vendor leveraging existing capacity for additional revenue only, or is their service a core offering?
f. Does this vendor offer a full spectrum of information management and data protection services?
g. Has the vendor’s offering been proven and tested, as evidenced by thousands of customers and multiple Petabytes of data under management?
h. Does the vendor have a full complement of engineering, operations and customer service staff dedicated to their data protection business?
i. Does the vendor “own” all systems, facilities, processes, engineering and operational responsibilities for the service rather than outsourcing parts of it to others?
7. Does the service provider meet or exceed your industry standards for Security and Regulatory Compliance?
a. Is this vendor a publicly traded company subject to, aware of and experienced in Sarbanes-Oxley-type regulations?
b. Is your data encrypted at all times while “in transit” and “at rest” throughout the backup and recovery processes?
c. Is the vendor expert in and compliant with (e.g., will they sign HIPAA Business Associate agreement?) privacy and security regulations including but not limited to: GLBA, SOX, HIPAA, FACTA, Patriot Act, PCI DSS, etc?
d. Does the vendor offer encryption key escrow and the ability to retrieve lost encryption keys from escrow?
e. Are all media restores completed using secure, encrypted removable media that meets regulatory requirements?
f. Does service provider maintain the data vaults/storage facilities with proven track record in security?
g. Are the service provider’s data centers located globally to accommodate regional security and privacy regulations?
h. Does the vendor maintain certifications appropriate to the data stored (e.g., PCI DSS compliance, SysTrust assurance, a BRUNS-Pak Level 9 or above rating)?