Dick Benton, senior consultant with GlassHouse Technologies answers frequently asked questions about outsourcing disaster recovery.
>>Who should outsource disaster recovery?
>>What are the benefits?
>>What are the drawbacks?
>>What vendors offer disaster recovery services?
>>What are the most important things to consider before outsourcing DR?
In the past, it's been confined to small to midsized businesses (SMBs) or people with very expensive mainframes. But, in recent years, we've seen a wide variety of our clients looking at outsourcing disaster recovery (DR).
- Those who really want to get a solid handle on their IT investments and cost.
- People who don't really know that much about DR and want to have someone else look after it for them
- People who are really looking at the worst-case scenario, perhaps that their staff might not survive the disaster.
Once you've designed your DR plan its probably worthwhile looking at the cost of outsourcing vs. doing it in-house. It is also important to consider the time it would take to maintain an in-house DR plan vs. outsourcing.
Most organizations are operationally pressurized, and everything is about the operational imperative. It is the DR service provider's main job to look after DR and the tests that go with it. So, for those who don't have the time or the resources to dedicate to DR, having someone else take that on can really be helpful.
Also, your costs can be significantly less than trying to provide that level of disaster preparedness in-house.
Companies that already have multiple campuses and data centers can leverage those data centers fairly readily and without great expense to provide some sort of mutual disaster recovery.
I think security is a big consideration when outsourcing DR. For less than a 24-hour recovery time objective (RTO), the data needs to be on disk. So, being confident that data is secure is essential.
Also, how far away is the outsourcing site? And, how would you get there after a disaster? If you envision a regional disaster, it is important to consider who is going to operate the DR environment. Will it be the service provider or will it be your own staff? And if it's the latter, how will they get there?
It's also important to understand the length of time that you may need to be operating from your DR site. Contracts inevitably have some kind of cap on them. So, if your contract specifies six months, you need to have some kind of post-disaster recovery plan for addressing that. That issue isn't as critical if you are doing DR in-house.
Shared resources are very popular in outsourced DR services, because it allows the provider to reduce costs substantially. The assumption is that all of their clients are not going to encounter a disaster at the same time and need the same resource. Often times, that's true, but if there is a major geographic disaster then there is going to be competition for those resources.
I think SunGard is probably the leader in the open-systems environment. And, IBM is certainly the leader in mainframe environments. Those are the biggest names, but there are many lower profile co-location providers. They tend to be lower profile because they are very local. And that raises the question: How local can your colo provider be in a disaster situation?
A disaster site should as far away from the main site as possible. The SEC suggests that 250 miles away is good. The challenge is that synchronous replication has a limit of 60 to 70 miles.
Having clear appreciation of what your recovery objectives are in terms of RTO and recovery point objective (RPO) and making that determination based on business requirements rather than what the outsourcer can provide for you at a particular price point.
Another important consideration that we touched on before is how long you want to commit to operating at that DR site. And, understand exactly what you are signing up for. Are you signing up for equipment that's going to be available no matter what, even if 500 other companies show up first? If relocation is a part of your plan, it's a good idea to figure out the details of that and make any contingency plans necessary. And most importantly, understand the security of the DR site.
Dick Benton is a senior consultant with GlassHouse Technologies.
This was first published in November 2008