If there was an overriding theme in disaster recovery in 2009 it was make it cost as little as possible. In a year when the worst economic crisis in decades overshadowed the risk of any theoretical disaster, those CIOs who managed to implement or upgrade their disaster recovery plans had to consider costs from every angle -- and to compromise.
"It wasn't a matter of, 'Go build it.' It was a matter of how can we seize opportunities to make it cost as a little as possible," said Zandoli, a vice president of strategic planning services at MetLife before his recent appointment to CISO.
In MetLife's case, Zandoli's team opted to leverage an underused MetLife data center in Scranton, Pa., for its secondary site, 120 miles from the primary data center in Rensselaer, N.Y. That was too far for ideal synchronous transfer and too close to satisfy some guidelines for catastrophic protection. But the worst-case delay for the data transfer was tolerable. A 30-page risk assessment identified snow as the only big weather affecting both northeast sites at the same time, and the business had weathered enough snowstorms to live with the risk. The whole project cost $1.5 million in year one, factoring in the cost savings. The project was self-funding by year two and is projected to yield a 9% ROI by year five.
Penny pinching and concessions were also the operative modes for customers of the major DR service providers in 2009. Companies that had been eying expensive technologies to fill gaps in disaster recovery plans in 2008 were more likely to focus on people and processes in 2009, according to Patrick Corcoran, global client solutions executives at IBM. Bill Hughes, director of consulting services at SunGard Availability Services LP, also saw plenty of customers cutting corners by:
- Using corporate buildings that were vacated or emptied because of the recession for secondary and tertiary recovery sites.
- Recalibrating data tiers in order to save money on recovery services.
- Leveraging server virtualization to reduce the floor space and power consumption at leased recovery sites.
Based on more than a dozen DR projects we profiled in 2009, we offer three tips that we hope will help you pay for your disaster recovery plans in 2010.
1. Piggyback disaster recovery efforts on other projects.
At MetLife, Zandoli paired up the DR project with a data center modernization project, in particular a refresh of its storage disks. The 70% cost savings gained from refreshing the disks funded the purchase of a second mainframe used for replication at the new remote site.
Greg Folsom, senior vice president of IT at Arnold Worldwide Partners, a Boston-based advertising firm, combined a server virtualization project with a virtualized storage area network for a solution that saves money on his heating and cooling costs in the data center, streamlines the IT architecture between the firm's Boston and New York offices and improves DR.
2. Align DR to business risk and goals.
Before its DR overhaul, MetLife was shipping 500,000 tapes off-site for storage. Eliminating the reputational risk to the business of a stolen or lost tape was a strong argument for funding.
Chad Eckes, CIO at Chicago-based Cancer Treatment Centers of America (CTCA), used his organization's business decision to move from paper to electronic health records to craft his DR strategy.
Eckes' DR plan had three layers of redundancy -- remote mirroring, off-site disk vaulting and .pdf document files -- to ensure that patients' electronic health records are always available. If the main data center goes down, every system can be up and running in two hours, and data loss is zero.
The business mission should always inform IT's DR strategy, said Eckes, whose disaster recovery plan for CTCA's branch offices was profiled in March.
3. Consider subscription-based Internet services for disaster recovery and business continuity.
On-demand disaster recovery and business continuity services offer a means to get faster recovery times without large capital investment. Pinning down the vendor on security measures is critical. Forrester Research Inc. analyst Stephanie Balaouras laid out four ways to implement disaster recovery plans by remote control:
- Backup as a Service: A fully managed, subscription-based service. Vendors include: Iron Mountain Inc., with its LiveVault service; i365, with EVault; and IBM and its Business Continuity and Resiliency Services. "You just download a piece of software from these guys onto your servers, and it backs up your servers over the Internet to their sites," Balaouras said.
- Storage as a Service (also referred to as disk to cloud): A subscription-based service. This is for companies that are already backing up locally with, say, Symantec Corp.'s Backup Exec or Microsoft Application Manager, and want to get that data off-site for DR purposes or maybe want to stop shipping tapes to Iron Mountain. A second copy of the data is sent to vendors such as Iron Mountain (CloudRecovery), Amazon Simple Storage Service or Symantec.
- Replication as a Service (virtual recovery): This fully managed, subscription-based service provides full business continuity. Vendors in this space will replicate clients' data as well as system information to their sites, so they can recover clients to virtual machines and help them fail back when ready. Solutions include SunGard Virtual Server Replication, CA Instant Recovery On-Demand and i365 EVault.
- Application Continuity as a Service: A fully managed, subscription-based service that provides complete continuity and recovery for a specific business application. An example is Dell MessageOne. The service is priced per mailbox and nuanced, so companies could not only decide which mailboxes to cover, but also buy send-and-receive continuity services for everyone and then add replication just for the executives.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.