Evolving Solutions is pleased to share a recent solution success story about a rapidly growing construction and agricultural equipment provider that needed a high performing, flexible datacenter that would expand with them.

Evolving Solutions overhauled the existing datacenter and conducted an enterprise-wide IT infrastructure redesign using JD Edwards ERP software.  We helped implement and configure the ERP solution, as well as migrating data from legacy systems.

Evolving Solutions designed a storage infrastructure using the IBM XIV storage system, X86 and IBM system p Bladecenter.  This solution sets the company up for uninterrupted growth up to 79 terabytes and can be easily updated if more storage is needed later.

The solution also included virtualization and disaster recovery components. We implemented an IBM System p Blade center appliance, which allows the customer to run five diverse workloads inside a single architecture.  Their virtualized environment allows them to move running workloads between servers to maximize availability and avoid downtime, as well as dynamically adjusting server capability to meet changing workload demands.

With the company’s location prone to flooding, backing up files and moving the tapes off-site is extremely important.  They cannot risk their data being lost.  We therefore implemented a Tivoli Storage Manager disaster recovery solution to act as their insurance policy.

Summary of Benefits

• Consolidation – Streamlining and integration of disparate systems
• Scalability – Room to grow without having to implement a “forklift upgrade”
• Enhanced Performance – Virtualization has increased server utilization
• Network Connectivity – Fast and remote access to company data
• Cost Savings – Savings in systems maintenance costs  following AS400 decommissioning
• Managed Services – Scheduled healthchecks to monitor system performance

Read the full solution success story.

Data replication involves data being replicated and sent across your Wireless Area Network (WAN) to a remote disaster recovery location. Replication is scheduled for a certain time every day and automatically backed up to your remote server.

Data deduplication is the process of backing up data by eliminating redundancies. With data deduplication, only one unique instance of data is retained, meaning that every subsequent instance of that piece of data is referenced back to the one saved copy.

Data deduplication is beneficial for both replication and tape backup. With replication, it reduces replication time and bandwidth, improving recovery point objective (RPO) and recovery time objective (RTO) at the disaster recovery site with increased replication frequency. With tape backup, the increase of data retention on disk may result in lower frequency of tape copies and less tapes being stored off-site.

A more sophisticated version of replication is synchronous replication. This is a technique for replicating data between databases (or file systems) where the system being replicated waits for the data to be recorded on the duplicate system before proceeding. The synchronous replication approach requires access to all slave databases and 100% network availability for the replication to be successful. Therefore, network managers have to plan for synchronous replication and ensure that network availability is sufficient.

With synchronous replication, you have the guarantee that the duplicate system has a copy of the data, but the disadvantages that the primary system must wait for the secondary system before proceeding and replication will not be completed without high network availability.

Synchronous replication is currently the most sophisticated and costly form of data backup.

Coming next Wednesday in our Disaster Recovery series: Virtualization.

Tape has been the most common method for backing up data for years, popular because of its relatively low cost.  With data security becoming a more pressing concern and the emergence of new disaster recovery concepts, many people are quite rightfully asking whether this is the end of the road for traditional backup and recovery, as we know it.

On-site tape backup is what we would call the “high deductible” insurance plan.  Files are backed up to magnetic tape and the tape is stored on-site.  This is a riskier insurance plan because it doesn’t protect your data from a physical disaster that destroys your facility.   If your data center crashes, your data is backed up and can be restored.  If a natural disaster or a fire occurs, however, your data will likely be destroyed.

This is why many companies choose “cold site” tape backup.  With this option, your data is backed up to tape and then the tape is trucked to an off-site location, which we call the disaster recovery “cold site”. This offers you an extra layer of protection and the peace of mind that your data will be restored if a disaster hits your physical location.

There are a couple of big down sides to tape backup: security and recovery time.  In recent times, tape backup has received some negative press with stories of vanishing data at some of the largest financial institutions.

In addition to the security risk, tape backup is known for its time-consuming and cumbersome recovery process.  In many cases, the cost involved in recovering data from tape is so high that it makes more financial sense for a company to purchase new disks for data storage than to restore from tape.

Many companies have turned to a hybrid tape/disk backup solution (D2D2T) where critical data is backed up to disk for rapid restore.  For disaster recovery, the critical data can be copied to tape and a second copy produced for off-site storage. Less critical data can be staged to disk and then written directly to tape. D2D2T enables administrators to stage less mission-critical data to tape over time and ensure that critical data is available for a much quicker restore.

With a sharper focus on security and decreasing tolerance for downtime, many organizations are wondering if tape alternatives are better-suited for backup.  Of course, these alternatives come at a much higher ticket price.

Check back next Wednesday, April 21st for our next post: Disaster Recovery Options – Data Replication.

Disaster recovery options have, for the most part, remained pretty consistent over the years, with a few new technologies emerging recently.  Over the next couple of weeks, we will be posting a 5 part series of blog posts about disaster recovery strategies to help you choose the best “insurance policy” for your data.

With disaster recovery, it is not a case of one solution fits all.  There are several important considerations that dictate how protected your data should be and how much you are willing to spend to ensure this protection.

Key questions that CIOs should ask themselves include:

• What kind of data does your organization store?
• Does your data require high security storage and transfer?
• What impact would the loss of this data have on your business?
• How quickly do you need to recover data in the event of a disaster?
• What kind of technology can your existing IT infrastructure support?
• And, of course, what is your budget?

The answers to these questions will help you determine your disaster recovery requirements in terms of the following key components of a disaster recovery strategy:

• Disaster recovery location – In the event of a disaster, where will you conduct business?  You need to make provisions so that you are able to continue servicing your customers.
• Equipment – In order to recover your lost data, you need equipment on which your data can be restored.  One way to plan for this is to store redundant equipment at your DR location.
• Connectivity – Depending on the DR technology that you choose, you will need varying levels of network connectivity. Ensure that your network is able to support the amount of connectivity required for backing up and restoring your data.
• Recovery Time – You need to determine how much downtime your company can afford.  If your tolerance is extremely low, you must ensure that you choose a DR solution that will provide you with the fastest recovery time possible.

Check back on Wednesday April 14th for our next post in this series: Disaster Recovery Options – Tape.

Antivirus Researcher & Disaster Recovery Expert Peter Szor

Truly one of the most insidious of the man-made disasters threatening a company’s data center are ever present, ever-evolving, computer viruses.

On the front lines helping to backup and protect data centers from these viruses is Peter Szor, the subject of today’s Data Center Leaders Interview.

Szor is a computer antivirus and security researcher with 20 years of experience building antivirus and security solutions. He is a distinguished engineer at Symantec Corporation, holds over 30 issued computer security patents and is the author of the best selling technical book The Art Of Computer Virus Research and Defense(1).

Below, we discuss the history and rapid evolution of computer viruses, answer why companies should think broader than antivirus protection when creating disaster recovery plans, and overlook the damage caused by a few of the most malicious viruses Szor has ever seen:

Evolving Solutions:
In your experience, how many companies understand the importance of creating disaster recovery plans that take cyber-threats, like computer viruses, into account?

Peter Szor:
Large companies with critical infrastructures always understood the risk of computer malware.

Yet, while antivirus solutions remains their number one security choice, relatively few companies are focusing on other important aspects of computer security that are also critical to them, such as making sure data is kept secure, yet available at all times.

Companies know that well maintained computer antivirus solutions from trusted, dedicated security vendors will vital for their security, but I strongly believe that in the very near future companies will move to the next stage of understanding and put more focus on disaster recovery plans.

Companies need to understand that mitigation of risks is increasingly important, especially in environments where services are provided to users where any interruptions can quickly lead to negative business impact.

It is amazing how much the data needs of companies have changed over the years.  Even in homes, people store far more data than ever before as everything is increasingly becoming digital. Both companies and home are at risk of losing information, which needs to be protected and kept secure from viruses and protected by data backups.

Having spent almost 20 years developing computer antivirus and security software, I strongly feel, that customers understand security risks much more today than ever before. Fast spreading computer worms such as CodeRed, Nimda, Blaster and Conflicker all point to the same underlying issues in our networks that we share. Computer networks, operating systems and applications will remain vulnerable and exploitable, and disaster recovery plans are more important than ever. Data backup and storage management are critical.

Evolving Solutions:
What tips would you offer businesses to protect against computer viruses that seem to evolve just as quickly as software designed to prevent infection?

Peter Szor:
We often see that companies do not manage their infrastructure enough. Vulnerabilities are not always managed by deploying security updates at all end points. Companies do not always follow closely enough what software their users run, what they can do, and what attacks they might bring to the corporate network when doing so.

Operating systems are often old, as are the applications on them, meaning they often have vulnerabilities unpatched. Most users run their system as Administrator. Today, what we find is that the majority of attacks are getting in via downloads when users browse the web. Securing the browser is critical. What the user can browse has a huge impact on the internal security of the network, especially so, when the code enjoys Administrator privilege to get installed right away.

Of course, I would also recommend user education. I do not give up my hopes in this regard. My family dedicated their life to education: math, physics, history and music, you name it. I tried to contribute to the field of computer security myself and hope that computer professionals understand attacks and defenses better from my work. I am happy to see that computer security is becoming a science and that people can graduate by receiving degrees in the subject.

I strongly recommend companies to hire security professionals with first-hand experience in security. The degree is one thing and the experience is the other. The more people understand computer security, the better it will get for the company. Yet, if there is no expertise in house, security consulting should be used.

Computer security is evolving all the time with the new attacks. It is exciting to see how much antivirus has evolved over the last few years as the threat space grow to over 4 million. To me, this is an amazing expansion of the threat space.

For the first 10 years, we have witnessed just about 10,000 distinct computer virus variants and we all believed it was already overwhelming. We got the rest of the malware space during the last decade which clearly shows an exponential curve. The malware universe expansion is clearly rapidly accelerating.

Keeping your version of Antivirus engines and products up to date is important beside the definition data provided. There are true inventions in AV software today, such as advanced heuristics, software behavior management and “cloud” based reputation systems, which will all shape client protection during the next decade. These inventions come with new products which need to be deployed time to time to be sure that computer security can evolve with the new threats.

Evolving Solutions:
Your book, The Art of Computer Virus Research and Defense, is a report from behind the scenes in anti-virus research.  Apart from what is published in your book, what is the one piece of data most important for businesses to know regarding how a virus could affect their data centers?

Peter Szor:
There are many attack types, which – fortunately – have not developed to their full potential.

During the last few years, exploitation was the main focus of attackers. What we see today is that web browsing brings more and more attacks to the end points, and so, we made our defense stronger against such malware attacks.

Computer viruses can cause devastation, especially the fast spreading worms that open up the network to the remote control of the attackers. When confidential information is leaked, there is always a problem, which goes way beyond the recovery of the attacks itself on the internal network because it affects the reputation of the company who leaked the data. Therefore the protection against information leakage is increasingly important aspect of security today.

I already mentioned that so called “cloud based” security solutions will shape the security landscape during the upcoming years. Targeted, unique attacks are exploiting end points every second. It is not unlikely that we will see more than 10 million malware variants during 2010.

People who are behind these attacks operate as businesses, and make a lot of money, which they can reinvest to improve attacks. Unfortunately, this process accelerates the evolution of malware a lot.

If you think about it, attackers already use cloud computing, when they harvest bot networks for their use, such as spam delivery. Next, I think, they will increasingly use real cloud computing systems, since they can effort to borrow as many virtual machines as they want relatively cheaply, and they can certainly effort to pay for them as needed.

Modern attacks require revolutionary security software to address them, and this is precisely what we are working on.

Evolving Solutions:
How has Symantec learned to anticipate computer virus evolutions and develop software to combat these viruses accordingly?

Peter Szor:
Symantec was the pioneer of fast antivirus updates.

We realized that instantaneous pulsing update processes were important and eventually we invented the idea of providing a service directly to clients querying a central database. This provides the most up to date security protection.

Software reputation services will be a strong pillar of our computer security. We built a large software reputation database for the last few years and are getting ready to use it. With this, Symantec will help users to avoid software, which is rarely used, as most Trojan programs are very rare with few victims each.

We fight back against server side polymorphism – the effect behind the quick millions of malware increases – by realizing that users typically want to run software that many people also use. When you choose a restaurant, you want to be sure that is grade A, and have good food, and you know that if you see that the place is always packed. When you see a grade B restaurant with a few people inside, you want to avoid it, because you risk that you get sick when eating there. Similarly, if you are among the first to run a program that nobody has ever ran, you better not to take the risk. Such a policy will help protection tremendously in the future, and possibly, it is the greatest extension of the art of computer protection since my book was published a few years ago.

We understand, that our protection against malware attacks such as self-replicating viruses and worms is very strong, and thus, traditional techniques help our customers to fight back against them. We made sure during the last decade that our software provides solid protection against even the most sophisticated polymorphic and metamorphic virus attacks. We demonstrated in leading antivirus tests that we are unmatched when doing so. We made our protection against malware attacks much stronger during the last 12 months, while improving the performance of our software at the same time.

Evolving Solutions:
What is the most despicable computer virus you have ever witnessed, and without naming company names, what level of damage did you see it cause?

Peter Szor:
During the years, I have seen successful attacks, which deleted data that could not be restored since data backups were typically not available. We have even witnessed PC’s being destroyed by overwriting the content of their Flash-BIOS, as the CIH virus did, that made the motherboard of the attacked system useless.

You could not possibly prevent using add on software- the Flash-BIOS- to be overwritten, since the “metal” could be directly accessed via PORT commands with no way of interruption, once the malicious code ran on the system. This is a basic design flaw of modern computer architectures.

Instead, the actual viruses and Trojans had to be detected at the first place before they could run. Antivirus software was key to detecting these attacks and will surely remain the wheel of computer security in the future.

Back in 1995, I was certain that Windows systems would be the new target of attackers and expected to see computer worms on the platform. First, I witnessed the Happy99 worm, released a decade ago, which demonstrated the main problem infecting systems world wild.  Then, attackers finally turned towards the use of exploits.

CodeRed and Nimda worms would show how quickly attacks could spread on the Internet when exploiting remote vulnerabilities.  When I traveled to Europe in September of 2001 to visit the Virus Bulletin conference in Prague. I recall, the cab driver asked me, what kind of business I did, and I proudly said:

“I am a computer antivirus researcher.”

He quickly went on to say:

“Have you heard of Nimda, Admin backwards? It is all over the radio!!”

When he noticed that I had no idea what he talked about – I just landed in Prague a few minutes earlier, and the worm was actually released while I was in the air – he went on saying laughingly:

“What kind of security researcher are you?”

At that very moment, we both realized that the security world had dramatically changed. Then all other researchers at the conference talked to me about Nimda one by one. They all knew I was painstakingly analyzing every single variant of Win32 malware, carefully cataloging them, and giving them their names.  Then, the sudden explosion of these threats just happened, seemingly one day to the next.

The Conflicker worm recently demonstrated that essentially the same vulnerabilities are still with us. As a matter of fact, Conflicker uses some modules that were built years ago by the 29A virus-writing group, which is no longer, but their legacy is still with us.

Certainly, there is more to do to improve protection at both sides of the spectrum: at security vendors as well as at the end points by the companies themselves. We are working very hard to improve security for our users who can be rest assured that we have never, ever been more focused on delivering the best protection in the industry.

(1) The Art Of Computer Virus Research and Defense, published by Addison Wesley 2005.

Business Continuity & Disaster Recovery Expert John “Traenk” Traenkenschuh

In a recent interview with Lawrence Webber, we discussed the ‘hows’ and ‘whys’ of business continuity and disaster recovery planning.  This week, our Data Center Leaders Interview Series drives home the importance of this topic during our two part interview with John “Traenk” Traenkenschuh.

Budding author, book editor, and Information Technology worker at three Fortune 100 companies, John “Traenk” Traenkenschuh’s insight into business continuity and disaster recovery planning comes courtesy of years of real world experience.

For his time spent introducing students to Microsoft’s Visual Basic, Traenk has been awarded the Microsoft Most Valuable Professional (MVP) designation since 2004.   He has also authored  VCP VMware 310 Cert Flash Cards as a late stage exam preparation tool.

In part one of our interview below, Traenk demonstrates the value of business continuity and disaster recovery planning through a look at both the evolution and future of  these solutions:

Evolving Solutions:
You have extensive experience in the fields of disaster recovery and business continuity.  How would you describe the evolution of recovery and continuity solutions since you first entered IT?

John “Traenk” Traenkenschuh:
Circular, the path from older Business Resumption Planning (BRP) options to today’s BRP options seems to have gone in a circle.

In times past, well defined applications were housed on well maintained and highly available hosts.  This design simplified identifying both the critical applications and the business data (and important external datastores) being acted on.  Flash forward a decade or more, and the emergent client-server model has us splattering app bits and pieces all over an increasingly ‘splashed to the four winds’ technical infrastructure.

The UNIX server acts as a client to the z/Series, fetching a copy of Accounts Receivable from some obscure PDS and then acting on it.  The new generation of Accounts Receivable data results are now posted to a Windows 2000 server, where someone’s copy of excel, running on a PC, performs data transformations that a staff assistant posts as authoritative graphs of the organization’s Accounts Receivable status.  And this mix of platforms and informal accesses is driving business decision making!

Indeed, everyone applauds the data without realizing the BRP issues:

•    How can we secure that data (and transformations that occur) across so many network and SAN paths?
•    What constitutes ‘safe storage’ in this ad hoc design?  Are any of the data generations ever reckoned back to the z/Series?
•    Which devices are now promoted to our high-priority computer/application list, those systems that MUST be restored by hour four of our BRP planning?  (And are we really comfortable with important data being manipulated and stored on the Staff Assistant’s laptop, possibly misplaced by absent-minded baggage handlers???)

Now flash forward, again, to 2009.  The right application of virtualization technologies can alleviate many of the harms we thought unsolvable just a few years ago.  We begin centralizing the technical infrastructures into a handful of virtualization hosts.  The mandate to virtualize means the company begins alerting and responding to the ad hoc IT flows that flooded our 90’s networks.

Throw in Desktop virtualization, and even those sore-point endpoints, the thousands of laptops and desktops winking on and off the internal network (so-called ‘Intraverse’), these are now backed up reliably.  (No one is saying goodbye to fat clients with the new scheme either.)

This is the core premise of virtualization technologies, that we might begin returning to required centralized technical and governance structures, structures that allow the organization to meet regulatory requirements, to cut costs, and to begin adopting a more green footprint as hundreds of dedicated computers are folded into a handful.

Evolving Solutions:
What disaster recovery and business continuity solutions do you see emerging in the next 5 years?

John “Traenk” Traenkenschuh:
If the term ‘solutions’ equals IT technologies, I think we start poorly?  BRP has always been a practices and procedures discussion; one implemented through technology to be sure, but one that has never been about technology, per se.

I believe, strongly, that the regulatory pressures and economic costs of today’s IT infrastructures require increased virtualization.  This will begin normalizing the infrastructure, the applications, the data (and access methods—maybe, more on that below), etc.  This will impact BRP in several fundamental ways:
•    Technical infrastructure BRP plans must no longer mirror a fractured infrastructure/Intraverse, one that includes all known and planned flavors of linux, a few Macs in the warehouse, Billy-bob’s mobile phone app, and who-knows-what ancient systems lingering in any one building’s computer center.  We lessen the options and force updates.
•    ‘Stealth’ processing and data results will be identified, making system- and application-prioritization more reliable.  Much like the show, “Cash in the Attic”, virtualization forces us to check into all the dataflows and systems , if we are to achieve our goal.
•    Flows that are difficult to manage may go outside the organization.  Increasingly, internal IT shops are no longer required to host every website nor to code up each and every workgroup-level Word macro.  Some of the processing, lurking in baling wire informal technologies that often run on volunteer hardware, these may need to go elsewhere for support.

I see governance to governmental regulations (and business partner practices) increasing the pressure to change.  If IT organizations cannot get a handle on internal pressures to [mis]manage application design and basic information access, away from longtime informal practices; at some point some-to-all IT services may be moved to Cloud Computing organizations, who will reduce an complex IT equation to a true Software as a Service (SaaS) offering.

At this time, IT organizations are in flux regarding whether to build an internal virtualization infrastructure or whether to vFarm IT Out to a third party.  There are compelling reasons for and against building or sourcing your vFarm.

There may be a middle ground:  ‘enhanced resources’, those you and I call ‘Consultants’.  These will be tasked with mapping legacy organizational practice with externally dictated Best Practices, with the idea that there can be a smooth transition plan to a world-class IT infrastructure.  However, that is an expensive course; and as a former consultant, I know that there are some very insular organizations that will not transition until they must.

In my mind, the Enron, and now banking crises, have made regulatory oversight of most organizations inevitable.  Payment Card Industry (PCI) compliance requires security testing with world-class tools.  Although imperfect, this system anticipates all organizations submitting to third-party security audits.

Please remember that I had seven great years in the Insurance industry, at a premier company.  Insurance works, providing premium sufficiency, because industry members manage to common processes that examine the risk exposures faced by all.  In fact, if I can add one small point, I’m shocked that the world of IT security metrics STILL does not have data-driven risk experience models as sophisticated as those used in the insurance industry.

Ask most insurance pro’s the relative claim value of the loss of mechanic’s finger, and they can arrive at a figure, no matter how obscure the facts.  Ask an IT person the relative value of a hairball analysis application, running at a pet food company with 23% market share, and you will wait, despite so much business data near at hand.

The Center for Internet Security (www.cisecurity.org) has an intriguing system of metrics announced recently.  Mitre.org’s CVSS is some help.  But overall, much remains mysterious, although commodity virtualization infrastructures and service offerings may bring us to a more common understanding of the worth of systems and their data, should a disaster occur.

If readers would like a short list of trackable technologies, those aiding BRP, let me offer this one:

•    Security Information and Event Management (SIEM) – Thanks to responsible vendors publishing long lists of security best practices, (Microsoft and others) and to the work of responsible security think-tanks covering security for multi-vendor environments (Center for Internet Security and SANS (@ www.SANS.org)); many organizations have enabled all the logging we can.  In debug mode at that!  This has made incident response as difficult as finding the proverbial needle in a haystack [of event information].  How can you prioritize BRP responses for the important applications, when you cannot separate the security wheat from the chaff?

•    Virtualization Security (known by many names and techniques) – Now that vFarms are hosting our applications, either on-site or off-site, we need to track what goes on at the virtualization ‘back-plane’.  The reoccurring fear is that a hacker can use a virtualized machine’s (VM) security weaknesses to attack the hypervisor, and then use it as gateway to other VM’s.  Another fear is the ‘rogue’ vFarm administrator who does all manner of bad things, accidently or maliciously.  In this world, the vendors to watch are those virtualization vendors with a long history of security prowess and competent tools AND those security vendors who offer solutions for the virtualization layer and for those VM’s needing their host security tracked and alerted (CA and eTrust and others).  The lack of security API’s in many virtualization packages is a leveling factor; few tools can operate at the backplane layer.  But to be sure, configuration audit and management is still possible.  As security API’s are provided by the vendors, being aligned to a solid security vendor will provide valuable.

•    Risk evaluation tools – As mentioned before, there is a fundamental fuzziness to security evaluation that makes risk mitigation difficult, if not dangerously off-the-mark.  Once regulations and cyber-security governmental appointments begin leveling the playing field, we’ll see new, improved risk models and companion tools that make risk evaluation less subject to personal and professional biases.  Maybe.

•    Green IT Movement – Complementary to BRP is the Green IT Movement.  Whether the computers gain electrical efficiency or we find ourselves growing a more extensive IT intraverse on fewer systems, these factors impact BRP directly.  Uninterruptable Power Supplies may be cut back, either because of fewer/more efficient computers OR because we do not want to proliferate an IT environment full of lead-acid batteries belching hydrogen fumes, possibly spilling sulphuric acid during a disaster.   Computer room temperature control units may be scaled back because of fewer computers, improving BRP focus.  I recently read a toilet paper wrapper that proudly proclaimed that the energy used during production was generated through windmills!  Expect all organizations to be encouraged to offer similar claims to environmental sensitivity—and for reasonable adjustments to be made to our BRP plans.

Part 2 of our interview with discussing Business Continuity & Disaster Recovery with John “Traenk” Traenkenschuh, discussing the factors guiding continuity and disaster recovery planning, and tips for getting a plan started, will publish later this week.

Business Continuity & Disaster Recovery Expert Lawrence J. Webber

Ensuring your business has a solid disaster recovery and business continuity plan in place isn’t just good practice, it can be a valuable sales tool.  With this in mind, we interviewed Lawrence J. Webber for the latest post in our Data Center Leaders interview series.

Along with Michael Wallace, Webber is one of the co-authors of the acclaimed The Disaster Recovery Handbook: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets.

Below, we discuss the reasons for your business to develop a disaster recovery and business continuity plan, how to get started, and how to use these plans as sales tool in front of prospects:

Evolving Solutions:
What factors play most heavily in developing a continuity plan, for example, government regulations, client contracts, or something more?

Lawrence J. Webber:
Disaster recovery plans are required for government regulations to protect stockholders from a company’s collapse in the face of a disaster (such as loss of a data center, etc.)  Their goal is to quickly restore essential company activities.  Non-essential activities are restored over time.

Business Continuity plans (actions in case of the failure of a significant component) are usually driven by customer requirements.  A reputation as a reliable supplier is valuable sales tool.

Companies providing Just-In-Time materials must have provisions to ensure that they can reliably deliver the expected goods even in the face of a problem.  This could be a need to set up a second assembly line, a second factory or to provide duplicate equipment for all process bottlenecks.

No matter how low your price – no one will buy if you cannot reliably deliver.

Evolving Solutions:
What are the most common misconceptions in regards to what a business continuity plan should or should not entail?

Lawrence J. Webber:
1.     Business continuity plans belong to the Business Continuity Manager.  Business continuity plans actually belong to the process owners, because if the process fails and the plan does not address the problem, it is that process manager who will under the management spotlight.

Since it is their plan, they must ensure it remains up to date and that team members know their roles.

2.    That the Business Continuity Manager (BCM) will “go write us a plan”.  This person coordinates the authoring of plans by others.  The BCM does not fully understand the processes of the Accounting Dept., the materials management group, the engineering team, etc.  Each group must fully participate in the process.  They often imagine the BCM will trot through their offices and magically write a workable plan for each.

Evolving Solutions:
What tips would you offer for a business as it develops continuity plan for the first time?

Lawrence J. Webber:
Don’t feel overwhelmed.  The plan only addresses restoring the critical business functions – perhaps 20% of the total.  Take it in stages.  ID what is most valuable, write a disaster recovery plan, and then write a business continuity plan.

It costs nothing to gather the basic information into one place:

•    Recall list for all personnel (phone numbers, emails, etc.).  Verify quarterly (preferably by calling them. Roster of all vendors, what they supply, and a 24 hour contact number.
•    List of support contracts (contacted via the vendor roster) along with what they support, hours of support, contract number, etc.
•    Build a calendar for when each contract expires
•    Keys to everything, including network cabinets, closets, passwords to servers, etc.
•    Ensure that ALL data residing on data center storage devices is backed up and then promptly moved off site to a secure storage area.  Verify that these back ups work, know who can recall the data and how to do it.
•    Identify critical IT systems, and the primary and secondary support person for each.
•    Ensure each person is on the recall list
•    Identify the critical components for each (servers, peripherals, etc.)
•    Ensure these items are covered by vendor support agreements

Evolving Solutions:
Susan Snedaker,  Principal Consultant with VirtualTeam and author of Business Continuity & Disaster Recovery Planning For IT Professionals, identified as the three biggest mistakes when developing a continuity plan as “Not Creating A Plan,” “Not Getting Executive Buy-In,” and “Not Getting The Right People In The Room.”  What would you add to this list?

Lawrence J. Webber:
False confidence that once a plan is written, you are safe.  It must be regularly tested (perhaps quarterly) so that everyone knows their roles and that the plan reflects the current processes.  A plan sitting on a shelf is a snapshot in time.

Processes change, so do process tasks and staffing.  The document does not magically change by itself, and often no one bothers to inform the Business Continuity Manager.

Evolving Solutions:
How would you measure the chance of a newly launched company’s success, with or without, a disaster recovery or business continuity plan?

Lawrence J. Webber:
A disaster plan and a business continuity plan are only called into action when something goes wrong.  A new company with potentially excess capacity can disguise a disruption from a customer.  However, a well run company, tightly staffed, cannot disguise a disruption.  At best, they are tempting fate.

Evolving Solutions:
Wild Card: Anything else you’d like to add?

Lawrence J. Webber:
Disaster recovery is all cost.   Like insurance, you pay and pay but usually never need it (ie no disasters strike).

Business Continuity planning provides payback in resilient processes which result in more reliable cost estimates and product/service delivery. Green and Lean initiatives (such as virtualizing servers) also shortens recovery time.

Businesses today are finding themselves on a predatory quest to cut costs now, and in some cases, think about the ramifications to efficiency later.  Remarkably, strategies designed to lower data center costs are simultaneously designed to increase efficiency.

Evolving Solutions has gathered insight from top industry thought leaders designed to help our readers lower data center costs and improve efficiency.  Thought leaders, including Microsoft Global Strategist Toby Velte and FOCUS Consulting President Barb Goldworm, have contributed their insight to the Data Center Leaders interview series.   Below, are 5 data center cost avoidance tips from our thought leaders:

1.    Completely Reevaluate The Management Of Your Data Center: Today’s advances in technology, particularly green IT initiatives, offer tremendous potential to minimize consumption of current resources.  Per Microsoft Global Technology Strategist Toby Velte,  by reevaluating data center needs, including how much storage and speed is truly necessary, companies will become armed with the knowledge necessary to achieve sustained data center cost reduction in future projections.

2.    Server and Storage Virtualization: In the long run, virtualization is best for sustained cost reduction, states Omar Sultan, Senior Solution Manager for Data Center Switching at Cisco.  Virtualization, replacing physical servers with a virtual environment, lowers the total cost of server infrastructure, thereby lowering the total energy costs of a business overall.

3.    Move to Blade Systems: Blade systems, self-contained computer servers designed for high data density, can increase your efficiencies in power and cooling, per Barb Goldworm, President and Chief Analyst at FOCUS Consulting.   The amount of servers common in a data center have oftentimes led to power consumption concerns as these large servers must run in a temperature controlled environment.  By minimizing the heating and cooling costs necessary for a  data center, blade centers minimize the heating and cooling costs for a business as a whole.

4.    Go Green: “Organizations are finding that there simply is no more power available to them unless they pay to build the generation plants necessary to support them,” shares Dan Kusnetzky, ZDNet contributor and founding partner of the Kusnetzky Group. It can be tempting to see the green movement as just another fad, but at the end of the day, it is about saving power costs by utilizing more energy efficient technology, such as virtualization, and little else.

5.    Have a Disaster Backup and Data Recovery Plan: “If your server room imploded, what would you do?” asks Susan Snedaker, Principal Consultant with VirtualTeam.  The likely answer is, you would pay – and pay any amount – to get your critical data back.  Disasters happen, and to recover will cost money. By developing a disaster backup and data recovery plan in advance, however, companies can mitigate much of the desperation costs involved with recovery.

Offered to steer your business in the right direction, the cost avoidance tips provided in our Data Center Thought Leaders interview series illustrate ways your businesses can achieve cost cutting initiatives without sacrificing efficiency or productivity.

If you have more tips to share, we welcome your insight and invite you to share via a comment below.