07-31-13 | Blog Post
The following is an excerpt from our Disaster Recovery white paper that explains different disaster recovery and offsite backup technical solutions, from traditional to virtualization (cloud-based disaster recovery), as well as considerations in seeking a disaster recovery as a service solution (DRaaS) provider.
A case study of the switch from physical servers and traditional disaster recovery to a private cloud environment details the differences in cost, uptime, performance and more.
This white paper is ideal for executives and IT decision-makers seeking a primer as well as up-to-date information regarding disaster recovery best practices and specific technology recommendations.
Sending data offsite ensures a copy of your critical data is available in the event of a disaster at your primary site, and it is considered a best practice in disaster recovery planning. There are several offsite data backup media options available, including the traditional tape backup method that involves periodic copying of data to tape drives that can be done manually or with software.
However, physical tape backup has its drawbacks, including read or write errors, slow data retrieval times, and required maintenance windows. With critical business data from medical records to customer credit card data, your organization can’t afford to risk losing archives or the ability to completely recover after a disaster.
According to NIST, the different types of data backups include:
For more about specific offsite backup technology, read section 5.4 SAN-to-SAN Replication and SAN Snapshots.
Outsource vs. In-Source
Outsourcing your offsite backup to a managed services provider can provide your organization with continuous data protection and full file-level restoration, and offload the burden of installing, managing, monitoring as well as complete restoration after a disaster.
With a vendor, your encrypted server files are sent to an onsite backup manager (primary site), which are then sent to a secondary, offsite backup manager, ideally far enough apart to reduce the chances of the secondary site being affected by the same disaster or interruption.
While offsite backup managed in-house can be costly due to building out, maintaining and upgrading both primary and secondary sites, outsourcing your offsite backup to professionals means you can take advantage of their investments in capital, technology and expertise.
As NIST (National Institute of Science and Technology) states, backup media should be stored offsite or at an alternate site in a secure, environmentally controlled facility. An offsite backup data center should have physical, network and environmental controls to maintain a high level of security and safety from possible backup damage.
Physical security at a data center means only authorized personnel have limited access to client servers, and the facility itself should require dual-identification control access (through the use of a secondary identification device, such a biometric authentication that requires a fingerprint scan). Environmental controls should include 24×7 monitoring, logged surveillance cameras and multiple alarm systems.
Any sensitive infrastructure should be protected by restricted access, and redundancy in routers, switches and paired universal threat management devices should provide network security for your offsite backup data.
Vendor Selection Criteria
When vetting offsite backup and disaster recovery vendors (also known as disaster recovery as a service, or DRaaS) check certain criteria to ensure your data is protected. Look for certain security certifications, compliance, communication styles and technology when comparing offsite backup providers, as well as the basic disaster recovery criteria of geographic area, accessibility, security, environment and costs discussed in section 5.2 Location for Disaster Recovery.
One way to gain assurance of an offsite backup/data center provider’s security practices is to inquire about their industry security and compliance reports.
Vendors that have invested the significant time and resources toward building out and meeting regulatory requirements for operating excellence and security practices will have undergone independent audits. They should also be able to provide a copy of their audit report under NDA (non-disclosure agreements).
Look for these data center audit compliance reports: