Data Protection - Backup and Disaster Recovery FAQs


Data loss is an error condition in IT systems in which information is destroyed by failures or neglect in storage, transmission, or processing. IT systems implement backup and disaster recovery equipment and processes to prevent data loss or restore lost data.
The cost of a data loss event is directly related to the value of the data and to the length of time for which it is needed but unavailable. Consider:
- The cost of continuing without the data
- The cost of recreating the data
- The cost of notifying users in the event of a compromise
Data loss prevention can rarely be guaranteed. However, the frequency and impact of data loss can be greatly reduced by taking proper precautions. Different types of data loss demand different types of precautions. For example, multiple power circuits with battery backup and a generator will only protect against power failures. Similarly, a journaling file system and RAID storage will only protect against certain types of software and hardware failure. Regular data backups are an important asset when recovering from a data loss event, but they do little to prevent user errors or system failures.
A well-rounded approach to data protection has the best chance of avoiding data loss events. Such an approach also includes mundane tasks such as maintaining antivirus protection and network firewalls, and staying up to date with all published security fixes and system patches. User education is probably the most important, and most difficult, aspect of preventing data loss. Nothing else will prevent users from making mistakes that jeopardise data security.


Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to a business after a natural or human-induced disaster. Prior to selecting a disaster recovery strategy, a disaster recovery planner should refer to their organisation's business continuity plan, which should indicate the key metrics of recovery point objective (RPO) and recovery time objective (RTO) for various business processes (such as the process to run payroll, generate an order, etc.). The metrics specified for the business processes must then be mapped to the underlying IT systems and infrastructure that support those processes. Once the RTO and RPO metrics have been mapped to IT infrastructure, the disaster recovery planner can determine the most suitable recovery strategy for each system.
Note, however, that the business ultimately sets the IT budget, so the RTO and RPO metrics need to fit within the available budget. While most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection may make the desired high availability solutions impractical.
The following is a list of the most common strategies for data protection.
- Backups made to tape and sent off-site at regular intervals
- Backups made to disk on-site and automatically copied to off-site disk, or made directly to off-site disk
- Replication of data to an off-site location, which overcomes the need to restore the data (only the systems then need to be restored or synchronised). This generally makes use of storage area network (SAN) technology
- High availability systems which keep both the data and system replicated off-site, enabling continuous access to systems and data
In many cases, an organisation may elect to use an outsourced disaster recovery provider to provide a stand-by site and systems rather than using its own remote facilities.
In addition to preparing for the need to recover systems, organisations must also implement precautionary measures aimed at preventing a disaster in the first place. These may include some of the following:
- Local mirrors of systems and/or data and use of disk protection technology such as RAID
- Surge protectors — to minimize the effect of power surges on delicate electronic equipment
- Uninterruptible power supply (UPS) and/or backup generator to keep systems going in the event of a power failure
- Fire prevention — alarms, fire extinguishers
- Anti-virus software and other security measures


Data is critical to the running of most businesses. If a business is unsure of the best ways to protect its data, it is essential that it talk to an outside IT expert who can advise it and devise a strategy for data backup and recovery in the event of a disaster.
- The more important the data stored on the computer, the greater the need to back it up.
- A backup is only as useful as its associated restore strategy. For critical systems and data, the restoration process must be tested.
- Storing the copy near the original is unwise, since many disasters such as fire, flood, theft, and electrical surges are likely to cause damage to the backup at the same time. In these cases, both the original and the backup medium are likely to be lost.
- Automated backup and scheduling should be considered, as manual backups can be affected by human error.
- Backups can fail for a wide variety of reasons. A verification or monitoring strategy is an important part of a successful backup plan.
- Multiple backups on different media, stored in different locations, should be used for all critical information.
- Backed-up archives should be stored in open and standard formats, especially when the goal is long-term archiving. Recovery software and processes may have changed, and software may not be available to restore data saved in proprietary formats.
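
The verification and restore-testing points in the list above, as an added example that is not part of the original page: it records a SHA-256 manifest at backup time, writes a plain tar archive (an open, standard format), then reads every file back out of the archive and compares digests. The function names, file names and sample data are constructed for illustration.

```python
import hashlib, os, tarfile, tempfile
from pathlib import Path

def make_backup(root, archive):
    """Archive root as plain tar; return a manifest {relative path: SHA-256}."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for dirpath, _, files in os.walk(root):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                tar.add(path, arcname=rel)
                with open(path, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def verify_backup(archive, manifest):
    """Read every file back out of the archive and compare it with the manifest."""
    report = {"unreadable": None, "missing": [], "corrupt": [], "unexpected": []}
    seen = {}
    try:
        with tarfile.open(archive, "r:*") as tar:
            for member in tar:
                if member.isfile():
                    data = tar.extractfile(member).read()
                    seen[member.name] = hashlib.sha256(data).hexdigest()
    except (tarfile.TarError, OSError, EOFError) as exc:
        report["unreadable"] = str(exc)  # truncated or damaged container
    for rel, digest in manifest.items():
        if rel not in seen:
            report["missing"].append(rel)
        elif seen[rel] != digest:
            report["corrupt"].append(rel)
    report["unexpected"] = sorted(set(seen) - set(manifest))
    return report

def demo():
    """Back up a constructed two-file tree, then damage one file inside the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "hr").mkdir(parents=True)
        (src / "hr" / "payroll.csv").write_text("employee,amount\nalice,4200\n")  # constructed
        (src / "orders.txt").write_text("order-1001 shipped\n")                  # constructed
        archive = Path(tmp, "backup.tar")
        manifest = make_backup(src, archive)
        clean = verify_backup(archive, manifest)
        # Simulate silent media corruption: tar checksums cover headers, not file data.
        archive.write_bytes(archive.read_bytes().replace(b"alice,4200", b"alice,9200"))
        return clean, verify_backup(archive, manifest)
```

Store the manifest separately from the archive so that a single failure cannot damage both; a scheduled job can alert whenever any field of the report is non-empty.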




