19 Jan 2012
Not many people read IT disaster recovery (DR) plans for pleasure but these documents are often far more insightful than the organisation’s annual report. That’s because the quality and scope of the DR plan instantly reveals the company’s relative priorities, levels of resource investment and commitment to business continuity planning.
At the very least, a robust, up-to-date and proportionate IT disaster plan shows not only that somebody cares enough to try and keep the wheels of industry turning but has also put adequate measures in place to minimise the risks of unexpected IT failure.
Of course, the interpretation of ‘adequate measures’ will always vary from organisation to organisation, according to local needs and resources, because there is no cookie-cutter model (one size fits all) for disaster recovery.
Nevertheless, some fundamental principles do apply, regardless of organisation size and scale, which means that Small and Mid-Sized Businesses (SMBs) face very similar DR challenges to those of their larger counterparts. Even the smallest SMB needs to take some steps to protect the integrity of its business systems when things go wrong.
A Freeform Dynamics study that focused on organisations with between 50 and 1,000 employees shows that SMBs generally care about IT disaster recovery and proactively establish DR measures, even if they don’t always describe them in such terms. However, the research also highlights some gaps and shortfalls in disaster recovery capability, which respondents readily acknowledge. Having said this, only 20% of SMBs indicated that investing in DR improvements would be considered as high priority spending:

The chart above is one of a number from the aforementioned research which tell us that a good proportion of SMBs are well aware of their DR challenges but most can’t afford to throw money at the problem areas, particularly in a difficult economic climate.
But that shouldn’t stop them taking a fresh look at their disaster recovery plans, not only to see if there are any affordable opportunities for incremental improvements in key areas, but also to check that any previous plans remain properly aligned with their systems portfolio and infrastructure. Chances are that some re-alignment may be necessary, particularly if business systems, IT infrastructure or services have been changed or introduced since the last DR review.
It’s also vital to pay specific attention to any changes in business priorities, working practices (such as growth of remote/mobile working), service delivery models or service providers, because these will all directly affect the business continuity and disaster recovery requirements.
Likewise a previously suitable mix of DR tools, techniques and technologies might now benefit from a rethink. SMBs may find that the falling cost of storage, the mainstream readiness of virtualisation technology and the maturation of third-party hosting services (including Cloud) offer real benefits of cost and timeliness, in terms of better IT resilience and recovery, when compared with a ‘traditional’ DR approach, such as offsite tape backup and recovery.
Perhaps, though, the biggest challenge for a smaller business is in knowing what ‘effective’ DR and good business continuity planning looks like in practice. This is where awareness of what works well elsewhere can be invaluable.
In an attempt to flush out some of the ‘best practices’ for SMB disaster recovery, our analysis of the research sample divided the interview respondents into two groups: a) those with comprehensive/good IT DR, and b) those with inadequate/poor IT DR capabilities.
On comparison of the two groups we saw some significant differences, with seven specific characteristics, or behaviours, that appear to stand out as ‘enablers’ of better DR performance.
Some of these enablers, such as inclusive planning (i.e. ensuring that IT disaster recovery planning is fully co-ordinated with general business continuity plans for people and process) and the prioritisation/funding of DR investments, are hardly surprising because they represent the fundamental points of entry to effective DR anyway.
However, other enablers identified in the research may be less obvious to an SMB hoping to improve IT disaster recovery capability. These include the use of alternative storage media and advanced DR solutions, such as Continuous Data Protection (CDP) which facilitates rollback or recovery to a particular point in time – extremely useful if a key data store has become compromised, or otherwise invalidated by application or user error.
For a full discussion of the effective DR enablers and more information on this topic, you can download the full research report here.
Colin Beveridge, Principal Analyst, Freeform Dynamics
30 Nov 2010
Some back-to-front thinking in evidence?
One of the most frequent concerns about cloud is security. Andy Buss and I were discussing this the other day as part of a research scoping exercise. We are currently designing a study to look at the risk related aspects of Software as a Service (SaaS).
Something we always try to avoid in our research and analysis is falling into the trap of generalising too much. In this case, it was important to acknowledge that businesses vary significantly in terms of their risk sensitivity, e.g. based on the degree to which they are regulated, the amount of confidential or personal information they handle, their operational dependency on IT, and their general risk awareness. Attitudes to security therefore range from extreme paranoia at one end to total complacency on the other. And even within a given organisation, some systems and data will be regarded as highly sensitive, and others will not.
The logic then goes that categorisation of applications based on their risk profile is a good place to start when considering which requirements lend themselves more to cloud based deployment from a security perspective.
So far so good, but then the conversation with Andy got really interesting.
The unspoken working assumption to this point was that application profiling would allow organisations to identify low risk candidates for initial cloud activity. To put it another way, if you're concerned about the hosted services model representing a security risk, then gain some initial experience with less sensitive applications for which security is less of a consideration.
The trouble is that for many small and mid-sized businesses, it could be argued that such advice would be flawed. Whatever the current perception, the reality is that a reputable service provider will almost certainly be able to manage application access and information security better than the majority of smaller businesses (and arguably many larger ones), so data and transactions would probably be a lot more secure in a third party hosting environment. The reasoning here is not rocket science, even though it may not be obvious to many. Service providers have the economy of scale to justify investment in top-notch technology and skills in a way that SMBs, with the best will in the world, could only dream of.
As responsible analysts, perhaps we should therefore be turning the logic on its head and advising at least some organisations to prioritise putting their most sensitive rather than least sensitive applications and data sets in the cloud first. While the original opposite view might be intuitively appropriate, that would be simply pandering to ignorance and ill-considered prejudices.
At this point, I can almost hear the abuse being directed at whatever medium you are reading this on – “Bloody naïve ivory tower analysts that have never done a real day’s work in the real world giving us bloody stupid advice about putting our most sensitive data into the hands of ‘fly-by-night’ cloud upstarts? They should get themselves a proper job and stop writing such crap”.
Then again, maybe this line of reasoning has got you thinking, which to be honest, is all I am trying to achieve.
In the real world, of course, it’s not legitimate to provide sweeping advice like the above. But neither does it make sense for those in IT to make sweeping generalisations about whether cloud services are or aren’t a good idea, on security or any other grounds. The point is that it needs some thinking about, and sometimes the most obvious conclusion can prove to be incorrect in many scenarios.
It’s for these kinds of reasons that one of my other colleagues, Tony Lock, and I put together a paper entitled “Applied Cloud Computing: A practical guide to identifying the potential in your environment”. In many respects, this was a reaction to all of the generalised opinion we hear on both sides of the house, as both the evangelists and the sceptics are guilty of the same crime in this respect.
The reality is that it’s all about context, and what’s appropriate or meaningful in one situation could be a total non-starter in others. Then there are those grey areas where it’s difficult to call it either way. With this in mind, after almost a quarter of a century in IT, I am still waiting for an example of a technology or approach that is universally right or wrong regardless of the circumstances.
Meanwhile, if you are interested in a more practical treatment of cloud computing, including some down to earth thoughts about security, integration, management and the general impact on the IT department, you can download the abovementioned paper from here.
By Dale Vile, MD at Freeform Dynamics.
About Mainstream Matters blog
Insights and intelligence from analyst Freeform Dynamics