For anyone working in IT, business continuity normally boils down to one thing –­ disaster recovery, and all the related technologies designed to help organisations get their critical processes back online in the event of a serious disruption.

Complex combinations of data backup and management, offsite replication, application failover and server mirroring invariably form the bedrock of disaster recovery strategies in large enterprises.

But in many instances, safeguarding business operations can be as simple as protecting a server with an uninterruptible power supply (UPS) to maintain data and application availability in the event of a power cut, or at least allow for a safe shutdown that avoids data corruption and makes systems easier to bring back online.

Different approaches to disaster recovery have evolved with advances in network, storage and data management technology, but one that has come to the fore in recent years is online backup. Most, if not all, IT managers used to back up their systems either to another computer or to removable media that was then stored in a safe place, but increasing numbers are now sending backups electronically to remote repositories.

“There is definitely a move to online backups, though an awful lot of organisations still rely on the white van coming every evening to remove the backup tapes,” says Graham Titterington, principal analyst at researcher Ovum.

Online backup usually involves data being encrypted before being transmitted to a secure offsite location, often a datacentre hosted by a third-party provider. Though good wide area network (WAN) connections are essential to ensure reliable backup and retrieval, there is little day-to-day management involved. This means online backup is particularly attractive to organisations with limited in-house IT support resources.

Some companies prefer technologies that replicate or mirror mission-critical servers to a recovery network, often using continuous data protection (CDP), which transmits snapshots of change to the protected data set at pre-defined intervals. The replicated data is again hosted in an offsite datacentre. A virtual private network (VPN) is often used to connect the two sites for added reliability, security and speed of recovery.

“WANs based on iSCSI are starting to remove the distance limitations associated with traditional Fibre Channel (FC) technology,” says Titterington. “Organisations based in the City of London have realised it may not be a good idea backing up to a datacentre in Docklands, for instance, and iSCSI allows them to replicate to one in Newcastle.”

Server virtualisation is having a big effect on the way that companies approach disaster recovery. Software from the likes of VMware and Microsoft make it relatively straightforward to migrate active virtual machines (VMs) from one server to another to take the strain should others go down, while creating and booting up new VMs from scratch can take a matter of seconds in some cases.

Nor is it just data that can be protected in this way – ­ the applications and processes running on a server can also be reinstated from a virtual machine more quickly and often at lower cost than if they were hosted on a physical system replica.

“The big advantage of virtualisation in disaster recovery is that you do not need an identical server hardware configuration to replicate the system, which includes the data and the applications,” says Titterington. “This makes it a lot easier for organisations to share backup data across distributed environments.”

Virtualisation can also make disaster recovery plans much easier to test, because unlike physical servers they do not require hardware to be shut down to simulate a disruption. This is particularly advantageous in distributed environments where remote access tools might otherwise be needed to power down physical servers located in branch offices, for example.

Data retention regulations

As the cost of disk-based storage has plummeted, the trend for moving data backups away from traditional tape and onto hard disks has accelerated. Meanwhile, more organisations are installing complex tiered data storage systems that are designed to help comply with rules and regulations governing data retention.

The key element here is not the hardware, but the storage management software that enables IT managers to identify mission-critical information, see how often it is accessed and by whom, and decide whether current rules mean it should be kept on hard disk for fast access or archived onto slower tape-based storage.

Because offsite replication and backup technologies rely so heavily on the network, software to monitor network health, performance and bandwidth is an essential ingredient. Not only does network performance and application management software keep a close eye on the systems and processes running across the network to quickly identify and flag up problems, they can also help the IT department to monitor their WAN and managed backup service level agreements (SLAs).

While business continuity is obviously intertwined with IT disaster recovery, it is important to remember that technology can only go so far towards minimising the impact of any disruption.

Business continuity needs to be seen as a business issue rather than just an IT problem, but getting managers to appreciate this can be difficult, according to Neil O’Connor, principal consultant at Activity, an independent information security consultancy firm specialising in risk assessment and business continuity planning.

“A real disaster is if the payroll system goes down, for example. It is not an IT system per se, but it is still critical and we advise organisations to keep a paper copy of last month’s payroll offsite, for example. Most businesses will say the most important thing is their cashflow, and any business continuity plan needs to look at how that cashflow is being affected,” he says.

It is crucial to understand the precise nature of the business before formulating any plan, not least because hard decisions about the systems and processes that need to be protected first will have to be made.

“If you are going to pick and choose, there needs to be a business impact analysis that looks at what is most critical in terms of urgency and getting the organisation back up and running,” says Isobel Nicholas, a consultant at Steelhenge Consulting, which advises public- and private-sector organisations on business resilience.

This is especially true where limited time or budget means that an organisation cannot afford to implement a business continuity strategy across its entire infrastructure in one go.

“Business continuity seems like a huge task, but it can be a scalable process if you decide to take a pragmatic, common-sense approach. It depends on the nature of the organisation, but identifying a specific part of the business that really is critical to getting services or products out of the door and protecting that is better than doing nothing at all because you do not have the resources for a comprehensive programme,” says Nicholas.

Thinking carefully about where to site datacentres – ­ away from flood plains, airports and major road or rail junctions where disasters are more likely to strike, for example – ­ is one practical step. But first, IT managers have to consider just what it is they are trying to protect and whether it is worth the effort.