From backup to business continuity: How to stay prepared


According to Gartner, an incident involving a service interruption costs an average of 4,595 euros per minute. When we look more closely at company sizes, the average cost of this type of incident is 45,130 euros for a small business and 74,670 euros for an SME*. In addition to the financial impact, a computer failure or disaster can temporarily or permanently harm your customers’ data. Such losses would be dramatic for your company's reputation.

 

    Context and market situation

    Preparedness - Response - Recovery - Mitigation

    Over the past 12 years, the use of replication technologies, multi-site datacentre architecture, public cloud storage and DRP implementation has increased significantly. However, only 38% of those surveyed by Forrester in 2019 say they are fully prepared for an incident**. And for the most part, large companies are better organised than small to medium-sized companies.

    There are several reasons why professionals plan to implement a DRP. The main one, cited by 54% of respondents, is the wish to stay online 24 hours a day. This is a huge challenge, especially for e-commerce companies.

    It is important for organisations to improve the availability of their critical applications (for both themselves and their customers). Furthermore, the financial impact of downtime for services is also an important factor to keep in mind.

     

    To meet these needs, organisations should:

    • Perform regular and recoverable backups of their data.
    • Establish a realistic and effective DRP strategy for their business.

    Backups and replication

    This is the foundation for protecting your business. With backups, you can avoid losing both your data and your customers’ data. Backups provide a solid foundation for your business, and are useful in a number of situations. These include hard drive damage, hacking, natural disaster or even human error.

    What is a good backup?
    An effective backup means your data can be recovered quickly and easily in the event of an incident.
    Restoring these backups is the most important element.

    According to Veeam, our partner, the optimal backup strategy is the “3, 2, 1” principle.

    This means:

    • Having 3 copies of your data.
    • These copies should be stored on 2 different media to avoid loss, corruption or hacking.
    • 1 copy should be stored on another site (in the event of an incident at your company headquarters).

    With this strategy, you can protect yourself against the vast majority of data loss risks — which can occur in several cases.

    To give you a better idea of this backup strategy, we can take company X as an example. Company X is an SME running an online store, where customers order kits to create their own coffee capsules. It therefore produces critical information that it must protect, such as its customers’ personal data. To do this, it has chosen to create:

    • A backup of its data in Paris, on a server and an external hard disk.
    • Another backup on a remote server, located in Lille.

    In the event of an incident on the Paris site, the data can be found on the server in Lille. Although the chances of such an incident occurring are minimal, if both servers are destroyed, the external hard drive can be used to restore the data on a new server. This minimises the risk of losing data because every copy sits on the same site or the same medium.
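
    The 3-2-1 check and the two loss scenarios described for company X, as an added example that is not part of the original page. The inventory, the `Copy` type and the function names are constructed for illustration, and the three copies are counted exactly as the text lists them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    site: str    # physical location of the copy
    medium: str  # type of storage medium

# Constructed inventory modelling company X from the text above.
COMPANY_X = [
    Copy("paris-server", "Paris", "server"),
    Copy("paris-external-disk", "Paris", "external-disk"),
    Copy("lille-server", "Lille", "server"),
]

def check_321(copies, primary_site):
    """Evaluate each clause of the 3-2-1 rule separately."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.site != primary_site for c in copies),
    }

def survivors(copies, lost_sites=(), lost_media=()):
    """Names of copies still usable after losing whole sites or media types."""
    return [c.name for c in copies
            if c.site not in lost_sites and c.medium not in lost_media]

def single_points_of_failure(copies):
    """Sites or media whose loss alone would leave no copy at all."""
    spof = []
    for site in sorted({c.site for c in copies}):
        if not survivors(copies, lost_sites=(site,)):
            spof.append(("site", site))
    for medium in sorted({c.medium for c in copies}):
        if not survivors(copies, lost_media=(medium,)):
            spof.append(("medium", medium))
    return spof

if __name__ == "__main__":
    print(check_321(COMPANY_X, primary_site="Paris"))
    print("Paris site lost   ->", survivors(COMPANY_X, lost_sites=("Paris",)))
    print("both servers lost ->", survivors(COMPANY_X, lost_media=("server",)))
    print("single points of failure:", single_points_of_failure(COMPANY_X))
```

    Running the same functions on an inventory where every copy sits on one server in Paris reports both the site and the medium as single points of failure.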

    For cloud architectures, our customer YetiForce has set up a full backup system. It enables users to recover quickly from an incident, by making different copies of their data on dedicated servers that are used for this purpose. These copies are located in a remote datacentre. The system performs weekly, daily, and 30-minute backups, depending on the type of data to be protected.

     

    Another effective backup mechanism is data replication. It can be performed in real time, and can be used to create copies in different datacentres. This way, in the event of an incident in one datacentre, the data is still active in the others.

    As an example, we can look at our customer, ForePaaS:

    Their cloud management platform data is replicated in real time in three datacentres, one of which is located on another continent (North America). This way, if one of the sites experiences a major incident, the company can retrieve its data from another. They will then be able to restart their activity without delay.

    However, a backup system is just a tool to protect you against data loss. Even though it forms the basis for your business continuity, it’s still important to plan what actions you need to take in advance. This way, you can get your services back up and running again.

    Disaster Recovery Plan (DRP) strategy

    The DRP defines the business processes to be set up in order to get your business back up and running. Important indicators for defining DRP strategies are:

    RPO vs RTO
    • The RPO (recovery point objective). This term refers to the maximum allowable data loss. It is measured as a period of time, and is generally tiered as follows: no data loss, 1, 4 or 24 hours of data.
    • The RTO (recovery time objective). This refers to the maximum time that an application can remain down before it is restarted. The RTO is tiered in a manner similar to the RPO: no delay, 1, 4 or 24 hours.

    These indicators must be pre-defined based on the criticality of the data affected by an incident. As an example, we can look at company X. It has three types of applications that each require a different disaster recovery plan. First, a banking data application, which cannot afford downtime or data loss. Then its institutional site, which is essential but not critical. Finally, its application for booking meeting rooms, also non-critical. The company adopts a different DRP depending on the application.

    How to adapt your disaster recovery plan

    Critical application (RPO = 0 & RTO = 0)

    The company cannot function without these applications.

    It runs its application:

    • In 2 datacentres.
    • Located several kilometres apart (+100 km).
    • Data is synced between the two locations.
    • Backups are placed in a third datacentre.

    Essential application (RPO > 1 hour & RTO > 4 hours)

    The company can function without these applications, but not for more than an hour.

    It runs its application:

    • In a primary datacentre.
    • The data is replicated in a second location, several kilometres apart (+100 km).
    • Backups are located in a third datacentre.

    Non-critical application (RPO > 24 hours & RTO > 24 hours)

    The company can function without this application for more than a day.

    It runs its application:

    • In a datacentre.
    • Data backups are located in a second datacentre.

    It will therefore use the backup data to restore the application to the second datacentre if the first is down.
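
    One way to check an incident or a DR test against the RPO and RTO of each tier, as an added example that is not part of the original page. The timeline is constructed, the function names are illustrative, and reading the page's "RPO > 1 hour" as an objective of 1 hour is an assumption.

```python
from datetime import datetime, timedelta

# (RPO, RTO) per tier, taken from the tiers above. Reading "RPO > 1 hour"
# as "the objective is 1 hour" is an assumption of this example.
TIERS = {
    "critical":     (timedelta(0),        timedelta(0)),
    "essential":    (timedelta(hours=1),  timedelta(hours=4)),
    "non-critical": (timedelta(hours=24), timedelta(hours=24)),
}

# Constructed timeline: recovery points every 30 minutes from 08:00 to 12:00
# (or one daily backup at 02:00), incident at 10:47, service restored at 13:15.
DAY = datetime(2024, 1, 15)
POINTS_30MIN = [DAY + timedelta(hours=8, minutes=30 * i) for i in range(9)]
POINTS_DAILY = [DAY + timedelta(hours=2)]
INCIDENT_AT = DAY + timedelta(hours=10, minutes=47)
RESTORED_AT = DAY + timedelta(hours=13, minutes=15)

def achieved_rpo(recovery_points, incident_at):
    """Data-loss window: incident time minus the last recovery point before it."""
    usable = [p for p in recovery_points if p <= incident_at]
    return incident_at - max(usable) if usable else None  # None: nothing to restore

def evaluate(tier, recovery_points, incident_at, restored_at):
    """Compare one incident (or DR test) with the objectives of a tier."""
    rpo_target, rto_target = TIERS[tier]
    rpo = achieved_rpo(recovery_points, incident_at)
    rto = restored_at - incident_at
    return {
        "achieved_rpo": rpo,
        "achieved_rto": rto,
        "rpo_met": rpo is not None and rpo <= rpo_target,
        "rto_met": rto <= rto_target,
    }

if __name__ == "__main__":
    for tier in TIERS:
        for label, points in (("30-min", POINTS_30MIN), ("daily", POINTS_DAILY)):
            r = evaluate(tier, points, INCIDENT_AT, RESTORED_AT)
            print(f"{tier:13} {label:7} RPO met={r['rpo_met']} RTO met={r['rto_met']}")
```

    With this timeline the 30-minute schedule satisfies the essential tier, the daily schedule misses its RPO, and neither satisfies the critical tier, which is why that tier relies on synchronised data in two datacentres rather than on backups.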

     

    To help our customers set up their DRP, we offer partner solutions. For example, Partitio offers different models of disaster recovery plans to its users. They are based on solutions for manual backup and replication by Veeam, with automatic replication via Zerto.

    The DRP helps you minimise the impact of incidents on your business, and minimise data loss resulting from temporary service interruptions. However, some types of companies, such as banks or IT service providers, cannot afford downtime. They must offer online services at all times. This involves building a resilient infrastructure to remain accessible, regardless of any issues.

    Our customer KBRW, which offers cloud-native SaaS solutions to retail and logistics companies, maintains that building resilient infrastructures is the goal for a company’s security. However, implementing and maintaining an effective disaster recovery plan is an ongoing process. The plan must be tested and updated regularly, because your IT solution portfolio and infrastructure are constantly changing, and this affects your security requirements.

    “[...] Resilience should be seen as a global approach within the company. It is by no means the sole responsibility of IT or security experts. From a company perspective, it’s important to build a culture of IT risk management — and this culture should be fostered from the lowest to the highest levels. Each employee should be aware of their role and responsibilities in this overall strategy. To successfully implement an IT resilience plan, it is essential to start with a realistic potential risk assessment. It must be conducted on a regular basis. We usually recommend running it every 6 months on all of the critical points in your system.”

    Arnaud Wetzel, co-founder and CTO of KBRW, and Ronan Garet, Site Reliability Engineer

     

    Your business continuity

    A disaster recovery plan enables you to react to an incident. Business continuity planning includes actions to be taken before, during and after this event. This is to maintain your services, and ensure that your business can carry on functioning in the best possible conditions.

    This planning is based on three factors:

    • Transparent communication about the possible crisis on the channels available to you, such as emails, social networks or the press. Keep your employees, customers and partners informed of the incident resolution progress, and let them know when it is complete.
    • Establishing an action plan for your employees in the event of an incident. They need to know what to do, and who to contact. Ensure that they are regularly updated on planning and security policy changes, for example.
    • A resilient IT infrastructure is the best way to keep your services online under all circumstances. This will avoid any losses or costs associated with service interruptions.

     


    Business continuity is the goal. Planning procedures to follow will help you deal with most situations that impact your business. Our partners, such as Thales and Capgemini, can provide you with consulting services to help you set up a DRP or business continuity plan.

    “[...] the first step to take involves properly identifying your resilience needs, depending on the hosted service. Each service’s level of criticality must be defined, along with the risk involved in the event of an availability issue. Once we have completed this assessment, we enter the design phase of the architecture, looking at all the elements identified during the assessment phase. [...] We can identify three different infrastructure plans that the customer needs to work on to ensure resilience:

    • Resilience of the production infrastructure.
    • Backup implementation.
    • DRP implementation.

    These solutions must of course be secure, to ensure that all customer data is kept under lock and key.”

    Jean-Charles Ferrand, Managing Director of Partitio

     

     

    *According to a study conducted by software publisher CA Technologies.

    **Source: The State Of Disaster Recovery Preparedness In 2020, Forrester Research, Inc., 24 August, 2020.