SMB Requirements for Backup and Disaster Recovery
Small and medium-sized businesses have a variety of different requirements when it comes to backup and disaster recovery. When disaster strikes, whether it be a hurricane, a ransomware attack, a network or disk failure, what is most important? Some businesses can’t afford to lose any data. An e-commerce or trading business cannot afford to lose hours of transactions when a database server is destroyed in a flood.
Other types of businesses need their critical computing capabilities to be available during emergencies that take primary systems down. A hospital, for example, cannot afford to lose access to patient records for even a few minutes when a network failure takes down access to their data center. The metrics used to quantify requirements like these are RPO and RTO.
RPO and RTO
Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are important parameters that help us understand the backup and disaster recovery needs of an SMB. RPO limits how far back in time you have to roll back when disaster hits. For example, an RPO of 2 hours means that if disaster strikes at 12 noon, you will be able to recover all the data up until 2 hours earlier - 10 am. Typically, an e-commerce or trading business needs a very low RPO.
RTO limits how long it takes to get back up and running. An RTO of 2 hours means that if your primary systems go down at 12 noon, you can have them up and running again within 2 hours - by 2 pm. Typically, a hospital needs a very low RTO.
Determining the RPO and RTO of an SMB is a key first step to devising a backup and disaster recovery plan that is appropriate for that business. It’s tempting to set RPO/RTO targets very low. After all, who doesn’t want the latest data backed up and recoverable as fast as possible? But there are costs to consider. The lower the RPO/RTO, the higher the cost. So you need to pick an efficient RPO/RTO that balances backup and recovery with the other needs of the business. If effect, it becomes a budgetary decision.
Third Party SaaS Systems - like Office 365
Another important consideration when evaluating backup and recovery concerns the business data being stored in third party systems. SMBs often run mission critical operations using third party cloud software as a service (SaaS). In particular, Microsoft Office 365, Sharepoint, and OneDrive provide email, document processing, collaboration, and file storage in the cloud for many SMBs. Google’s G Suite is another popular option.
It is tempting to not worry about these SaaS systems and assume that the third party companies are taking care of backup and disaster recovery. Especially a large corporation like Microsoft. But, in actuality, Microsoft (and Google, and others) are focused primarily on uptime (RTO). Microsoft does not fully back up data on your behalf.
For example, if you accidentally delete a critical document, or email, Microsoft only keeps a backup for 30 days. Since accidental deletion is a far more common cause of data loss than natural disaster, SMBs need to plan for it. Beyond the 30-day backup policy, Microsoft has no retention policy for customer data either. So, if an SMB is subject to regulation requiring retention of documents of a certain period of time, or a requirement for legal hold, they should consider additional managed services for backup and recovery.
Beyond the requirements for specific litigation, a variety of regulatory compliance may influence the design of backup and recovery systems.
For many SMBs, federal and state regulations dictate backup and disaster recovery requirements that must be met. For example, businesses that process credit cardholder data (e.g., e-commerce, retail, etc.) the Payment Card Industry Data Security Standards (PCI DSS) require data backup and disaster recovery that meet specific requirements. Similarly, healthcare organizations must implement backup and recovery solutions that are HIPAA compliant. Both PCI DSS and HIPAA have strong data security requirements, meaning that any cloud backup solution probably needs to encrypt all data.
Furthermore, under HITECH, a healthcare organization’s backup and recovery providers must enter into Business Associate Agreements with them that impose further regulatory requirements. These include administrative, physical, as well as technical, safeguards for personal health information being backed up.
Regulatory compliance does not usually require extremely fast recovery times (low RTO), but other considerations (like a hospital’s need to access patient data), means that an SMB may need some of their backup data stored locally. Local data backups can be integrated with cloud backup to form a hybrid solution.
Hybrid Data Backup
Pure cloud backup is not sufficient for SMBs that need fast data recovery (e.g., low RTO organizations like hospitals). Recovering terabytes of data over the Internet can take an order of magnitude longer than over an on-premise LAN. For this reason, many SMBs require local (on-premise) backup.
Of course, the problem with local backup is that disaster may strike your local backup hardware at the same time as your primary systems. Natural disasters, like earthquakes, come to mind, but this scenario can arise in other situations like ransomware attacks.
The solution, in this case, is a hybrid data backup system. Data is backed up to a local storage mechanism and the local storage is backed up to the cloud. Such solutions are often referred to as disk-to-disk-to-cloud (D2D2C).
Whether a business implements a straight cloud backup, or hybrid solution, having their mission critical data backed up to the cloud creates the opportunity to implement a cloud-based disaster recovery solution as well.
Disaster Recovery with Virtual Machines
Traditional disaster recovery solutions require duplicate hardware to be setup and configured in an off-premise location. In the event of primary systems failure, data is restored from backup to the duplicate hardware and operations resume at the backup location.
Purchasing and maintaining duplicate hardware for disaster recovery is prohibitively expensive for many SMBs. This expense has been a significant impediment to the adoption of disaster recovery solutions by SMBs.
With the advent of cloud computing, physical hardware is no longer needed for disaster recovery.
With the advent of cloud computing, physical hardware is no longer needed for disaster recovery. Instead of restoring backup data to physical machines, an SMB can restore data to virtual machines, running in the cloud, and purchased on-demand. This approach drastically reduces the expense of a disaster recovery solution and is the only affordable option for many SMBs.
Finally, designing and managing backup and disaster recovery with cloud technologies may seem like a daunting process to many SMBs. After all, most businesses don’t need a complex solution that requires multiple steps and advanced training to restore a file or recover a server. Ideally, the backup and recovery system can be operated through a simple user interface provided by a web portal. For operations that are not self-service, Managed Service Providers (MSPs) can deliver and manage a ticketing system the makes it easy for users to submit requests and track progress.
AWS and Azure - Harder than it Looks
Given all these requirements, where should an SMB consider storing their backup data? Cost is clearly a big consideration. In particular, it often determines the RPO/RTO targets that can be achieved. The good news is that cloud technology has dramatically changed the economics of backup and recovery, making it possible to pay for only the storage being used, and compute resources only when an actual disaster occurs. Gone are the days when off-premise disaster recovery solutions require purchasing redundant hardware for failover.
So, how can the average SMB take advantage of cloud-based backup and recovery? Should they roll up their sleeves and start implementing a disaster recovery solution in one of the popular cloud environments?
In theory, you can implement backup and disaster recovery with Amazon Web Services (AWS) or Microsoft Azure. But AWS and Azure are Infrastructure-as-a-Service (IaaS) platforms. You pay for the compute, storage, memory, bandwidth, and other resources as needed. And if those are the only costs you look at, then the price of a backup and recovery solution built on AWS or Azure looks very inexpensive.
But, a business considering AWS or Azure should also understand that, while the cost of data storage with these services is relatively low, access charges can be exorbitantly high because of data retrieval and bandwidth fees.
Furthermore, an SMB needs to consider the additional costs beyond just the storage and retrieval fees. An expert needs to design the backup architecture; configure the compute, storage, and network components; write the automation scripts that provision the virtual machines, and load the backup data; etc.
Beyond the initial design and implementation, backups need to be monitored, alarms created, and capacity adjusted as the business scales up or down. If a backup fails in the middle of the night, the business needs staff who can respond.
If the business doesn’t currently have the staff or skills in-house to design, operate, test, and monitor the backup and recovery system, then they will need to hire people. Once you factor in these staff costs, a solution based on AWS or Azure begins to look very expensive and time-consuming.
This is not the turnkey approach that most SMBs need. Hiring a managed services provider is a better fit for most SMBs.
Managed Services for Backup and Disaster Recovery
A managed services provider (MSP) will integrate all the pieces to provide the backup and recovery solution that meets the unique needs of each of their clients. They can operate the system for you as well, working as an extension of their client’s IT department.
A managed service provider typically offers:
Customized Backup and Disaster Recovery Plan - Determining RPO/RTO and designing a solution to meet those objectives, as well as other requirements including regulatory compliance. May include a combination of cloud infrastructure and physical hardware in data centers operated by the MSP.
Configuration and Integration - Cloud infrastructure, physical hardware, networks, software, SaaS data, etc. must all be configured and integrated for backup and recovery.
Support - Responsive to help requests when issues arise that need to be addressed, like changes in business requirements, operational issues, restoration of data.
Monitoring - Once the backups are running, they need to be monitored and problems need to be solved to ensure that the system operates within the target RPO/RPO.
Scalability - As your operations grow and change, the MSP will scale your solution seamlessly.
IIS Backup and Disaster Recovery Managed Services - Powered by Webair
International Integrated Solutions (IIS) is a managed service provider for SMBs offering backup and disaster recovery services that are comprehensive, yet moderately priced. IIS cloud backup and disaster recovery services provide:
- Hybrid Backup as a Service (BaaS) - maintaining a local copy of data that is mirrored offsite in the cloud.
- Fully encrypted data storage - to ensure privacy and meet regulatory requirements.
- Disaster Recovery as a Service (DRaaS) - providing the capability to restore mission critical systems on virtual servers running in the cloud.
- Office 365, Sharepoint, and OneDrive backups - to ensure full restore capabilities for all data stored in Microsoft’s cloud.
- Push button simplicity - including custom scripting to bring up servers and restore data in the event of disaster.
- Flexible pricing - based on business requirements including RPO and RTO.
- Customer service portal - including ticketing and monitoring, built on the industry-leading ServiceNow platform.
The cloud provides SMBs with affordable backup and disaster recovery solutions with robust features previously out-of-reach to all but the largest organizations. If you thought your organization could not afford a comprehensive backup and disaster recovery solution, now is the time to take a second look.