rolffimages - Fotolia
Disaster recovery and backup serve similar -- but different -- purposes in data protection. But there appears to still be some doubt that both functions should be included in a data protection plan, which can lead to organizations making some risky decisions.
In IDC's "The State of IT Resilience Report: 2019," 94% of companies said it was redundant to have separate disaster recovery and backup processes. While the survey may reflect prevailing attitudes, some analysts strongly believe in the need for distinct and multifaceted data protection approaches that include both backup and DR.
In this tip, three analysts weigh-in on the idea that having backup and DR tools is redundant, and how the evolution of business continuity and disaster recovery (BCDR) affects that view.
BCDR vs. backup?
"All we had 15 years ago was backup. Everyone backed up and if something went wrong, you just hoped and prayed," said Steven Hill, senior analyst, applied infrastructure and storage technologies at But that approach has changed dramatically as BCDR has evolved.
Backup is an action, Hill said, "while BCDR is more of a formula based on a sequence of actions that address protection of all or part of a business IT environment." Backup is the cornerstone since it is all about data you could lose, he said. "Without data, you have nothing."
But it is no longer enough for an organization to say it will back up and then restore. "That can work acceptably for a given application and its data, but in an increasingly complex business environment systems are often interdependent," he said.
This is because backup doesn't accomplish everything, Hill said. "You need a plan for all aspects, including relationships and physical and logical challenges," he said, as well as other factors needed to make things keep working if something goes wrong.
Backup establishes that basic role so you don't lose data. But if you want to be protected, you need to think bigger. "I have talked with a lot of companies that will proudly show you their backup storage or systems right next to their main system," he said. What if there is a major storm or electrical problem? What good will that adjacent backup do? In other words, Hill said, backup and recovery are each one half of the equation and the process needs to be well thought out.
Backup is the data protection aspect of BCDR, Hill added, but practice should still reflect the traditional 3-2-1 rule. "That means three copies of the data: two systems locally and one copy off site," he said.
Assessing business requirements
Exactly how you balance disaster recovery and backup depends on your business requirements, said Nik Simpson, research vice president at Gartner. For SMBs, the DR plan was traditionally, "Oh crap, we will have to restore from our tapes" and it would take as long as it was going to take, he said. On the other hand, if your recovery time objective (RTO) requirements are measured in minutes or seconds, traditional backup isn't enough.
Fortunately, Simpson said, everyone now has more options than in the past, especially if you use the public cloud. "To do DR, you no longer need a second data center with equipment sitting idle almost all of the time," he said. For SMBs that couldn't justify a major investment in a DR plan, there are flexible and low-cost options.
In addition, Simpson said there is more overlap between business continuity and DR because of virtualization. In the past, he said, you could only back up to a server. With virtualization, it has become much easier to do image recovery, pulling up machines ready to run, and that has opened the door to more ambitious recovery point objective (RPO) and RTO targets that would have been difficult or impossible in the past.
He said he is seeing some backup platforms instituted with continuous data backup. "That can get you into a recovery point of minutes; it is a much more flexible tool than in the past," Simpson said.
Small organizations face budget hurdles
Christophe Bertrand, senior analyst at Enterprise Strategy Group, said that in all the talk about BCDR, many organizations, especially the smaller ones, neglect to consider how important robust capabilities are for dealing with cyberattacks, particularly ransomware. "That is a logical disaster like the corruption of a database, but of course the source is different," he said.
Once you stop the infection you then need to go through the backup and recovery process, he said. An additional cultural issue may be impeding some smaller organizations when it comes to investing in BCDR. "Younger people, even the ones in IT, tend to think they can get everything back right away, but that is not how [things] work in the real world," Bertrand said.
Still, Gartner's Simpson said he believes more organizations are beginning to understand the need for both disaster recovery and backup. However, he said, it may be that many smaller organizations still haven't figured out how to do DR at a price point they can afford.
One thing is certain: Over time, organizations are setting more aggressive RPO and RTO goals. "Gone are the days when you could be out for a couple of days," Simpson said. "Now there are tools that don't cost an arm and a leg and can have you back up and running in a relatively short [period of] time."