There are a number of items that must be taken into consideration before entering into an agreement with an online backup service provider. What follows is a checklist of some of the major items that should be addressed in a service-level agreement:
- Security and privacy
- Response time
- Disaster recovery
- Nonperformance clauses in service-level agreements
- Access to an online data backup provider's facility
The SLA should include a clear policy on logical and physical security of your data. This should go beyond simple assurance that your data is safe and should outline the measures put in place to ensure data security and privacy. This should be governed by a clearly defined policy statement outlining what type of security is in place, how access to your data is controlled and monitored, who has access to your data, etc.
Data backup and recovery best practices dictate that you should always keep a second copy of your backups offsite. Outsourcing data backup does not change that basic rule even though the backups are actually stored elsewhere; your SLA should include a clear description of how your backup data is protected from hardware failure or media loss (such as number of backup copies and the locations where they are kept, and the number and locations of sites the provider copies your data to).
Your SLA must include very clear details around service levels with respect to network connectivity and bandwidth. Focus must not be limited to how fast backups can complete; agreements must also address what you can expect when you need to restore a large amount of data. Companies must be especially careful with this as network connectivity is often provided by a third party and negotiated as a separate agreement. The provider should specify not only what bandwidth options are available but also the guaranteed capacity if the networked link is not dedicated (as in shared). Many providers include the ability to exceed the allocated bandwidth for an additional cost per megabyte of bandwidth used in excess of the initial agreement. The monthly cost can add up quickly if limits are frequently exceeded, so selecting a realistic capacity for the start is important.
Response time must be clearly articulated in a service-level agreement. This should include not only the time it takes to acknowledge a request for restore but also the time to process initiation. Obviously, the time to completion is dictated by the amount of data needing to be restored and the technology in place but expectation should be clearly set as to how long it will take before the restore process is initiated.
Disaster recovery is a twofold item; your service provider must clearly demonstrate their ability to completely recover and in a timely fashion should disaster strike their facility. That said, the service-level agreement must also be aligned with your own disaster recovery requirements. The service levels must meet your recovery time objectives (RTOs) and recovery point objectives (RPOs). The frequency of backups and technology in use (i.e., disk vs. tape backups) must be able to satisfy your recovery requirements. That being said, it is your company's responsibility to define what those recovery requirements are; they must be based on your needs and not on the services offered.
Any SLA should include a clear nonperformance clause. Many providers offer a rebate or will even waive monthly fees for failing to meet service levels which can be meager compensation if valuable backup data is lost. A better agreement will include a termination clause for multiple failures to meet SLAs on the provider's part.
You should be wary of providers who claim their facility is not suitable for showing, or if security policies do not allow them to let clients in. Best-of-class providers will be more than happy to display their facility; they usually go the extra mile to put a clean and well-maintained facility on display. Not to say that you should expect them to hand you keys to the data center and walk away, but you should be able to see where and how well your backup data is kept.
If your company is required to be Statement on Auditing Standard No. 70 (SAS 70) or Payment Card Industry Data Security Standard (PCI) compliant, outsourcing backups does not exclude you from demonstrating that the data you handle is secure and that your company is in compliance with the guidelines in place. You service provider must be able to demonstrate their certification credentials as well. Once more, serious providers should not take issue with making that part of the agreement as they typically leverage compliance as a competitive advantage.
About the author: Pierre Dorion is the Data Center Practice Director and a Senior Consultant with Long View Systems Inc. in Phoenix, AZ, specializing in the areas of business continuity and disaster recovery planning services, and corporate data protection.
This was first published in February 2010