John Merryman, services director for recovery services at GlassHouse Technologies Inc., discusses the benefits and drawbacks of managed data backup and recovery, and the managed backup market today in this FAQ.
Table of contents:
What are the benefits of managed backup/recovery?
Can you explain some of the drawbacks of managed backups?
What are the most important features a user should be looking for when selecting a managed backup provider?
How do managed backups address disaster recovery issues?
What kind of RPOs can you expect from a managed backup/recovery provider?
Who are the major players in the managed backup space?
There are a lot of benefits companies can derive from getting someone else to take on the burden of data backup. First and foremost is offloading the complexity associated with data backup. Quite honestly, backup applications really aren't that great. Most of them are fairly complicated to deploy. If you are asleep at the switch or take someone away from the switch for too long, they will degrade and turn into a complete train wreck.
A lot of companies either don't have the time or resources to focus on backup. So what would you get out of using a managed data backup service? In a lot of cases, you would get better service levels because you're bringing in people who are focused on backup and do it for a living. There is potential in a lot of environments, especially in midsized companies, to lower capital and the operational costs associated with backup. This can be compounded by policies, and in a lot of cases, you'll have legacy hardware and legacy configurations that can be optimized by a managed backup provider.
Ultimately, the big play is about risk. There are a lot of companies that are doing this today to lower the risk of operational and disaster recovery (DR)-type data loss, which is one of the biggest draws of bringing in an outside source to help with managing backup.
A lot of drawbacks stem from having to trust and rely on your external data backup service provider. There are a few options here. One approach is where a company comes in and manages what you already have, your existing infrastructure and where it fits as it is today with incremental improvements. The other is online data backup, where a service provider may start remotely backing up your data to an alternate location where your data is managed in an alternate facility by them.
Either way, you're putting a lot of trust in the external data backup service provider. There are some security implications, too, in terms of data access and data loss. When you look at this, you're creating a dependency on a third party, and even though backup isn't the most sexy thing you can be doing out there, it's fairly critical to business operations when you do lose data.
You should find out what the backup plan is, how complicated is it to pull them out or how hard is it to get your data back if you decide to terminate the contract. Also, look at scaling and growth, which can apply to technology or people, and the company that you are working with. Have you selected a company that is going to scale with you?
Then, ultimately, if your data or your number of hosts is growing significantly, how are the costs going to hit you over time and are you contractually protected to make sure that you can scale in an efficient way?
It's a conceptual play. If you inherit your infrastructure and have another firm managing your backup environment, do their features include 24/7 support, tiered support with various levels available around the clock? Do they have desk, application and database support for your environment? Do you have any custom needs that must be met by either the company or the technology? These are some of the key things for managed services that outsource backup.
If you look at some of the technology plays, like online backup for deploying a new software architecture and backing up data over the wire to a remote location, some of the key things are how easy it is to use and deploy. After all, if it takes you six months to deploy something that you need done in a week, it may not make a lot of business sense.
Also, if you have minimal impact to your network architecture, do you have the appropriate levels of security and flexibility in the security architecture? Also, do you have visibility into the capacity, performance and metrics behind backups, so you can really see what's going on?
Lastly, if you're looking at either scenario, is the technology supporting that company stable and are there reference accounts indicating if it's a one-hit wonder or if you're the fiftieth customer doing this? When you call the company for a question, does the CEO answer the phone or are you getting someone appropriate for support fielding the question? Things like that are definitely good to look for.
Just to define a disaster, what I'm talking about here is that a site is down and you're recovering your business at an alternate location. So let's say in that scenario, you're recovering your own infrastructure, but you're using an external service provider to manage the disaster with your team.
So first off, is the DR team, including your outsourced provider, available? Are they coordinated as part of the DR team and is everything documented? Are the people there and is the process documented to perform the data recovery with your data at the alternate location? If it's a managed online type of service, there are a bunch of other considerations, including if you have network and wide area network (WAN) connections in place.
If you're recovering data over the wire to an alternative location, do you have enough pipe to move the data in a timely fashion so that you can accomplish your recovery time objective (RTO) and recovery point objective (RPO)? And can those data transfer rates meet or beat your RTO objectives? Also, the backend architecture of the service provider should sustain that data transfer as well.
The bottom line here is that managed backup services are definitely going to be a critical player in your DR plan, but don't make any assumptions that just because you're paying for a service, it's going to satisfy your DR requirements. You really need to be defining your requirements, building a plan and testing on a fairly regular basis.
I like to frame RPO in terms of data loss, so you might have operational RPO and disaster RPO. What RPO really means is how long the last good copy of data or the last backup you can afford to have is, and how much data loss you can afford to sustain in the event of a disaster or an operational recovery event.
What is standard for RPOs in the backup world is about a 24-hour cycle. This can be lowered somewhat via scheduling more frequent backups, but there is a break point where backup has never really been designed for architectures to be a perpetual data protection mechanism that something like replication would satisfy. There are a few technologies like continuous data protection (CDP) that allow you to maintain copies.
But there aren't a lot of those out there, and with your standard-issue backup technology, whether it's something that you own or your backup service provider might be providing, the typical paradigm is that you're scheduling backups on a 24-hour type basis. That 24-hour RPO applies to operational recovery and, assuming you're getting that data copied and vaulted offsite every day, that's going to be a 24-hour RPO as well.
A question which I think is worth mentioning is how can you guarantee your backup can restore RTO-type performance? So if you're depending on an outside service provider that has your data at an alternate location, LAN bandwidth and backend performance are going to be a critical component.
Things to look for in that case are whether or not the service provider can guarantee speeds and megabytes per second -- whether or not your WAN architectures are redundant enough to sustain a disaster event and be ready for recovery. And, ultimately, whether or not your layers of service providers (managed service providers for backup, network service providers for WAN, etc.), are all willing to live up to the service-level agreement (SLA) and meet your DR requirements.
There are quite a few. EMC Corp. is in the space quite heavily as they acquired a company in 2007 called Berkeley Data Systems, otherwise known as Mozy. They're making quite a large play for a wide range of users in the market, ranging from home users and small businesses to even parts of the enterprise, with Mozy and Enterprise Mozy.
IBM Corp. acquired Arsenal Digital as well as FilesX Inc., which is providing a managed service offering with quite a bit of flexibility on the bottom end, but also some enterprise-type capabilities on the top end.
There is Dell Inc. with a very good offering for SMBs. Iron Mountain Inc., Symantec Corp., Carbonite Inc., EVault, Asigra Inc., Hewlett Packard Co. and even the company I work for, GlassHouse Technologies Inc., all have a play. So it's a good market to be looking at because you have quite a few options out there.
But you also have to be fairly careful -- kick the tires and make sure that the companies you're talking to have the right experience and technology to satisfy your needs.
John Merryman is responsible for service design and delivery worldwide. Merryman often serves as a subject matter expert in data protection, technology risk and information management related matters, including speaking engagements and publications in leading industry forums.