Protecting Data Within New HA/DR Parameters
There are two types of organizations in the world: those that have experienced unplanned system downtime and those that will. Of the first group, many have likely tightened up their high availability and disaster recovery (HA/DR) methods and tools as a result of their incidents, moving, for example, to hosted cloud-based HA/DR services. Within the second group, a lot are depending on what they’ve traditionally had in place in terms of HA/DR and hoping for the best.
But as Jim Kandrac, president of UCG Technologies, cautions, that latter approach simply may not be enough. “Many C-level executives really don't fully grasp the importance of HA/DR until something happens,” he says. “Some grasp it very quickly and will then approve funds to protect their data and organization. But too many companies aren’t currently proactive enough, even after they’ve experienced a data loss or cyber hit.”
New HA/DR Parameters
Indeed, many remain habitually reactive, continuing to rely on traditional HA/DR methods and solutions, including tape, on-prem box-to-box replication or a mix thereof. But recent and increasingly common natural disasters, including flooding caused by storms—think hurricanes Sandy and Ida—in once ordinarily dry locations, is proof enough of how deleterious that can be. Even colocated HA/DR systems pose their own, albeit lesser, risks, such as when the power goes out at the primary data center or the method of communications between the servers is severed and there are no redundancies in place.
“Often, earlier thought processes were, ‘Well, if there was a storm like Sandy, nobody's doing business anyway because everything local is closed,’ ” John Dominic, executive vice president, Maxava LLC, remarks. “But now you have internet sales and customer service for everyone outside the danger zone, so the local disaster excuse doesn’t work anymore. You have to stay in front of recovery trends to keep operating.”
The worldwide emergence of SARS-CoV-2, which can lead to COVID-19, has become an additional stressor to those traditional HA/DR models. Because of workplace lockdowns, many companies had to grapple with the remote monitoring and maintenance of their systems. They may not have had the correct tools and policies in place to easily allow for home-to-data center backend system access.
And then there’s the issue of becoming insured to cover downtime, data loss and ransomware attacks. If companies don’t meet certain business-interruption or cybersecurity thresholds, their premiums may be higher than normal or they may be turned down for insurance coverage entirely.
As Dominic notes, “A lot of customers still use tape for absolutely useful purposes, but it can’t be used as your primary DR method. The technology is outdated for that purpose, which will necessarily impact insurance coverage. If you're going to lose 24 hours’ worth of data and you’re down for two to three days, that's a huge liability, and it will definitely impact your business-interruption and cybersecurity premiums.”
And the insurance companies aren’t taking this lightly. Companies have to not only prove they have suitable HA/DR solutions in place, but, in some cases, successfully test them. So, it’s no longer enough for companies to tick a box for auditors indicating they bought of HA/DR software; they now have to prove everything HA/DR-related actually works as intended.
Which leads to yet another issue. Many seasoned system admins are thinking of retiring, if they haven’t already. Although younger IT professionals are skilled in many programming languages and high-level computing-asset maintenance, they may not completely grasp the subtleties of setting up, administering and managing HA/DR environments, especially those involving aspects of the cloud. Indeed, even long-term admins may have issues extending traditional HA/DR backup methods to hybrid clouds.
“In times like these,” Dominic says, “it seems like nobody has time for anything. They’re doing double duty just to keep things afloat, and they’re doing it under the circumstances of potentially working from home, which can create logistical problems involving, for example, remote connections. The entire workflow may have changed, whether you’re new to IT or not, and you need to learn how to work within these new parameters.”
Proactive Measures: Cloud-Based Software and MSPs
It’s for these reasons and others that an increasing number of companies are proactively turning to cloud-based software solutions and managed service providers (MSPs) to handle HA/DR functionality for them. Having hosted cloud services in place during, for example, COVID-19-related lockdowns was and continues to be invaluable for many organizations.
“COVID very quickly changed a lot of things for a lot of companies, especially in IT,” Kandrac says. “That's what’s in part driving the move to MSPs and cloud in general, particularly if companies aren't sure they're going to bring people back to the office. It’s about being able to remotely monitor systems from the cloud, no matter where the admin is located.”
Many companies already have at least some experience with hybrid cloud computing, so this type of remote management wouldn’t be all that foreign to them. It’s simply a matter of finding a trusted MSP and/or software vendor, establishing remote access to cloud resources and either allowing an MSP or independent software vendors (ISVs) to help them determine and maintain organizations’ HA/DR requirements. This is a big motivation for customers that are new to the cloud to move to MSPs or ISVs for HA/DR, knowing they won’t have to purchase or lease new systems—and decide where to locate them—to improve their HA/DR capabilities.
“Over the past year, we’ve an increase in interest about and of business with backup, DR, HA, largely driven by COVID, I’m sure,” Dominic says. “Their #1 priority was making sure everybody was connected, making sure everybody was secure. Engaging with MSPs or other providers with enhanced cloud capabilities is certainly one way to do that.”
Indeed, it relieves the burden on double-duty IT professionals, whether they’re on track to retirement or are relatively new to the field. They can take HA/DR tasks off their plates by handing much of the management to off to MSPs and ISVs, which have experts well-versed in how to best set up and maintain hybrid or wholly cloud HA/DR environments, while also keeping up on the latest trends in the field.
This type of arrangement addresses other HA/DR issues, as well. For example, if a local disaster occurs, companies will still be able to maintain their operations, remotely, over the cloud, with no long-term downtime. Because MSPs’ and ISVs’ solutions have already been proven in terms of business continuity and cybersecurity, dealing with companies’ insurance policies and premiums will become less onerous, resulting in lower costs and improved coverage.
Perhaps more importantly, MSP and ISV cloud HA/DR solutions dramatically decrease the possibility of data loss, theft or hostage taking. As Kandrac explains, “The human factor comes into play here. But there are three to five things they can do to protect themselves, such as multifactor authentication. We additionally have firewalls in place that block certain things. These are simple and proactive measures that can be taken to better safeguard their data.”
This obviously isn’t a small matter, but it’s becoming even more critical as government entities begin drafting bills and passing laws protecting personal privacy. The E.U.’s General Data Protection Regulation (GDPR), for instance, specifies that a company that experiences a breach that exposes sensitive E.U. personal data may potentially face stiff fines of up to 4% of their annual turnover or €20 million, whichever’s greater. In addition, affected individuals can take legal action on their own.
Notably, this applies to any company dealing with the personal data of E.U. individuals—citizen, resident or visitor alike wherever that company is located, including in the U.S. Indeed, some states—such as Ohio, as Kandrac notes—have passed legislation or are drafting bills that address privacy concerns. The Ohio Personal Privacy Act (HB 376), for example, will, if passed into law, monetarily penalize companies that don’t provide a reasonably accessible, clear and conspicuously posted privacy policy. Although HB 376 doesn’t deal directly with lost or stolen consumer data, it’s clearly setting the stage for future legislation that may well address that issue.
“I would strongly encourage companies to protect their organization by deploying multifactor authentication and mandating 30-day password changes,” Kandrac says. “It’s difficult getting that message across, but organizations that take their fiduciary duty seriously are being extremely proactive when it comes to following and keeping up with HA/DR and cybersecurity trends.”
On the internal UCG Technologies’ side of data and cyberprotection, as an MSP, in order to be compliant with our insurances, there are 155 actions the company must complete and stay up-to-date on. “Four years ago, it was only 35,” Kandrac reflects. “Next up is insurance companies turning the tables on end user companies who will also be required to comply with these standards.”
Responding to Changes in the HA/DR Landscape
It’s a given that everything in IT changes at some point. But it’s how companies respond to these changes that matter. They can be reactive or proactive. In the case of HA/DR, it’s much better to be the latter. Even if legislation isn’t driving it, there are profound benefits for companies to be had by being ahead of the curve, including less if any unplanned downtime, easy remote system access, improved data security, fewer people hours and better insurance coverage with lower premiums.
“The professional ecosystem is graying and there are always new threats and challenges, like COVID, which has forced a lot of people to work from home for the first time,” Dominic notes. “These are big changes for the traditional HA/DR community, and they seemed to have happened all at once. Cloud is obviously another aspect of this change, but you may not feel comfortable managing your backups there. Well, now you can work with an MSP or ISV to do it. That provides a lot of relief.”